FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Head In the Cloud – United States Supreme Court Takes On Application of Domestic Warrant To Information Stored Internationally

Posted on: March 9th, 2018

By: Glenn M. Kenna

The Supreme Court is set to decide a vital question this term: can the government use a warrant served in the United States to obtain emails stored abroad?  The United States Government says it can; Microsoft disagrees.  The case is United States v. Microsoft Corporation, in which the Supreme Court heard oral argument on February 27, 2018.

To understand the nature of the conflict, a little back story is necessary.  Congress passed a law in 1986, the Electronic Communications Privacy Act (ECPA).  Part of Title II of the ECPA, 18 USC § 2703, allows law enforcement agencies to obtain warrants, so-called Section 2703 warrants, to discover electronic communications stored in an “electronic communications system.”  In other words, the government can serve a warrant on an email service provider, such as Microsoft, and obtain emails stored on Microsoft’s servers.

In the Microsoft case, the Government did exactly that.  It served a warrant on Microsoft in Redmond, Washington to discover electronically stored communications in connection with an ongoing investigation into a crime allegedly committed in the United States.  The issue at the heart of the dispute is that the warrant sought the contents of communications stored on servers in Ireland.  In response to the warrant, Microsoft turned over domestically stored information (in this case certain metadata about the emails) but refused to turn over the contents of the communications stored abroad.  A legal battle between the Government and Microsoft ensued, ultimately leading to the Supreme Court granting cert.

In the ongoing dispute between Microsoft and the Government, Microsoft contends that the Government’s attempt to enforce the warrant is an extraterritorial act, i.e. an attempt by the Government to enforce United States law abroad.  It further asserts that complying with the warrant could run afoul of the law in the country where the information is stored.  The United States’ position is that, should the ECPA not apply to information stored abroad, every service provider would simply move its servers out of the United States, taking the communications beyond the reach of US law enforcement agencies.  Moreover, it reasons, Microsoft can access the information domestically regardless of where the information is stored, which the Government contends does not require the application of the ECPA abroad.

The ECPA pre-dates the internet.  Email as we know it today did not exist in 1986.  The drafters of the ECPA could not have imagined a world where people stored their entire lives on remote servers, or a world where those servers could be located anywhere across the globe.  Those are issues with which courts continue to struggle, including the Supreme Court in this case.

It remains to be seen how the Court will rule in the Microsoft case, or whether Congress will act to modernize the ECPA before the Court’s decision (indeed, a bipartisan group of senators has introduced the CLOUD Act to address the issues raised in the Microsoft case).  What is clear, however, is that Microsoft represents just one small part of an ongoing clash between law and technology.  While not directly at issue in the Microsoft case, the dispute also raises the question: what right do we have to privacy in our electronic worlds?

If you have any questions or would like more information, please contact Glenn Kenna at [email protected].

Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the first pronouncement on this issue from the high court in a data breach class action lawsuit, a move long-awaited by lower courts, lawyers, and their clients in order to gain more clarity on the application of prior decisions like Spokeo in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have reported here and here, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].


South Dakota Introduces Data Breach Notification Legislation

Posted on: February 14th, 2018

By: Kacie L. Manisco

On January 23, 2018, South Dakota’s Senate Attorney Judicial Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.

The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to impose criminal penalties for the failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.

Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Cybersecurity Deadlines Approaching for Banking, Insurance, and Financial Services Companies

Posted on: February 8th, 2018

By: David A. Cole

Businesses that are subject to the New York Department of Financial Services (“DFS”) cybersecurity regulations should be aware of upcoming compliance deadlines. Don’t be fooled: these regulations may apply to your business even if you’re not located in New York. The DFS cybersecurity regulations broadly apply to any business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financial Services Law.” A full description of the entities covered is listed on the DFS website.

Last summer, covered entities had to meet an initial deadline requiring them to: (1) designate a Chief Information Security Officer; (2) establish a cybersecurity program; and (3) develop a written cybersecurity policy. Now, DFS has issued a press release to remind covered entities of another upcoming deadline under the cybersecurity regulations. By February 15, 2018, covered entities must submit a statement to DFS certifying their compliance with the regulations.  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

In addition, by March 1, 2018 (the one year anniversary of the cybersecurity regulations), covered entities must submit their first annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities are required to have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please talk to one of our Data Security, Privacy & Technology attorneys. We are here to help!

Enhanced Privacy and Data Security Law on Tap for North Carolina

Posted on: February 8th, 2018

By: Paul H. Derrick

A bi-partisan privacy and data security bill will soon be rolled out in North Carolina, and its impact will be significant. North Carolina Attorney General Josh Stein and State Representative Jason Saine are co-authoring “The Act to Strengthen Identity Theft Protections.”  According to a recent press release and fact sheet, they plan to seek its introduction in the State’s General Assembly during the coming months.

The bill would bring dramatic changes to North Carolina’s existing Identity Theft Protection Act, particularly in two areas: (1) the imposition of an affirmative duty to implement and maintain data security procedures and practices; and (2) a 15-day breach notification window.  Companies that experience a data breach and have failed to maintain reasonable security practices would be deemed to have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act, and each person affected by the breach would constitute a separate and distinct violation of the law.  With provisions for treble damages and attorney’s fees, even for nominal violations, data breach litigation would quickly become much more lucrative for plaintiffs’ attorneys.

The proposed bill also would require companies to notify affected individuals and the Attorney General within 15 days following discovery or notification of a breach.  That is a substantial change from the current law’s requirement that notification be made “without unreasonable delay.”  Businesses will need to have a response plan already in place in the event a breach occurs, rather than waiting until the time arrives to develop a course of action.

Other provisions in the legislation update the definition of security breach to include ransomware attacks, broaden the definition of “personally identifiable information” to include medical information and insurance account numbers, allow consumers to freeze and unfreeze their credit without charge, and provide individuals with greater access to and control over their personal data.

Because it already has strong bi-partisan support, some version of the bill will almost surely be passed into law. North Carolina employers must not wait until that happens to begin preparing for it, however.  Businesses should audit their existing internal privacy and data security programs now and immediately develop meaningful and legally-compliant safeguards in any areas that are lacking.

Please contact Paul Derrick at [email protected] or anyone in FMG’s Data Security, Privacy, & Technology practice group if you would like more information on developing and implementing privacy and data security programs. We also have extensive experience in guiding organizations through data breaches and representing clients in data breach litigation.