FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

The Ethical Duty of Technology Competence – The Day is Coming in California

Posted on: December 5th, 2019

By: Renata Hoddinott

Recognizing the emergence of technology, its impact on the practice of law, and the importance of lawyers understanding technology, the American Bar Association modified its Model Rules in 2012 to make clear a lawyer’s duty of competence includes both a substantive knowledge of the law and the competent use of technology. ABA Model Rule 1.1 Comment 8 provides, in part, that, “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology.”

Since then, 38 states* have adopted some version of Comment 8. In 2016, Florida went even further and became the first state to require lawyers to complete three hours of continuing legal education on technology every three years. In 2019, North Carolina followed suit and now requires lawyers to complete one hour of continuing education devoted to technology training every year.

But while California normally leads the nation in many areas, here it is among the minority of hold-out states that have not adopted a version of Comment 8. While the State Bar of California’s Standing Committee on Professional Responsibility and Conduct has issued several opinions involving technology to date, California has not yet expressly referred to a technology component of a lawyer’s duty of competence in its Rules of Professional Conduct.

There are constantly emerging technologies to assist lawyers in delivering legal services to their clients. In the past, lawyers were deemed competent based on their experience and knowledge of a substantive area of law. As technology evolved, so too did the concept of competence. Types of technology used by today’s lawyers include the technology used to run a law firm and practice, case management software, billing software, and email, as well as data security to protect client confidentiality, technology used to present information to the court, electronic discovery, saving client information in the cloud and other third-party service platforms, and the use of social media such as Facebook, LinkedIn, and blogs. There is also the growing area of artificial intelligence or AI which is transforming the way lawyers and law firms perform legal research, due diligence, document review, and even more.

While these technologies offer many benefits to help increase efficiency, minimize mistakes, and decrease labor costs, there are also associated risks and pitfalls. Technology competence includes an understanding of the technology a lawyer currently utilizes in his or her practice, the additional technology available, and the technology that a client or prospective client uses or owns. Lawyers who are not technologically competent may be putting their clients and themselves at a disadvantage, as well as potentially risking a malpractice action in certain cases.

Attorneys must recognize the ways in which technology influences the practice of law in California. While it is not yet mandated as in many other states, that day is coming soon. And while technology continues to advance faster than developments in California law, lawyers should consider their duties of competence, diligence, supervision, and maintaining confidentiality when implementing and using technology.

*The states which have adopted some version of Comment 8 are: Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

If you have any questions or would like more information, please contact Renata Hoddinott at [email protected], or any other member of our Lawyers Professional Liability Practice Group, a list of which can be found at www.fmglaw.com.

Latest Study in Cybersecurity Awareness and End User Behaviors

Posted on: September 5th, 2019

By: Michael Kouskoutis

Cybersecurity awareness company Proofpoint recently published its fourth-annual Beyond the Phish report, which analyzes end-user behavior and employee knowledge on cybersecurity. Drawing on over 130 million data points across 14 categories, 16 industries and over 20 departments, this report is regarded as among the most useful cybersecurity studies published each year.

Notable findings include:

  • Participants incorrectly answered about 1 in 4 questions regarding identification of phishing threats.
  • Participants showed poor awareness surrounding risky communication channels (like connecting to public WiFi networks), and struggled to identify distinctions between public and private data.
  • Participants treat mobile devices differently, often taking greater risks than with stationary computers.
  • In comparison with prior reports, users have a greater understanding of ransomware and are becoming better at recognizing malicious pop-ups.
  • End users are also increasingly using physical security practices, such as locking devices before leaving them unattended.
  • End users in the finance industry performed the best, while those in education and transportation were the worst performing users across all industries.
  • End users in hospitality performed the worst in the “Physical Security Risks” category.
  • Workers in the insurance industry performed particularly well in the “Avoiding Ransomware Attacks” category.
  • Communications was the best performing department among all industries, while customer service, facilities and security departments performed the worst.
  • 83% of global organizations experienced phishing attacks in 2018.

The study also reported a significant increase in safe behaviors in organizations that offer continuous training across all cyber topics. With human error being the leading cause of cybersecurity breaches, businesses should make cyber awareness a core component of employee training and offer continual training programs that are up-to-date with the latest threats to cybersecurity. For more information on cyber data security or breach response, contact Michael Kouskoutis at [email protected].

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, unfortunately, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that provided the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security numbers, dates of birth, and medical histories. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she actually did not allege those charges were the result of the clinic’s data breach.

Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.

Breaking – Eleventh Circuit Holds No TCPA Standing For Receipt of Single Unsolicited Text Message

Posted on: August 29th, 2019

By: Matthew Foree

In Salcedo v. Alex Hanna, the U.S. Court of Appeals for the Eleventh Circuit has just issued a major decision holding that receipt of a single unsolicited text message does not establish standing under the Telephone Consumer Protection Act (“TCPA”). A copy of the opinion is available here.

In this case, the plaintiff, who was a former client of the defendant law firm, received a multimedia text message from the defendant offering a 10% discount on his services. Plaintiff filed suit as a representative of a putative class of former clients who received unsolicited text messages from the defendant in the past four years alleging violations of the TCPA.

In reaching its decision, the court considered Eleventh Circuit precedent in the Palm Beach Golf Center-Boca, Inc. v. John G. Sarris, D. D. S., P. A. case, in which it found standing for a plaintiff who alleged that receiving a junk fax in violation of the TCPA harmed him because, during the time that it took to process the fax message, his fax machine was unavailable for legitimate business. The court distinguished that case based on differences between faxes and text messages.  Among other things, it found that a fax message consumed the fax machine entirely while a text does not consume a cellular phone.  It noted that, unlike a cellular phone, a fax machine is unable to receive another message while processing.

The court also looked to the judgment of Congress as to whether plaintiff’s allegations were treated as a concrete injury-in-fact. Among other things, the court recognized that “Congress’s legislative findings about telemarketing suggest that the receipt of a single text message is qualitatively different from the kinds of things Congress was concerned about when it enacted the TCPA. In particular, the findings in the TCPA show a concern for privacy within the sanctity of the home that do not necessarily apply to text messaging.” The court determined that Congress’s “privacy and nuisance concerns about residential telemarketing are less clearly applicable to text messaging.” Significantly, it noted that a single unwelcome text message will not always involve intrusion into the privacy of the home in the same way that a voice call to a residential line necessarily does.  As part of its analysis, the court also found the Ninth Circuit decision in the Van Patten v. Vertical Fitness Group, LLC case, which dealt with the same issue, unpersuasive.  It distinguished that case by noting that it stopped short of examining whether isolated text messages not received at home come within the judgment of Congress.

The Eleventh Circuit also found that history and the judgment of Congress do not support finding concrete injury in plaintiff’s allegations. It noted that the plaintiff did not allege “anything like enjoying dinner at home with his family and having the domestic peace shattered by the ringing of the telephone.” The court summed up its position by stating that the “chirp, buzz, or blink of a cell phone receiving a single text message is more akin to walking down a busy sidewalk and having a flyer briefly waved in one’s face. Annoying, perhaps, but not a basis for invoking the jurisdiction of the federal courts.”

Judge Pryor concurred in judgment only and noted that the majority opinion appropriately, in her view, leaves unaddressed whether a plaintiff who alleges that he had received multiple unwanted and unsolicited text messages may have standing to sue under the TCPA. With this understanding, she concurred in the majority’s judgment.

It remains to be seen how this case will be used to defeat standing in future cases, including how it is applied to cases involving multiple text messages and calls to cellular telephones.  This is a major decision that will have a drastic effect on standing in TCPA class action cases. If you have any questions about this decision, please do not hesitate to contact Matt Foree at [email protected].

Connecticut and Delaware Enact New Data Security Laws for the Insurance Industry

Posted on: August 8th, 2019

By: Ben N. Dunlap

Connecticut and Delaware have enacted new laws imposing data security obligations on the insurance industry, joining New York, South Carolina, Ohio, Michigan, and Mississippi.

Connecticut’s Insurance Data Security Law, signed by the Governor on July 26, 2019, creates new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department. Following the model of New York’s Department of Financial Services 2017 Cybersecurity Regulations, the Connecticut law requires licensees to maintain an information security program corresponding to the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program. The law requires oversight by the licensee’s board of directors and annual certification of compliance to the Insurance Department. The law also imposes a new reporting requirement: licensees will have to report cybersecurity incidents to the Insurance Department within three business days. The law becomes effective October 1, 2019, but licensees have until October 1, 2020 to prepare and implement programs compliant with the new requirements.

The Delaware Insurance Data Security Act, signed by the Governor on July 31, 2019, establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security program. Following the 2018 Model Act published by the National Association of Insurance Commissioners, the Delaware law requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it authorizes the Department of Insurance to investigate violations of and impose penalties against insurance carriers.

The Delaware law requires licensees to (1) implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ nonpublic information and personal data; (2) conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised; (3) notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred; (4) notify all impacted consumers within 60 days of the determination that their data has or may have been compromised; and (5) offer free credit monitoring services for one year to consumers impacted by breaches.

If you have any questions or would like more information, please contact Ben Dunlap at [email protected].