CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Posts Tagged ‘ransomware’

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, however unfortunate, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that provided the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security number, date of birth, and medical history. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she actually did not allege those changes were the result of the clinic’s data breach.

Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.

Smart Cities Face Hacking Threat

Posted on: August 15th, 2018

By: Ze’eva Kushner

As you sit in traffic, frustrated and wondering why the city or municipality cannot do something to ease congestion, know that a city’s use of internet-connected technology to make your commute better may also invite hackers to wreak havoc on your city.

Traffic is just one of many problems that “smart cities” use internet-connected technology to address.  A smart city can set up an array of sensors and integrate their data to monitor things like air quality, water levels, radiation, and the electrical grid.  That data then can be used to automatically inform fundamental services like traffic and street lights and emergency alerts.

Smart city technology provides many benefits to city management, including connectivity and ease of management.  However, these very same features make the technology an attractive target for hackers.  In a recently released white paper, IBM revealed 17 vulnerabilities in smart city systems around the world.  Some of these risks were as simple as failing to change default passwords that could be guessed easily, bugs that could allow an attacker to inject malicious software commands, and others that would allow an attacker to sidestep authentication checks.  Additionally, use of the open internet rather than an internal city network to connect sensors or relay data to the cloud presents an opportunity for hackers.

Atlanta is an example of a smart city that is attempting to improve its efficiency by employing smart city technology, with its focus being mobility, public safety, environment, city operations efficiency, and public and business engagement.  Atlanta knows all too well how crippling a hack can be, as it suffered from the ransomware attack in the Spring that kept residents from services such as paying their water bills or traffic tickets online.  The hacking threat to smart cities is real and significant.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill.  Issued in the wake of the massive data breach of Atlanta-based Equifax, among other data breaches across the country, the cybersecurity bill would have made logging into a computer without permission illegal, even if no information was stolen.  The recent ransomware attack on the City of Atlanta serves as a reminder of the potential significant costs of not having computer systems protected adequately.

However, the bill included multiple exemptions, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access.  In the industry, this is often referred to as “hacking back.”  The defensive actions could have included techniques such as using beaconing technology to determine the location of a hacker or leaving one’s network to track down stolen data.  The legality of these cyber defense measures is murky.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and potentially lead to anticompetitive behavior.  According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].