Oregon: Proposed Privacy Legislation Changes

The Oregon Legislature has recently drafted changes to an existing statute (ORS 646A.622) relating to consumer personal data protections.

The amended legislation addresses enforcement of the safeguards required for consumer personal data and creates new provisions relating to standing and damages. Most notably, the proposed amendment establishes a private right of action for a consumer who suffers an ascertainable loss of money or property as a result of a failure to maintain reasonable safeguards to protect the security, confidentiality and integrity of that consumer’s personal information.

If enacted, the amended statute takes effect on January 1, 2016.

For a copy of the proposed changes to ORS 646A.622, please contact our Privacy & Data Security Group.

NIST Opens Comment Period: The Security of Automated Access Management

For those involved in interactive and automated access technology, NIST’s Interagency Report 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH) should be of some interest.  The full report is here. This is the second public comment period for this draft report, and the comment deadline is April 3, 2015.

Although NIST’s stated purpose for the report is to “assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management”, the framework is rife with lessons and best practices for information and privacy security measures within any organization that operates networked systems.

There are at least four major noteworthy components in the report:

Section 4.6: Pivoting. “Malware can be engineered to use SSH keys to spread when automated access is allowed.” Aside from the cautionary tale that a single intrusion event can quickly lead to a network-wide compromise, an equally important takeaway is that organizations need to know the location (at all times) of their SSH keys so that the keys can be monitored for unauthorized access or duplication. An attacker who lands on a host holding an unprotected private key can log in to every host whose authorized_keys file trusts the corresponding public key, so the inventory has to cover both the private keys and the hosts that accept them.

Section 4.7: Lack of Knowledge and Human Errors.  The report cites the growing human-error component that affects the security of SSH-based systems. Some of the cited reasons include “complexity of SSH management and the lack of knowledge many administrators have regarding secure SSH configuration and management.”  The human side of the security setup (which can involve thousands of hosts) makes it more likely that an unauthorized key will go unnoticed and be exploited, and any resulting clean-up is very time consuming.

Section 6.2: Cryptographic key management and protection. “Key management and protection is another important component of solution design, including key generation, use, storage, recovery, and destruction.”  Organizations should ensure that access to keys is always properly restricted and monitored, and that keys can be retrieved in a short time frame if the need arises.

Section 6.5: Preparing devices for retirement or disposal. “Devices and media that hold private keys should be sanitized or destroyed, unless the keys have been retired/rotated.” Keys held on mobile devices should be tracked and removed when no longer needed.  Retired devices should be sanitized or purged before disposal.  A detailed guide to media sanitization is here.
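The inventory and monitoring points in Sections 4.6 and 6.2 above are easiest to see in code. The following Python is an added example written for this post, not code from NIST IR 7966 or from any vendor tool: it parses an OpenSSH authorized_keys file, computes each key’s SHA-256 fingerprint the way ssh-keygen -l -E sha256 does, and flags keys that are not in an approved inventory, keys that carry neither a from= nor a command= restriction (the shape of key that lets an intruder pivot), and lines whose declared key type does not match the key data. The sample file, the approved set and the host names are constructed assumptions; the keys are built from constant placeholder bytes and are not real keys.

```python
# Added example: audit an OpenSSH authorized_keys file against an approved key inventory.
import base64
import hashlib
import struct
from dataclasses import dataclass, field

# Key types OpenSSH accepts in authorized_keys; anything else is treated as malformed.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


@dataclass
class Finding:
    line_no: int
    fingerprint: str          # empty when the line could not be parsed
    comment: str
    problems: list = field(default_factory=list)


def fingerprint(blob: bytes) -> str:
    """Fingerprint as 'ssh-keygen -l -E sha256' prints it: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _tokens(line: str) -> list:
    """Split on whitespace while keeping quoted option values such as command="a b" intact."""
    out, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def parse_line(line: str):
    """Return (options, key_type, blob, comment); raise ValueError for malformed lines."""
    toks = _tokens(line.strip())
    idx = next((i for i, t in enumerate(toks) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(toks):
        raise ValueError("no key type or key data found")
    key_type = toks[idx]
    blob = base64.b64decode(toks[idx + 1], validate=True)   # binascii.Error is a ValueError
    # The blob starts with an SSH string (uint32 length + bytes) naming the key type;
    # it must agree with the declared type, or the line is corrupt or has been tampered with.
    if len(blob) < 4:
        raise ValueError("key data too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key data")
    return " ".join(toks[:idx]), key_type, blob, " ".join(toks[idx + 2:])


def audit(text: str, approved: set) -> list:
    """Return a Finding for every key that is unknown, unrestricted or unparseable."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            options, _key_type, blob, comment = parse_line(line)
        except ValueError as exc:
            findings.append(Finding(n, "", "", [f"unparseable: {exc}"]))
            continue
        fp = fingerprint(blob)
        problems = []
        if fp not in approved:
            problems.append("not in approved inventory")
        # A key with neither a source restriction nor a forced command is the kind of
        # automated-access key that malware can reuse to spread (report Section 4.6).
        if "from=" not in options and "command=" not in options:
            problems.append("unrestricted key (no from= or command=)")
        if problems:
            findings.append(Finding(n, fp, comment, problems))
    return findings


# --- constructed sample data: placeholder bytes, not real keys ---------------------
def _ed25519_blob(seed: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob wrapped around 32 placeholder bytes."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + seed


def _ed25519_line(seed: bytes, options: str = "", comment: str = "") -> str:
    b64 = base64.b64encode(_ed25519_blob(seed)).decode()
    return " ".join(t for t in (options, "ssh-ed25519", b64, comment) if t)


# Assumed inventory: only the backup key is approved.
APPROVED = {fingerprint(_ed25519_blob(b"\x01" * 32))}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys, not from a real host",
    _ed25519_line(b"\x01" * 32, 'from="10.0.0.5",command="/usr/local/bin/backup.sh"', "backup@bastion"),
    _ed25519_line(b"\x02" * 32, "", "jdoe@laptop"),
    "ssh-rsa " + base64.b64encode(_ed25519_blob(b"\x03" * 32)).decode() + " mismatch@host",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {f.line_no}: {f.fingerprint or '-'} {f.comment or '-'}: {'; '.join(f.problems)}")
```

Run against the constructed sample, the backup key passes, the jdoe@laptop key is reported as both unknown and unrestricted, and the ssh-rsa line is rejected because its key data is an ssh-ed25519 blob. In practice the same audit would be run on every host and the findings reconciled against a central inventory, which is what the report means by knowing where keys are at all times.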

Interested parties should take the opportunity to provide comments towards the finalization of these future industry standards.

Image courtesy of Flickr by Mike

To Post on Facebook, or Not to Post

We’ve all seen it make the rounds on our Facebook newsfeeds: the post that declares something along the lines of “my rights are attached to all my personal data drawings, paintings, photos, video, texts, etc.”  Its reappearance around the end of 2014 was likely due to a notice sent by Facebook regarding changes in their policies, which took effect on January 1, 2015.

In the United States, this message does not have the power to unilaterally waive the privacy terms to which each user agrees upon opening a Facebook account.  For example, the new terms state that subject to a user’s privacy and application settings, “[f]or content . . . like photos and videos (IP content), . . . you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook.”  The only way to terminate Facebook’s license is to delete your IP content or delete your account, but if you have shared that content with other users that have not deleted it, Facebook still maintains a license on it.

The European Union, however, has taken serious issue with this. EU data protection authorities say that this part (along with other parts) of Facebook’s policy violates their privacy laws.  On February 3, 2015, a task force led by Belgium, the Netherlands, and Germany was formed to investigate the concerns with Facebook’s privacy policy.  On February 23, 2015, a draft report commissioned by the Belgian Data Protection Authority outlined the following issues with Facebook’s policy:

  1. Consent to many of Facebook’s processing activities is likely not valid “[g]iven the limited information Facebook provides and the absence of meaningful choice;”
  2. The current “opt-out” default setting for advertising, as well as Facebook’s practice of combining and sharing data about its users, “do[] not meet the requirements for legally valid consent,” and opt-outs for location-data collection “are simply not provided;”
  3. Facebook’s new Statement of Rights and Responsibilities “contains a number of provisions which do not comply with the Unfair Contract Terms Directive” of European consumer protection law;
  4. The use of user-generated content for commercial purposes (the subject of the “my rights are attached to my personal data” post mentioned above) is not transparent and is not subject to “adequate control mechanisms;”
  5. The collection of location data parameters should be “turned off by default,” and users should be allowed “to determine when and how location data can be used by Facebook and to what purpose;”
  6. Facebook’s monitoring of its users while they are on and off the site is not in compliance with the e-Privacy Directive requiring “free and informed prior consent before storing or accessing information on an individual’s device;” and
  7. The terms “do not properly acknowledge” the fact that users cannot prevent Facebook from using their information gained from outside their network (i.e., if you have shared that content with other users that have not deleted it, Facebook may still use it).

Perhaps the changes required to comply with European Union law will trickle into Facebook’s privacy policies for the U.S., but it is always wise to be wary of what you post and to periodically review social media privacy policies.

Gordon & Rees Wishes Everyone a Happy Privacy Day!

On Jan. 22, Gordon & Rees presented its First Inaugural Legal Education Conference, a day of informative programs covering 10 legal areas of key importance to businesses. The Privacy and Data Security Group presented on the topic “Trends in Data Breach, Emerging Regulations, Enforcement and Lawsuits” at the Convene Conference Center in New York City.

The program panelists included Gordon & Rees attorneys Andrew Castricone, Craig Mariam, Linda Mullany, Peiyi Chen, and Hazel Mae Pangan, who discussed the triggering events and identification of a data breach incident, responsive and investigative measures, notification requirements to government agencies and consumers, and customer/client complaints and lawsuits. In addition to retail and institutional breaches, the panelists reviewed HIPAA/HITECH Privacy and Security Rules, as well as the HIPAA Breach Notification Rule, including its similarities and differences to other data security rules, and the Enforcement Rule under HIPAA. More than 200 guests, including clients, attorneys, business owners, consultants and industry experts were among those in attendance.

For your reference, we’ve provided the Cyber/Data Breach Reference Guide: Best Practices, State Surveys, HIPAA Enforcement. This helpful guide includes a 50-state survey of the current data breach statutes as well as an additional 50-state survey of current data destruction statutes.

We thank all those who attended and helped make the symposium a great success.

FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts.  The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, these defendants would collect hundreds of thousands of payday loan applications from payday loan websites.  These website applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information, names, addresses, phone numbers, Social Security numbers and bank account numbers including routing numbers.

The FTC’s complaint alleges that the non-lender third parties included marketers that made unsolicited sales offers to consumers via email, text message, or telephone calls.  According to the complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information being sold to them. The defendants are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.

Image courtesy of Flickr by John Taylor.

‘Twas the Season for Data Breaches

With the recent hacks into Sony’s system and the emails sent to Home Depot’s customers regarding the breach of its system, data breach is no longer some fantastical notion that only plays out in a 1980s sci-fi movie. It is a real threat to businesses and their employees and customers, and that threat rises during the holiday season, when the average consumer spends approximately $800 on gifts for family, friends, and co-workers.

Venture back with me to December 2013, when Target Corporation announced that it was hacked, which resulted in 110 million of its customers having their credit- and debit-card information stolen. When I came across a recent ruling in that case, my reaction was: “Oh, yes. I vaguely remember that happening,” and I might have even been a customer who received an email from Target explaining the breach. My point is that, as consumers, the shock has worn off, and we are not surprised to hear about such breaches. But businesses cannot be so cavalier—the courts require vigilance in the protection of data.

As we have reported on our blog, multiple lawsuits arose shortly after Target’s announcement, resulting in the consolidation of all federal cases into In re: Target Corp. Customer Data Security Breach Litig., which involves claims brought by financial institutions on one hand, and by consumers on the other.  Just last month, the District of Minnesota ruled largely in favor of the financial institutions on Target’s motion to dismiss, allowing their claims that Target failed to maintain adequate security systems to proceed.

Just in time for the holiday season, the now famous Sony breach (which, in part, resulted in the cancellation of most theater showings of the movie “The Interview”) has triggered at least five class-action complaints filed in California federal court against Sony Pictures Entertainment, Inc.  The hacking incident allegedly exposed volumes of confidential emails, Social Security numbers, and salary and medical information of Sony’s former and current employees.  The gist of the complaints is that Sony, despite being aware that hackers were able to breach its system, “failed to develop, maintain, and implement internet security measures on its corporate network,” and this led to the catastrophic data breach that one complaint calls an “epic nightmare.”  Just last week at the Consumer Electronics Show, Sony’s CEO, Kazuo Hirai, described the hack, noting that Sony and its current and former employees “were the victim[s] of one of the most vicious and malicious cyber attacks in recent history.”

The class action filed in Los Angeles Superior Court also blames Sony for its decision regarding “The Interview,” since the film allegedly sparked the ire of hackers who were not pleased with the subject matter (a planned talk show assassination of North Korea’s leader, who was heavily parodied).  In addition to its limited theatrical release, it was recently reported that the film has earned over $30 Million in online and on demand sales.

It is too early to predict the outcome of these actions, but it is likely that the federal complaints regarding Sony will ultimately be consolidated.  As with most data breach cases, we anticipate heavily briefed motions to dismiss on standing and other grounds.  We will, of course, track these cases and provide updated reports as developments unfold.

State Law Claims Viable For Violations of HIPAA

In a recent opinion, the Connecticut Supreme Court determined that state law claims based on violations of the Health Insurance Portability and Accountability Act (HIPAA) were viable.

The plaintiff in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (Conn. 2014) was involved in a paternity suit and requested that the defendant, her medical provider, not produce any records to her former lover.  However, the defendant was served with a subpoena from the ex-lover, and produced the documents to the court without plaintiff’s knowledge.  See id. at 437.  The plaintiff sued the medical provider after she began experiencing harassment from her ex, who was able to review the medical records.  See id.  In the four-count complaint, the plaintiff alleged breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress.  See id. at 438-439.  In particular, she alleged that the defendant violated HIPAA by producing medical records without authorization.

The court determined that “the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.  As the plaintiff aptly notes, one commenter during the rulemaking process had raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.”  Id. at 453.  Accordingly, the court found that HIPAA did not preempt state law claims for alleged breaches of confidentiality.  See id. at 459.  However, the court declined to decide, as a matter of law, whether the defendant was negligent in producing the medical records, and remanded to the trial court for further proceedings.  We will continue to provide updates in this case.

Privacy Class Action Dismissed for P.F. Chang’s

P.F. Chang’s has a reason to celebrate this holiday season: a judge recently dismissed a data breach class action lawsuit against the restaurant chain because the two plaintiffs failed to describe any injury for which relief could be granted. The ruling itself is available here.

In the action, the plaintiffs John Lewert and Lucas Kosner filed a class action complaint against P.F. Chang’s arising from a data breach involving theft of customers’ credit card and debit card data. The plaintiffs alleged that P.F. Chang’s had failed to comply with reasonable security standards. One report estimated that nearly seven million cards were compromised as a result of the breach, which dated as far back as September 18, 2013.

Following the discovery of the data compromise by the U.S. Secret Service, P.F. Chang’s confirmed that identity thieves had used personal identifying data to steal individuals’ identities and, among other things, open financial accounts and receive government benefits under those names.

In the lawsuit, the plaintiffs had alleged that they incurred several types of damages in that they overpaid for products/services purchased from P.F. Chang’s, which included overpayment for putative compliance with industry standard measures for the collection and safeguarding of personally identifiable information. The plaintiffs also claimed that they had suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. The plaintiffs further claimed damages arising from costs associated with identity theft and the increased risk of identity theft, and claimed opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards.

In ruling on P.F. Chang’s motion to dismiss, the court did not dispute that customers’ credit card information was stolen in the security breach. However, the court relied on authority that a possible future injury resulting from the release of data is not a present injury in fact. Accordingly, the court ruled that the plaintiffs had suffered no injury, and it found unconvincing the argument that the plaintiffs had been overcharged, since there was no indication that P.F. Chang’s had charged more to people who paid by credit or debit card than to those who paid in cash.

The court also ruled that there was no economic injury involved with the time the plaintiffs incurred to replace any credit card and so no opportunity costs or damages arose from this aspect.  Finally, the court held that a party cannot manufacture standing unless they can show that the harm of identity theft is imminent. The court found that the potential threat of identity theft was eliminated after the customers in this case cancelled the cards that were involved in the security breach.

This ruling is being appealed to the Seventh Circuit. We will continue to monitor the impact of this ruling on future data breaches involving similar factual and legal issues.

Image courtesy of Flickr by Mark Crawley

Update: Manuel Noriega, Lindsay Lohan Take Aim at “Call of Duty,” “Grand Theft Auto” Video Game Makers

The Superior Court of California has granted Activision’s motion to dismiss Noriega v. Activision/Blizzard with prejudice pursuant to California’s anti-SLAPP statute.

In its October 27, 2014, decision, the court explained that the defendant’s use of former Panamanian dictator Manuel Noriega’s likeness in the video game “Call of Duty”  was de minimis and the character was transformative.  In this regard, the court determined the character created for the video game was more like “the defendant’s own expression rather than the celebrity’s likeness.”

The court also distinguished this lawsuit from the No Doubt v. Activision lawsuit, where the “characters” were really lifelike depictions of the rock band in the “Band Hero” video game.

We will continue to monitor case developments and courts’ treatment of anti-SLAPP, First Amendment and other defenses in these types of cases, including a watchful eye on Lindsay Lohan’s similar “Grand Theft Auto” suit in New York.

Manuel Noriega, Lindsay Lohan Take Aim at “Call of Duty,” “Grand Theft Auto” Video Game Makers

Recent high-profile case filings demonstrate the trend of using traditional privacy laws in the context of today’s high-tech world.  A lesson learned from such filings, and to be learned as the cases progress, is that to avoid potentially costly litigation one must exercise an abundance of caution before using a person’s likeness, or even a close parody, in commercial activities.

In July, former Panamanian dictator Manuel Noriega sued Activision Blizzard, the maker of the popular game “Call of Duty,” in a California Superior Court.  In the complaint, Noriega claims Activision misappropriated his likeness and portrayed him as “a kidnapper, murderer and enemy of the state.” While Noriega resides in a Panamanian prison for, among other things, money laundering and murder, the game suggests he is “the culprit of numerous fictional heinous crimes.”  The complaint also lists violations of the right of publicity, unjust enrichment, and unfair business practices and seeks unspecified damages.

Under California Civil Code §3344, it is a violation to use a person’s likeness in products without consent.  Violators are liable for actual damages sustained and “any profits from the unauthorized use that are attributable to the use.”

Former New York Mayor Rudy Giuliani is one of the attorneys representing Activision and, on September 22, the defense filed a special motion to strike under California’s anti-SLAPP statute, California Code of Civil Procedure §425.16, which protects a defendant who has been sued over protected speech.  In particular, the defense maintains that were Noriega to succeed, it would hinder numerous artists and writers from being able to use historical figures in their creative works.

Noriega’s suit comes on the heels of an action Lindsay Lohan filed in New York against Take-Two Interactive and Rockstar Games, the makers of “Grand Theft Auto V.”  In the June complaint, Lohan alleges the defendants used “her image, likeness, clothing, [and] outfits” and that the “Lacey Jonas” character plot line tracks Lohan’s real life events.  Portions of the game take place at Chateau Marmont, an LA hotspot Lohan and other celebrities frequent – though Lohan was banned for failing to pay a $46,000 bill.

Based on these alleged similarities, Lohan sued for violation of her right of privacy under New York Civil Rights Law § 51.  (In New York, there is no common law right of publicity.)  To prevail, Lohan must prove the defendants used her name, picture, or voice for advertising purposes within the state of New York without consent.  In August, the game makers filed a motion to dismiss and requested sanctions asserting Lohan’s claims are frivolous.

These are not the first instances of “celebrities” suing a video game maker for using their image without permission.  In 2012, No Doubt, a popular rock band, settled with Activision after the company allegedly used its likeness in the video game “Band Hero.”  Earlier this year, Electronic Arts, another video game maker, settled two lawsuits with former NCAA athletes for $60 million following an appeals court determination that a video game maker has no right to use their likeness without permission or compensation.  More than 100,000 athletes were estimated to share in the proceeds.

Given these trends that push the boundaries of privacy, there are surely more cases to come and we will keep a watch and report on new developments.