Hacking Major League Baseball

The FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros’ internal networks. This appears to be one of the first suspected cases of corporate espionage relating to a professional sports team hacking the database of another team.

According to numerous reports, FBI investigators appear to have uncovered evidence that the Cardinals breached the Astros’ databases, and one database in particular known as “Ground Control,” to obtain information and internal discussions about trades, proprietary statistics and scouting reports. This information could be used for a variety of purposes including knowing what players are being scouted, the team’s scouting methods and other proprietary information of the team.

Reports also indicate that the attack may have been launched to cause problems for Astros’ general manager Jeff Luhnow, who left the Cardinals in 2011. According to some reports, the Cardinals’ officials were concerned that Luhnow may have taken the team’s proprietary information to the Astros. Speculation is that the Cardinals may have simply tried a series of passwords (Luhnow has denied that he used similar passwords while working for the two teams) until they were able to gain access to the Astros’ network. Whether true or not, this is another example of why passwords should not be recycled or used universally across different platforms and applications. Rather, users should use different passwords, mix uppercase, lower case and symbols.

We will continue providing updates to the investigation of the House of (the) Cards, as they occur.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona, and eight other former Sony employees whose personal information was stolen, filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6, and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed the plaintiff’s negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, that there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim as the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims for violation of the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit, even though they were prophylactic in nature because they were reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.

New Law to Restrict New York City Employers from Considering Credit History

On April 16, 2015, the New York City Council overwhelmingly passed a bill that prohibits employers from using consumer credit history in hiring potential employees. Mayor Bill de Blasio signed the bill into law on May 6, 2015, which means the law goes into effect on September 3, 2015.

The proposed legislation, called the Stop Credit Discrimination in Employment Act (“Act”), will affect companies that consider consumer credit history (whether by credit report or otherwise) in making hiring decisions. It also bans the use of credit history for any employment purpose, not just for hiring. An employer could therefore not base any decision affecting, for example, compensation or the terms or conditions of employment on credit history.

It is important to note that, although this Act uses terms like “consumer credit reports,” it should not be confused with “consumer reports” that many may be familiar with from the federal Fair Credit Reporting Act, which can include all forms of background checks (though, unlike the Act, only if done by a third party). The scope of information covered by the Act is much more limited and truly only covers credit-related information.

The Act does not, however, apply in all circumstances. It contains several exemptions. It does not apply to:

  • employees required to possess security clearance under federal or state law;
  • employees required to be bonded under City, state, or federal law;
  • employees with signatory authority over third-party funds or assets valued at $10,000 or more;
  • employees with a fiduciary responsibility to their employer and authority to enter into agreements valued at $10,000 or more;
  • police officers;
  • employees at the department of investigation in a law enforcement position or who perform an investigative function;
  • certain employees subject to background investigation by the department of investigation;
  • non-clerical employees with access to trade secrets, intelligence information, or national security information; and
  • employees with authority to modify the company’s digital security systems.

Although ten states and the City of Chicago also ban employers from checking the credit history of job applicants, the proposed legislation for New York City is broader. For example, eight of the other jurisdictions exempt financial institutions, which the New York City legislation does not do.

The Act does not specify penalties or damages for using credit history in making an employment decision. Instead, the bill modifies the New York City Human Rights Law, Section 8-101 et seq. of the Administrative Code of the City of New York. The Act thus effectively creates a new “protected class” and allows a private cause of action for discrimination against an employer that uses such information. An employer found liable for using credit history in making employment decisions would consequently be treated the same as one engaging in an unlawful discriminatory practice on the basis of age, race, national origin, gender, and the like. These damages are among the broadest of all employment discrimination protection statutes and include the potential for back pay, front pay, unlimited compensatory damages, and unlimited punitive damages.

Attorneys in Gordon & Rees’s New York Employment Practice Group are available to assist employers with any questions or concerns regarding the above.

Privacy and Security on the Internet of Things

Like it or not, technology is becoming inextricably entwined with the fabric of our lives. Our cars, our homes, even our bodies, are collecting, storing and streaming more personal data than ever before. In 2015, Gartner, Inc. forecasts the number of connected “things” will reach 4.9 billion, up 30 percent from 2014. By the year 2020, that number is expected to reach 25 billion.

We are moving toward a world where just about everything will be connected. Yes, this will include smartphones, computers and tablets. It will also include everyday objects like car keys, thermostats and washing machines. Google is even developing ingestible microchips that could serve as “electronic tattoos.” This disruptive shift, known as the Internet of Things (IoT), will be a powerful force for business transformation. Soon all industries and all areas of society will be impacted directly by the transition.

As companies evolve to adapt to meet the consumer expectations in this new uber-connected world, they must be aware of the risks involved. No, I’m not talking about machine turning on man in a Terminator-like scenario. But make no mistake, the challenges and risks for both businesses and consumers are no less scary than a shape-shifting cyborg.

In the rush to jump into this connectivity, companies will face multiple considerations. Strategic decisions might involve an upgrade in technology, a move to cloud-based storage, or network integration of all new products or services. However before taking any action, it is essential to weigh the privacy and security risks that go hand in hand with the collection of personal data.

While data breach might be the first risk that comes to mind, there are a number of legal issues that could become major problems if not addressed.

Data Security

The IoT will create massive amounts of data that will necessarily be linked to personal identifying information to be useful. Employees, customers and affiliates will be interacting with countless devices all day long, usually without being aware they are doing so. There will be many new and perhaps unforeseen opportunities for data breaches.

Unintended Consequences

Designers and manufacturers of devices for the IoT may be accountable for unintended consequences. We have already seen instances of persons taking over video cameras connected to computers to “spy” on people. It’s not a stretch to think that these spies will also monitor devices connected to the internet to find out when a home is unoccupied.

Liability

The IoT will rely on devices to perform many tasks that are now subject to the risks of human error. Even with the best of designs there will be issues of where liability falls when, for example, a self-driving car or some other automatous device malfunctions or is otherwise involved in an untoward outcome. There will likely be an evolving body of law establishing the allocation of fault in such circumstances.

Regulation

The federal and perhaps state governments will regulate the IoT. Such regulations will impact how organizations design and use IoT devices. As in other fields, regulation can both strengthen and impair an organization’s position in its market. Proactively addressing such issues can save an organization considerable expense and allow it to better control its risk.

Companies and organizations must plan for the regulations, potential liabilities, and consumer privacy issues related to the IoT now to avoid crippling legal nightmares later. In the absence of regulations, corporations will need to be cognizant of the need to self-regulate by developing and enforcing an effective set of best practices. While the “Internet of Things” may sound futuristic, in reality… the future is now.

Leon Silver is a co-managing partner at Gordon & Rees’ Phoenix office, Chair of the firm’s Retail & Hospitality Practice Group and a member of the firm’s Commercial Litigation, and Privacy & Data Security Practice Groups. Andy Jacob is a member of the Appellate and Commercial Litigation Practice Groups.

Data Privacy and Security Meets the Legal Industry

Huron Legal has recently reported that law firms are getting smarter about addressing data privacy and security issues. Aside from the efforts these law departments, law firms, and other service providers are making to protect sensitive and confidential data, the overall focus on privacy and recent data breaches is affecting the legal sector just like any other sector. According to the article, the four biggest trends in data privacy in the legal industry are the following:

  • Law Firms as Clients: As law firms become increasingly more involved with privacy issues, they are becoming more sophisticated consumers of external legal services. They are placing the information governance practices of vendors and third party legal service contractors under much greater scrutiny than ever before.
  • Opportunity Versus Threat: Although one could expect to see more pushback from law firms on newer stringent data security requirements, instead law firms seem to be responding to these heightened client demands and seeing them as a differentiator when competing for business. Demonstrating an ability to deal with sensitive and often high-value matters from an information perspective makes good business sense.
  • Privacy by Design Vendors: Legal vendors are largely playing catch-up in data privacy issues. For a long time, the tools they provided for legal services were narrow. But now legal vendors need to rise to the same challenge. Additionally, these vendors need to design both the software and processes with privacy in mind. This includes considering the “privacy by design” principles before they become hindrances to the sale of services.
  • Data Privacy Moves Fast: The most important consideration when dealing with privacy and security is understanding that it is an evolving field. Since the definitions and laws are changing, both within the U.S. and abroad, everyone in the legal industry needs to be prepared for change and to be flexible. The laws today may be different in two years, so planning with that in mind is critical.

The full article is here. Our Privacy & Data Security Group will continue to monitor the implications of privacy issues within the legal services sector.

FCC Fines Prompt AT&T to “Zealously Guard” Customers’ Personal Information

On April 8, 2015, the Federal Communications Commission (“FCC”) announced its largest ever data security settlement requiring AT&T to pay $25 million to resolve an investigation into data security breaches at its call centers in the Philippines, Mexico, and Colombia. AT&T’s privacy violations involved the unauthorized disclosure of the names, full or partial Social Security Numbers, and other protected customer proprietary network information (“CPNI”) of nearly 280,000 U.S. customers.

The initial focus of the FCC’s investigation was a 168-day long breach beginning in November 2013 at AT&T’s call center in Mexico where thousands of customer accounts were accessed and sold without authorization. The buyers, who were likely trafficking stolen cell phones, submitted nearly 291,000 handset unlock requests to AT&T’s Mexico call center. Similar breaches occurred in Columbia and the Philippines, where a combined total of approximately 211,000 customer accounts were accessed without authorization.

In response, the FCC brought charges of violations of Sections 222 and 201(b) of the Communications Act (the “Act”) against AT&T for failure to timely report the breaches. Section 222 of the Act requires companies like AT&T to take every reasonable precaution to protect customer data, including CPNI, and to take reasonable measures to discover and report attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.” Section 201(b) of the Act prohibits unjust and unreasonable practices.

4-28AT&T notified law enforcement of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation, and several months after the actual breach. In an effort to mitigate the breach, AT&T notified victims of the breach and the California Attorney General, terminated its relationship with the Mexico call center, mandated the uniform use of partial social security numbers in all call centers, and developed new customer account monitoring and phone access/unlock policies.

The FCC settlement also mandates the implementation of a permanent, strict compliance plan that requires AT&T to:

  1. designate a senior compliance manager who is a certified privacy professional;
  2. complete a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
  3. implement an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
  4. prepare a compliance manual to be distributed to all covered employees and vendors; and
  5. regularly train employees on its privacy policies and applicable privacy legal authorities.

AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.

The FCC has taken the position that phone companies are expected to “zealously guard” their customers’ personal information and that the FCC “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” This position tracks the trend of active enforcement of consumer data security breaches over the past year. To that end, companies in possession of CPNI and other protected customer information should heed the Agreement and “look to [it] as guidance” for protecting customer information and avoiding liability under Sections 222 and 201(b) of the Act.

We expect that other telephone companies/carriers will continue to evolve and implement heightened security measures in response to this settlement, and the FCC will surely investigate those companies who are not in compliance.

Image courtesy of Flickr by Michael Weinberg

Target Ends Dispute With Mastercard Over 2013 Data Breach

Following the highly publicized data breach affecting Target retail stores in 2013, the retail giant has agreed to pay up to $19 million to MasterCard credit card issuers worldwide to compensate them for the costs of canceling accounts, creating new accounts, and issuing new cards. MasterCard is urging card issuers to accept the deal, which calls for Target to pay the card issuers by the end of the second quarter.

In late 2013, Target suffered a massive data breach in which 110 million customer records were stolen, which included 40 million credit card numbers. In an attempt to be proactive, Target informed financial institutions about credit cards that may have been compromised and offered free credit counseling to its consumers to combat the onslaught of litigation that was to follow. As a result of the breach, which was highly publicized, many other retail establishments became victims of their own data breaches, spurring numerous lawsuits nationwide.

Apart from individual consumers filing class action lawsuits across the country against Target, credit card issuers, which include banks, credit card companies, and other financial firms, incurred hard costs of cancelling accounts and issuing replacement cards with new account numbers. While individual consumers filing data breach lawsuits had to overcome Clapper in arguing that an injury-in-fact did occur instead of speculative damages, credit-card issuers and financial institutions had actual damages to move forward on their claims. As a result, Target has negotiated a deal only with MasterCard to this point.  It is possible that Target is also negotiating a similar agreement with Visa.

Image courtesy of Flickr by Mike Mozart

Speedy Internet May Cost You More Than Money

On March 30, 2015, AT&T offered its “GigaPower” service to Cupertino, California. It is currently offered in a handful of cities across the United States (Austin, Dallas, Fort Worth, Kansas, Raleigh-Durham, and Winston-Salem) with ten other planned metro areas. GigaPower is promoted as Internet service with “[b]lazing-fast speeds up to 1Gbps,” allowing the user to download twenty-five songs in one second, an HD television show in three seconds, and an HD movie in thirty-six seconds.

The price tag for this super-speed is either $139.00/month, or $110.00/month plus allowing AT&T to monitor your Internet browsing. Thus, AT&T’s customers will have to choose whether to allow such monitoring or in effect pay $29.00 for their privacy. AT&T’s “Internet Preferences” analytics program monitors all activity in order to use that information to target its customers with personalized advertisements, for which it can then charge advertisers. According to an AT&T spokesperson, opting out of the Internet Preferences program will ensure that the customer does not receive targeted ads, but AT&T’s privacy policy still allows it to collect information on its customers’ web activity for certain purposes. AT&T has stated that the benefits of these ads are that AT&T can keep its prices from rising, and since all the data is maintained in-house, it will not sell its customers’ information. AT&T claims that the “vast majority” of its customers have opted to participate in the Internet Preferences program.

This comes on the heels of the recent battle over net neutrality which resulted in the Federal Communications Commission’s February 26, 2015 adoption of “Open Internet” rules. These rules seek to “protect and maintain open, uninhibited access to legal online content without broadband Internet access providers being allowed to block, impair, or establish fast/slow lanes to lawful content.” Given that the federal government has determined that service providers cannot charge web users or websites for entry onto an Internet superhighway “fast” lane, it is unlikely that AT&T will be the only Internet service provider to start charging to maintain its customers’ privacy.

Our Privacy & Data Security Group will continue to monitor the implications of AT&T’s recent offering in this regard.

Image courtesy of Flickr by Mike Mozart

In Highly Watched Case, U.K. Court Allows Google-Safari Consumer Privacy Case to Proceed

A March 27 U.K. Appellate Court ruling against Google could have significant implications in the U.K., and potentially serve as persuasive authority in other jurisdictions, as the international community continues to implement and interpret consumer protection laws with respect to data privacy.

Three years ago, Google, Inc. agreed to pay $22.5 million to settle a privacy suit filed by the Federal Trade Commission (FTC) in the United States District Court of the Northern District of California. The FTC alleged that Google collected personal information from users of Apple, Inc.’s Safari web browser, despite representing to those users that it would not collect their data unless they consented to the collection.

According to the FTC, despite Google’s representations, the company exploited an exception to Safari’s default browser settings, allowing it to place a temporary cookie on the users’ computer. Thereafter, Google would use the temporary cookie as a way of placing more permanent advertising tracking cookies. The FTC charged that Google’s misrepresentations and continued use of targeted advertising to Safari users constituted a breach of a previous settlement agreement between the FTC and Google, in which Google agreed not to misrepresent the extent to which consumers can exercise control over information collection.

In a similar suit filed in 2013 in the U.K., a group of Safari users alleged that Google violated their data privacy rights by using the same method—what the United Kingdom Court of Appeal called the “Safari Workaround.” Google appealed an adverse ruling in a lower court, and argued to the U.K. Court of Appeal that (1) the users cannot bring a claim against Google under U.K.’s Data Protection Act (DPA) because they did not suffer any financial harm and (2) that Google was unaware that it was tracking the users’ information.

Last week, the U.K. Court of Appeal rejected both of Google’s arguments, holding that a claim under the DPA is not limited to only financial injuries, and that Google undoubtedly “became aware of it during the relevant period but chose to do nothing about it until the effect of the ‘Safari Workaround’ came into the public domain[.]”

We will be keeping a close eye on application of this ruling, and any ripple effects elsewhere as global privacy protections evolve.

Image courtesy of Flickr by Carlos Luna

Oregon: Proposed Privacy Legislation Changes

The State of Oregon Legislature has recently drafted changes to existing statute (ORS 646A.622) as relating to consumer personal data protections.

The amended legislation encompasses enforcement of safeguards required for consumer personal data and creates new provisions relating to standing/damages. Most noteworthy, the proposed amendment establishes a private right of action for a consumer who suffers ascertainable loss of money or property as result of a failure to maintain reasonable safeguards to protect security, confidentiality and integrity of that consumer’s personal information.

If passed, the new regulation takes effect on January 1, 2016.

For a copy of the proposed changes to ORS 646A.622, please contact our Privacy & Data Security Group.