September 2, 2014

Cybersecurity Alphabet Soup: The CDC, FTC, R-CISC, and RILA. What's The Best Way To Protect Your Customers' Data?

sunrise-963348-m.jpgThere was an interesting article in Wired.com, the magazine, recently that put a new twist on an old topic: What's the best way to make sure the internet, and all of the information that travels on it every day, is safe? How do you really make cybersecurity, secure? After all, the safer the information, the more secure people will feel, and the use of the web, for everything from e-commerce to portable electronic healthcare records, will grow. The flip-side is just as true: the more hacks, hackers and data-breaches, the slower the pace of progress. The good will be harder to come by if the bad is hard to avoid.

Peter W. Singer, who wrote the article, entitled, "How to Save the Net: A CDC for Cybercrime," which was posted on 08.19.14, 6:30 a.m., proposes an interesting idea.

The CDC, otherwise known as the Centers for Disease Control, is much in the news recently. Chances are, if you've seen news stories about the Ebola outbreak in West Africa, or the MERS outbreak earlier this year, the CDC has come up in more than just passing. It's the clearinghouse for health related information, combating communicable diseases, the world over. There was just an article, by Betsy McKay, Nicholas Bariyo, and Drew Hinshaw, that appeared in the August 23-24, 2014 Weekend Edition of the Wall Street Journal in the Review Section, which talks about the invaluable help the CDC gave to another country that used to be at risk of virulent Ebola outbreaks. Uganda used to send blood samples to the CDC's facilities in Atlanta, to be screened for Ebola. Now, thanks to technology and training the CDC provided, Ugandans do the same for themselves, in country, which lets them detect outbreaks of the deadly virus sooner, respond to them quicker, and stop them before they do large scale damage.

A central clearinghouse for ideas, both proven and proposed, to safeguard digital information seems like a good idea. Having a one size fits all approach, in which the government entity is the one upon whom everyone fighting the problem relies, may not be. That's not really even the job the CDC is doing with Ebola.

Look at how the Federal Trade Commission is policing cybersecurity: the whole point of the its Reasonable Precautions cybersecurity standard, and its enforcement, and codification, on a case by case basis, is that "Reasonable Precautions" become reasonable, or not, based on the particular facts of a given situation. What might be the right protection for digital information exchanged between wholesale distributors and retailers, might not be sufficient to protect information between retailers and consumers, and that in turn might not be enough to safeguard patients' healthcare histories when they are exchanged among medical providers. What might be a commercially reasonable effort to safeguard information in one industry, might not be in another.

The FTC encourages individual companies, and the industries in which they compete, to voluntarily join together to ensure data security. By making the terms Industry Standard Practices and Commercially Reasonable Efforts mean something substantive, companies can protect themselves against FTC enforcement actions for lax data security, as we've previously noted. Look no further than the April 7, 2014 decision of U.S.D.J. Esther Salas, in The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants, Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey, to see why. If a company can't figure out what the FTC wants it to do to protect its customers' data, then it should create, and live by, Industry Standard Practices which will become Commercially Reasonable Efforts if all the major companies in the industry implement them. Many companies already say they do this anyway, right in their privacy policies. Instead of meaningless legal verbiage, make the terms mean something concrete; show they can work, and the FTC will have little to complain about, even if those efforts occasionally fail. Some of the most vulnerable industries, including retail, are banding together to do just that.

The Retail Industries Leaders Association, or RILA, as we previously noted, formed a voluntary clearinghouse, known as the Retail Cyber Intelligence Sharing Center, or R-CISC, to develop and share industry leading practices in cybersecurity, by communicating amongst themselves information they learn regarding threats and defenses. The reported backers of the initiative have put in a lot of effort: they've conferred with cybersecurity experts and involved interested government agencies. They also have a lot at stake: credit cards and financial information are common targets; just ask the RILA members.

One main benefit of a CDC for the wired world, according to Peter W. Singer, is the trust and confidence it will bring to all those who rely on it. By bringing the best and brightest together under one centralized government-funded roof, it would allow users to know that independent experts, with their best interests in mind, were on the job, fighting off the bad guys. That's a good thing; but is that the only way to achieve it?

What if the businesses which hold their customers' information on line were held accountable for not doing enough to protect that data? What if they faced the loss of business, and profits, as well as a government enforcement action, if they didn't do enough? What lengths would they go to in order to keep their customers' trust?

If you look at some quotes in the RILA press release, from the people involved in forming the R-CISC, you'll see that trust is a recurring theme there, too:

Continue reading "Cybersecurity Alphabet Soup: The CDC, FTC, R-CISC, and RILA. What's The Best Way To Protect Your Customers' Data?" »

August 22, 2014

Old Cases, Same Rule: Experts' Affidavits In Opposition To Motions For Summary Judgement In New York.

mountain-haze-1130128-m.jpgWe spent our last entry talking about when a trial court faced with a motion for summary judgement can consider an affidavit from an expert even though the expert was not disclosed until after the Note of Issue and Certificate of Readiness were filed. The answer, more often than not, at least in the Appellate Division, Second Department in New York: When the expert makes a difference by establishing the existence of a material issue of triable fact. See Rivers v. Birnbaum, 102 A.D.3d 26, 953 N.Y.S.2d 232 (2nd Dept. 2012), and Begley v. City of New York, 111 A.D.3d 5, 972 N.Y.S.2d 48, 72 (2nd Dept. 2013), leave to appeal denied, 23 N.Y.3d 903, 988 N.Y.S.2d 130 (2014).

Rivers v. Birnbaum, supra, and Begley v. City of New York, supra, were not the actual sea changes they might appear to be at first. Though important decisions, the rule they enunciated was applied in many cases before they were decided and the ones in which it was not applied were the exceptions that proved the rule.

King v. Gregruss Mgmt. Corp., 57 A.D.3d 851, 852-53, 870 N.Y.S.2d 103 (2nd Dept. 2008), was a personal injury action in which the plaintiff was injured when he tried to cut open a steel drum containing windshield washer fluid with an electric saw. The Second Department held that the trial court should not have considered the affidavit from the plaintiff's expert in opposition to the defendants' various motions for summary judgement and should have precluded the expert from testifying at any stage of the proceedings.

The expert in King v. Gregruss Mgmt. Corp., supra, undoubtedly would have made a difference. It just appears that there was no way to verify the facts on which his opinion was based and his testimony actually was more about basic, critical, and unverifiable facts, than scientific opinion. All told, the case is a fine example of a plan too smart by half, and illustrative of the type of behavior that more often than not will be penalized, if for no other reason than it should be. It is that behavior, more than the simple late disclosure of the expert, which prevented the expert's affidavit from being considered:

Continue reading "Old Cases, Same Rule: Experts' Affidavits In Opposition To Motions For Summary Judgement In New York. " »

August 20, 2014

What a Difference a Triable Issue of Fact Can Make: The Use of Experts to Oppose Motions for Summary Judgement in New York, Revisited.

case-ilustration-1015897-m.jpgIt has been some time since we last spoke about the use of experts to oppose motions for summary judgement in New York. The topic, however, is still relevant. Some continue to believe there is a hard and fast rule, at least in the Appellate Division, Second Department, which forbids a trial court from considering an affidavit from an expert unless the party offering the expert's affidavit served full expert's disclosure pursuant to CPLR 3101(d)(1) prior to the filing of the Note of Issue and Certificate of Readiness or at least moved to vacate the Note of Issue and Certificate of Readiness if they had not served expert's disclosure by then. As we pointed out in our last entries on the subject, there is no such concrete rule and there never really was. A case that should go to trial most often does; it withstands a motion for summary judgement, unless the party who uses the affidavit nefariously refused to disclose the expert in time.

There have been a series of decisions that have clarified that this is the rule. The first was Rivers v. Birnbaum, 102 A.D.3d 26, 953 N.Y.S.2d 232 (2nd Dept. 2012). Another, more recent example, is Begley v. City of New York, 111 A.D.3d 5, 972 N.Y.S.2d 48, 72 (2nd Dept. 2013), leave to appeal denied, 23 N.Y.3d 903, 988 N.Y.S.2d 130 (2014), which is especially instructive because of the way it summarizes the reasons for the rule. It holds, in relevant part:

Continue reading "What a Difference a Triable Issue of Fact Can Make: The Use of Experts to Oppose Motions for Summary Judgement in New York, Revisited." »

August 8, 2014

How Learning About Play Can Help You Pick A Jury

swing-in-a-park-1351566-m.jpgHave you ever wanted to do absolutely nothing: nothing real, nothing hard, nothing serious, at least not for a little while? Maybe lie down on the beach, read a good book, go play a round of miniature golf with your family and friends? Just be a little silly, just a little?

Remember when you were a kid, when you had the summer to yourself, to do what you wanted when you wanted with whoever you wanted? Just go find some friends and play: a game of basketball, or stickball, or maybe a game of manhunt; whatever you and your friends decided to do, however you agreed to do it. You and your friends would make up the game, and maybe the rules as you went. You'd try to be fair, make sure everyone had a shot, but still try to win. It might have been a long time ago but it still was memorable.

Well maybe all fun and games aren't only fun and games after all. Maybe they're a necessary part of life that can tell you a lot about a person and how they interact with others, how they handle complex social interactions, get along with people and convince them to participate in activities. Maybe, just maybe, they also can help you pick a jury. Yes, this is a law blog, and yes, everything has to get around to the law sooner or later; though it sure is fun to think of being 14 again with the whole summer in front of you.

While driving to work the other day I heard an interesting story on NPR's Morning Edition. They were interviewing a Canadian researcher, a fellow by the name of Sergio Pellis. He was saying how important recess is to children; that countries that have more recess usually have students that perform better academically than those with less. It was more than just that, though: free play is what's important, and the reasons were fascinating.

Continue reading "How Learning About Play Can Help You Pick A Jury" »

August 6, 2014

Cybersecurity Update: Hackers' Gains, Target's Losses, and E-Commerce

crowbar-854266-m.jpgThere are a few recent news stories that business owners, fraud investigators, and consumers should be aware of. Though not necessarily related, they point out the ever-growing need to protect digital information and the consequences for those who do not. Cybersecurity, it seems, is something that will affect everyone, eventually.

The topic of the first story, unfortunately, is common; the numbers, thankfully, are not, though we should all hope they stay that way. According to an article by Danny Yidron in the Wall Street Journal, which was last updated at 2043 hrs Eastern Time on August 5, 2014, a gang of Russian hackers has amassed 1.2 billion stolen user names and passwords from approximately 500 million unsuspecting people. According to the private security firm that discovered the theft, Hold Security in Milwaukee, the hackers obtained the information from 420,000 websites, allegedly ranging from leaders in major industries to small businesses and personal websites. No measurable harm evidently has come from the theft, at least not yet. The hackers reportedly so far are using the data only to send spam messages on social media accounts. That doesn't mean the people whose information was stolen are free and clear: There is a growing trend in recent years, according to the report, where cybercriminals amass online credentials for later use. While that later use isn't specified, it shouldn't be all that hard to determine. Consumers, according to the report, often use the same user names and passwords across various websites. If a hacker learns a user name and password for one account, it's not that hard to imagine that the hacker also could gain access to the consumer's other accounts, including on websites that store, or have access to, the consumers' financial information, including credit card numbers.

In order to see the harm that was done already, merely because the hackers have the user names and passwords, you have to remember that just exposing your customers' confidential information sometimes is enough to trigger an enforcement action by the Federal Trade Commission to force businesses to take reasonable precautions to protect their customers' digital information. If you remember the LabMD case, which we already spent some time discussing, the FTC's claims of unfair or deceptive acts or practices in, or affecting, commerce, were directed against LabMD for allegedly inadvertently posting the confidential information of less than 10,000 individuals on a file sharing platform that was intended to share music files instead. During the FTC's administrative law trial against LabMD, it reportedly did not even plan to present any witnesses who were the victims of the alleged ID theft; exposing the information, allegedly, was enough.

We're not comparing the theft of user names and passwords to exposing confidential health information, which allegedly is what occurred in the LabMD case. Allowing the theft of user names and passwords could lead to some real trouble, though, especially if it leads to the theft of user financial information, such as credit card numbers. That leads straight to the second news story.

Continue reading "Cybersecurity Update: Hackers' Gains, Target's Losses, and E-Commerce" »

August 1, 2014

Partition Actions In New York II: When Do You Sell and When Do You Divide Real Property?

chocolate-biccie-759508-m.jpgIt's been a while since we last spoke about Partition Actions in New York. Though, perhaps, not well known, they are an important tool for anyone who owns real property as a tenant in common or as a joint tenant. A good example would be where you, along with some relatives, inherit a house. The house is yours, and theirs; each of you has responsibilities, to maintain, and pay the expenses for, the house. Likewise, each of you can try to have the house sold so you can split the proceeds. If some of the other owners balk at this, you can go to court to force the sale and equitably split the proceeds; that is, you can bring a Partition Action.

The last time, we went through the basics: who can bring a partition action and what they have to do in order to succeed. This time, well take a look at a more interesting aspect of a Partition Action: What do you have to show to make sure the real property gets sold, rather than split down the middle? Put another way, how can you try to make sure you get the cash out of the land rather than just be left with a smaller piece of land?

That a Partition Action can, in fact, partition real property between its various owners, is made clear by one of the most interesting cases you could come across, at least for a history buff in New York who knows what the Rockaways look like now, which is nothing if not built up, and listens to how they were then, 117 years ago: as open and expansive as Promised Land in Amagansett or Hither Hills in Montauk, with nothing from the Atlantic to Jamaica Bay. To see them then would have been awesome; to the people who owned this little patch of the Rockaways, they definitely were worth fighting over.

In Chittenden v. Gates, 18 A.D. 169, 173-74, 45 N.Y.S. 768, 770-71 (2nd Dept. 1897), the court, on appeal, upheld the lower court's order directing that this pristine land be split between the owners, rather than sold. The quote from the case is rather long, but worthwhile reading in its entirety, both for the law and the picture it paints of the land as it then existed. If you notice, the rule then is much as it is now; the title of the statute might be different, but the intent remains the same: the first choice is to divide the property, equally:

Continue reading "Partition Actions In New York II: When Do You Sell and When Do You Divide Real Property?" »

July 25, 2014

Antitrust, Anti-Steering Rules, and American Express: The Justice Department Pursues Unfair Competition In A Business Model

sunset-on-lake-purple-light-1406480-m.jpgUnfair competition is back in the news. The U.S. Justice Department sued American Express a few years ago for unfair competition in the credit card business. Since such things take time, the trial just began on Monday July 7, 2014. The issues, the accusations, and the justifications seem fairly familiar, especially when you recall the last big antitrust trial and the unintended consequences that followed. Whether the same thing will happen this time, though, is something only time will tell.

The last time, the Justice Department sued Apple, to prevent what it said was anti-competitive practices in the e-book business. As we previously wrote, these included the agency model, in which the publishers set the price of the e-book, and the seller, in this case Apple, takes a set percentage of that price; and most-favored nation clauses, in which the seller, is allowed to match its lowest competitor's price. Well, Apple lost, the Justice Department won, and, some would say, so did Amazon. Apple was trying to break into the e-book market and its job was made harder; Amazon was the dominant seller in the e-book business and some would say its job was made easier because it could use its market share to leverage ever better deals for itself and, it would say, for its customers, too.

This time, the Justice Department reportedly takes issue with American Express' rules that prohibit merchants that accept its cards from offering discounts or otherwise steering customers to use cards that are less expensive for the merchants to process. Credit card companies, it seems, make money by charging merchants a set percentage of the sales price for every sale made on one of their credit cards. These swipe fees vary and, reportedly, American Express cards have some of the higher ones. Merchants would be able to keep more of the purchase price if a customer used a credit card that had a lower swipe fee and they could give credit card customers a discount, some portion of the money saved, as an incentive. American Express evidently does not want that to happen because its customers presumably would have to pay more, i.e. not receive a discount or incentive, to use an American Express Card.

The government's position was summed up nicely in an article in the Wall Street Journal by Robin Sidel that was last updated on July 3, 2014 9:01 a.m. ET:

Continue reading "Antitrust, Anti-Steering Rules, and American Express: The Justice Department Pursues Unfair Competition In A Business Model " »

July 14, 2014

Insurance Against The FTC's Claims of Deceptive Acts and Practices: Developing Your Own Industry Standards For Data Security

3rd.Small.2nd.IMG_20140713_170245 - Copy.jpgWe have been discussing what businesses can do to protect against the Federal Trade Commission commencing an enforcement action against them for allegedly failing to take reasonable precautions to ensure the safety of their customers' private data, such as financial information, dates of birth, social security numbers, and even health records: Develop, and implement, industry standard, and commercially reasonable, data security practices. This time, we will see just how effective those efforts are by, in effect, asking Target.

What makes such Industry Standard Practices and Commercially Reasonable Efforts so promisingly effective is that:

  • They were approvingly cited as source of guidance as to what a business must do to properly protect its customers' data, by the court in the case entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. This was the same case which approved the FTC's right to police data security practices.
  • Many businesses use those terms in their posted privacy policy.
  • The FTC already has demonstrated a willingness to allege deceptive acts or practices against companies that claim they follow Industry Standard Practices and take Commercially Reasonable Efforts to ensure data security but nevertheless suffer data breaches. This is what the FTC did in the Wyndham case. The FTC, in effect, will see a data breach; examine how it happened; determine that the precautions the company took to safeguard the data were inadequate and therefore did not meet Industry Standards or amount to Commercially Reasonable Efforts; and claim that the company deceived their customers by putting those terms in their privacy policy without abiding by them.
  • Companies can define, on their own, what Industry Standard Practices and Commercially Reasonable Efforts, actually mean, for their business and their customers

Some companies, and industries, have gone to great lengths to define Industry Standard Practices and Commercially Reasonable Efforts for themselves. We previously pointed out the extraordinary data security efforts leading retailers were taking to protect the safety of their customers' sensitive, private information; how they were sharing information, between themselves and governmental agencies, and collaborating with outside experts, to develop industry standard practices in data security; how they established an independent entity, the Retail Cyber Intelligence Sharing Center, or R-CISC, to do exactly that. We also examined a benefit of, if not the actual reason for, the retailers' efforts: To protect themselves.

Retailers seem to be some of the most tempting targets of data security breaches. They handle large amounts of their customers' financial information every day. Credit and debit card numbers are perhaps the most inviting targets because they are so lucrative and can be turned into illicit gains so quickly by cyber-criminals. Here are some facts which might put the retailers' efforts into perspective:
.

Continue reading "Insurance Against The FTC's Claims of Deceptive Acts and Practices: Developing Your Own Industry Standards For Data Security" »

July 8, 2014

Industry Standard Practices: What Your Business Can Do To Comply With The FTC's Data Security Standard; Part II

run-the-race-1415400-m.jpgWhat, exactly, should your business do to protect itself from a Federal Trade Commission enforcement action for failing to use reasonable precautions to ensure data security for your customers' sensitive, private information? In our last post we discussed the difficulty involved in complying with a standard for which no specific regulation has been promulgated; the statute which forms the basis of the standard is amorphous, especially when applied to data security; and the binding case law to which it is recommended that you turn, is nascent, if not non-existent. In this post, we will examine what businesses can and are doing to protect themselves, by taking what little guidance is available and making it work, on their own.

Perhaps the best guidance as to what your business must do comes from the Wyndham case we have spent so much time analyzing, which officially is entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. The April 7, 2014 decision of U.S.D.J. Esther Salas, which denied the motion to dismiss brought by one of the defendants, Hotels and Resorts, went to great lengths to point out the available sources of guidance in the absence of specific regulations for data security requirements. In our last article, though, we pointed out the problems of relying for guidance on some of the sources recommended by the court: inchoate case law, which is in its infancy and, at best, incomplete, and on a statute designed to leave a regulatory agency significant flexibility to assert its enforcement power, and which was enacted before the need for data security, or cybersecurity, even was conceived.

The other sources of guidance referred to by the court in the Wyndham case include the FTC's public complaints, consent agreements, business guidance brochure, and public statements. Even the court, however, admitted those are not controlling, but are only persuasive, authority.

The last sources of guidance approvingly mentioned by the court in the Wyndham case are industry standard practices and commercially reasonable efforts to ensure data security. If a business, or group of businesses, can define those terms, so that they actually mean something concrete, then they should be effective in defending against claims that a business did not go far enough to ensure the security of its customers' data.

Banding together to share information regarding threats and cybersecurity best practices, it seems, is exactly what some very well-known companies are doing. As we have previously written:

On May 14, 2014, the Retail Industry Leaders Association, with the reported backing of companies such as American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe's Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company, announced a joint effort to share information regarding cyber-threats and security. Named the Retail Cyber Intelligence Sharing Center, or R-CISC, it is designed as a way to allow retailers to enhance cybersecurity by sharing information about, and developing means to protect against, such threats.

The retailers' emphasis on developing industry-wide best practices for data security is clear from their 5.14.14 press release, and goes beyond just sharing information amongst themselves:

Continue reading "Industry Standard Practices: What Your Business Can Do To Comply With The FTC's Data Security Standard; Part II" »

July 5, 2014

What Your Business Can Do to Comply With the Federal Trade Commission's Data Security Standard. Part I: Does It Give Fair Notice?

misty-morning-2-786135-m.jpgWhat, exactly, can a business do to protect itself against a Federal Trade Commission enforcement action for allegedly failing to take reasonable precautions to protect its customers' sensitive, private, digital information, such as credit card numbers, bank account information, dates of birth, and even medical records? Especially because it is difficult to know exactly what the term "reasonable precautions" actually means in the quickly evolving world of cybersecurity, it is important to develop a credible answer to the question. Some high-profile businesses, including at least one which has been the victim of a large-scale cyber-breach, have come up with a seemingly simple, though elegant, solution.

To appreciate the solution, though, you first have to understand the problem. This post will discuss the full extent of the problem. In the next post, we will examine the solution.

One of the main attacks against the FTC's Reasonable Precautions cybersecurity standard is that it does not provide fair notice of what it requires, or prohibits. What, exactly, constitutes a reasonable precaution and what does not? How can a business be expected to comply with a standard if it does not have fair notice of what it requires? This was a major defense in both the FTC's administrative trial against LabMD, and the action entitled the Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey (the "Wyndham case") both of which we have written about at length. At least so far, though, "reasonableness," as applied on a case-by-case, fact specific basis, is all a business basically has to work with.

In the Wyndham case, as we have previously written, one of the defendants, Hotels and Resorts, based its motion to dismiss the complaint, in large part, on the allegation that the reasonable precautions cybersecurity standard was too vague, and that the FTC should issue detailed regulations giving fair notice of what the standard required, before the FTC could seek to enforce it. In denying the motion, the court held:

Continue reading "What Your Business Can Do to Comply With the Federal Trade Commission's Data Security Standard. Part I: Does It Give Fair Notice?" »

June 30, 2014

What Does Investigating Insurance Fraud Have In Common With the World Cup? You Make the Call.

football-1134963-m.jpgWhat does investigating Insurance Fraud have in common with the FIFA World Cup currently taking place in Brazil? More than you might think, especially if you're a world-class goalie trying to stop a penalty kick.

The hardest job in all of soccer, or football as the rest of the world calls it, arguably is that of the goalkeeper on a penalty kick. Think of how big that goal really is. Now think of how small that keeper actually is. There is no comparison between the two. Add in the fact that tied games are decided on penalty kicks, and you'll understand the pressure involved, especially when you're playing for the World Cup and know that two World Cup Finals have been decided on penalty shootouts. Many people complain about how unfair it is to decide a game that way, especially when, as they see it, a goalie has to get lucky to stop a penalty kick. Just yesterday, Sunday June 29, 2014, an article in the New York Times by Rob Hughes lamented the fact that Brazil just beat Chile on penalty kicks, especially because Chile's last one didn't go in because it hit the goalpost.

How does a keeper have any chance at all to stop the open, unimpeded shot, from 12 yards away, when the penalty-taker has all that room to kick at? As it turns out, he does it in much the same way a fraud investigator detects a lie: He does his homework, knows what to look for, and then goes on instinct. Unlike a fraud investigator, though, not many people expect the keeper to get it right.

A study recently was conducted to see if there was any way to help the goalkeepers with their nearly impossible task. It came up with a few answers, which also, though inadvertently, may give some pointers on how to conduct a fraud investigation. Entitled "The development of a method for identifying penalty kick strategies in association football", it is authored by Benjamin Noël, Philip Furley, John van der Kamp, Matt Dicks and Daniel Memmert, and is published in the Journal of Sports Sciences.

Continue reading "What Does Investigating Insurance Fraud Have In Common With the World Cup? You Make the Call." »

June 28, 2014

Partition Actions in New York: How Do You Split Up A House?

broken-glass-1046397-m.jpgNot everyone in New York knows what a Partition Action is. If you own real property, though, it's probably a good idea to learn.

It is not your everyday slip and fall, automobile accident, or even breach of contract case. Those are the things most people have heard of and the things many trial lawyers have tried. A Partition Action, though, is different. Though it's cloaked in legal terms, it's really about how to split up real property between two or more owners in the fairest way possible. That is why, most often, it involves selling the property and splitting the proceeds equitably.

The normal ingredients for a Partition Action are:


  • A piece of real property; it could have a house but it doesn't have to.

  • The real property has to be owned by more than one person. Think of an investment property: either an existing house that you want to rent out or that you want to flip, or fix up and sell for a profit; or even a vacant piece of land which you want to develop.

  • One of the owners has to want to sell. It could be for any of a number of reasons: maybe she's tired of being a landlord; maybe she wants to get her money out of the property and cash out; or maybe her co-owner just doesn't get along with her anymore.

Continue reading "Partition Actions in New York: How Do You Split Up A House? " »

June 21, 2014

Investigating Insurance Fraud in New York: How to Catch a Liar

the-maze-2-1008265-m.jpgFiguring out whether someone is lying or telling the truth isn't easy, as we've previously written.

Investigating Insurance Fraud isn't easy, either. Just ask anyone who works in SIU, and they'll tell you about the legwork involved: the interviews to take; the documents to get and go over; the data to analyze. And it all comes down to one thing: Is the person who's making the claim, telling the truth or lying? That, as we've previously written, probably is the hardest question for the fraud investigator to answer.

If the insured is lying about something important, something material and relevant to the investigation of the claim, chances are here in New York he won't recover anything. If the insured claims he had a lot of expensive, scheduled, jewelry stolen, but it wasn't, chances are he's not going to recover anything under his policy. If the insured claims that, when his house burned down, he had a lot of costly new electronics and clothes destroyed, and he's telling the truth, he'll get what he's entitled to under his homeowner's policy. If he's lying, though, chances are he won't get a dime, even for the house.

It's not always easy, though, to know when somebody's lying. We've all heard the classic telltale signs: A person is lying when he blinks rapidly; looks away; looks up and to the side; has dry mouth. The only problem is, so has the liar. Ask yourself: is someone who is basically trying to steal money, and has to lie to get away with it, going to advertise that he's lying?

Continue reading "Investigating Insurance Fraud in New York: How to Catch a Liar" »

June 13, 2014

Shadow IT, The Cloud, and the FTC's Reasonable Precautions Cybersecurity Standard

door-in-the-shadow-1443400-m.jpgShadow IT, or Rogue IT, is the practice of employees reportedly improvising their way to a more productive job, without their company's knowledge or approval, by importing cloud based tools to allow greater ease of access to company documents, bypassing firewalls, and facilitating collaboration, to enhance company performance. What could possibly be the harm? It just might be a good way to violate the FTC's Reasonable Precautions cybersecurity standard.

In order to sustain allegations of unfair practices under the FTC Act, which is the power the FTC uses to enforce its Reasonable Precautions cybersecurity standard, the FTC must prove substantial injury. Quoting from the April 7, 2014 decision of the U.S.D.J. Esther Salas in FTC v Wyndham, et al:

See Am. Fin. Servs. Ass'n, 767 F.2d at 972 ("An injury may be sufficiently substantial . . . if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm.") (internal quotation marks and citations omitted).[13]

Merely allowing sensitive, private information to be leaked on line, evidently can meet the test for substantial injury.

We previously wrote about the FTC's case against LabMD. Allegedly, a LabMD employee put a music file sharing application on her work computer, and accidentally shared a company file containing medical information for approximately 9,300 people. Once done, it really couldn't be undone because there was no way to control what any other person did with the file. According to the FTC, it was enough that the information was shared. The FTC's lawyer, Alain Sheer, according to a May 20, 2014 report in the National Law Journal, argued that the legal standard, i.e., what the FTC has to prove, is not actual harm, but whether there is a likelihood of harm. That might explain why, according to the same article, he said that the FTC did not plan on offering evidence from any victims of actual ID theft.

In both the Wyndham case and the LabMD case, one of the FTC's main allegations reportedly was that the particular company did not keep adequate firewalls. Those firewalls basically help the company control access to company files. Putting company documents in the cloud, however, puts them off-site, and may in fact bypass those same firewalls. Putting documents in the cloud, without the company's direct knowledge, however, is what Shadow IT apparently is all about.

Continue reading "Shadow IT, The Cloud, and the FTC's Reasonable Precautions Cybersecurity Standard" »

June 3, 2014

How Difficult Is It For a Business To Comply With Its Own Privacy Policy?

miror.image.untitled-1430946-m.jpgIf a business' privacy policy says it will protect its customers' sensitive private digital information in certain ways, then it probably is a good idea for the business to keep that promise. The Federal Trade Commission has sued businesses for allegedly making promises in their privacy policies that they did not keep.

How difficult is it for a company to comply with its own data security, or privacy, policy? Evidently, it is difficult, labor intensive and time-consuming; mostly because of the problems translating the words of the policy into detailed computer instructions or code, and the vast amount of code that needs to be checked to ensure it complies with the policy.

Is there a way for a business to protect itself by ensuring that its privacy policy is properly, and consistently, carried out? There might be, and it involves something called Legalease, which actually clears things up rather than makes them more confusing.

The highest profile recent case in which the FTC has alleged that a company deceived the public by failing to live up to the promises made within its own privacy policy, is the FTC v Wyndham Worldwide Corp., et al. We previously wrote about the April 7, 2014 decision of Esther Salas, U.S.D.J., which denied the motion of one of the defendants, Wyndham Hotels and Resorts, LLC ("Hotels and Resorts"), to dismiss the complaint against it. In that decision the court describes the FTC's deception claim this way, beginning on p.33:

Hotels and Resorts also challenges the FTC's deception claim (HR's Mov. Br. At 23). In this claim, the FTC cites the Defendants' privacy policy disseminated on Hotels and Resorts' website and alleges that, "in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access" but that "Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access." (Compl.paragraph 21, 44-45). Accordingly, the FTC alleges that Defendants' representations "are false or misleading and constitute deceptive acts or practices" under Section 5(a) of the FTC Act. (Id. Paragraph 46).

Hotels and Resorts' privacy policy seems innocuous, though it does sound suspiciously like the FTC's "Reasonable Precautions" cybersecurity standard that Wyndham complained so loudly about in the same case. The privacy policy says the company will comply with certain amorphous standards without defining what those standards specifically require. According to the court, beginning on p. 37 of its decision:

Continue reading "How Difficult Is It For a Business To Comply With Its Own Privacy Policy? " »