July 14, 2014

Insurance Against The FTC's Claims of Deceptive Acts and Practices: Developing Your Own Industry Standards For Data Security

We have been discussing what businesses can do to protect against the Federal Trade Commission commencing an enforcement action against them for allegedly failing to take reasonable precautions to ensure the safety of their customers' private data, such as financial information, dates of birth, social security numbers, and even health records: Develop, and implement, industry standard, and commercially reasonable, data security practices. This time, we will see just how effective those efforts are by, in effect, asking Target.

What makes such Industry Standard Practices and Commercially Reasonable Efforts so promisingly effective is that:

  • They were approvingly cited as a source of guidance as to what a business must do to properly protect its customers' data, by the court in the case entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. This was the same case which approved the FTC's right to police data security practices.
  • Many businesses use those terms in their posted privacy policy.
  • The FTC already has demonstrated a willingness to allege deceptive acts or practices against companies that claim they follow Industry Standard Practices and take Commercially Reasonable Efforts to ensure data security but nevertheless suffer data breaches. This is what the FTC did in the Wyndham case. The FTC, in effect, will see a data breach; examine how it happened; determine that the precautions the company took to safeguard the data were inadequate and therefore did not meet Industry Standards or amount to Commercially Reasonable Efforts; and claim that the company deceived their customers by putting those terms in their privacy policy without abiding by them.
  • Companies can define, on their own, what Industry Standard Practices and Commercially Reasonable Efforts actually mean for their business and their customers.

Some companies, and industries, have gone to great lengths to define Industry Standard Practices and Commercially Reasonable Efforts for themselves. We previously pointed out the extraordinary data security efforts leading retailers were taking to protect the safety of their customers' sensitive, private information; how they were sharing information, between themselves and governmental agencies, and collaborating with outside experts, to develop industry standard practices in data security; how they established an independent entity, the Retail Cyber Intelligence Sharing Center, or R-CISC, to do exactly that. We also examined a benefit of, if not the actual reason for, the retailers' efforts: To protect themselves.

Retailers seem to be some of the most tempting targets of data security breaches. They handle large amounts of their customers' financial information every day. Credit and debit card numbers are perhaps the most inviting targets because they are so lucrative and can be turned into illicit gains so quickly by cyber-criminals. Here are some facts which might put the retailers' efforts into perspective:

Continue reading "Insurance Against The FTC's Claims of Deceptive Acts and Practices: Developing Your Own Industry Standards For Data Security" »

July 8, 2014

Industry Standard Practices: What Your Business Can Do To Comply With The FTC's Data Security Standard; Part II

What, exactly, should your business do to protect itself from a Federal Trade Commission enforcement action for failing to use reasonable precautions to ensure data security for your customers' sensitive, private information? In our last post we discussed the difficulty involved in complying with a standard for which no specific regulation has been promulgated; the statute which forms the basis of the standard is amorphous, especially when applied to data security; and the binding case law to which it is recommended that you turn, is nascent, if not non-existent. In this post, we will examine what businesses can and are doing to protect themselves, by taking what little guidance is available and making it work, on their own.

Perhaps the best guidance as to what your business must do comes from the Wyndham case we have spent so much time analyzing, which officially is entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. The April 7, 2014 decision of U.S.D.J. Esther Salas, which denied the motion to dismiss brought by one of the defendants, Hotels and Resorts, went to great lengths to point out the available sources of guidance in the absence of specific regulations for data security requirements. In our last article, though, we pointed out the problems of relying for guidance on some of the sources recommended by the court: inchoate case law, which is in its infancy and, at best, incomplete, and on a statute designed to leave a regulatory agency significant flexibility to assert its enforcement power, and which was enacted before the need for data security, or cybersecurity, even was conceived.

The other sources of guidance referred to by the court in the Wyndham case include the FTC's public complaints, consent agreements, business guidance brochure, and public statements. Even the court, however, admitted those are not controlling, but are only persuasive, authority.

The last sources of guidance approvingly mentioned by the court in the Wyndham case are industry standard practices and commercially reasonable efforts to ensure data security. If a business, or group of businesses, can define those terms, so that they actually mean something concrete, then they should be effective in defending against claims that a business did not go far enough to ensure the security of its customers' data.

Banding together to share information regarding threats and cybersecurity best practices, it seems, is exactly what some very well-known companies are doing. As we have previously written:

On May 14, 2014, the Retail Industry Leaders Association, with the reported backing of companies such as American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe's Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company, announced a joint effort to share information regarding cyber-threats and security. Named the Retail Cyber Intelligence Sharing Center, or R-CISC, it is designed as a way to allow retailers to enhance cybersecurity by sharing information about, and developing means to protect against, such threats.

The retailers' emphasis on developing industry-wide best practices for data security is clear from their 5.14.14 press release, and goes beyond just sharing information amongst themselves:

Continue reading "Industry Standard Practices: What Your Business Can Do To Comply With The FTC's Data Security Standard; Part II" »

July 5, 2014

What Your Business Can Do to Comply With the Federal Trade Commission's Data Security Standard. Part I: Does It Give Fair Notice?

What, exactly, can a business do to protect itself against a Federal Trade Commission enforcement action for allegedly failing to take reasonable precautions to protect its customers' sensitive, private, digital information, such as credit card numbers, bank account information, dates of birth, and even medical records? Especially because it is difficult to know exactly what the term "reasonable precautions" actually means in the quickly evolving world of cybersecurity, it is important to develop a credible answer to the question. Some high-profile businesses, including at least one which has been the victim of a large-scale cyber-breach, have come up with a seemingly simple, though elegant, solution.

To appreciate the solution, though, you first have to understand the problem. This post will discuss the full extent of the problem. In the next post, we will examine the solution.

One of the main attacks against the FTC's Reasonable Precautions cybersecurity standard is that it does not provide fair notice of what it requires, or prohibits. What, exactly, constitutes a reasonable precaution and what does not? How can a business be expected to comply with a standard if it does not have fair notice of what it requires? This was a major defense in both the FTC's administrative trial against LabMD, and the action entitled the Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey (the "Wyndham case") both of which we have written about at length. At least so far, though, "reasonableness," as applied on a case-by-case, fact specific basis, is all a business basically has to work with.

In the Wyndham case, as we have previously written, one of the defendants, Hotels and Resorts, based its motion to dismiss the complaint, in large part, on the allegation that the reasonable precautions cybersecurity standard was too vague, and that the FTC should issue detailed regulations giving fair notice of what the standard required, before the FTC could seek to enforce it. In denying the motion, the court held:

Continue reading "What Your Business Can Do to Comply With the Federal Trade Commission's Data Security Standard. Part I: Does It Give Fair Notice?" »

June 30, 2014

What Does Investigating Insurance Fraud Have In Common With the World Cup? You Make the Call.

What does investigating Insurance Fraud have in common with the FIFA World Cup currently taking place in Brazil? More than you might think, especially if you're a world-class goalie trying to stop a penalty kick.

The hardest job in all of soccer, or football as the rest of the world calls it, arguably is that of the goalkeeper on a penalty kick. Think of how big that goal really is. Now think of how small that keeper actually is. There is no comparison between the two. Add in the fact that tied games are decided on penalty kicks, and you'll understand the pressure involved, especially when you're playing for the World Cup and know that two World Cup Finals have been decided on penalty shootouts. Many people complain about how unfair it is to decide a game that way, especially when, as they see it, a goalie has to get lucky to stop a penalty kick. Just yesterday, Sunday June 29, 2014, an article in the New York Times by Rob Hughes lamented the fact that Brazil just beat Chile on penalty kicks, especially because Chile's last one didn't go in because it hit the goalpost.

How does a keeper have any chance at all to stop the open, unimpeded shot, from 12 yards away, when the penalty-taker has all that room to kick at? As it turns out, he does it in much the same way a fraud investigator detects a lie: He does his homework, knows what to look for, and then goes on instinct. Unlike a fraud investigator, though, not many people expect the keeper to get it right.

A study recently was conducted to see if there was any way to help the goalkeepers with their nearly impossible task. It came up with a few answers, which also, though inadvertently, may give some pointers on how to conduct a fraud investigation. Entitled "The development of a method for identifying penalty kick strategies in association football", it is authored by Benjamin Noël, Philip Furley, John van der Kamp, Matt Dicks and Daniel Memmert, and is published in the Journal of Sports Sciences.

Continue reading "What Does Investigating Insurance Fraud Have In Common With the World Cup? You Make the Call." »

June 28, 2014

Partition Actions in New York: How Do You Split Up A House?

Not everyone in New York knows what a Partition Action is. If you own real property, though, it's probably a good idea to learn.

It is not your everyday slip and fall, automobile accident, or even breach of contract case. Those are the things most people have heard of and the things many trial lawyers have tried. A Partition Action, though, is different. Though it's cloaked in legal terms, it's really about how to split up real property between two or more owners in the fairest way possible. That is why, most often, it involves selling the property and splitting the proceeds equitably.

The normal ingredients for a Partition Action are:


  • A piece of real property; it could have a house but it doesn't have to.

  • The real property has to be owned by more than one person. Think of an investment property: either an existing house that you want to rent out or that you want to flip, or fix up and sell for a profit; or even a vacant piece of land which you want to develop.

  • One of the owners has to want to sell. It could be for any of a number of reasons: maybe she's tired of being a landlord; maybe she wants to get her money out of the property and cash out; or maybe her co-owner just doesn't get along with her anymore.

Continue reading "Partition Actions in New York: How Do You Split Up A House? " »

June 21, 2014

Investigating Insurance Fraud in New York: How to Catch a Liar

Figuring out whether someone is lying or telling the truth isn't easy, as we've previously written.

Investigating Insurance Fraud isn't easy, either. Just ask anyone who works in SIU, and they'll tell you about the legwork involved: the interviews to take; the documents to get and go over; the data to analyze. And it all comes down to one thing: Is the person who's making the claim, telling the truth or lying? That, as we've previously written, probably is the hardest question for the fraud investigator to answer.

If the insured is lying about something important, something material and relevant to the investigation of the claim, chances are here in New York he won't recover anything. If the insured claims he had a lot of expensive, scheduled, jewelry stolen, but it wasn't, chances are he's not going to recover anything under his policy. If the insured claims that, when his house burned down, he had a lot of costly new electronics and clothes destroyed, and he's telling the truth, he'll get what he's entitled to under his homeowner's policy. If he's lying, though, chances are he won't get a dime, even for the house.

It's not always easy, though, to know when somebody's lying. We've all heard the classic telltale signs: A person is lying when he blinks rapidly; looks away; looks up and to the side; has dry mouth. The only problem is, so has the liar. Ask yourself: is someone who is basically trying to steal money, and has to lie to get away with it, going to advertise that he's lying?

Continue reading "Investigating Insurance Fraud in New York: How to Catch a Liar" »

June 13, 2014

Shadow IT, The Cloud, and the FTC's Reasonable Precautions Cybersecurity Standard

Shadow IT, or Rogue IT, is the practice of employees reportedly improvising their way to a more productive job, without their company's knowledge or approval, by importing cloud based tools to allow greater ease of access to company documents, bypassing firewalls, and facilitating collaboration, to enhance company performance. What could possibly be the harm? It just might be a good way to violate the FTC's Reasonable Precautions cybersecurity standard.

In order to sustain allegations of unfair practices under the FTC Act, which is the power the FTC uses to enforce its Reasonable Precautions cybersecurity standard, the FTC must prove substantial injury. Quoting from the April 7, 2014 decision of the U.S.D.J. Esther Salas in FTC v Wyndham, et al:

See Am. Fin. Servs. Ass'n, 767 F.2d at 972 ("An injury may be sufficiently substantial . . . if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm.") (internal quotation marks and citations omitted).[13]

Merely allowing sensitive, private information to be leaked online evidently can meet the test for substantial injury.

We previously wrote about the FTC's case against LabMD. Allegedly, a LabMD employee put a music file sharing application on her work computer, and accidentally shared a company file containing medical information for approximately 9,300 people. Once done, it really couldn't be undone because there was no way to control what any other person did with the file. According to the FTC, it was enough that the information was shared. The FTC's lawyer, Alain Sheer, according to a May 20, 2014 report in the National Law Journal, argued that the legal standard, i.e., what the FTC has to prove, is not actual harm, but whether there is a likelihood of harm. That might explain why, according to the same article, he said that the FTC did not plan on offering evidence from any victims of actual ID theft.

In both the Wyndham case and the LabMD case, one of the FTC's main allegations reportedly was that the particular company did not keep adequate firewalls. Those firewalls basically help the company control access to company files. Putting company documents in the cloud, however, puts them off-site, and may in fact bypass those same firewalls. Putting documents in the cloud, without the company's direct knowledge, however, is what Shadow IT apparently is all about.

Continue reading "Shadow IT, The Cloud, and the FTC's Reasonable Precautions Cybersecurity Standard" »

June 3, 2014

How Difficult Is It For a Business To Comply With Its Own Privacy Policy?

If a business' privacy policy says it will protect its customers' sensitive private digital information in certain ways, then it probably is a good idea for the business to keep that promise. The Federal Trade Commission has sued businesses for allegedly making promises in their privacy policies that they did not keep.

How difficult is it for a company to comply with its own data security, or privacy, policy? Evidently, it is difficult, labor intensive and time-consuming; mostly because of the problems translating the words of the policy into detailed computer instructions or code, and the vast amount of code that needs to be checked to ensure it complies with the policy.

Is there a way for a business to protect itself by ensuring that its privacy policy is properly, and consistently, carried out? There might be, and it involves something called Legalease, which actually clears things up rather than makes them more confusing.

The highest profile recent case in which the FTC has alleged that a company deceived the public by failing to live up to the promises made within its own privacy policy, is the FTC v Wyndham Worldwide Corp., et al. We previously wrote about the April 7, 2014 decision of Esther Salas, U.S.D.J., which denied the motion of one of the defendants, Wyndham Hotels and Resorts, LLC ("Hotels and Resorts"), to dismiss the complaint against it. In that decision the court describes the FTC's deception claim this way, beginning on p.33:

Hotels and Resorts also challenges the FTC's deception claim (HR's Mov. Br. At 23). In this claim, the FTC cites the Defendants' privacy policy disseminated on Hotels and Resorts' website and alleges that, "in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access" but that "Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access." (Compl.paragraph 21, 44-45). Accordingly, the FTC alleges that Defendants' representations "are false or misleading and constitute deceptive acts or practices" under Section 5(a) of the FTC Act. (Id. Paragraph 46).

Hotels and Resorts' privacy policy seems innocuous, though it does sound suspiciously like the FTC's "Reasonable Precautions" cybersecurity standard that Wyndham complained so loudly about in the same case. The privacy policy says the company will comply with certain amorphous standards without defining what those standards specifically require. According to the court, beginning on p. 37 of its decision:

Continue reading "How Difficult Is It For a Business To Comply With Its Own Privacy Policy? " »

May 30, 2014

Apple, Amazon, & E-books: Antitrust Regulation and Unfair Competition in the News

It's been a while, but claims of unfair competition involving e-books are back in the news. About a year ago the Justice Department won its antitrust case against Apple for horizontal price fixing of e-books. Now Apple's main competitor, Amazon, is having a dispute with one of the same publishers involved in the Apple case, Hachette. Amazon reportedly is pressuring Hachette to let it keep a bigger share of the sales price of e-books, and driving up the price in the process. Whether there is any comparison, or connection, between what Apple did and what Amazon is doing, is for you to decide.

What Apple Did

Let's look at what the court determined Apple did wrong. The Apple case was decided, after a bench trial, by U.S. District Judge Denise Cote. In her July 10, 2013 decision, she held, beginning at p. 9:

"The Plaintiffs have shown that the Publisher Defendants conspired with each other to eliminate retail price competition in order to raise e-book prices, and that Apple played a central role in facilitating and executing that conspiracy. Without Apple's orchestration of this conspiracy, it would not have succeeded as it did in the Spring of 2010."

The Justice Department's view of what Apple did was summed up nicely in an article by Bob Van Voris about the Apple trial, which appeared in Bloomberg on Jun 21, 2013 at 12:01 AM ET:

"Mark Ryan, a lawyer for the Justice Department, followed Snyder [Apple's attorney] yesterday, arguing that Apple headed up 'an old-fashioned, straightforward price-fixing agreement.' "

The way Apple conspired to end retail price competition and raise the price of e-books was simple, according to the court. Before Apple, the publishers sold e-books to retailers such as Amazon at a wholesale price and the retailers sold the e-books to the public at whatever price they saw fit. The publishers wanted to raise the price of e-books and Apple gave them a way. Apple agreed to let the publishers set the prices of e-books, which were as much as 50% higher than what Amazon was charging at the time. In return, the publishers agreed to pay Apple a fixed percentage of the sales price. This is the agency model. In return, the publishers gave Apple a Most Favored Nation clause, which is a way of saying they agreed to let Apple match its competitors' lowest price for the same e-book. According to the court, the publishers also agreed to a harsh financial penalty unless Amazon and other competitors agreed to let the publishers set the retail prices. In effect, the publishers set the price, Apple took a share, and everyone had an incentive to go along.

What Amazon Is Doing

Continue reading "Apple, Amazon, & E-books: Antitrust Regulation and Unfair Competition in the News " »

May 26, 2014

Memorial Day 2014: Thank You

Have you ever just wanted to say, "Thanks"? Not the throw-away, say it to get it over with, kind of thanks; but the heartfelt, I really couldn't have done this without you, sort of thank you? With today being Memorial Day, maybe it's not such a bad idea.

Memorial Day: summer, barbecues, friends, family; not a bad thing comes to mind. Its history, though, is a lot more solemn. According to the Veterans Administration's website's Memorial Day History, what used to be called Decoration Day began this way:

Three years after the Civil War ended, on May 5, 1868, the head of an organization of Union veterans -- the Grand Army of the Republic (GAR) -- established Decoration Day as a time for the nation to decorate the graves of the war dead with flowers. Maj. Gen. John A. Logan declared that Decoration Day should be observed on May 30. It is believed that date was chosen because flowers would be in bloom all over the country.

There was a really good cartoon in today's paper that pretty much sums it all up. It shows a family having a picnic under a tree in a park. The kids are running and the parents are laughing; everyone is having a carefree good time. The park, though, is built on a soldier's helmet.

There also was a story about a long ago trip to the U.S. Military cemetery just beyond the beaches of Normandy, France: No fancy gravestones; just row upon row upon row of Crosses and Stars of David. Words couldn't do it justice.

Finally, there was an opinion piece in the May 24-25 Weekend Edition of the Wall Street Journal by Robert M. Sapolsky, entitled "Humans Aren't The Only Animals Stuck on Status." The point of the piece is that we aren't the only ones who know and care about where we stand in society. We all spend a lot of time comparing ourselves to others; but we're not the only ones. He cites male baboons and ravens, in particular. He has to admit, though, that we're the only ones who would spend so much time trying to decide who would get voted off the island first: Donald Sterling or Vladimir Putin?

The problem is, his point misses the point. Sure, people compare themselves. Sure people like to look at how the rich and famous live; Robin Leach, anyone? Think of the huge audience a British royal wedding draws here.

But what about the people who run towards danger, not because it's dangerous, but because they want to help? What about those people who help but don't ask for much of anything in return, except to help? Did the soldiers really have to volunteer to give their lives for us? Did the first responders really have to run up more than 100 flights of stairs when everyone else was running down?

Maybe, we should care about class after all. Who better to look up to than the ones who willingly give their lives for people they don't even know, because they know defending them is the right thing to do? Maybe, just maybe, they are the highest class of people, after all. Who would've thought: the ones who deserve the highest honors are the ones who care more about others than themselves.

Sometimes, people do the right thing for the right reason, and the right reason is nothing more than they know it's the right thing to do. They don't need a heroes' welcome. Maybe, just maybe, a simple thank you is enough. Maybe we all should try it a little more often; it can't hurt.

Happy Memorial Day.

Go raibh maith agaibh

Ray Grasing

May 25, 2014

Is the FTC's Reasonable Precautions Cybersecurity Standard Fair?

In this post we are going to examine the rules used to determine whether the Federal Trade Commission's "Reasonable Precautions" cybersecurity standard gives businesses fair notice of what they have to do to adequately protect their customers' information from data breaches. The short answer is that businesses have to watch how the FTC enforces the standard, and act accordingly.

In subsequent posts we will examine whether the standard supplies the required notice by exploring how, and whether, the FTC has enforced the standard, as well as what if anything businesses can, and are, doing to comply with it and protect themselves.

The two main cases that have made the news recently regarding the FTC's cybersecurity standard are the FTC's administrative trial against LabMD, Inc. that we spoke about last time, and the FTC's suit against Wyndham Worldwide Corp and its three subsidiaries, which is entitled Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. Both LabMD and Wyndham reportedly challenged the FTC's right to enforce any such cybersecurity standard and have argued that even if it can, the standard is too vague, so that no business can know what it has to do to comply with it.

The FTC argues that it has the right to enforce the Reasonable Precautions standard under its authority pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce. It basically argues that:


  • A business that doesn't take reasonable precautions to protect its customers' data is acting unfairly because that failure meets the statutory definition of unfair acts or practices found in 15 U.S.C. § 45(n): it causes or is likely to cause substantial injury to consumers which they cannot reasonably avoid and it is not outweighed by countervailing benefits to consumers or competition;

  • Reasonableness is a sufficiently clear standard; but

  • Reasonableness can be decided, and enforced, on a case by case basis.

Continue reading "Is the FTC's Reasonable Precautions Cybersecurity Standard Fair?" »

May 23, 2014

The FTC, LabMD, EBay, and Cybersecurity: What Do Reasonable Precautions Actually Mean?

The Federal Trade Commission's effort to force businesses to take reasonable precautions to protect their clients' sensitive personal information from data breaches is back in the news this week, as is at least one big, new data breach. What the FTC does, and what it tries to get businesses to do, about cybersecurity, should be important to everyone. Sooner or later, it seems, any business could have their customers' data stolen and face FTC charges as a result.

Why you should pay attention: EBay just announced a large data breach. According to an article published in the Seattle Times on May 21, 2014, hackers stole some of the company's employees' log-in credentials and used them to gain access to EBay's corporate network, which includes customers' names, addresses, dates of birth, and encrypted passwords. It happened between late February and early March 2014 but was discovered only two weeks ago. EBay said there was no evidence that any of its customers were harmed by the breach. They did, however, ask each of their active users to change their passwords. To put it into perspective, they reportedly have 145 million active users. There might not be any damage, but it is a big deal.

What you should pay attention to: The latest FTC enforcement action to make the news is the administrative law trial of the medical testing company, LabMD, Inc. The FTC has alleged that its lax security measures exposed, and compromised, the private information of almost 10,000 customers. One of the main issues, according to a report in the May 20, 2014 National Law Journal by Jenna Greene, is whether the FTC overstepped its bounds by bringing the charges.

The FTC's effort to enforce what amounts to a "reasonable precautions" cybersecurity standard is not new. As we noted a few weeks ago, in a separate case the FTC brought against Wyndham Worldwide Corp, Federal District Court Judge Esther Salas on April 7, 2014, upheld the Federal Trade Commission's right to police corporate cybersecurity practices under its authority, pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce.

The Wyndham case was interesting because it involved hundreds of thousands of people who allegedly had their debit and credit card information stolen because they did something everyone does: pay for a hotel room. The LabMD case might be a lot smaller, but there was a lot more at stake.

LabMD did more than merely expose the personal financial information of its customers; it allegedly exposed their confidential medical information as well, according to the FTC's August 29, 2013 press release. These allegedly included the results of medical tests, including for cancer, according to the National Law Journal Report. Those medical records make the case important.


May 19, 2014

Recent Developments in Technology, Cybersecurity, and Fraud Prevention Your Business Should Be Aware of

There really is no way any more to avoid technology, and all of the good and the bad that goes along with it. Recent news articles point out how technology is the one place where business, science, and the law intersect; why every business owner should stay up to date on the developments within it; and why, no matter how careful you are, you can never stop being vigilant.

Technology and computing were not always everywhere. As an article in the May 17-May 18, 2014 Weekend Edition of the Wall Street Journal points out, fifty years ago, computers were the domain of a select minority of scientists, mathematicians, and engineers; only they could use, or understand, the complicated instructions necessary to run them. Then two Dartmouth College professors, John Kemeny and Tom Kurtz, along with some enthusiastic students, created a different sort of way to control and operate computers. They believed, according to the article, that the best way to get the biggest benefit from the technology was to open it up to as many people as possible. They created the computer language BASIC, or Beginner's All-purpose Symbolic Instruction Code. They designed it to be accessible to the everyman. They allowed, and encouraged, wider access to computers, even for those off-campus through remote access phone lines. They helped democratize computing and foresaw that it would impact most businesses and private lives in the not distant future, though they couldn't be sure of all of the good and the bad that would come from it.

Fast-forward to today: Businesses rely on computing for much of their day-to-day operations. As we've previously written, they use, possess, and maintain large amounts of their customers' personal and financial information. Use a credit card or debit card, and think of all the important information you are turning over, all of which thieves like to steal: credit card numbers, dates of birth, addresses, and social security numbers. The legal importance of all this information being passed around is easy to see: If it gets stolen, people will be hurt financially and they'll look for someone to cover their losses. We've also previously written about how the Federal Trade Commission is seeking to force businesses to take reasonable precautions to safeguard their customers' private information. Businesses evidently realize there is a problem and many now are trying to do something about it.


May 17, 2014

Do the Elderly Make Better Jurors? How Pre-crastination Can Help You Pick a Better Jury

There's a new term that's making the rounds, which might make us reconsider whether common wisdom is always wise and might make trial lawyers re-think how they select jurors: pre-crastination. As we'll see, it means that maybe trial attorneys shouldn't decide whether someone can be a good juror in spite of his old age and frailty, but because of them.

Everyone's heard of procrastination: Why do something today when it can wait until tomorrow? Most people procrastinate even though they know it's not a good idea. There might be nothing more productive than the last minute but, when you're counting down to a deadline, you always could use more time. The right thing to do, we all know, is to get it done now, right away, with time to spare. The only problem is that might lead us to make bad choices and irrational decisions.

We previously wrote about how older jurors might be a better fit for some cases. They generally have a wealth of knowledge and experience to draw from. It might take them a little longer to come to an answer, but that's because of the large amount of information they have to process, not necessarily because they are becoming feeble-minded. Maybe, if you can convince them, they can sway the other members of the jury for you. That, however, may not be the only reason to select an elderly juror.


May 5, 2014

A New Development in Arson Investigations: An Easier Way For An Insurer To Prove Its Arson Defense

As we just talked about in our last article, in order for an insurance company to deny a first-party property claim in New York because of arson, and make that denial stand up in court, it has to prove that the insured intentionally caused the fire, and it has to do so by clear and convincing evidence. That is not always an easy burden of proof to meet. There reportedly is an exciting new tool being developed that might make proving arson, i.e., that a fire was intentionally set, easier and help arson investigators become even more effective in determining who caused the fire.

Researchers from the University of Alberta and the Royal Canadian Mounted Police, working in tandem, have developed a new computer program that can pinpoint the presence of gasoline in debris taken from a fire scene. What makes this so important is that gasoline, according to the researchers, is the most common accelerant found in arson fires; evidently preferred by arsonists everywhere. By making it easier to detect, and confirm, the presence of gasoline, you stand a good chance of making arson easier to prove and less profitable to attempt.

What makes the new tool so helpful is that it often is difficult to confirm the presence of an accelerant in debris taken from a fire scene. No two houses, buildings, or fire scenes are exactly alike; they contain different mixes of materials. Different materials leave behind different chemical compounds when burned, and these can mask the presence of an accelerant such as gasoline. The researchers, in effect, developed a computer filter that can bypass the background noise to pinpoint the tell-tale signs of gasoline. They developed their tool by examining data from 232 samples taken from fires across Canada; by using real-life debris rather than merely relying on simulations, the researchers say their tool is dependably accurate.

Currently, determining whether there are traces of an accelerant left behind at a fire scene is time-consuming work. According to the researchers, the Royal Canadian Mounted Police have two separate forensic scientists examine each sample to see if their findings agree; this can take several hours for each sample, and there normally are three to four samples per fire. The newly developed computer program shrinks this time substantially. The first scientist still will have to analyze the debris herself, but will be able to confirm her findings in seconds, rather than hours, by using the computer program. A second forensic scientist will not have to analyze the debris unless the computer program's findings disagree with those of the first scientist.
