Attorney Advertising

Articles Posted in Business Law

by

crowbar-854266-m.jpgThere are a few recent news stories that business owners, fraud investigators, and consumers should be aware of. Though not necessarily related, they point out the ever-growing need to protect digital information and the consequences for those who do not. Cybersecurity, it seems, is something that will affect everyone, eventually.

The topic of the first story, unfortunately, is common; the numbers, thankfully, are not, though we should all hope they stay that way. According to an article by Danny Yidron in the Wall Street Journal, which was last updated at 2043 hrs Eastern Time on August 5, 2014, a gang of Russian hackers has amassed 1.2 billion stolen user names and passwords from approximately 500 million unsuspecting people. According to the private security firm that discovered the theft, Hold Security in Milwaukee, the hackers obtained the information from 420,000 websites, allegedly ranging from leaders in major industries to small businesses and personal websites. No measurable harm evidently has come from the theft, at least not yet. The hackers reportedly so far are using the data only to send spam messages on social media accounts. That doesn’t mean the people whose information was stolen are free and clear: There is a growing trend in recent years, according to the report, where cybercriminals amass online credentials for later use. While that later use isn’t specified, it shouldn’t be all that hard to determine. Consumers, according to the report, often use the same user names and passwords across various websites. If a hacker learns a user name and password for one account, it’s not that hard to imagine that the hacker also could gain access to the consumer’s other accounts, including on websites that store, or have access to, the consumers’ financial information, including credit card numbers.

In order to see the harm that was done already, merely because the hackers have the user names and passwords, you have to remember that just exposing your customers’ confidential information sometimes is enough to trigger an enforcement action by the Federal Trade Commission to force businesses to take reasonable precautions to protect their customers’ digital information. If you remember the LabMD case, which we already spent some time discussing, the FTC’s claims of unfair or deceptive acts or practices in, or affecting, commerce, were directed against LabMD for allegedly inadvertently posting the confidential information of less than 10,000 individuals on a file sharing platform that was intended to share music files instead. During the FTC’s administrative law trial against LabMD, it reportedly did not even plan to present any witnesses who were the victims of the alleged ID theft; exposing the information, allegedly, was enough.

We’re not comparing the theft of user names and passwords to exposing confidential health information, which allegedly is what occurred in the LabMD case. Allowing the theft of user names and passwords could lead to some real trouble, though, especially if it leads to the theft of user financial information, such as credit card numbers. That leads straight to the second news story.
Continue reading

by

3rd.Small.2nd.IMG_20140713_170245 - Copy.jpgWe have been discussing what businesses can do to protect against the Federal Trade Commission commencing an enforcement action against them for allegedly failing to take reasonable precautions to ensure the safety of their customers’ private data, such as financial information, dates of birth, social security numbers, and even health records: Develop, and implement, industry standard, and commercially reasonable, data security practices. This time, we will see just how effective those efforts are by, in effect, asking Target.

What makes such Industry Standard Practices and Commercially Reasonable Efforts so promisingly effective is that:

  • They were approvingly cited as source of guidance as to what a business must do to properly protect its customers’ data, by the court in the case entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. This was the same case which approved the FTC’s right to police data security practices.
  • Many businesses use those terms in their posted privacy policy.
  • The FTC already has demonstrated a willingness to allege deceptive acts or practices against companies that claim they follow Industry Standard Practices and take Commercially Reasonable Efforts to ensure data security but nevertheless suffer data breaches. This is what the FTC did in the Wyndham case. The FTC, in effect, will see a data breach; examine how it happened; determine that the precautions the company took to safeguard the data were inadequate and therefore did not meet Industry Standards or amount to Commercially Reasonable Efforts; and claim that the company deceived their customers by putting those terms in their privacy policy without abiding by them.
  • Companies can define, on their own, what Industry Standard Practices and Commercially Reasonable Efforts, actually mean, for their business and their customers

Some companies, and industries, have gone to great lengths to define Industry Standard Practices and Commercially Reasonable Efforts for themselves. We previously pointed out the extraordinary data security efforts leading retailers were taking to protect the safety of their customers’ sensitive, private information; how they were sharing information, between themselves and governmental agencies, and collaborating with outside experts, to develop industry standard practices in data security; how they established an independent entity, the Retail Cyber Intelligence Sharing Center, or R-CISC, to do exactly that. We also examined a benefit of, if not the actual reason for, the retailers’ efforts: To protect themselves.

Retailers seem to be some of the most tempting targets of data security breaches. They handle large amounts of their customers’ financial information every day. Credit and debit card numbers are perhaps the most inviting targets because they are so lucrative and can be turned into illicit gains so quickly by cyber-criminals. Here are some facts which might put the retailers’ efforts into perspective:
.
Continue reading

by

run-the-race-1415400-m.jpgWhat, exactly, should your business do to protect itself from a Federal Trade Commission enforcement action for failing to use reasonable precautions to ensure data security for your customers’ sensitive, private information? In our last post we discussed the difficulty involved in complying with a standard for which no specific regulation has been promulgated; the statute which forms the basis of the standard is amorphous, especially when applied to data security; and the binding case law to which it is recommended that you turn, is nascent, if not non-existent. In this post, we will examine what businesses can and are doing to protect themselves, by taking what little guidance is available and making it work, on their own.

Perhaps the best guidance as to what your business must do comes from the Wyndham case we have spent so much time analyzing, which officially is entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. The April 7, 2014 decision of U.S.D.J. Esther Salas, which denied the motion to dismiss brought by one of the defendants, Hotels and Resorts, went to great lengths to point out the available sources of guidance in the absence of specific regulations for data security requirements. In our last article, though, we pointed out the problems of relying for guidance on some of the sources recommended by the court: inchoate case law, which is in its infancy and, at best, incomplete, and on a statute designed to leave a regulatory agency significant flexibility to assert its enforcement power, and which was enacted before the need for data security, or cybersecurity, even was conceived.

The other sources of guidance referred to by the court in the Wyndham case include the FTC’s public complaints, consent agreements, business guidance brochure, and public statements. Even the court, however, admitted those are not controlling, but are only persuasive, authority.

The last sources of guidance approvingly mentioned by the court in the Wyndham case are industry standard practices and commercially reasonable efforts to ensure data security. If a business, or group of businesses, can define those terms, so that they actually mean something concrete, then they should be effective in defending against claims that a business did not go far enough to ensure the security of its customers’ data.

Banding together to share information regarding threats and cybersecurity best practices, it seems, is exactly what some very well-known companies are doing. As we have previously written:

On May 14, 2014, the Retail Industry Leaders Association, with the reported backing of companies such as American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe’s Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company, announced a joint effort to share information regarding cyber-threats and security. Named the Retail Cyber Intelligence Sharing Center, or R-CISC, it is designed as a way to allow retailers to enhance cybersecurity by sharing information about, and developing means to protect against, such threats.

The retailers’ emphasis on developing industry-wide best practices for data security is clear from their 5.14.14 press release, and goes beyond just sharing information amongst themselves:
Continue reading

by

misty-morning-2-786135-m.jpgWhat, exactly, can a business do to protect itself against a Federal Trade Commission enforcement action for allegedly failing to take reasonable precautions to protect its customers’ sensitive, private, digital information, such as credit card numbers, bank account information, dates of birth, and even medical records? Especially because it is difficult to know exactly what the term “reasonable precautions” actually means in the quickly evolving world of cybersecurity, it is important to develop a credible answer to the question. Some high-profile businesses, including at least one which has been the victim of a large-scale cyber-breach, have come up with a seemingly simple, though elegant, solution.

To appreciate the solution, though, you first have to understand the problem. This post will discuss the full extent of the problem. In the next post, we will examine the solution.

One of the main attacks against the FTC’s Reasonable Precautions cybersecurity standard is that it does not provide fair notice of what it requires, or prohibits. What, exactly, constitutes a reasonable precaution and what does not? How can a business be expected to comply with a standard if it does not have fair notice of what it requires? This was a major defense in both the FTC’s administrative trial against LabMD, and the action entitled the Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey (the “Wyndham case”) both of which we have written about at length. At least so far, though, “reasonableness,” as applied on a case-by-case, fact specific basis, is all a business basically has to work with.

In the Wyndham case, as we have previously written, one of the defendants, Hotels and Resorts, based its motion to dismiss the complaint, in large part, on the allegation that the reasonable precautions cybersecurity standard was too vague, and that the FTC should issue detailed regulations giving fair notice of what the standard required, before the FTC could seek to enforce it. In denying the motion, the court held:
Continue reading

by

door-in-the-shadow-1443400-m.jpgShadow IT, or Rogue IT, is the practice of employees reportedly improvising their way to a more productive job, without their company’s knowledge or approval, by importing cloud based tools to allow greater ease of access to company documents, bypassing firewalls, and facilitating collaboration, to enhance company performance. What could possibly be the harm? It just might be a good way to violate the FTC’s Reasonable Precautions cybersecurity standard.

In order to sustain allegations of unfair practices under the FTC Act, which is the power the FTC uses to enforce its Reasonable Precautions cybersecurity standard, the FTC must prove substantial injury. Quoting from the April 7, 2014 decision of the U.S.D.J. Esther Salas in FTC v Wyndham, et al:

See Am. Fin. Servs. Ass’n, 767 F.2d at 972 (“An injury may be sufficiently substantial . . . if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm.”) (internal quotation marks and citations omitted).[13]

Merely allowing sensitive, private information to be leaked on line, evidently can meet the test for substantial injury.

We previously wrote about the FTC’s case against LabMD. Allegedly, a LabMD employee put a music file sharing application on her work computer, and accidentally shared a company file containing medical information for approximately 9,300 people. Once done, it really couldn’t be undone because there was no way to control what any other person did with the file. According to the FTC, it was enough that the information was shared. The FTC’s lawyer, Alain Sheer, according to a May 20, 2014 report in the National Law Journal, argued that the legal standard, i.e., what the FTC has to prove, is not actual harm, but whether there is a likelihood of harm. That might explain why, according to the same article, he said that the FTC did not plan on offering evidence from any victims of actual ID theft.

In both the Wyndham case and the LabMD case, one of the FTC’s main allegations reportedly was that the particular company did not keep adequate firewalls. Those firewalls basically help the company control access to company files. Putting company documents in the cloud, however, puts them off-site, and may in fact bypass those same firewalls. Putting documents in the cloud, without the company’s direct knowledge, however, is what Shadow IT apparently is all about.
Continue reading

by

miror.image.untitled-1430946-m.jpgIf a business’ privacy policy says it will protect its customers’ sensitive private digital information in certain ways, then it probably is a good idea for the business to keep that promise. The Federal Trade Commission has sued businesses for allegedly making promises in their privacy policies that they did not keep.

How difficult is it for a company to comply with its own data security, or privacy, policy? Evidently, it is difficult, labor intensive and time-consuming; mostly because of the problems translating the words of the policy into detailed computer instructions or code, and the vast amount of code that needs to be checked to ensure it complies with the policy.

Is there a way for a business to protect itself by ensuring that its privacy policy is properly, and consistently, carried out? There might be, and it involves something called Legalease, which actually clears things up rather than makes them more confusing.

The highest profile recent case in which the FTC has alleged that a company deceived the public by failing to live up to the promises made within its own privacy policy, is the FTC v Wyndham Worldwide Corp., et al. We previously wrote about the April 7, 2014 decision of Esther Salas, U.S.D.J., which denied the motion of one of the defendants, Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”), to dismiss the complaint against it. In that decision the court describes the FTC’s deception claim this way, beginning on p.33:

Hotels and Resorts also challenges the FTC’s deception claim (HR’s Mov. Br. At 23). In this claim, the FTC cites the Defendants’ privacy policy disseminated on Hotels and Resorts’ website and alleges that, “in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access” but that “Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access.” (Compl.paragraph 21, 44-45). Accordingly, the FTC alleges that Defendants’ representations “are false or misleading and constitute deceptive acts or practices” under Section 5(a) of the FTC Act. (Id. Paragraph 46).

Hotels and Resorts’ privacy policy seems innocuous, though it does sound suspiciously like the FTC’s “Reasonable Precautions” cybersecurity standard that Wyndham complained so loudly about in the same case. The privacy policy says the company will comply with certain amorphous standards without defining what those standards specifically require. According to the court, beginning on p. 37 of its decision:
Continue reading

by

gavel-952313-m.jpgIn this post we are going to examine the rules used to determine whether the Federal Trade Commission’s “Reasonable Precautions” cybersecurity standard gives businesses fair notice of what they have to do to adequately protect their customers’ information from data breaches. The short answer is that businesses have to watch how the FTC enforces the standard, and act accordingly.

In subsequent posts we will examine whether the standard supplies the required notice by exploring how, and whether, the FTC has enforced the standard, as well as what if anything businesses can, and are, doing to comply with it and protect themselves.

The two main cases that have made the news recently regarding the FTC’s cybersecurity standard are the FTC’s administrative trial against LabMD, Inc. that we spoke about last time, and the FTC’s suit against Wyndham Worldwide Corp and its three subsidiaries, which is entitled Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. Both LabMD and Wyndham reportedly challenged the FTC’s right to enforce any such cybersecurity standard and have argued that even if it can, the standard is too vague, so that no business can know what it has to do to comply with it.

The FTC argues that it has the right to enforce the Reasonable Precautions standard under its authority pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce. It basically argues that:

  • A business that doesn’t take reasonable precautions to protect its customers’ data is acting unfairly because that failure meets the statutory definition of unfair acts or practices found in 15 U.S.C. § 45(n): it causes or is likely to cause substantial injury to consumers which they cannot reasonably avoid and it is not outweighed by countervailing benefits to consumers or competition;
  • Reasonableness is a sufficiently clear standard; but.
  • Reasonableness can be decided, and enforced, on a case by case basis.

Continue reading

by

cone-jpg-1387257-m.jpgThere really is no way any more to avoid technology, and all of the good and the bad that goes along with it. Recent news articles point out how technology is the one place where business, science, and the law intersect; why every business owner should stay up to date on the developments within it; and why, no matter how careful you are, you can never stop being vigilant.

Technology and computing were not always everywhere. As an article in the May 17-May 18, 2014 Weekend Edition of the Wall Street Journal points out, fifty years ago, computers were the domain of a select minority of scientists, mathematicians, and engineers; only they could use, or understand, the complicated instructions necessary to run them. Then two Dartmouth College professors, John Kemeny and Tom Kurtz, along with some enthusiastic students, created a different sort of way to control and operate computers. They believed, according to the article, that the best way to get the biggest benefit from the technology was to open it up to as many people as possible. They created the computer language BASIC, or Beginner’s All-purpose Symbolic Instruction Code. They designed it to be accessible to the everyman. They allowed, and encouraged, wider access to computers, even for those off-campus through remote access phone lines. They helped democratize computing and foresaw that it would impact most businesses and private lives in the not distant future, though they couldn’t be sure of all of the good and the bad that would come from it.

Fast-forward to today: Businesses rely on computing for much of their day to day operations. As we’ve previously written, they use, possess, and maintain large amounts of their customers’ personal and financial information. Use a credit card or debit card, and think of all the important information you are turning over, all of which thieves like to steal: credit card numbers, dates of birth, addresses, and social security numbers. The legal importance of all this information being passed around is easy to see: If it gets stolen people will be hurt financially and they’ll look for someone to cover their losses. We’ve also previously written about how the Federal Trade Commission is seeking to force businesses to take reasonable precautions to safeguard their customers’ private information. Businesses evidently realize there is a problem and many now are trying to do something about it.
Continue reading

by

butterfly-1427284-m.jpgMost people by now have heard of the Heartbleed bug. It’s the programming flaw in one of the most common encryption methods on the internet: OpenSSL. It makes what should be secure websites, and the personal information they contain, vulnerable to hackers. It is more important, though, than just another internet threat. Every business should consider whether it can be liable for depending on the vulnerable encryption software in the first place. This is especially important in light of the Federal Trade Commission’s efforts to ensure that businesses take reasonable precautions to protect their customers’ digital data.

The same day the Heartbleed bug was announced, April 7, 2014, Federal District Court Judge Esther Salas, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices. As we previously mentioned, the court denied Wyndham Worldwide Corp.’s motion to dismiss a suit the FTC brought against it which arose out of three separate alleged hacking incidents that occurred over a two year period.

According to a story by Matt Egan published on April 8, 2014 in Fox Business.com, the FTC sued Wyndham Worldwide Corp. and three subsidiaries, alleging that Wyndham, unreasonably and unnecessarily, exposed consumers’ personal data to unauthorized access and theft that resulted in hundreds of thousands of customers having their payment card account information exported to a domain registered in Russia and a fraud loss of more than $10 million. The suit reportedly alleged that, among other things, Wyndham:

  • Failed to use readily available security measures like firewalls;
  • Allowed software to be configured inappropriately;
  • Failed to ensure hotels implemented adequate information security policies;
  • Failed to remedy known security vulnerabilities.

[Emphasis supplied]

What makes the ruling especially relevant to the Heartbleed bug is the way that the encryption software the bug affects is developed and maintained.
Continue reading

by

illustration-card-1441198-m.jpgJust in case anyone thinks that cybersecurity is nothing more than an esoteric exercise for computer geeks and technicians, of no importance to the average person or business, the Heartbleed bug has come along to show us all how wrong that is. It was only just discovered two weeks ago and its impact was felt around the world almost immediately.

According to an article in the April 9, 2014 Daily Mail, the Heartbleed bug bypasses the normal safety features of websites. It can affect many of those sites that you might have noticed, which begin with an “https://” in front of their internet address, and which often appear with the symbol of a lock, both of which are supposed to mean they are safe. The bug, though, makes them vulnerable. It reportedly could affect more than 500,000 websites
The bug reportedly allows hackers to bypass normal encryption safety measures to get at encrypted information, including the most profitable types such as credit card numbers, user names, and passwords. The unauthorized user can even obtain the digital keys to impersonate other servers or users and eavesdrop on communications.

It’s not considered malicious software or malware because it is more of programing flaw; but that really is not important. What is important is that the flaw, and the vulnerability, went undetected for more than two years until it recently was discovered, independently, by researchers at Google and the Finnish company Codenomicon. A fix is possible, and reportedly fairly easily applied. The problem seems to be that the fix has to be manually applied by the people who run each individual site. That, unfortunately, will take time.
Continue reading