White House Announces Federal Data Privacy Framework as Additional Breaches Signal Litigation

On the heels of an unprecedented year of major data breaches affecting some of America’s largest retailers, President Barack Obama recently announced his bid to propose new legislation that protects consumers from identity theft and other forms of digital trespass. This proposal represents the first attempt at a national data privacy regime.

Citing figures that nearly 100 million Americans have had their personal information compromised and that roughly ninety percent of the population has, at some point, lost exclusive control of their personal information, President Obama announced that he will seek to establish federal criteria for the reporting of data breaches. The proposed federal criteria would preempt similar laws at the state level that tend to confuse or contradict. Specifically, the President indicated that custodians like retailers and financial institutions will be required to report data breaches within thirty days so as to facilitate a proactive response from government agencies and consumers alike. Perhaps most importantly, President Obama’s new data privacy infrastructure also seeks to establish a Consumer Privacy Bill of Rights that would codify basic principles of data privacy by which all custodians must abide. In addition, the Consumer Privacy Bill of Rights would set in place certain baseline protections across all industries that would operate as minimum standards for the care of sensitive personal data.

Although there is little doubt that a national data privacy framework will do much to aid consumer expectations with respect to how their private information is shared and protected, custodians such as retailers, educational institutions and financial establishments should be mindful that increased federal involvement is likely to mean greater regulatory oversight and potential for litigation. With due apologies to our colleagues who must now confront the maelstrom of regulatory compliance, we with a litigation bent tend to foresee that federal data privacy legislation will not only require custodians to actively revisit their policies and procedures across the board, but will serve as the minimum standard of care for losses resulting from data breaches and in all likelihood give rise to per se negligence claims.

For our part, and the part of those intimately involved in industries where ever-evolving technologies impact the ability to account for private personal data, the suggestion of federal data legislation should therefore serve as a call to take action before potential losses make their way to courtrooms across the country that have likewise sensed the specter of litigation and eagerly awaited a uniform direction. Thanks to Adam Gomez for contributing to this post. Please contact Brian Gibbons with any questions.

 

Is the FTC the US Policeman on Cyber Liability Claims?

One of the biggest US cyber liability questions is – as Congress has not passed a law on point – who is responsible for policing data breaches and enforcing the violations? (The question is of less impact in places like the EU, where responsibility is clearly delineated by laws.) The recent case of Federal Trade Commission v. Wyndham Worldwide Corporation sheds light on the issue.

In the case, Judge Salas, a New Jersey federal district court trial judge, was asked to rule on the legality of the Federal Trade Commission’s attempt to “be” the enforcer when it filed a 15 U.S.C. § 45(a) FTC Act claim against Wyndham Hotels and Resorts. 15 U.S.C. § 45(a) empowers the FTC to file actions against acts or practices “affecting commerce” that are “unfair” or “deceptive.” The violations at issue resulted from Wyndham’s alleged failure to properly deal with unauthorized attacks on its property management systems – attacks that led to the compromise of more than 619,000 consumer payment card account numbers and the resultant sale of those numbers to Russian black market entities.

In response to the claim, Wyndham filed a Fed. R. Civ. P. 12(b)(6) motion to dismiss. It argued that 15 U.S.C. § 45(a) only empowered the FTC to regulate “unfair and deceptive acts or practices” and policing data breaches did not fall within the scope of this power. In a decision of first impression (that is certain to be appealed), Judge Salas held that 15 U.S.C. § 45(a) did, in fact, empower the FTC to police data breaches. She has thus allowed the action to go forward.

What does all of this mean for insurers and their insureds? The answer is two-fold. First, insurers must question whether the policies they write provide coverage for regulatory actions commenced by the FTC. Second, insurers and insureds need to understand that, beyond dealing with consumer claims, an FTC action under 15 U.S.C. § 45(a) should be expected when a data breach occurs.

For more information about this post, please contact Bob Cosgrove.

Your Car Knows What You Are Doing.

We often think of privacy breaches in the context of lost, stolen or hacked credit cards. We think of things like the recent Target data breach. What we often forget are things like the location service devices inside our smartphones or our cars. As this recent NYT article makes clear, car manufacturers are collecting substantial amounts of information about you — they’re just not telling you about it. Legislation is on the way to address the issue, but all this legislation is likely to do is increase the potential for lawsuits. We’re aware of this potential at WCM and it’s why we’ve begun to certify our lawyers as IAPP professionals and have created our Privacy, Cybersecurity and E-Discovery practice group.

For more information about this post, please contact Bob Cosgrove.