The Third Circuit Court of Appeals’ Wyndham Decision Gives a Green Light to the FTC to Sue Businesses for Lax Cybersecurity Practices Under the Unfairness Prong of Section 5 of the FTC Act

On August 24, 2015, the Third Circuit Court of Appeals affirmed denial of Wyndham Worldwide Corporation’s motion to dismiss the FTC’s lawsuit against it. This ruling is significant for several reasons. First, the ruling finds the FTC has the authority to regulate corporate data security practices under the unfairness prong of Section 5 of the FTC Act (“Section 5”). Second, the FTC is not required to publish regulations or rules as to what reasonable data security practices are before suing businesses for lax cybersecurity practices under the unfairness prong of Section 5.

The FTC alleged that Wyndham’s cybersecurity practices were “unfair” to consumers because Wyndham, among other things, (1) stored customers’ payment card information in unencrypted readable text, (2) permitted the use of easily guessed passwords, (3) failed to use firewalls to limit access, (4) used out-of-date operating systems that lacked security updates for 3 years, (5) permitted servers to connect to the company’s network through default user IDs and passwords, (6) failed to maintain an accurate inventory of computers, (7) failed to adequately restrict third-party vendors’ access to the company’s network, (8) failed to use reasonable measures to detect unauthorized access or to conduct security investigations, and (9) did not follow proper incident response procedures. As a consequence, according to the FTC, Wyndham suffered 3 hacking attacks wherein payment card information for over 619,000 consumers was accessed, resulting in over $10 million in fraud loss.

The ruling confirms that the FTC is not required to provide notice of specific cybersecurity standards before suing a company for unfair practices under Section 5. The court found businesses are not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required, but are only entitled to notice of whether their conduct falls within the meaning of the FTC Act itself, not the FTC’s interpretation of the FTC Act. According to the court, businesses have fair notice that cybersecurity practices, as a general matter, can form the basis of an unfair practice, given the 2007 FTC Guidebook “Protecting Personal Information: A Guide for Business” and the cost–benefit analysis inherent in Section 5’s definition of unfair conduct. (A practice is unfair if it causes consumers injury which is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or to competition). The cost-benefit analysis for corporate cybersecurity includes the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. After the second hack of Wyndham’s systems, the court declared it should have been “painfully clear” that Wyndham’s conduct failed the cost-benefit analysis.

The court expressed skepticism during oral argument over consulting consent decrees and brochures for legal guidance, but ultimately found complaints and consent decrees in administrative cases published on the FTC’s website and in the Federal Register provided notice of what cybersecurity practices failed the cost-benefit analysis for unfair conduct under Section 5. Accordingly, businesses and their counsel should review the FTC’s brochures, complaints, and consent decrees to ensure that their data security practices meet the standards suggested by the FTC.

Another significant aspect of the Third Circuit’s ruling involves the role Wyndham’s privacy policy played, which the court found directly relevant to whether Wyndham’s conduct was unfair. One of the elements of an unfair practice under Section 5 is whether a consumer cannot reasonably avoid injury from the defendant’s conduct. The FTC persuasively argued that consumers could not reasonably avoid injury because Wyndham’s misleading privacy policy overstated its cybersecurity practices. (Wyndham’s privacy policy stated that it safeguarded its customers’ information by using “standard industry practices” and took “commercially reasonable efforts … and other appropriate safeguards.”) The Court declared that a company acts unfairly, not just deceptively under Section 5, when it publishes a privacy policy “designed to attract customers concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, [and] exposes its unsuspecting customers to substantial financial injury…” This analysis is significant because privacy policies have long been a source of the FTC’s enforcement actions for deceptive conduct under Section 5, but now can also serve as a source of enforcement power under the unfairness prong of Section 5.

What remains unknown is how far-reaching the effect of this decision will be. This ruling is only in the Third Circuit, so it is possible other Circuits may disagree if faced with similar questions. In addition, the Court’s rulings involved a motion to dismiss. The Court only evaluated the sufficiency of the pleadings, taking what was alleged by the FTC as true. This means Wyndham’s ultimate liability, and the potential liability of other businesses alleged by the FTC to have unfair data security practices, is not yet known. Nonetheless, we can expect to see the FTC continuing its active enforcement activity, including unfairness grounds in the FTC’s actions against businesses for failure to reasonably secure and protect consumer information.

New York Court Refuses to Imply Private Right of Action Into Data Privacy Laws, But Allows a Negligence Claim Based on Alleged Failure to Protect Medical Data

A New York state trial court issued a recent decision that neatly demonstrates the present risk of private litigation over data privacy breaches in New York by dismissing 10 out of 11 counts in a data privacy case. In Abdale v. North Shore-Long Island Jewish Health System, Inc. (Index No. 02367/2013), class action plaintiffs alleged that a group of health care providers had failed to adequately protect their confidential medical and personal information, and had allowed that information to fall into the possession of thieves. According to their complaint, the plaintiffs’ confidential information, on both hard copy and electronic documents, was found in the possession of accused criminals as a result of the defendants’ failures. Some plaintiffs even alleged specific losses stemming from the disclosures, such as stolen tax refunds. Based on these facts, the complaint alleged a laundry list of common law and statutory causes of action:

  1. Negligence per se based upon violations of New York’s data breach notification law, General Business Law §899-aa;
  2. Negligence per se based on violations of New York’s law on patient access to their medical information, Public Health Law §18;
  3. Negligence per se based upon violations of New York’s law on the privacy of social security numbers, General Business Law §399-ddd(4);
  4. Negligence per se based on violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996);
  5. Negligence per se based on violations of the Health Information Technology for Economic and Clinical Health Act (HITECH), 42 USC §17921-53;
  6. Violations of New York’s General Business Law §349, forbidding deceptive acts and practices by businesses;
  7. Breach of contract;
  8. Breach of fiduciary duty;
  9. Negligence;
  10. Breach of the implied covenant of good faith and fair dealing; and
  11. Misrepresentation.

In analyzing the defendant medical providers’ motion to dismiss, the trial court first addressed each of the negligence per se claims and found that none of the federal or state statutes provided individual patients or consumers with a private cause of action for violations.

With respect to the consumer protection law, General Business Law §349, the Plaintiffs had alleged that defendants had failed to protect their information despite publishing privacy policies and notices asserting that they would do so. The court, however, found that the defendants’ privacy statements “do not constitute an unlimited guaranty that patient information could not be stolen or computerized data could not be hacked.” Accordingly, the court ruled that, as a matter of law, the defendants’ failure to protect their patients’ information “did not mislead the plaintiffs in any material way and does not constitute a deceptive practice within the meaning of the statute.”

The court next dismissed four out of five common law claims for failure to plead the necessary factual predicates. The Plaintiffs’ breach of contract and good faith and fair dealing claims were dismissed due to their failure to allege specific contractual relationships with the defendants and to identify specific contract terms that were breached. The Plaintiffs’ breach of fiduciary duty claim was dismissed for failure to meet the heightened pleading burden for such claims under New York law. Finally, the Plaintiffs’ misrepresentation claim was dismissed for the failure to allege, with respect to each defendant individually, a failure to disclose information about the existence of the privacy breaches despite a duty to do so.

The only claim that survived was the negligence claim, in which Plaintiffs alleged that they gave confidential information to certain of the defendants, who promised to safeguard it, but that the defendants’ employee instead stole their data and sold it to third parties. The trial court found that these allegations sufficiently stated a claim against the defendants that allegedly received the information.

Although this is just one case, the trial court’s decision suggests that New York courts are not eager to imply private causes of action into statutes that do not explicitly authorize them. On the other hand, holders of confidential information must recall that these statutes continue to be enforceable by regulators and/or prosecutors, and the court’s decision to allow the Plaintiffs’ negligence claim to continue indicates that at least this judge found that a common law tort could easily stretch to fit business failures to protect confidential information.

Online Retailers Increasingly at Risk of Website Accessibility Lawsuits

Given the lack of formal guidance on website accessibility under the Americans with Disabilities Act (ADA), “www” might as well stand for the “Wild, Wild, West.” Twenty-five years after the ADA first passed, the guidelines for how companies should make their websites accessible to disabled visitors remain unclear. Plaintiffs have taken advantage of this uncertainty—and the series of recent enforcement actions and statements of interest issued by the Department of Justice (DOJ)—by bringing a flurry of suits against retailers.

As website accessibility lawsuits continue to rise, retailers cannot afford to wait for formal guidance before taking steps to protect themselves.

Background on Accessibility Lawsuits

These cases are not new. In 2006, for example, the National Federation of the Blind brought suit against Target, claiming that the retailer violated Title III because blind people were unable to access much of the information on the defendant’s website or purchase anything from its website independently. In September 2008, the parties settled for a $6 million class award; the judge later awarded $3.7 million in attorney’s fees and costs.

The more recent cases are based on the same basic premise: they claim that by failing to make their websites accessible to blind or deaf visitors, the sites violate Title III of the ADA, which imposes upon places of public accommodation an obligation to “furnish appropriate auxiliary aids and services where necessary to ensure effective communication with individuals with disabilities.” Although these lawsuits have arisen across the country, a substantial number are filed in California under both the ADA and California’s Unruh Civil Rights Act, which provides for up to $4,000 in penalties per violation.

In the last year or so, at least thirteen website accessibility lawsuits have been brought in the Central District of California alone. The vast majority of these lawsuits involve retailers and the vast majority of these cases settled almost immediately after they were filed (before filing a response or attending a case management conference).

Retailers Forced to Rely on Limited DOJ Guidance

Until recently, the only guidance in this area came from an Advance Notice of Proposed Rulemaking (ANPRM) that the DOJ issued in 2010, in which it announced that it would issue new regulations under Title III of the ADA to address the accessibility of public accommodations’ websites. The proposed rule was expected to be released this year, but has since been delayed until April 2016 (though a recent DOJ statement of interest emphasizes that there is no scheduled date for publication of a final rule). The DOJ is expected to issue specific regulations applicable to Title II ADA entities (such as universities) before then; these regulations may shed light on how the DOJ plans to approach its Title III rule.

In the absence of formal guidance, retailers should look at a series of recent DOJ consent decrees and statements of interest for direction on how to comply with the ADA. In general, the DOJ has recognized the W3C Web Content Accessibility Guidelines 2.0 (“WCAG 2.0”) as a standard for compliance. WCAG 2.0 calls for companies to:

  • Provide text alternatives for non-text content;
  • Provide captions and other alternatives for multimedia;
  • Create content that can be presented in different ways, including by assistive technologies, without losing meaning;
  • Make it easier for users to see and hear content;
  • Make all functionality available from a keyboard;
  • Give users enough time to read and use content;
  • Not use content that causes seizures;
  • Help users navigate and find content;
  • Make text readable and understandable;
  • Make content appear and operate in predictable ways;
  • Help users avoid and correct mistakes; and
  • Maximize compatibility with current and future user tools.

Under the WCAG 2.0, there are three levels (A, AA, and AAA) that a company can attain, based on how successfully it meets the standards. Last year, the Department of Transportation adopted WCAG 2.0 Level AA as the legal standard that governs the websites of airline carriers under the Air Carrier Access Act.

The DOJ first published guidance on website accessibility in March 2015 as part of its legal agreement with H&R Block. The DOJ had alleged that H&R Block violated the ADA by denying disabled individuals full and equal enjoyment of online and mobile tax-preparation materials and services. In the consent decree, the DOJ called on H&R Block to meet many of the WCAG 2.0 standards, including using captions, text alternatives, audio descriptions, and other mechanisms to make the website more accessible. Additionally, the agreement imposed a series of administrative requirements. H&R Block agreed to:

  • Appoint a Web Accessibility Coordinator reporting directly to the Chief Information Officer, who will provide regular reports about the Web Accessibility Program;
  • Establish a Web Accessibility Committee;
  • Adopt a Web Accessibility Policy;
  • Maintain a disabled-accessible mechanism for website visitors to provide comments, recommendations, and questions regarding accessibility of the website;
  • Implement procedures to provide customer assistance to disabled customers;
  • Train employees responsible for website content on accessibility requirements;
  • Test all web content for accessibility before it is put into production; and
  • Retain a third-party accessibility consultant.

Additionally, in November 2014, the DOJ announced that it entered into a settlement agreement with America’s leading Internet grocer, Peapod LLC and Ahold U.S.A. Inc. The DOJ alleged that www.peapod.com was not accessible to people with visual or hearing impairments. Peapod agreed to ensure that its website and mobile applications conform to the Web Content Accessibility Guidelines 2.0 Level AA Success Criteria (WCAG 2.0 AA), and to follow many of the administrative remedies laid out in the H&R Block settlement.

The Question of Equivalent Alternatives

Unfortunately for retailers, it is currently unclear whether a company can meet its obligations under the ADA by offering users an alternate way to access the information and services made available on its website.

For years, retailers took comfort in the 2010 ANPRM’s suggestion that a website does not necessarily have to be accessible, as long as the company offers an equivalent alternative way to access the goods and services made available on the website. It explained:

[C]overed entities with inaccessible websites may comply with the ADA’s requirement for access by providing an accessible alternative, such as a staffed telephone line, for individuals to access the information, goods, and services of their website. In order for an entity to meet its legal obligation under the ADA, an entity’s alternative must provide an equal degree of access in terms of hours of operations and range of information, options, and services available. For example, a department store that has an inaccessible website that allows customers to access their credit accounts 24 hours a day, 7 days a week in order to review their statements and make payments would need to provide access to the same information and provide the same payment options in its accessible alternative.

On June 25, 2015, the DOJ seemed to shift position in cases against Harvard and MIT filed by the National Association of the Deaf. These cases alleged that the universities failed to caption online video content, and thus violated the ADA and Section 504 of the Rehabilitation Act. The universities argued both that the cases should be dismissed because neither statute applies to websites, and that the DOJ should wait for the web regulations to take effect. In its “statements of interest” in both cases, the DOJ explained that the 2010 ANPRM was issued to offer guidance to covered entities on how to meet their “pre-existing obligations” to make their websites accessible. This seems to suggest that companies are responsible for making their websites accessible, regardless of whether they can provide for an equal degree of access through other means.

In light of these statements of interest, retailers should no longer assume that they are not responsible for making their websites accessible.

Websites Not Associated with a Physical Location

Another area of uncertainty is whether a website is subject to the ADA if it does not have a nexus to any physical place of public accommodation.

In April 2015, the Ninth Circuit in Earll v. eBay Inc. became the first Circuit Court to address this issue, holding that a nexus is required. In simple terms, this means that web-only businesses are not places of public accommodation under Title III.

Although no other Circuit has reached this precise issue, the Third and Sixth Circuits have each held that Title III does not apply where there is not a sufficient connection between the discrimination the plaintiffs alleged and a physical place. In both cases, the courts found that a long-term disability plan by an employer and administered by an insurance company does not fall within the purview of Title III; because the plaintiffs in both cases received disability benefits through their employment, the courts found that they did not have a connection to their insurance company’s office and thus were not discriminated against in connection with a public accommodation.

The Eleventh Circuit has interpreted Title III somewhat more broadly, finding that it covers both tangible barriers (such as those that prevent a disabled person from entering a building) and intangible barriers to a physical place (such as eligibility requirements or discriminatory policies).

Conversely, the First and Seventh Circuits have found that Title III applies even in the absence of some connection to a physical place.[1] Similarly, the Second Circuit has expressed that Title III “is not only obligated by the statute to provide disabled persons with physical access,” but has not yet considered a case in which a defendant operated no physical space open to the public but nevertheless provided goods or services to the public.

Both the District of Massachusetts and the District of Vermont have found that Title III covers entities providing exclusively web-based services to the public. In both cases, the courts explained that “excluding businesses that sell services through the Internet from the ADA would ‘run afoul of the purposes of the ADA and would severely frustrate Congress’s intent that individuals with disabilities fully enjoy the goods, services, privileges, and advantages available indiscriminately to other members of the general public.’”

Conclusion

Until more formal or specific guidance becomes available, retailers should evaluate their websites under the WCAG 2.0 Guidelines, and make any necessary changes as soon as possible. Given the lack of clarity, companies should also consult with counsel with expertise in this area to explore what other changes they should consider to protect themselves.

[1] Carparts Distrib. Ctr., Inc. v. Auto. Wholesalers Assn. of New England, 37 F.3d 12, 19 (1st Cir. 1994); Doe v. Mutual of Omaha Ins. Co., 179 F.3d 557, 559 (7th Cir. 1999); Morgan v. Joint Admin. Bd., Ret. Plan of the Pillsbury Co. and Am. Fed’n of Grain Millers, AFLCIO-CLC, 268 F.3d 456, 459 (7th Cir. 2001).

Second Wave of Auto-Renew Lawsuits Makes Business Model Risky

In the past several years, subscription-based product and service providers have emerged in almost every sector. People are buying baby supplies, razors, groceries and cloud space by using a model once reserved for magazines. For a monthly fee, startups also offer services such as transportation, personal assistance, and dress rentals — as companies continue to thrive using the monthly subscription model, more startups continue to launch.

Although subscription-based services can benefit consumers by offering simplicity and lower prices, legal issues emerge when customers claim that they did not knowingly agree to continue paying for future products or services. In the past several months, these customers have filed several class action lawsuits against retailers of all kinds, pursuant to both state and federal laws.

Automatic Renewal Laws

To date, at least 16 states have enacted statutes regulating automatic renewals to varying degrees.[1] While these statutes vary in strictness, they generally require companies to disclose automatic renewal policies in a clear and conspicuous manner. Additionally, some statutes require companies to obtain customers’ affirmative consent before charging a credit card, and to disclose how to cancel the subscription and avoid future recurring payments.

Not surprisingly, California’s Automatic Renewal Law (ARL), California Business and Professions Code § 17600, et seq., is perhaps the strictest state statute. The ARL prohibits retailers from charging consumers’ credit cards, debit cards or bank accounts for ongoing orders without their explicit consent. Under the law, businesses that automatically renew customers’ orders must state the automatic renewal or continuous service offer terms in a “clear and conspicuous” manner before the order is finalized; this means that the terms must be in a larger or contrasting type that “clearly calls attention to the language,” and that the disclosure must be made before and in immediate proximity to the signature line or online authorization button. Before charging a customer, a company must obtain her “affirmative consent” to the renewal policy. Additionally, businesses must provide customers with a copy of their terms, including information on how to cancel the subscription. The law applies to contracts entered into by any California resident, regardless of where the company is located. After the ARL took effect in December 2010, at least 11 class action lawsuits targeting companies’ automatic renewal practices have been filed, several of which have already been voluntarily dismissed.

In January 2015, New York introduced legislation similar to the California law (NY Senate Bill 40), which would require customers’ express consent before charging them for a renewal. This new bill would be much stricter than New York’s current law regulating automatic renewal offers. Other states with fairly strict statutes include Connecticut, Oregon, Illinois, Georgia, and Florida.

Renewed Interest in Auto-Renew Actions

This is not the first time that retailers have been sued pursuant to the ARL or other auto-renew laws. In 2013, a series of class action lawsuits targeted the automatic renewal policies of popular music and video streaming companies. The plaintiffs in each of these cases claimed that the company failed to clearly and conspicuously disclose that they would charge the customer a recurring payment, either after an initial payment or after a free trial expired. Almost all of these suits were brought in California and reached confidential settlements soon after they were filed.

A second wave of these suits began this past December 2014, weeks after Sirius XM agreed to a $3.8 million settlement in a case brought by 45 states and the District of Columbia. Since then, actions have been filed against SeaWorld, Birchbox (subscription beauty service), LifeLock (identity theft protection provider), AAA (roadside assistance provider), Blizzard Entertainment (producers of the online role-playing game World of Warcraft), Tinder (dating app), and Blue Apron (food delivery app). This list of companies is markedly different from those in the first wave: In addition to expanding outside the music and video streaming context, the Plaintiffs’ bar has shown its willingness to bring actions against startups like Birchbox and Tinder. As more companies adopt subscription-based business models, it is almost certain that these actions will continue to arise.

In the first Tinder lawsuit, filed in late April 2015 in the Central District of California, the plaintiff alleges that when the dating app transitioned from being a free service to charging a monthly fee, it failed to clearly and conspicuously disclose that its subscription would automatically renew each month. This action was voluntarily dismissed on July 21, 2015. In late May 2015, two additional cases were filed against Tinder in San Luis Obispo County and Los Angeles County Superior Courts.

In early March 2015, two cases were filed in the Southern District of California against startup Birchbox, which delivers beauty products each month to its subscriber customers. The two cases were consolidated on April 30, 2015 and the plaintiff filed an amended complaint for the consolidated action on May 14, 2015. Both plaintiffs purchased subscriptions from the startup (one of their original complaints explains that the service appeared in the plaintiff’s shopping cart as “Women’s Rebillable Monthly Subscription”). Despite the seemingly transparent name of the subscription, however, plaintiffs claim that Birchbox violated the ARL and California’s Unfair Competition Law by failing to clearly and conspicuously disclose or obtain customers’ consent to the service’s automatic renewal and continuous service terms. In their amended complaint, the plaintiffs claim that the terms should have been “in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks,” and included during the check-out process (instead, they were included in the website’s “Terms and Conditions” section). The parties are scheduled to attend mediation on September 16, 2015, and the case is stayed pending that mediation until October 1, 2015.

The most recent of these suits was filed in June 2015 against Blue Apron, and was removed on July 21, 2015. Similar to the Tinder and Birchbox cases, the complaint alleges that the cooking ingredient delivery app violated the ARL by failing to present its automatic renewal terms in a clear and conspicuous manner, charging consumers for continuous service without their consent, and failing to provide information on how to cancel the subscription.

In March 2015, the Middle District of Florida refused to dismiss the case brought against SeaWorld, which claims that SeaWorld breached its payment plan contract by automatically renewing and charging customers for annual passes to its parks for the upcoming year without their consent and before the current 12-month period ends. The parties attended mediation on May 11, 2015, but were unable to reach an agreement. In late June 2015, the court set the jury trial for March 2017.

The cases against AAA, LifeLock, and Blizzard have each already been voluntarily dismissed.

Federal Enforcement

In addition to being subject to state auto-renewal laws, all companies are subject to the Federal Trade Commission Act, 15 U.S.C. § 41, et seq., which requires stores to honestly and clearly disclose their auto-renewal policies.

Since 2011, the FTC has filed suits in Nevada, Maryland, and Washington against companies for unfair or deceptive business practices related to their automatic renewal policies. The most recent suit was brought against DIRECTV in March 2015 in the Northern District of California. One claim in the FTC’s action is that the company violates the FTC Act by automatically charging customers for premium channels after their free trial for those channels expires. On April 2, 2015 DIRECTV admitted that it offered free trials of premium channels for a limited time, after which it begins charging customers for those channels unless they cancel, but claimed that the terms of these promotions were clearly and conspicuously disclosed to consumers.

Congress’s enactment of the Restore Online Shoppers’ Confidence Act (ROSCA) provides the FTC and state attorneys general with an additional basis for targeting companies’ renewal policies. ROSCA generally prohibits charging online consumers for goods or services through a “negative option feature” to an agreement, whereby the customer’s silence or failure to cancel the agreement is treated as acceptance of the offer. In other words, ROSCA requires companies to obtain consent from customers before signing them up for a free trial that automatically turns into a paid subscription. A seller may only avoid this requirement by clearly and conspicuously disclosing the material terms of the agreement before obtaining the customer’s billing information, obtaining the customer’s express consent before making the charge, and providing a simple way to stop the recurring charges. Even though ROSCA took effect in 2011, the FTC did not bring its first action under the law until October 2014. The FTC has brought ROSCA claims against at least three businesses since then, including DIRECTV, which indicates the Commission’s increased interest in enforcing this law. DIRECTV also asserted eleven affirmative defenses, including failure to state a claim, equitable doctrines, and lack of jurisdiction and standing. The FTC filed a motion to strike some of these defenses in early June 2015, and DIRECTV filed a reply on June 22, 2015. On July 1, the court issued a scheduling order, calling for the FTC to file an amended complaint by August 1, 2015.

On June 16, 2015, the Central District of California entered a Temporary Restraining Order and the FTC issued a complaint, alleging that since at least 2010, a number of defendants had marketed and sold skin care products on a variety of websites in violation of ROSCA, the FTC Act, and the Electronic Funds Transfer Act (“EFTA”). According to the complaint, the defendants advertised “risk free trials” to receive skin care items, suggesting that consumers would only pay $4.95 or less in shipping costs. According to the complaint, defendants failed to adequately disclose that they would charge consumers’ credit or debit accounts for the trial product, typically as much as $97.88, after a 10-day period, and that customers would be automatically enrolled in subscription plans whereby they were automatically sent more products and charged recurring fees each month. The FTC specifically noted that because the goods often did not arrive until ten days after the order was placed, it was impossible for many customers to return opened products within the ten-day period in order to avoid the $97.88 fee. Additionally, the complaint alleged that defendants failed to adequately disclose that returned items would be subject to a $15 restocking fee.

As the FTC continues to vigorously enforce ROSCA in new industries, retailers using the subscription or automatic renewal models should ensure that their advertisements and terms are compliant.

Penalties for Violating Automatic Renewal Laws

The penalties for violating state automatic renewal statutes can be serious. California’s ARL, for example, allows for liability under other laws, such as California’s Unfair Competition Law, and also provides that any goods tendered to a customer pursuant to a non-compliant automatic renewal policy “shall for all purposes be deemed an unconditional gift to the consumer.” Plaintiffs’ lawyers claim that, under this provision, retailers must provide restitution to the consumer for 100 percent of gross revenues received pursuant to the automatic renewal, even if the consumer actually wanted or anticipated the renewal. Notably, this provision only refers to “goods” and not to “services.”

Although many of the settlements in past auto-renew cases have been confidential, those with public terms show the potentially high value of these cases to Plaintiffs’ attorneys. As mentioned above, Sirius XM settled an automatic renewal case for $3.8 million in December 2014. In September 2014, Angie’s List settled an auto-renewal suit brought in Indiana for $2.8 million.

Given the potentially high penalties for violating state automatic renewal laws, companies that sell subscription-based goods, services, or memberships should make sure that their user agreements comply with local regulations. To help ensure compliance, companies should consult counsel with expertise in this area before enacting automatic renewal policies. The recent uptick in litigation — which has been brought against startups and established companies alike, in a wide variety of industries — shows that no company is immune from these potentially expensive actions.

[1] These include California (Cal. Bus. & Prof. Code §§ 17600-17606), Connecticut (Conn. Gen. Stat. § 42-126b), Florida (Fla. Stat. § 501.165), Georgia (O.C.G.A. § 13-12-3), Illinois (815 ILCS 601/10), Louisiana (La. Rev. Stat. § 9:2716), Maryland (Md. Code Com. Law § 14-12B-06), New Hampshire (N.H. Rev. Stat. § 358-I:5), New York (N.Y. Gen. Oblig. Law § 5-903), North Carolina (N.C. Gen. Stat. § 75-41), Oregon (Or. Rev. Stat. §§ 646A.293, .295), Rhode Island (R.I. Gen. Laws § 6-13-14), South Carolina (S.C. Code § 44-79-60), South Dakota (S.D. Codified Laws § 49-31-116), Tennessee (Tenn. Code §§ 62-32-325, 47-18-505), and Utah (Utah Code § 15-10-201).

How Your Company Can Defend Itself Against Cyber-Extortion

Intro

Sensational headlines about major data breaches have become common. The most typical scenarios are those in which hackers access personal data about a company’s customers and use that data for identity theft. But another type of fast-growing hack, so-called cyber extortion, may be even more damaging. In this type of attack, hackers essentially kidnap data and hold it for ransom.

For both companies and their customers, the rise of cyber extortion is alarming. There are, however, steps that can be taken to help mitigate risk. Companies that are proactive both pre- and post-breach are generally better positioned when it comes to protecting their customers’ data.

Detail

There are, unfortunately, many methods of attack employed by cyber extorters. For example, these criminals can initiate an attack far outside a company’s network through a distributed denial of service (DDoS) attack. Here, thousands of “zombie” computers, taken over by hackers without the knowledge of the computers’ owners, are used to simultaneously bombard a target website, knocking it offline. DDoS attacks can be especially damaging to enterprises such as e-commerce companies that rely on user access to their websites to conduct business.

Apart from DDoS attacks, cyber criminals may seek to break into companies’ networks. Once inside, hackers can follow any number of avenues to extort money from their victims.

Tactics may include: encrypting data that exists in business systems; disabling critical business systems; or blocking access to corporate sites. In any case, victims are severely handcuffed by hackers until a “ransom” is paid.

Hackers may also redirect part or all of a corporate website by altering DNS settings and holding the original destination hostage. Or, they may also steal intellectual property and threaten to sell it to competitors.

Hackers even pose as cyber security specialists and offer to identify weaknesses and fix them for a fee. Instead, they find exploitable weaknesses in corporate networks and threaten to notify the press or competitors unless payment is made.

The same malware used on individuals can be adapted for corporate espionage. Criminals might commandeer a computer microphone or camera in a boardroom or executive office to film or record confidential meetings. Using that business intelligence, hackers could extort a company, sell its secrets to rivals, or manipulate company stock with calibrated releases of privileged information.

Perpetrators of these and other forms of cyber extortion range from organized crime rings to disgruntled employees. Indeed, attacks are even more insidious when launched from the inside. Law enforcement has engaged in a number of significant investigations in recent months involving former or disgruntled company employees. In many of these cases, employees attempted to extort money from employers by threatening to expose privileged information or activate malware. These recent incidents cost victimized businesses from $5,000 to $3 million.

Sony

The hack of Sony Pictures Entertainment in late 2014 prior to its release of the film “The Interview” drew more attention than any previous cyber-extortion plot and could ultimately cost Sony millions in revenues and reputational damage. The facts surrounding this breach and its potentially long-reaching impact have been widely reported.

For the purpose of this article, it is important to note that the average company may think a lower public profile protects it from such a potentially damaging cyber extortion. But while the Sony hack was unprecedented in its scope and the public interest it generated, the assistant director of the FBI’s Cyber Division said it was likely that 90 percent of U.S. corporations — large, midsized and small — are equally vulnerable to such an attack.

Ashley Madison

More recently, some 37 million users of Ashley Madison are reportedly at risk for extortion after hackers stole information – including nude pictures and credit card data – from the site on the night of July 19, 2015. Hackers claim to have completely compromised the user database and financial records of the site, which caters to anonymous customers seeking extramarital affairs.

A statement from Avid Life Media, the parent company of Ashley Madison, confirmed the hack and stated that personal information posted online by hackers had been deleted. It is unknown, however, how many people accessed the leaked and highly sensitive personal information before it was taken down.

Why Companies “Dummy Up” and Pay Up

While breaches like Sony Pictures and Ashley Madison dominate headlines, midsized companies actually may be the most vulnerable. For a number of reasons, smaller organizations may fail to invest in adequate security measures to protect themselves, fearing that even minor changes to day-to-day operations might jeopardize profitability. These companies may also lack the personnel or resources to effectively respond to cyber extortion attempts. They are, however, viewed as having deep-enough pockets to attract cyber extortionists.

The vast majority of cyber extortion attempts go unreported. When it comes to insider attacks specifically, three-quarters of the time companies deal with the matter internally and do not disclose the incident to authorities, according to a 2014 cybercrime survey by Carnegie Mellon University.

To many companies, it appears cheaper and less disruptive to pay the ransom than to hire a third-party, or even devote internal resources, to respond to the breach. Many businesses simply can’t afford the loss of revenues if their site goes down and stays down for any length of time.

Alternatives to Capitulation: What Companies Can Do

While it can be tempting for a company to try to buy itself out of a problem, capitulating to terrorist-like demands also carries risks. There is never a guarantee that the criminals will not come back for more, and customers and business partners may lose confidence in the company should they discover that paying off extortionists was acceptable.

Additionally, paying a ransom does not address the underlying vulnerability the criminals exploited in the first place. Only an investigation, in conjunction with law enforcement experienced in such crimes, can reveal the weaknesses that allowed the attack to occur. It can also help to identify remediation that will prevent similar attacks and potentially reveal other weaknesses that can be fixed.

How to Deal With Cyber Extortion — Before and After It Occurs

Once a company or individual becomes a victim of cyber extortion, the number of good options dwindles quickly. Rather than react after the fact, corporate leaders need to have a response plan in place so mitigating the risk of cyber extortion schemes can be the main focus.

A comprehensive plan should include:

  • A list of stakeholders to be informed.
  • Predetermined and defined lines of communication that will speed information sharing.
  • Appropriately trained and informed leaders empowered to make decisions during an incident.
  • A process for the continuous updating of information technology systems and security policies (at least quarterly) to keep pace with changes in business and technology.
  • Established relationships with law enforcement (local, state and/or federal) to reduce the chance of a slow, confused response.

Prevention

Companies can also take a number of steps to lessen the likelihood that they will fall victim to cyber extortion:

  • Identify all potential internal and external threats by:
    • Monitoring social media.
    • Staying on top of public forums related to your business.
    • Identifying employees who may want to harm your company.
  • Audit computer networks to identify and assess vulnerabilities. Questions include:
    • Are software patches being applied in a timely fashion?
    • Does the network have segmentation so that an attack in one area won’t impact others?
    • Are there access controls in place for your data?
    • Are network logs collecting sufficient detail and maintained for a long enough period of time to allow for proper historical investigation?
    • Do you know where all your endpoints are, and are network topology maps up to date? This is especially important because networks are dynamic, with companies continually adding and removing servers and distributing new devices to employees.

Conclusion

Cyber extortion crimes will only grow more complex over time. Criminals are continually changing their patterns of attack. While no company can protect itself perfectly, it can make smart investments in due diligence, response plans and sensible security based on rigorous risk assessments of what it stands to lose in the event of such an attack.

Remotely Hijacked Vehicles and Androids – How Vulnerable Is Your Personal Tech?

On Tuesday, July 21, 2015, Wired magazine published an article discussing a vulnerability in the Chrysler Uconnect feature through which an attacker may gain remote access to the vehicle’s CAN bus, allowing the attacker to manipulate not only the vehicle’s climate control and infotainment systems, but more importantly its transmission, braking, and steering controls. The security researchers who discovered the vulnerability, Chris Valasek and Charlie Miller, had received a grant in 2013 from the Pentagon research arm DARPA and in 2014 demonstrated the ability to control a vehicle by directly connecting their laptops to the vehicle’s CAN bus. The significance of their most recent research is the ability to target vehicles remotely using the Uconnect’s linkage to the Sprint cellular network. Through the network, Valasek and Miller were able to obtain the GPS coordinates, VIN, make, model, and IP address for vehicles anywhere in the country, so long as they were connected to the Sprint network. Valasek and Miller are scheduled to provide briefings on their research at the Black Hat USA conference on August 5-6 and at the DefCon conference on August 7-8.

For almost nine months, the researchers have been sharing their research with Chrysler, which allowed the company to quietly create and release a patch to address the vulnerability. Initially, the patch was only available by taking an affected vehicle to the dealer for service or downloading the patch onto a USB device from the company’s Uconnect website. On Thursday, July 23, Chrysler and Sprint implemented a set of security controls on the Sprint network, designed to detect and block attacks across the network regardless of whether vehicles themselves have been patched. Valasek and Miller tested the exploit following the network patch and were unable to access Miller’s Jeep remotely, prompting a tweet by Valasek commending Chrysler and Sprint on the fix. On Friday, July 24, Chrysler announced a recall of approximately 1.3 million vehicles, including the 2015 model year Dodge Ram pickup, Dodge Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs. However, rather than returning vehicles to the dealer for maintenance, the recall will involve a USB drive being sent to owners by mail, which will patch the vulnerability when inserted in the vehicle.

The article and demonstration also brought attention to new legislation introduced by Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-CT) on July 21. Five months ago, Sen. Markey released a report entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” based on responses he had received from sixteen major automobile manufacturers, prompted by letters from Markey. The new bill, cited as the “Security and Privacy in Your Car Act of 2015” (or “SPY Car Act of 2015”), would require that all vehicles manufactured two years after the enactment of corresponding regulations must adhere to certain cybersecurity standards, including but not limited to equipping “[a]ll entry points to the electronic systems of each motor vehicle manufactured for sale in the United States … with reasonable measures to protect against hacking attacks” and incorporating “isolation measures to separate critical software systems from noncritical software systems.” The bill would also require that all data collected by the vehicle must be “reasonably secured” to prevent unauthorized access while the data is stored onboard, in transit, and in any remote storage or use. In addition, vehicles must be equipped with capabilities to “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” Any manufacturer not in compliance may be held liable for a civil penalty of up to $5,000 per violation.

The bill would also call on the National Highway Safety and Transportation Administration (NHTSA) and the Federal Trade Commission (FTC) to create a new set of regulations manufacturers would be required to adopt in order to comply with the law. The FTC, which released a report in January 2015 entitled “Internet of Things: Privacy & Security in a Connected World,” addressed the issue of connected vehicles and the potential risks posed if an attacker were able to remotely access a vehicle’s controls through its telematics system, similar to the attack carried out by Miller and Valasek. The FTC recommended certain best practices related to all IoT devices (including connected vehicles), promoting “security by design” (making security and privacy priorities in the design phase rather than post-market features) and continued monitoring (and, where feasible, patching) of devices by manufacturers throughout their life cycle. Against this backdrop, it remains to be seen whether these recommended best practices will be incorporated into the SPY Car Act’s regulatory requirements if the bill becomes law.

In another disclosure in advance of the Black Hat USA and DefCon conferences next week, Israeli enterprise mobile security company Zimperium zLabs revealed on Monday, July 27, a vulnerability that could expose up to 95% of all Android smartphones to control by a remote attacker, all from a single text message. To put this in perspective, as many as 950 million Android phones may be susceptible to this disclosed exploit. The vulnerability, nicknamed “Stagefright,” allows an attacker to embed a virus within a video file, which is then sent to the device via MMS, executing without any interaction from the device’s owner. The vulnerability would also allow the attacker to erase their trail, deleting the infected message before it can be viewed by the user. The only information necessary to launch the attack is the victim’s cell phone number. There are potential temporary fixes being disclosed online, including changing your device’s settings to prevent auto-retrieval of MMS messages, allowing users to screen messages before downloading.

The full details of the vulnerability will be disclosed in a briefing at Black Hat, but Zimperium had already shared details of the bug with Google in April in order to give the company sufficient time to remedy the flaw and distribute a patch to its partners. Google responded promptly and has already distributed the patches to manufacturers, but is now waiting on manufacturers to distribute the patches to their customers. However, because the Android OS has been modified by so many manufacturers, resulting in a fragmented kaleidoscope of slightly-varied mobile operating systems, there is no single readily-accessible unified fix for all Android devices. One concern expressed among the information security community is that manufacturers may not move quickly to distribute patches, particularly for legacy devices no longer on the market. Given the FTC’s promoted best practice of monitoring and supporting legacy devices after the product is released to the market, it remains to be seen how quickly Android phone manufacturers release the patch to their users.

Google v. Oracle Headed Back Down

Among the many high-profile cases dealt with in its latest term, the Supreme Court denied Google’s petition for writ of certiorari in the case of Oracle America, Inc. v. Google, Inc., 750 F.3d 1339 (Fed. Cir. 2014).

Oracle’s predecessor in interest, Sun, conceived the idea to write a number of ready-to-use Java programs to perform common computer functions and to organize those programs into groups or “packages.” These packages allow programmers to use the pre-written code to build certain functions into their own programs, rather than write their own code to perform those functions from scratch. The idea was to create shortcuts for programmers. The actual Java “application programming interface” (“API”) packages, 37 of which were at issue in the Oracle v. Google case, each consist of two types of “source” code – declaring code and implementing code. The declaring code is the “expression that identifies the prewritten function” and “commands the computer to execute the associated implementing code. The implementing code gives the computer the step-by-step instructions for carrying out the declared function.” In addition, the Java API packages have a (three-dimensional) specific structure, sequence and organization.
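To make the court’s distinction concrete, here is an added illustration written for this page; it is not code from the Java API, from Oracle, or from Google, and the package, class and method names are invented. The method signatures are the “declaring code” (what a caller needs in order to invoke the function by name), the method bodies are the “implementing code” (the step-by-step instructions), and the arrangement of methods into classes and packages is the “structure, sequence and organization” the opinion refers to.

```java
// Added illustration only; hypothetical package and class names.
// The "package" line is the top level of the taxonomy described in the opinion.
package com.example.text;

public final class Strings {            // "class" level of the taxonomy

    private Strings() {}                // utility class: no instances

    // --- Declaring code ---------------------------------------------------
    // This signature is the "expression that identifies the prewritten
    // function": its name, parameter types and return type. A caller needs
    // only this line to invoke the function as Strings.repeat("ab", 3).
    public static String repeat(String s, int times) {
        // --- Implementing code ------------------------------------------
        // Step-by-step instructions that carry out the declared function.
        // Many different bodies could sit under the same declaring line;
        // this is just one of them.
        if (s == null) {
            throw new IllegalArgumentException("s must not be null");
        }
        if (times < 0) {
            throw new IllegalArgumentException("times must be >= 0");
        }
        StringBuilder sb = new StringBuilder(s.length() * times);
        for (int i = 0; i < times; i++) {
            sb.append(s);
        }
        return sb.toString();
    }

    // A second declaring line in the same class. Which functions are grouped
    // into which classes and packages, and in what order, is the
    // "structure, sequence and organization" at issue in the case.
    public static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }
}
```

A program compiled against the declaring lines alone (`Strings.repeat`, `Strings.isBlank`) will run against any class that keeps those same names and signatures, whatever the bodies contain. That is why a platform that copies the declaring code verbatim but writes its own bodies can run existing programs that call those names, which is the interoperability point the trial court relied on and the court of appeals addressed on remand.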

Much of the industry discussion regarding this case revolves around the role played by APIs in smart phones and cloud computing. However, Oracle offers three different licenses for the Java API packages. Of these, the “General Public License” is free and provides that the licensee can use the packages – both the declaring and implementing code – but must “contribute back” its innovations to the public — an “open source” license. However, Google refused to agree to contribute back any of the new code that would be written. Therefore, Google decided to use the Java programming language to design its own virtual machine and to write its own implementation code for the functions in the Java API that were key to mobile devices, resulting in the Android platform, which grew to include 168 API packages – 37 of which correspond to the Java API packages at issue. With regard to these 37 packages, “Google believed Java application programmers would want to find the same 37 sets of functionality in the new Android system callable by the same names as used in Java.” To achieve this result, Google copied the declaring source code from these 37 packages verbatim, inserting that code into part of its Android software. In doing so, Google also copied “the elaborately organized taxonomy” of all the names of methods, classes, interfaces, and packages, that is, Google also duplicated the “structure, sequence and organization” of the 37 packages.

Google argued, and the trial court had held, that the replicated elements of the packages were not copyrightable because “there is only one way to write” the declaring code, and therefore the “merger” doctrine barred anyone from claiming copyright ownership. Further, the trial court held that the declaring code was not protectable because “names and short phrases cannot be copyrighted.” With regard to the overall structure of the Java API packages, the trial court had found that because it is a “command structure, a system or method of operation” to carry out pre-assigned functions, it was not entitled to copyright protection.

The court of appeals rejected all of these arguments, reversed on the copyrightability issue and remanded on the issue of fair use. With regard to the declaring source code, the court held that the merger doctrine only applies when there are a limited number of ways to express an idea, so that the idea is said to “merge” with its expression. The court noted that, under Ninth Circuit law, the doctrine of merger is an affirmative defense to infringement, not an element of copyrightability. In addition, the court rejected application of merger to the case because, in the Android declaring code, the method and class names “could have been different from the names of their counterparts in Java and still have worked.” Further, the trial court had erred by focusing its merger analysis on the options available to Google at the time of copying, whereas copyrightability is to be evaluated at the time of creation, not at the time of infringement.

The court of appeals then quickly disposed of the “short phrases” argument by noting that while “words and short phrases such as names, titles and slogans” are not subject to copyright protection, the question is whether “those phrases are used creatively.” The court analogized to the opening paragraphs of “A Tale of Two Cities,” which is nothing but a string of short phrases. Oracle was not seeking copyright protection for a specific short phrase or work, but for 7,000 lines of declaring code. The court similarly dismissed Google’s claim that the declaring code it copied fell within the “scenes-a-faire” doctrine because they are “standard, stock, or common to a topic.” Essentially, Google’s argument here is that “because programmers have become accustomed to and comfortable with using the groupings in the Java API packages, those groupings are so commonplace as to be indispensable to the expression of an acceptable programming platform.”

The court again noted that the analysis must be on the external factors that dictated “Sun’s selection of classes, methods and code – not upon what Google encountered at the time it chose to copy those groupings and that code.” The court’s analysis of this “non-literal” aspect of Oracle’s claimed copyright – the structure, sequence and organization of the API packages — is more complex and reveals a circuit split. The trial court had relied upon Lotus Development Corp. v. Borland Int’l, Inc., 49 F.3d 807 (1st Cir. 1995), aff’d without opinion by equally divided court, 516 U.S. 233 (1996), to hold that the Java API packages were a “method of operation” and therefore not copyrightable. In addition to distinguishing Lotus on its facts, the court noted that the Ninth Circuit has reached the exact opposite conclusion, finding that copyright protects the expression of a process or method. Id. at 19. Rather, the Ninth Circuit uses the Second Circuit’s “abstraction-filtration-comparison” analysis when assessing whether the non-literal elements of a computer program constitute protectable expression. Indeed, no other circuit follows the First Circuit in this regard.

The court also reversed the trial court’s finding that, in order for at least some of the Java code to run on Android, Google was required to provide the same command system using the same names, taxonomy and functional specifications. The trial court had held “Google replicated what was necessary to achieve a degree of interoperability but no more, taking care to provide its own implementations.” However, the cases relied upon by the trial court involved copying in order to reverse-engineer, that is, in order to understand the functional aspects of the copyrighted works, after which the defendants created new products that would work with them. Indeed, Google designed Android so that it would not be compatible with the Java platform.

The court of appeals finally remanded on the defense of fair use, holding that, even under a correct reading of the law, there were fact issues on the fair use factors, particularly whether Google’s use was necessary to work within a language that had become an industry standard. Now that the Supreme Court has denied cert, we may expect to see several years of litigation, doubtless followed by further appeals, on whether Google’s use of the APIs was “fair.” Both Google and Oracle have publicly stated that they are committed to the litigation, and the stakes could hardly be higher.

If You Want Coverage for a Data Breach, You Need Cyber Liability Insurance

The Connecticut Supreme Court recently issued an opinion which provides further confirmation that commercial general liability (CGL) policies do not apply to provide coverage for most data breaches. In the case of Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 317 Conn. 46 (2015), the court affirmed the judgment of the Appellate Court that there was no coverage available under the “personal injury” coverage of the CGL policy issued by Federal Insurance Company (Federal) and the umbrella liability policy issued by Scottsdale Insurance Company (Scottsdale). The relevant provisions in the umbrella liability policy were identical, in relevant part, to those in the CGL policy.

Factual Background

The circumstances resulting in the data breach are somewhat unusual. In October 2003, Recall Total Information Management, Inc. (Recall) entered into a vital records storage agreement with International Business Machines (IBM) whereby Recall agreed to transport and store various electronic media belonging to IBM. Recall then sub-contracted the transportation services to Executive Logistics, Inc. (Ex Log). Under the subcontract, Ex Log was required to name Recall as an additional insured on its CGL and umbrella liability policies.

On February 23, 2007, Ex Log dispatched a transport van to move computer tapes from an IBM facility in New York to another location. During transport, a cart containing the tapes fell out of the back of the van near a highway exit ramp. The parties agreed that approximately 130 of the tapes were removed from the roadside by an unknown person and never recovered. The lost tapes contained employment data for approximately 500,000 past and present IBM employees. The information included social security numbers, birthdates and contact information.

After being notified that the tapes had been lost, IBM immediately took steps to prevent harm from any dissemination of the personal information. The steps included notification to potentially affected employees and the establishment of a call center to answer inquiries regarding the lost data. IBM also provided the potentially affected employees with one year of credit monitoring to protect against identity theft. IBM claimed more than $6,000,000 in mitigation costs.

Recall settled IBM’s claim for mitigation costs, and then sought indemnification from Ex Log. Ex Log sought coverage under its policies for the indemnification claim, which was denied. Following the denial of coverage, Recall and Ex Log entered into a settlement in which Ex Log signed a promissory note in favor of Recall for $6,419,409.79 and assigned all of its rights under the policies to Recall. Recall then filed suit against Federal and Scottsdale, asserting several claims including breach of contract. The trial court granted the carriers’ motions for summary judgment, concluding that the losses were not covered under either the “property damage” or “personal injury” provisions of the policies.

No “Property Damage”

Recall chose not to appeal the trial court’s decision that the loss of the tapes was not “property damage.”  The trial court concluded that the lost data was intangible property, which was expressly excluded from coverage. Most CGL policies issued after 2001 specifically provide that “electronic data is not tangible property.” See ISO Form No. CG 00 01 10 01.

No “Personal Injury”

However, Recall did appeal the trial court’s decision that the loss of the tapes did not constitute a “personal injury.”  The policies define “personal injury” to include “injury, other than bodily injury, property damage or advertising injury, caused by an offense of…electronic, oral, written or other publication of material that…violates a person’s right of privacy.” Recall Total Info. Mgmnt. v. Federal Ins. Co., 147 Conn. App. 450, 462 (Conn. App. Ct. 2014). Recall alleged that this provision was satisfied because “[b]y virtue of the loss and theft of the IBM tapes…the personal information that was stored on the tapes, including social security information and other private data, has been published to the thief and/or other persons unknown…thereby subjecting [Recall] to potential claims and liability…including liability for the cost of notifying the persons whose data was lost and for providing credit monitoring services to persons who requested it.” Id.

The Appellate Court found that the dispositive issue was whether the information contained on the tapes had been published. 147 Conn. App. at 462. The Appellate Court further found that, regardless of the precise definition of publication, access is a necessary prerequisite to the communication or disclosure of personal information. Id. at 463. The Appellate Court took notice of evidence that the lost tapes were not of the type that could be read by a personal computer. Id. The Appellate Court further pointed to the complete lack of facts in the record suggesting that the personal information was actually accessed by someone. Id. at 462. Accordingly, it held that Recall’s settlement with IBM was not covered under the “personal injury” provisions of the policies because there was no evidence of publication of the data. Id. at 463.

The decision of the Connecticut Supreme Court is the most recent in which a court has determined that the “publication” requirement for “personal injury” coverage is not met under the circumstances of a data breach. In the case of Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014), the court held that coverage was not triggered where the “publication” was not an intentional act committed by the insured, but instead was the result of a criminal act of a third-party hacker. While these courts have focused on different aspects of the “publication” requirement, the end results are in line with the generally accepted principle that the CGL policy is not intended to provide cyber liability coverage. This intent is reflected in a set of exclusions issued by the Insurance Services Office (ISO) in May 2014 that bar coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” The message is clear that cyber liability insurance is a necessary part of any business’s insurance portfolio.

Uber Privacy Policy Challenged by EPIC Letter to FTC

On Monday, the Electronic Privacy Information Center (EPIC) filed a complaint urging the Federal Trade Commission (FTC) to investigate Uber Technologies Inc.’s business practices, and in particular, its new privacy policy, which goes into effect July 15. Although Uber described its new policy as an attempt to clarify its existing terms, while also providing for “potential new use cases,” the complaint claims that Uber’s updated privacy policy is an unlawful and deceptive trade practice.

Among other things, the complaint asks the FTC to halt Uber’s collection of user location data when it is unnecessary to provide a service; to halt Uber’s collection of user contact list information; and to require that ride information be deleted once the ride is completed.

Uber announced its new privacy policy in a blog post on May 28, explaining that its privacy counsel from Hogan Lovells LLP had reviewed the company’s privacy practices and recommended simplifying the privacy policy. “In the interest of transparency,” however, the post also described “potential new use cases” that would be permitted under the new policy.

EPIC’s complaint is centered on two of these new uses. First, Uber’s new policy would allow the app to track users’ locations when the app is running in the background, which Uber explained would help “get people on their way more quickly.” Second, the policy would allow Uber to access users’ contact lists and send promotional messages to users’ friends and family.

The new policy states:

• Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

• Contacts Information: If you permit the Uber app to access the address book on your device through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and for other purposes described in this Statement or at the time of consent or collection.

For both the tracking and the promotional features, the post promises that “users will be in control: they will be able to choose whether to share the data with Uber.” Citing this language, EPIC has alleged that Uber has deceptively reassured customers that they would be in control of their data when the update policy actually deprives them of that control.

According to EPIC’s complaint, while iOS users can disable contact syncing by changing the contacts permission in their phone settings, the Android mobile platform at the time offered no comparable per-app setting. Similarly, the Android platform did not allow users to modify location settings for individual apps, so a user who wanted to bar Uber from tracking location while the app ran in the background would have had to turn off location data for all apps. Uber has said, however, that it will notify customers before it begins tracking their location in the background, so that they have the option of opting out. The complaint also says that by sending unsolicited texts to customers and to people on their contact lists, Uber may be violating the Telephone Consumer Protection Act (TCPA).

The policy explains:

IMPORTANT INFORMATION ABOUT PLATFORM PERMISSIONS
Most mobile platforms (iOS, Android, etc.) have defined certain types of device data that apps cannot access without your consent. And these platforms have different permission systems for obtaining your consent. The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent…

Additionally, even when a customer has opted out of tracking, the revised policy would allow Uber to track customers based on their IP addresses. According to the complaint, this is an unfair business practice because users are not given the option of opting out of this kind of tracking.

Once the new policy takes effect, Uber will be able to collect and store various information about its users, including: location data, contact information, transaction information, usage and preference information, device information and information regarding calls and messages between riders and drivers. Notably, Uber is not unique in accessing this kind of data—it is common, for example, for apps to track customers’ locations based on their IP addresses. Because apps in many industries regularly access the kinds of data being used by Uber, and because of the current lack of regulations in this area, any action that the FTC may decide to take will likely have effects extending outside of the rideshare industry.

The FTC has not yet indicated whether it is investigating Uber’s practices. That said, the Commission has shown an increased interest in privacy issues surrounding peer-to-peer businesses. Earlier this month, for example, the Commission hosted a workshop entitled “The Sharing Economy,” which examined competition, consumer protection and economic issues arising in the sharing economy and considered whether and how existing regulatory frameworks can be responsive to sharing economy business models while maintaining appropriate consumer protections.

The Buck Stops Here: CEOs Held Most Accountable by Directors for Major Data Breaches

According to a recent joint survey of nearly 200 directors of public companies by the New York Stock Exchange and Veracode, CEOs are most likely to be held responsible in the event of a major data breach, ahead of the chief information officer (CIO), chief information security officer (CISO), and board members themselves. This trend appears to recognize the critical role of top level management in ensuring that cyber security is made an enterprise-wide priority and that sufficient resources are being allocated to address potential vulnerabilities before a breach occurs.

Over 78% of the directors surveyed by the NYSE were outside directors serving on one to three boards across a range of industries, including financial services, technology, and healthcare. Although more than 80% of the respondents stated that cyber security matters are discussed at nearly every meeting, 66% responded that they were less than confident in their company’s ability to secure against cyberattacks. One particularly alarming response was that 20% indicated that cyber security was only discussed after either an internal incident or an incident within the same industry.

This reactive response is also reflected in the priorities associated with new technology-based products and services. Security risks were ranked 4th in the list of top concerns for new products and services, behind revenue potential, competitive differentiation, and development costs. Part of the problem is that directors perceive enhanced security as detrimental to customer perception of their products. As one director commented, “The more you increase security, the less user friendly” the product or service becomes. However, in the event of a breach of security, directors identified “brand damage due to customer loss” as their primary fear, ahead of the cost of responding to a breach and the loss of competitive advantage due to disclosure of strategic plans or proprietary designs. This is indicative of the critical balancing act companies face when pushing the boundaries of innovation: they need a product secure enough that customers feel safe using it, while at the same time keeping security features unobtrusive enough not to degrade the customer’s experience.

Although directors are becoming increasingly aware of the threats and consequences of cyberattacks, the survey also illustrates a knowledge gap between directors and the product design process. More than two-thirds of the directors believed that most or all of their web and mobile applications had been evaluated for potential cyber security vulnerabilities before being made available to customers; however, separate studies by SANS and IDG Research have indicated that a majority of enterprise software applications are never assessed for vulnerabilities (possibly as high as 62% according to IDG Research).

As reports surface of major breaches traced to third-party vendors, 72% of responding directors indicated that they were concerned or very concerned about the risk of third-party software. However, the potential risks extend beyond software vulnerabilities and also encompass the internal security processes of vendors who are given access to a company’s networks, as in the case of the HVAC provider whose stolen network credentials allegedly resulted in the initial intrusion at Target. One director in the survey expressed concern with a company’s “inability to know whether customers and suppliers who use our systems have adequately secured their own access points.”

While the report drew attention to the threat faced by CEOs who do not adequately address cyber security threats, it also emphasized the importance of qualified CISOs capable of managing and communicating cyber security information to directors and management. In addition to technical skills and experience, directors also stated that business acumen and strong communication skills were key qualities they look for in a CISO. In order to communicate effectively with board members, respondents stated that CISOs should discuss cyber security in terms of high-level security strategy descriptions and risk metrics, rather than overly detailed technical descriptions.

Ultimately, boards of directors and management are recognizing that executive-level commitment and sufficient allocation of resources are critical for a mature cyber security program. As enterprises re-assess their own information security capabilities and communicate their expectations to third-party vendors, CISOs are being called upon to assume greater business responsibility and engage in aspects of the business outside of the traditional IT functions. This will involve a change in traditional business methodologies, emphasizing security and privacy-by-design principles, increasing supply chain oversight, and facilitating effective communication among management so that all key players are capable of making informed decisions over the cyber security matters for which they will ultimately be held responsible.
