Sedgwick Cybersecurity and Privacy Chair John Stephens Published on Cyberextortion and Ransomware

John Stephens, Sedgwick partner and head of the firm’s Cybersecurity and Privacy Practice Group, has published an article in Corporate Counsel entitled “The Rise of Cyber-Extortion, and How to Fight Back” (Corporate Counsel, 9-23-15).

He was also recently published in the National Law Journal for his article “When Hackers Take Your Digital Data Hostage” (The National Law Journal, 10-5-15).

Congratulations John and thank you for your contributions to the field of cybersecurity!

California AG Sends Strong Message to Live Up to Privacy Promises or Face Multi-Million Dollar Consequences

A California state court on September 17, 2015 approved a $33 million settlement between the California Attorney General (“AG”), the California Public Utilities Commission (“PUC”) and Comcast for Comcast’s failure to live up to its promise not to disclose customers’ information when those customers paid for a non-published telephone number. This settlement illustrates the AG’s office’s efforts to come down hard on businesses that do not live up to their privacy promises.

The AG’s office filed a complaint against Comcast charging it with false advertising and unfair business practices, as well as violation of the Public Utilities Code. Comcast charged its customers $1.50 per month to obtain a non-published, non-listed telephone number which would not be posted in online directories, phone books, or directory assistance. The AG claimed Comcast permitted the non-published, non-listed numbers of its California customers to be made available for publishing when Comcast made a system-wide account number change in late 2009. According to the AG, from July 2010 through December 2012, 75,000 Comcast customers who had paid the monthly fee for a non-published, non-listed number had their information published with a vendor, in a phone book, or made available by a directory assistance provider.

Before the AG’s complaint was filed, Comcast deleted the non-published numbers from directory listings it controlled, attempted to notify all of the affected 75,000 customers, refunded the amount charged to current customers, and notified former customers how to obtain a refund. Nevertheless, the AG’s office found Comcast’s conduct objectionable to the extent that it sought and obtained an agreement to pay $33 million from Comcast, most of which goes to the California PUC and the AG’s office, with only around $8 million for direct payments to affected customers. The settlement also requires Comcast to implement compliance programs with regular audits and reporting.

The settlement with Comcast confirms the AG’s office will continue to use the false advertising and unfair and deceptive act sections of California’s Business and Professions Code to bring tough enforcement actions against businesses, even when it appears a business made significant efforts to remediate failures or mistakes relating to disclosure of the private information of its customers. This case is also notable in that the consumer information disclosed—name, telephone number, and address—is not deemed personally identifiable information under California’s breach notice law (Civ. Code § 1798.82), which subjects a business to notice obligations if such information is accessed or disclosed without authorization. These elements alone—name, telephone number, and address—are similarly not included in the definition of personal information in California’s law that requires businesses to implement and maintain reasonable security procedures and practices to protect personal information (Civ. Code § 1798.81.5). However, the AG may have taken such a tough position with Comcast because Comcast charged a fee to its customers to keep this information private, even though the disclosed data elements in this case are not normally treated specially under California law.

This case is helpful in that it provides examples of disclosures to customers, contractual provisions with vendors, and notice letters to customers that the AG approved. Modeling similar documents after those approved by the AG’s office in this case may help to reduce the sting of an enforcement action. On the other hand, this case suggests that a mistake or failure relating to disclosure of consumers’ private information will not be tolerated; it also suggests businesses should take the utmost care to ensure the private information of their customers is never disclosed, accessed, or breached, because of the incredibly expensive penalties that might ensue. The AG is certainly incentivizing businesses to implement protections of consumer information that are as close to fool-proof as possible, or conversely, not to provide strong privacy policies, so that a business does not have to face stiff fines if it fails to live up to promises relating to consumers’ information.

Sign o’ the Times: DMCA Battle Over Good Faith vs. Fair Use of Prince Song–The Ninth Circuit Rules

The interplay of fair use and the takedown provisions in the Digital Millennium Copyright Act (DMCA) has been controversial since the DMCA was signed into law in 1998. For example, citing fair use, the John McCain/Sarah Palin campaign protested CBS’ takedown notice of a campaign ad posted on YouTube that used part of a Katie Couric interview. Groups such as the Electronic Frontier Foundation (EFF) argued that political ads incorporating copyrighted material were “paradigmatic examples of fair use” in an open letter to CBS, Christian Broadcasting Network, Fox Networks and NBC Universal asking these networks to desist from issuing takedown notices of political ads. Yet, last year, Gannett sent a takedown notice on the posting of a video of an interview with Alison Lundergan Grimes trying to avoid admitting that she voted for President Obama. In a less political context, but with wide implications, this tension between fair use and copyrights is central to the ongoing battle in Lenz v. Universal Music Corp. In that case, brought on Stephanie Lenz’s behalf by the EFF, Lenz obtained a ruling in 2008 that the owner of a copyright must consider the fair use doctrine in formulating a good faith belief in connection with a takedown notice. In what it called a “case of first impression,” the court denied Universal Music’s motion to dismiss Lenz’s claim for misrepresentation under 17 U.S.C. § 512(f). Judge Jeremy Fogel refused to allow immediate appeal of this order. The Ninth Circuit opinion, largely affirming the trial court’s later denial of Universal’s motion for summary judgment, underscores these issues and illustrates the discovery/evidentiary issues parties face in litigating a DMCA misrepresentation claim with fair use implications.


If De-Elevator Tries to Bring U Down (or Ur Uploaded Video)

Lenz videotaped her young children dancing in her family’s kitchen to the song “Let’s Go Crazy” by Prince. Lenz titled the video “Let’s Go Crazy #1” and uploaded it to YouTube. The audible portion of the song includes the lyrics “C’mon baby let’s get nuts” and the song’s distinctive guitar solo. At one point in the video, Lenz asks her toddler, “Do you like the song?” Universal sent a takedown notice demanding that YouTube remove Lenz’s video from the site. YouTube removed the video the following day and sent Lenz an email notifying her that it had done so in response to Universal’s accusation of copyright infringement. Lenz responded by sending YouTube a DMCA counternotification asserting that her video constituted fair use of “Let’s Go Crazy” and thus did not infringe Universal’s copyrights. YouTube reposted the video on its website about six weeks later. (“Let’s Go Crazy #1” has now been viewed over 1 million times.) Lenz then filed suit against Universal alleging misrepresentation pursuant to 17 U.S.C. § 512(f) on the ground that Universal failed to consider “fair use” before it sent its takedown notice. Lenz alleged that Universal issued the removal notice not in “good faith,” but only to appease Prince because Prince “is notorious for his efforts to control all uses of his material on and off the Internet.”


Look 4 the Purple Banana

As it had in its motion to dismiss, Universal contended in its motion for summary judgment and on appeal that copyright owners cannot be required to evaluate the question of fair use prior to sending a takedown notice because fair use is merely an excused infringement of a copyright rather than a use authorized by the copyright owner or by law, and that even if a copyright owner were required by the DMCA to evaluate fair use with respect to allegedly infringing material, any such duty would arise only after a copyright owner receives a counternotice and considers filing suit. Universal argued that this construction of the law is compelled because fair use is a defense to an action and that Congress had not incorporated defenses into the “good faith” certification required of copyright owners. Further, Universal argued that its reading of the statute finds substantial support in Rossi v. Motion Picture Ass’n of America, Inc., 391 F.3d 1000, 1004-06 (9th Cir. 2004), cert. denied, 544 U.S. 1018 (2005), which held that Congress’ use of the term “knowingly” in § 512(f) made the test for liability for misrepresentation under the DMCA subjective, not objective. As Universal put it in its motion to certify denial of the motion to dismiss:

An inquiry into the propriety of a party’s consideration of fair use inevitably will lead to calls (as Plaintiff makes in this case) for a post hoc assessment of the reasonableness of the copyright owner’s evaluation of whether the material makes fair use of the copyright. (emphasis in original)

The district court’s order denying immediate appeal, however, stated that:

The Court did not hold that every takedown notice must be preceded by a full fair use investigation. . . . Rather, it recognized, as it has previously, that in a given case fair use may be so obvious that a copyright owner could not reasonably believe that actionable infringement was taking place. See Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195, 1204 (N.D.Cal. 2004) (emphasis added).

The district court’s use of the term “reasonable” and citation to Diebold (which Judge Fogel also wrote) are telling. Diebold had sent takedown notices aimed at removing posts of its internal emails discussing problems with its electronic voting machines. Diebold’s claims of copyright infringement were therefore directed at stifling the very discussion that made posting the emails fair use to begin with. Diebold, however, also included an objective standard as part of its test, holding that “‘knowingly’ means that a party actually knew, should have known if it acted with reasonable care or diligence, or would have had no substantial doubt had it been acting in good faith, that it was making misrepresentations.” This appears to conflict with Rossi, which holds that: “A copyright owner cannot be liable simply because an unknowing mistake is made, even if the copyright owner acted unreasonably in making the mistake.” The proper test for a “bad faith” standard under the DMCA may be the legal equivalent of the “purple banana” of Prince rock-n-roll lore (But what in hell does that mean?).


Dr. Everything’ll Be Alright (or Not)

Ultimately, following discovery, the parties filed cross-motions for summary judgment on Lenz’s § 512(f) claim. The trial court ruled, again, that the copyright holder must consider the fair use doctrine prior to sending a takedown notice, held that Lenz could proceed to trial under both the “actual knowledge” theory and the “willful blindness” doctrine, and certified its order for interlocutory appeal. The Ninth Circuit rejected Universal’s legal position that, because fair use is classified as an “affirmative defense,” it merely “excuses otherwise infringing conduct.” Rather, the court held that 17 U.S.C. § 107 created a type of noninfringing use and that fair use is therefore “authorized by law.”

The Ninth Circuit’s opinion also affirmed that Lenz presented evidence that Universal did not form any subjective belief about the video’s fair use – one way or another – because it failed to consider fair use at all, and knew that it failed to do so. Thus, a jury must decide whether Universal’s actions were sufficient to form a subjective good faith belief about the video’s fair use or lack thereof. In so holding, the opinion expressly followed the holding in Rossi to reject Lenz’s argument to impose “a subjective standard only with respect to factual beliefs and an objective standard with respect to legal determinations.” However, the opinion also cites to Diebold as an example of where a “copyright holder who pays lip service to the consideration of fair use by claiming it formed a good faith belief when there is evidence to the contrary is still subject to § 512(f) liability.”

However, though ruling that the willful blindness doctrine may be asserted in support of a § 512(f) claim as a general matter, the Ninth Circuit reversed the district court’s denial of Universal’s motion for summary judgment on willful blindness because the district court’s holding, that “Universal has not shown that it lacked a subjective belief” there was a high probability that the video constituted fair use, improperly reversed the burden on the issue. While willful blindness legally remains a ground for misrepresentation under section 107, the quantum of evidence required to overcome a defendant’s motion for summary judgment under this holding will be difficult to mount.

Under these holdings on the legal standards for DMCA misrepresentation, discovery will likely be similar to actual malice libel cases, often very extensive with the need to adduce evidence of the defendant’s “state of mind” from circumstantial evidence and the need to controvert and impeach witnesses’ proclamations to prove the case. It also seems likely that at least some cases will see the invocation of the “advice of counsel” defense, which may lead to the always disturbing image of counsel on the witness stand. Given the ongoing interplay of fair use and copyrights, copyright owners, content providers, and Internet service providers may well feel that Lenz had it mostly right: throw a kitchen dance party—just don’t invite the videographer, unless your attorney is also on the guest list.

10 Million Patients Affected by Fifth Major Healthcare Provider Data Breach of 2015

On August 5, 2015, Excellus BlueCross BlueShield discovered that information on as many as 10 million of its clients may have been exposed in a sophisticated data breach campaign dating back to December 2013. The potentially compromised data included:

  • Credit card numbers
  • Social Security numbers
  • Dates of birth
  • Mailing addresses
  • Telephone numbers
  • Member identification numbers
  • Financial account information
  • Claims information

While some of this information had been encrypted by Excellus, the attackers were able to gain administrative access to the company’s network, thereby circumventing the encryption protection by accessing decryption keys available to administrators. The company has hired Mandiant Incident Response Services of FireEye, Inc. to investigate the breach and counsel Excellus on remediation solutions. Although Excellus claims not to have yet uncovered evidence that any of the exposed data was exfiltrated, Excellus will be mailing a letter to affected parties, providing them with information about the breach and ways that they can protect themselves from identity theft. They will also be providing two years of free credit monitoring for any individuals exposed by the breach.

With this attack, Excellus becomes the fifth major health care provider to disclose a breach since the beginning of 2015. The largest was Anthem Healthcare, which affected 80 million patients, followed by Premera (11 million users), Excellus (10 million users), UCLA Health Systems (4.5 million users), and CareFirst (1.1 million users). Each of these companies has since become the target of class action lawsuits by affected individuals. For a breached company, the damages exceed the cost and potential liability posed by litigation; they also face substantial damage to their brands and reputations, incur credit monitoring costs for exposed individuals, and could be fined by the Department of Health & Human Services for violations of HIPAA’s Security Rule.

It’s no mystery why health care providers are the target of attacks – each of these entities is a repository of correlated personal data for millions of people. Whether for medical record-keeping or billing for services, providers are encouraged to document information thoroughly and retain records for a substantial (and often indefinite) period of time. To draw an analogy, if information were currency, healthcare providers are virtual “banks” – and often poorly secured “banks” at that.

Typically, when you ask a layman about HIPAA requirements, they refer to the disclosures mandated by the Privacy Rule (which governs the safeguarding of Protected Health Information by covered entities). However, in April 2003, the Department of Health & Human Services enacted the Security Rule, whereby covered entities possessing Electronic Protected Health Information (EPHI) were required to implement three categories of security safeguards: administrative, physical, and technical. For each category, the Security Rule sets forth security standards, each with its own set of “required” and “addressable” implementation specifications. While “required” specifications must be adopted and implemented strictly according to the Security Rule, “addressable” specifications are typically left to the individual covered entities to implement as they deem appropriate (subject to administrative agency review). Enforcement of the Security Rule is left to the Department of Health & Human Services, which conducts investigations and hearings on HIPAA violations and has the authority to levy civil penalties of up to $50,000 per violation, with an annual cap of $1.5 million.

While HIPAA’s Security Rule provides healthcare providers with some guidance on how to adequately secure their networks, the task is daunting to say the least. In the face of ever-mounting malpractice claims and complicated billing procedures, providers are advised to create and retain records like no other business (with the possible exception of the finance industry). However, the focus of healthcare providers is on providing high-quality medical care in as efficient and cost-effective a manner as possible. Doctors and patients are more concerned about the quality of the medical care provided than the information security safeguards deployed by the hospital’s IT department. Accordingly, in too many instances, security efforts are focused on necessary regulatory compliance rather than on implementing security best practices. In addition, technologies that can either streamline the provision of care or provide enhanced functionality are embraced before their security implications can be adequately assessed.

Take, for example, the vulnerability of connected medical devices. In June 2015, security firm TrapX released a report claiming that attackers were using unprotected medical devices in order to maintain a foothold in healthcare networks. Based on its investigation of client providers and company-sponsored analysis of common medical devices, TrapX claimed that attackers were able to infect an unmonitored PACS (Picture Archive and Communications System) radiologic imaging system with malware, which spread to a key nurse’s workstation, from which confidential hospital data was exfiltrated to China. These devices are typically not scanned by security monitoring systems and are a stable platform from which to launch attacks through the provider’s networks. In another instance, attackers infected a blood gas analyzer in a hospital laboratory and installed a “backdoor” into the network, through which they were able to harvest credentials from other network systems. These devices, connected to the hospital’s network, pose a substantial risk to the provider if they are not adequately secured.

While it is yet unknown whether vulnerable medical devices played a part in the five major healthcare provider attacks this year, the Food and Drug Administration issued a safety notice in August 2015, warning that an infusion pump used by hospitals throughout the country was vulnerable to a cyber attack. While this was the first time the FDA had issued a warning such as this, it was not the first reported incident of medical record exposure resulting from a vulnerable medical device. In March 2015, Cleveland-based MetroHealth System discovered malware and an installed “backdoor” in three computers in its cardiac catheterization lab, which had apparently infiltrated the network in July 2014. The breach affected nearly 1,000 patients, whose names, birth dates, dates of service, height, weight, and other medical record data had potentially been compromised. While the MetroHealth breach was minuscule in comparison to the five breaches listed above, each incident reveals that vulnerabilities exist, that attackers are actively seeking to breach healthcare provider networks, and that the larger the provider, the greater the risk posed to both the provider and its patients.

The Third Circuit Court of Appeals’ Wyndham Decision Gives a Green Light to the FTC to Sue Businesses for Lax Cybersecurity Practices Under the Unfairness Prong of Section 5 of the FTC Act

On August 24, 2015, the Third Circuit Court of Appeals affirmed denial of Wyndham Worldwide Corporation’s motion to dismiss the FTC’s lawsuit against it. This ruling is significant for several reasons. First, the ruling finds the FTC has the authority to regulate corporate data security practices under the unfairness prong of Section 5 of the FTC Act (“Section 5”). Second, the FTC is not required to publish regulations or rules as to what reasonable data security practices are before suing businesses for lax cybersecurity practices under the unfairness prong of Section 5.

The FTC alleged that Wyndham’s cybersecurity practices were “unfair” to consumers because Wyndham, among other things, (1) stored customers’ payment card information in unencrypted readable text, (2) permitted the use of easily-guessed passwords, (3) failed to use firewalls to limit access, (4) used out-of-date operating systems that lacked security updates for 3 years, (5) permitted servers to connect to the company’s network through default user IDs and passwords, (6) failed to maintain an accurate inventory of computers, (7) failed to adequately restrict third-party vendors’ access to the company’s network, (8) failed to use reasonable measures to detect unauthorized access or to conduct security investigations, and (9) did not follow proper incident response procedures. As a consequence, according to the FTC, Wyndham suffered 3 hacking attacks wherein payment card information for over 619,000 consumers was accessed, resulting in over $10 million in fraud loss.

The ruling confirms that the FTC is not required to provide notice of specific cybersecurity standards before suing a company for unfair practices under Section 5. The court found businesses are not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required, but are only entitled to notice of whether their conduct falls within the meaning of the FTC Act itself, not the FTC’s interpretation of the FTC Act. According to the court, businesses have fair notice that cybersecurity practices, as a general matter, can form the basis of an unfair practice, given the 2007 FTC Guidebook “Protecting Personal Information: A Guide for Business” and the cost–benefit analysis inherent in Section 5’s definition of unfair conduct. (A practice is unfair if it causes consumers injury which is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or to competition). The cost-benefit analysis for corporate cybersecurity includes the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. After the second hack of Wyndham’s systems, the court declared it should have been “painfully clear” that Wyndham’s conduct failed the cost-benefit analysis.

The court expressed skepticism during oral argument over consulting consent decrees and brochures for legal guidance, but ultimately found complaints and consent decrees in administrative cases published on the FTC’s website and in the Federal Register provided notice of what cybersecurity practices failed the cost-benefit analysis for unfair conduct under Section 5. Accordingly, businesses and their counsel should review the FTC’s brochures, complaints, and consent decrees to ensure that their data security practices meet the standards suggested by the FTC.

Another significant aspect of the Third Circuit’s ruling involves the role Wyndham’s privacy policy played, which the court found directly relevant to whether Wyndham’s conduct was unfair. One of the elements of an unfair practice under Section 5 is whether a consumer cannot reasonably avoid injury from the defendant’s conduct. The FTC persuasively argued that consumers could not reasonably avoid injury because Wyndham’s misleading privacy policy overstated its cybersecurity practices. (Wyndham’s privacy policy stated that it safeguarded its customers’ information by using “standard industry practices” and took “commercially reasonable efforts … and other appropriate safeguards.”) The Court declared that a company acts unfairly, not just deceptively, under Section 5 when it publishes a privacy policy “designed to attract customers concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, [and] exposes its unsuspecting customers to substantial financial injury…” This analysis is significant because privacy policies have long been a source of the FTC’s enforcement actions for deceptive conduct under Section 5, but now can also serve as a source of enforcement power under the unfairness prong of Section 5.

What remains unknown is how far reaching the effect of this decision will be. This ruling is only in the Third Circuit so it is possible other Circuits may disagree if faced with similar questions. In addition, the Court’s rulings involved a motion to dismiss. The Court only evaluated the sufficiency of the pleadings, taking what was alleged by the FTC as true. This means Wyndham’s ultimate liability, and the potential liability of other businesses alleged by the FTC to have unfair data security practices, is not yet known. Nonetheless, we can expect to see the FTC continuing its active enforcement activity, including unfairness grounds in the FTC’s actions against businesses for failure to reasonably secure and protect consumer information.

New York Court Refuses to Imply Private Right of Action Into Data Privacy Laws, But Allows a Negligence Claim Based on Alleged Failure to Protect Medical Data

A New York state trial court issued a recent decision that neatly demonstrates the present risk of private litigation over data privacy breaches in New York by dismissing 10 out of 11 counts in a data privacy case. In Abdale v. North Shore-Long Island Jewish Health System, Inc. (Index No. 02367/2013), class action plaintiffs alleged that a group of health care providers had failed to adequately protect their confidential medical and personal information, and had allowed their information to fall into the possession of thieves. According to their complaint, the plaintiffs’ confidential information, on both hard copy and electronic documents, was found in the possession of accused criminals as a result of the defendants’ failures. Some plaintiffs even alleged specific losses stemming from the disclosures, such as stolen tax refunds. Based on these facts, the complaint alleged a laundry list of common law and statutory causes of action:

  1. Negligence per se based upon violations of New York’s data breach notification law, General Business Law §899-aa;
  2. Negligence per se based on violations of New York’s law on patient access to their medical information, Public Health Law §18;
  3. Negligence per se based upon violations of New York’s law on the privacy of social security numbers, General Business Law §399-ddd(4);
  4. Negligence per se based on violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996);
  5. Negligence per se based on violations of the Health Information Technology for Economic and Clinical Health Act (HITECH), 42 USC §17921-53;
  6. Violations of New York’s General Business Law §349, forbidding deceptive acts and practices by businesses;
  7. Breach of contract;
  8. Breach of fiduciary duty;
  9. Negligence;
  10. Breach of the implied covenant of good faith and fair dealing; and
  11. Misrepresentation.

In analyzing the defendant medical providers’ motion to dismiss, the trial court first addressed each of the negligence per se claims and found that none of the federal or state statutes provided individual patients or consumers with a private cause of action for violations.

With respect to the consumer protection law, General Business Law §349, the Plaintiffs had alleged that defendants had failed to protect their information despite publishing privacy policies and notices asserting that they would do so. The court, however, found that the defendants’ privacy statements “do not constitute an unlimited guaranty that patient information could not be stolen or computerized data could not be hacked.” Accordingly, the court ruled that, as a matter of law, the defendants’ failure to protect their patients’ information “did not mislead the plaintiffs in any material way and does not constitute a deceptive practice within the meaning of the statute.”

The court next dismissed four out of five common law claims for failure to plead the necessary factual predicates. The Plaintiffs’ breach of contract and good faith and fair dealing claims were dismissed due to their failure to allege specific contractual relationships with the defendants and to identify specific contract terms that were breached. The Plaintiffs’ breach of fiduciary duty claim was dismissed for failure to meet the heightened pleading burden for such claims under New York law. Finally, the Plaintiffs’ misrepresentation claim was dismissed for the failure to allege, with respect to each defendant individually, a failure to disclose information about the existence of the privacy breaches despite a duty to do so.

The only claim that survived was the negligence claim, in which Plaintiffs alleged that they gave confidential information to certain of the defendants, who promised to safeguard it, but that the defendants’ employee instead stole their data and sold it to third parties. The trial court found that these allegations sufficiently stated a claim against the defendants that allegedly received the information.

Although this is just one case, the trial court’s decision suggests that New York courts are not eager to imply private causes of action into statutes that do not explicitly authorize them. On the other hand, holders of confidential information must recall that these statutes continue to be enforceable by regulators and/or prosecutors, and the court’s decision to allow the Plaintiffs’ negligence claim to continue indicates that at least this judge found that a common law tort could easily stretch to fit a business’s failure to protect confidential information.

Online Retailers Increasingly at Risk of Website Accessibility Lawsuits

Given the lack of formal guidance on website accessibility under the Americans with Disabilities Act (ADA), “www” might as well stand for the “Wild, Wild West.” Twenty-five years after the ADA was first passed, there are still no clear guidelines for how companies should make their websites accessible to disabled visitors. Plaintiffs have taken advantage of this uncertainty—and of the series of recent enforcement actions and statements of interest issued by the Department of Justice (DOJ)—by bringing a flurry of suits against retailers.

As website accessibility lawsuits continue to rise, retailers cannot afford to wait for formal guidance before taking steps to protect themselves.

Background on Accessibility Lawsuits

These cases are not new. In 2006, for example, the National Federation of the Blind brought suit against Target, claiming that the retailer violated Title III because blind people could neither access much of the information on the defendant’s website nor purchase anything from it independently. In September 2008, the parties settled for a $6 million class award; the judge later awarded $3.7 million in attorney’s fees and costs.

The more recent cases are based on the same basic premise: they claim that by failing to make their websites accessible to blind or deaf visitors, the sites violate Title III of the ADA, which imposes upon places of public accommodation an obligation to “furnish appropriate auxiliary aids and services where necessary to ensure effective communication with individuals with disabilities.” Although these lawsuits have arisen across the country, a substantial number are filed in California under both the ADA and California’s Unruh Civil Rights Act, which provides for up to $4,000 in penalties per violation.

In the last year or so, at least thirteen website accessibility lawsuits have been brought in the Central District of California alone. The vast majority of these lawsuits involve retailers and the vast majority of these cases settled almost immediately after they were filed (before filing a response or attending a case management conference).

Retailers Forced to Rely on Limited DOJ Guidance

Until recently, the only guidance in this area came from an Advance Notice of Proposed Rulemaking (ANPRM) that the DOJ issued in 2010, in which it announced that it would issue new regulations under Title III of the ADA to address the accessibility of public accommodations’ websites. The proposed rule was expected to be released this year, but has since been delayed until April 2016 (though a recent DOJ statement of interest emphasizes that there is no scheduled date for publication of a final rule). The DOJ is expected to issue specific regulations applicable to Title II ADA entities (such as universities) before then; these regulations may shed light on how the DOJ plans to approach its Title III rule.

In the absence of formal guidance, retailers should look to a series of recent DOJ consent decrees and statements of interest for direction on how to comply with the ADA. In general, the DOJ has recognized the W3C Web Content Accessibility Guidelines 2.0 (“WCAG 2.0”) as a standard for compliance. WCAG 2.0 calls for companies to:

  • Provide text alternatives for non-text content;
  • Provide captions and other alternatives for multimedia;
  • Create content that can be presented in different ways, including by assistive technologies, without losing meaning;
  • Make it easier for users to see and hear content;
  • Make all functionality available from a keyboard;
  • Give users enough time to read and use content;
  • Not use content that causes seizures;
  • Help users navigate and find content;
  • Make text readable and understandable;
  • Make content appear and operate in predictable ways;
  • Help users avoid and correct mistakes; and
  • Maximize compatibility with current and future user tools.

Under the WCAG 2.0, there are three levels (A, AA, and AAA) that a company can attain, based on how successfully it meets the standards. Last year, the Department of Transportation adopted WCAG 2.0 Level AA as the legal standard that governs the websites of airline carriers under the Air Carrier Access Act.

The DOJ first published guidance on website accessibility in March 2015 as part of its legal agreement with H&R Block. The DOJ had alleged that H&R Block violated the ADA by denying disabled individuals full and equal enjoyment of online and mobile tax-preparation materials and services. In the consent decree, the DOJ called on H&R Block to meet many of the WCAG 2.0 standards, including using captions, text alternatives, audio descriptions, and other mechanisms to make the website more accessible. Additionally, the agreement imposed a series of administrative requirements. H&R Block agreed to:

  • Appoint a Web Accessibility Coordinator reporting directly to the Chief Information Officer, who will provide regular reports about the Web Accessibility Program;
  • Establish a Web Accessibility Committee;
  • Adopt a Web Accessibility Policy;
  • Maintain a disabled-accessible mechanism for website visitors to provide comments, recommendations, and questions regarding accessibility of the website;
  • Implement procedures to provide customer assistance to disabled customers;
  • Train employees responsible for website content on accessibility requirements;
  • Test all web content for accessibility before it is put into production; and
  • Retain a third-party accessibility consultant.

Additionally, in November 2014, the DOJ announced that it had entered into a settlement agreement with America’s leading Internet grocer, Peapod LLC and Ahold U.S.A. Inc. The DOJ alleged that Peapod’s website was not accessible to people with visual or hearing impairments. Peapod agreed to ensure that its website and mobile applications conform to the Web Content Accessibility Guidelines 2.0 Level AA Success Criteria (WCAG 2.0 AA), and to follow many of the administrative remedies laid out in the H&R Block settlement.

The Question of Equivalent Alternatives

Unfortunately for retailers, it is currently unclear whether a company can meet its obligations under the ADA by offering users an alternate way to access the information and services made available on its website.

For years, retailers took comfort in the 2010 ANPRM’s suggestion that a website does not necessarily have to be accessible, as long as the company offers an equivalent alternative way to access the goods and services made available on the website. It explained:

[C]overed entities with inaccessible websites may comply with the ADA’s requirement for access by providing an accessible alternative, such as a staffed telephone line, for individuals to access the information, goods, and services of their website. In order for an entity to meet its legal obligation under the ADA, an entity’s alternative must provide an equal degree of access in terms of hours of operations and range of information, options, and services available. For example, a department store that has an inaccessible website that allows customers to access their credit accounts 24 hours a day, 7 days a week in order to review their statements and make payments would need to provide access to the same information and provide the same payment options in its accessible alternative.

On June 25, 2015, the DOJ seemed to shift position in cases against Harvard and MIT filed by the National Association of the Deaf. These cases alleged that the universities failed to caption online video content, and thus violated the ADA and Section 504 of the Rehabilitation Act. The universities argued both that the cases should be dismissed because neither statute applies to websites, and that the DOJ should wait for the web regulations to take effect. In its “statements of interest” in both cases, the DOJ explained that the 2010 ANPRM was issued to offer guidance to covered entities on how to meet their “pre-existing obligations” to make their websites accessible. This suggests that companies are responsible for making their websites accessible, regardless of whether they can provide an equal degree of access through other means.

In light of these statements of interest, retailers should no longer assume that they are not responsible for making their websites accessible.

Websites Not Associated with a Physical Location

Another area of uncertainty is whether a website is subject to the ADA if it does not have a nexus to any physical place of public accommodation.

In April 2015, the Ninth Circuit in Earll v. eBay Inc. became the first Circuit Court to address this issue, holding that a nexus is required. In simple terms, this means that web-only businesses are not places of public accommodation under Title III.

Although no other Circuit has reached this precise issue, the Third and Sixth Circuits have each held that Title III does not apply where there is not a sufficient connection between the discrimination the plaintiffs alleged and a physical place. In both cases, the courts found that a long-term disability plan by an employer and administered by an insurance company does not fall within the purview of Title III; because the plaintiffs in both cases received disability benefits through their employment, the courts found that they did not have a connection to their insurance company’s office and thus were not discriminated against in connection with a public accommodation.

The Eleventh Circuit has interpreted Title III somewhat more broadly, finding that it covers both tangible barriers (such as those that prevent a disabled person from entering a building) and intangible barriers to a physical place (such as eligibility requirements or discriminatory policies).

Conversely, the First and Seventh Circuits have found that Title III applies even in the absence of some connection to a physical place.[1] Similarly, the Second Circuit has expressed that Title III “is not only obligated by the statute to provide disabled persons with physical access,” but has not yet considered a case in which a defendant operated no physical space open to the public but nevertheless provided goods or services to the public.

Both the District of Massachusetts and the District of Vermont have found that Title III covers entities providing exclusively web-based services to the public. In both cases, the courts explained that “excluding businesses that sell services through the Internet from the ADA would ‘run afoul of the purposes of the ADA and would severely frustrate Congress’s intent that individuals with disabilities fully enjoy the goods, services, privileges, and advantages available indiscriminately to other members of the general public.’”


Until more formal or specific guidance becomes available, retailers should evaluate their websites under the WCAG 2.0 Guidelines, and make any necessary changes as soon as possible. Given the lack of clarity, companies should also consult with counsel with expertise in this area to explore what other changes they should consider to protect themselves.

[1] Carparts Distrib. Ctr., Inc. v. Auto. Wholesalers Assn. of New England, 37 F.3d 12, 19 (1st Cir. 1994); Doe v. Mutual of Omaha Ins. Co., 179 F.3d 557, 559 (7th Cir. 1999); Morgan v. Joint Admin. Bd., Ret. Plan of the Pillsbury Co. and Am. Fed’n of Grain Millers, AFLCIO-CLC, 268 F.3d 456, 459 (7th Cir. 2001).

Second Wave of Auto-Renew Lawsuits Makes Business Model Risky

In the past several years, subscription-based product and service providers have emerged in almost every sector. People are buying baby supplies, razors, groceries and cloud space by using a model once reserved for magazines. For a monthly fee, startups also offer services such as transportation, personal assistance, and dress rentals — as companies continue to thrive using the monthly subscription model, more startups continue to launch.

Although subscription-based services can benefit consumers by offering simplicity and lower prices, legal issues emerge when customers claim that they did not knowingly agree to continue paying for future products or services. In the past several months, these customers have filed several class action lawsuits against retailers of all kinds, pursuant to both state and federal laws.

Automatic Renewal Laws

To date, at least 16 states have enacted statutes regulating automatic renewals to varying degrees.[1] While these statutes vary in strictness, they generally require companies to disclose automatic renewal policies in a clear and conspicuous manner. Additionally, some statutes require companies to obtain customers’ affirmative consent before charging a credit card, and to disclose how to cancel the subscription and avoid future recurring payments.

Not surprisingly, California’s Automatic Renewal Law (ARL), California Business and Professions Code § 17600, et seq., is perhaps the strictest state statute. The ARL prohibits retailers from charging consumers’ credit cards, debit cards or bank accounts for ongoing orders without their explicit consent. Under the law, businesses that automatically renew customers’ orders must state the automatic renewal or continuous service offer terms in a “clear and conspicuous” manner before the order is finalized; this means that the terms must be in a larger or contrasting type that “clearly calls attention to the language,” and that the disclosure must be made before and in immediate proximity to the signature line or online authorization button. Before charging a customer, a company must obtain her “affirmative consent” to the renewal policy. Additionally, businesses must provide customers with a copy of their terms, including information on how to cancel the subscription. The law applies to contracts entered into by any California resident, regardless of where the company is located. Since the ARL took effect in December 2010, at least 11 class action lawsuits targeting companies’ automatic renewal practices have been filed, several of which have already been voluntarily dismissed.

In January 2015, New York introduced legislation similar to the California law (NY Senate Bill 40), which would require customers’ express consent before charging them for a renewal. This new bill would be much stricter than New York’s current law regulating automatic renewal offers. Other states with fairly strict statutes include Connecticut, Oregon, Illinois, Georgia, and Florida.

Renewed Interest in Auto-Renew Actions

This is not the first time that retailers have been sued pursuant to the ARL or other auto-renew laws. In 2013, a series of class action lawsuits targeted the automatic renewal policies of popular music and video streaming companies. The plaintiffs in each of these cases claimed that the company failed to clearly and conspicuously disclose that they would charge the customer a recurring payment, either after an initial payment or after a free trial expired. Almost all of these suits were brought in California and reached confidential settlements soon after they were filed.

A second wave of these suits began this past December 2014, weeks after Sirius XM agreed to a $3.8 million settlement in a case brought by 45 states and the District of Columbia. Since then, actions have been filed against SeaWorld, Birchbox (subscription beauty service), LifeLock (identity theft protection provider), AAA (roadside assistance provider), Blizzard Entertainment (producers of the online role-playing game World of Warcraft), Tinder (dating app), and Blue Apron (food delivery app). This list of companies is markedly different from those in the first wave: In addition to expanding outside the music and video streaming context, the Plaintiffs’ bar has shown its willingness to bring actions against startups like Birchbox and Tinder. As more companies adopt subscription-based business models, it is almost certain that these actions will continue to arise.

In the first Tinder lawsuit, filed in late April 2015 in the Central District of California, the plaintiff alleges that when the dating app transitioned from being a free service to charging a monthly fee, it failed to clearly and conspicuously disclose that its subscription would automatically renew each month. This action was voluntarily dismissed on July 21, 2015. In late May 2015, two additional cases were filed against Tinder in San Luis Obispo County and Los Angeles County Superior Courts.

In early March 2015, two cases were filed in the Southern District of California against startup Birchbox, which delivers beauty products each month to its subscriber customers. The two cases were consolidated on April 30, 2015 and the plaintiff filed an amended complaint for the consolidated action on May 14, 2015. Both plaintiffs purchased subscriptions from the startup (one of their original complaints explains that the service appeared in the plaintiff’s shopping cart as “Women’s Rebillable Monthly Subscription”). Despite the seemingly transparent name of the subscription, however, plaintiffs claim that Birchbox violated the ARL and California’s Unfair Competition Law by failing to clearly and conspicuously disclose or obtain customers’ consent to the service’s automatic renewal and continuous service terms. In their amended complaint, the plaintiffs claim that the terms should have been “in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks,” and included during the check-out process (instead, they were included in the website’s “Terms and Conditions” section). The parties are scheduled to attend mediation on September 16, 2015, and the case is stayed pending that mediation until October 1, 2015.

The most recent of these suits was filed in June 2015 against Blue Apron, and was removed to federal court on July 21, 2015. Similar to the Tinder and Birchbox cases, the complaint alleges that the cooking ingredient delivery app violated the ARL by failing to present its automatic renewal terms in a clear and conspicuous manner, charging consumers for continuous service without their consent, and failing to provide information on how to cancel the subscription.

In March 2015, the Middle District of Florida refused to dismiss the case brought against SeaWorld, which claims that SeaWorld breached its payment plan contract by automatically renewing and charging customers for annual passes to its parks for the upcoming year without their consent and before the current 12-month period ends. The parties attended mediation on May 11, 2015, but were unable to reach an agreement. In late June 2015, the court set the jury trial for March 2017.

The cases against AAA, LifeLock, and Blizzard have each already been voluntarily dismissed.

Federal Enforcement

In addition to being subject to state auto-renewal laws, all companies are subject to the Federal Trade Commission Act, 15 U.S.C. § 41, et seq., which requires businesses to honestly and clearly disclose their auto-renewal policies.

Since 2011, the FTC has filed suits in Nevada, Maryland, and Washington against companies for unfair or deceptive business practices related to their automatic renewal policies. The most recent suit was brought against DIRECTV in March 2015 in the Northern District of California. One claim in the FTC’s action is that the company violates the FTC Act by automatically charging customers for premium channels after their free trial for those channels expires. On April 2, 2015 DIRECTV admitted that it offered free trials of premium channels for a limited time, after which it begins charging customers for those channels unless they cancel, but claimed that the terms of these promotions were clearly and conspicuously disclosed to consumers.

Congress’s enactment of the Restore Online Shoppers’ Confidence Act (ROSCA) provides the FTC and state attorneys general with an additional basis for targeting companies’ renewal policies. ROSCA generally prohibits charging online consumers for goods or services through a “negative option feature” to an agreement, whereby the customer’s silence or failure to cancel the agreement is treated as acceptance of the offer. In other words, ROSCA requires companies to obtain consent from customers before signing them up for a free trial that automatically turns into a paid subscription. A seller may only avoid this requirement by clearly and conspicuously disclosing the material terms of the agreement before obtaining the customer’s billing information, obtaining the customer’s express consent before making the charge, and providing a simple way to stop the recurring charges. Even though ROSCA took effect in 2011, the FTC did not bring its first action under the law until October 2014. The FTC has brought ROSCA claims against at least three businesses since then, including DIRECTV, which indicates the Commission’s increased interest in enforcing this law. DIRECTV also asserted eleven affirmative defenses, including failure to state a claim, equitable doctrines, and lack of jurisdiction and standing. The FTC filed a motion to strike some of these defenses in early June 2015, and DIRECTV filed a reply on June 22, 2015. On July 1, the court issued a scheduling order, calling for the FTC to file an amended complaint by August 1, 2015.

On June 16, 2015 the Central District of California entered a Temporary Restraining Order and the FTC issued a complaint, alleging that since at least 2010, a number of defendants had marketed and sold skin care products on a variety of websites in violation of ROSCA, the FTC Act, and the Electronic Funds Transfer Act (“EFTA”). According to the complaint, the defendants advertised “risk free trials” to receive skin care items, suggesting that consumers would only pay $4.95 or less in shipping costs. According to the complaint, defendants failed to adequately disclose that they would charge consumers’ credit or debit accounts for the trial product, typically as much as $97.88, after a 10-day period, and that customers would be automatically enrolled in subscription plans whereby they were automatically sent more products and charged recurring fees each month. The FTC specifically noted that because the goods often did not arrive until ten days after the order was placed, it was impossible for many customers to return opened products within the ten-day period in order to avoid the $97.88 fee. Additionally, the complaint alleged that defendants failed to adequately disclose that returned items would be subject to a $15 restocking fee.

As the FTC continues to vigorously enforce ROSCA in new industries, retailers using the subscription or automatic renewal models should ensure that their advertisements and terms are compliant.

Penalties for Violating Automatic Renewal Laws

The penalties for violating state automatic renewal statutes can be serious. California’s ARL, for example, allows for liability under other laws, such as California’s Unfair Competition Law, and also provides that any goods tendered to a customer pursuant to a non-compliant automatic renewal policy “shall for all purposes be deemed an unconditional gift to the consumer.” Plaintiffs’ lawyers claim that, under this provision, retailers must provide restitution to the consumer for 100 percent of gross revenues received pursuant to the automatic renewal, even if the consumer actually wanted or anticipated the renewal. Notably, this provision only refers to “goods” and not to “services.”

Although many of the settlements in past auto-renew cases have been confidential, those with public terms show the potentially high value of these cases to Plaintiffs’ attorneys. As mentioned above, Sirius XM settled an automatic renewal case for $3.8 million in December 2014. In September 2014, Angie’s List settled an auto-renewal suit brought in Indiana for $2.8 million.

Given the potentially high penalties for violating state automatic renewal laws, companies that sell subscription-based goods, services, or memberships should make sure that their user agreements comply with local regulations. To help ensure compliance, companies should consult counsel with expertise in this area before enacting automatic renewal policies. The recent uptick in litigation — which has been brought against startups and established companies alike, in a wide variety of industries — shows that no company is immune from these potentially expensive actions.

[1] These include California (Cal. Bus. & Prof. Code §§ 17600-17606), Connecticut (Conn. Gen. Stat. § 42-126b), Florida (Fla. Stat. § 501.165), Georgia (O.C.G.A. § 13-12-3), Illinois (815 ILCS 601/10), Louisiana (La. Rev. Stat. § 9:2716), Maryland (Md. Code Com. Law § 14-12B-06), New Hampshire (N.H. Rev. Stat. § 358-I:5), New York (N.Y. Gen. Oblig. Law § 5-903), North Carolina (N.C. Gen. Stat. § 75-41), Oregon (Or. Rev. Stat. §§ 646A.293, .295), Rhode Island (R.I. Gen. Laws § 6-13-14), South Carolina (S.C. Code § 44-79-60), South Dakota (S.D. Codified Laws § 49-31-116), Tennessee (Tenn. Code §§ 62-32-325, 47-18-505), and Utah (Utah Code § 15-10-201).

How Your Company Can Defend Itself Against Cyber-Extortion


Sensational headlines about major data breaches have become common. The most typical scenarios are those in which hackers access personal data about a company’s customers and use that data for identity theft. But another type of fast-growing hack, so-called cyber extortion, may be even more damaging. In this type of attack, hackers essentially kidnap data and hold it for ransom.

For both companies and their customers, the rise of cyber extortion is alarming. There are, however, steps that can be taken to help mitigate the risk. Certainly, companies that are proactive both pre- and post-breach are generally better positioned when it comes to protecting their customers’ data.


There are, unfortunately, many methods of attack employed by cyber extorters. For example, these criminals can initiate an attack far outside a company’s network through a distributed denial of service (DDoS). Here, thousands of “zombie” computers, taken over by hackers without the knowledge of the computers’ owners, are used to simultaneously bombard a target website, knocking it offline. DDoS attacks can be especially damaging to enterprises such as e-commerce companies that rely on user access to their websites to conduct business.

Apart from DDoS attacks, cyber criminals may seek to break into companies’ networks. Once inside, hackers can follow any number of avenues to extort money from their victims.

Tactics may include: encrypting data that exist in business systems; disabling critical business systems; or blocking access to corporate sites. In any case, victims are severely handcuffed by hackers until a “ransom” is paid.

Hackers may also redirect part or all of a corporate website by altering DNS settings and holding the original destination hostage. Or, they may also steal intellectual property and threaten to sell it to competitors.

Hackers even pose as cyber security specialists and offer to identify weaknesses and fix them for a fee. Instead, they find exploitable weaknesses in corporate networks and threaten to notify the press or competitors unless payment is made.

The same malware used on individuals can be adapted for corporate espionage. Criminals might commandeer a computer microphone or camera in a boardroom or executive office to film or record confidential meetings. Using that business intelligence, hackers could extort a company, sell its secrets to rivals, or manipulate company stock with calibrated releases of privileged information.

Perpetrators of these and other forms of cyber extortion range from organized crime rings to disgruntled employees. Indeed, attacks are even more insidious when launched from the inside. Law enforcement has engaged in a number of significant investigations in recent months involving former or disgruntled company employees. In many of these cases, employees attempted to extort money from employers by threatening to expose privileged information or activate malware. These recent incidents cost victimized businesses from $5,000 to $3 million.


The hack of Sony Pictures Entertainment in late 2014 prior to its release of the film “The Interview” drew more attention than any previous cyber-extortion plot and could ultimately cost Sony millions in revenues and reputational damage. The facts surrounding this breach and its potentially long-reaching impact have been widely reported.

For the purpose of this article, it is important to note that the average company may think a lower public profile protects it from such a potentially damaging cyber extortion. But while the Sony hack was unprecedented in its scope and the public interest it generated, the assistant director of the FBI’s Cyber Division said it was likely that 90 percent of U.S. corporations — large, midsized and small — are equally vulnerable to such an attack.

Ashley Madison

More recently, some 37 million users of Ashley Madison are reportedly at risk for extortion after hackers stole information – including nude pictures and credit card data – from the site on the night of July 19, 2015. Hackers claim to have completely compromised the user database and financial records of the site, which caters to anonymous customers seeking extramarital affairs.

A statement from Avid Life Media, the parent company of Ashley Madison, confirmed the hack and stated that personal information posted online by hackers had been deleted. It is unknown, however, how many people accessed the leaked and highly sensitive personal information before it was taken down.

Why Companies “Dummy Up” and Pay Up

While breaches like Sony Pictures and Ashley Madison dominate headlines, midsized companies actually may be the most vulnerable. For a number of reasons, smaller organizations may fail to invest in adequate security measures to protect themselves, fearing that even minor changes to day-to-day operations might jeopardize profitability. These companies may also lack the personnel or resources to effectively respond to cyber extortion attempts. They are, however, viewed as having deep-enough pockets to attract cyber extortionists.

The vast majority of cyber extortion attempts go unreported. When it comes to insider attacks specifically, three-quarters of the time companies deal with the matter internally and do not disclose the incident to authorities, according to a 2014 cybercrime survey by Carnegie Mellon University.

To many companies, it appears cheaper and less disruptive to pay the ransom than to hire a third-party, or even devote internal resources, to respond to the breach. Many businesses simply can’t afford the loss of revenues if their site goes down and stays down for any length of time.

Alternatives to Capitulation: What Companies Can Do

While it can be tempting for a company to try to buy itself out of a problem, capitulating to terrorist-like demands also carries risks. There is never a guarantee that the criminals will not come back for more, and customers and business partners may lose confidence in the company should they discover that paying off extortionists was acceptable.

Additionally, paying a ransom does not address the underlying vulnerability the criminals exploited in the first place. Only an investigation, in conjunction with law enforcement experienced in such crimes, can reveal the weaknesses that allowed the attack to occur. It can also help to identify remediation that will prevent similar attacks and potentially reveal other weaknesses that can be fixed.

How to Deal With Cyber Extortion — Before and After It Occurs

Once a company or individual becomes a victim of cyber extortion, the number of good options dwindles quickly. Rather than react after the fact, corporate leaders need to have a response plan in place so mitigating the risk of cyber extortion schemes can be the main focus.

A comprehensive plan should include:

  • A list of stakeholders to be informed.
  • Predetermined and defined lines of communication that will speed information sharing.
  • Appropriately trained and informed leaders empowered to make decisions during an incident.
  • A process for regularly reviewing and updating information technology systems and security policies (at least quarterly) to keep pace with changes in business and technology.
  • Established relationships with law enforcement (local, state and/or federal) to reduce the chance of a slow, confused response.


Companies can also take a number of steps to lessen the likelihood that they will fall victim to cyber extortion:

  • Identify all potential internal and external threats by:
    • Monitoring social media.
    • Staying on top of public forums related to your business.
    • Identifying employees who may want to harm your company.
  • Audit computer networks to identify and assess vulnerabilities. Questions include:
    • Are software patches being applied in a timely fashion?
    • Does the network have segmentation so that an attack in one area won’t impact others?
    • Are there access controls in place for your data?
    • Are network logs collecting sufficient detail and maintained for a long enough period of time to allow for proper historical investigation?
    • Do you know where all your endpoints are, and are network topology maps up to date? This is especially important because networks are dynamic, with companies continually adding and removing servers and distributing new devices to employees.


Cyber extortion crimes will only grow more complex over time, and criminals continually change their patterns of attack. While no company can protect itself perfectly, it can make smart investments in due diligence, response plans and sensible security based on rigorous risk assessments of what it stands to lose in the event of such an attack.

Remotely Hijacked Vehicles and Androids – How Vulnerable Is Your Personal Tech?

On Tuesday, July 21, 2015, Wired magazine published an article discussing a vulnerability in the Chrysler Uconnect feature through which an attacker may gain remote access to the vehicle’s CAN bus, allowing the attacker to manipulate not only the vehicle’s climate control and infotainment systems but, more importantly, its transmission, braking and steering controls. The security researchers who discovered the vulnerability, Chris Valasek and Charlie Miller, had received a grant in 2013 from the Pentagon research arm DARPA and in 2014 demonstrated the ability to control a vehicle by directly connecting their laptops to the vehicle’s CAN bus. The significance of their most recent research is the ability to target vehicles remotely through Uconnect’s link to the Sprint cellular network. Through that network, Valasek and Miller were able to obtain the GPS coordinates, VIN, make, model and IP address of vehicles anywhere in the country, so long as they were connected to the Sprint network. Valasek and Miller are scheduled to present their research at the Black Hat USA conference on August 5-6 and at the DefCon conference on August 7-8.

For almost nine months, the researchers had been sharing their research with Chrysler, which allowed the company to quietly create and release a patch to address the vulnerability. Initially, the patch was available only by taking an affected vehicle to the dealer for service or by downloading it onto a USB drive from the company’s Uconnect website. On Thursday, July 23, Chrysler and Sprint implemented a set of security controls on the Sprint network designed to detect and block attacks across the network regardless of whether the vehicles themselves have been patched. Valasek and Miller tested the exploit after the network-side fix and were unable to access Miller’s Jeep remotely, prompting a tweet by Valasek commending Chrysler and Sprint on the fix. On Friday, July 24, Chrysler announced a recall of approximately 1.3 million vehicles, including the 2015 model year Dodge Ram pickup, Dodge Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs. However, rather than requiring vehicles to be returned to the dealer, the recall involves mailing a USB drive to owners, which patches the vulnerability when inserted in the vehicle.

The article and demonstration also brought attention to new legislation introduced by Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) on July 21. Five months earlier, Sen. Markey had released a report entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” based on responses he had received from sixteen major automobile manufacturers in reply to letters he had sent them. The new bill, cited as the “Security and Privacy in Your Car Act of 2015” (or “SPY Car Act of 2015”), would require that all vehicles manufactured two years after the enactment of corresponding regulations adhere to certain cybersecurity standards, including but not limited to equipping “[a]ll entry points to the electronic systems of each motor vehicle manufactured for sale in the United States … with reasonable measures to protect against hacking attacks” and incorporating “isolation measures to separate critical software systems from noncritical software systems.” The bill would also require that all data collected by the vehicle be “reasonably secured” to prevent unauthorized access while the data is stored onboard, in transit, and in any remote storage or use. In addition, vehicles must be equipped with capabilities to “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” Any manufacturer not in compliance could be held liable for a civil penalty of up to $5,000 per violation.

The bill would also direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to create a new set of regulations that manufacturers would be required to follow in order to comply with the law. The FTC, which released a report in January 2015 entitled “Internet of Things: Privacy & Security in a Connected World,” addressed the issue of connected vehicles and the potential risks posed if an attacker were able to remotely access a vehicle’s controls through its telematics system, similar to the attack carried out by Miller and Valasek. The FTC recommended certain best practices for all IoT devices (including connected vehicles), promoting “security by design” (making security and privacy priorities in the design phase rather than post-market features) and continued monitoring (and, where feasible, patching) of devices by manufacturers throughout their life cycle. Against this backdrop, it remains to be seen whether these recommended best practices will be incorporated into the SPY Car Act’s regulatory requirements if the bill becomes law.
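The Uconnect attack worked because the head unit, once compromised, could place frames on the same CAN bus that carries powertrain traffic; the bill’s “isolation measures” language is, in engineering terms, a gateway between the non-critical and critical buses. The following is an added example written for this page (not Chrysler, Harman or Sprint code) of a default-deny CAN gateway: a frame seen on one bus is forwarded to the other only if its arbitration ID is allow-listed for that direction, the frame is structurally valid, and the ID is within a per-ID rate budget. Every arbitration ID, length limit, rate, bus name and function name here is hypothetical; real vehicles use manufacturer-specific IDs, and the frames in the sample run are constructed.

```c
/* Added example, written for this page: a default-deny CAN gateway of the
 * kind the bill's "isolation measures" language describes. Not Chrysler,
 * Harman or Sprint code. Frames are forwarded between the infotainment bus
 * and the powertrain bus only if the arbitration ID is allow-listed for that
 * direction, the frame is structurally valid, and the ID is within its rate
 * budget. Every ID, length limit and rate below is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

enum bus { BUS_INFOTAINMENT = 0, BUS_POWERTRAIN = 1 };

struct can_frame {
    uint32_t id;         /* 11-bit standard or 29-bit extended arbitration ID */
    bool     extended;
    uint8_t  dlc;        /* data length code: 0..8 for classic CAN */
    uint8_t  data[8];
};

enum verdict { FWD_ALLOW = 0, DROP_BAD_FRAME, DROP_NOT_ALLOWED, DROP_RATE };

/* One allow-list entry plus token-bucket state for its rate limit. */
struct rule {
    uint32_t id;
    enum bus from;       /* bus the frame must originate on */
    uint8_t  max_dlc;
    uint32_t per_sec;    /* sustained frames per second allowed */
    uint32_t tokens;
    uint64_t last_ms;
};

/* Hypothetical policy: the head unit may send only a display-status frame and
 * a trip-odometer request toward the powertrain; the powertrain side may send
 * speed and RPM outward for the dashboard display. Nothing else crosses. */
static struct rule rules[] = {
    { 0x3D1, BUS_INFOTAINMENT,  2,  10,  10, 0 },
    { 0x3D2, BUS_INFOTAINMENT,  1,   2,   2, 0 },
    { 0x1A0, BUS_POWERTRAIN,    8, 100, 100, 0 },
    { 0x1A1, BUS_POWERTRAIN,    8, 100, 100, 0 },
};
#define NRULES (sizeof rules / sizeof rules[0])

static bool frame_ok(const struct can_frame *f)
{
    if (f->dlc > 8) return false;
    return f->extended ? f->id <= 0x1FFFFFFFu : f->id <= 0x7FFu;
}

/* Add tokens for elapsed time, capped at one second's budget. last_ms only
 * advances when at least one whole token was earned, so partial time is kept. */
static void refill(struct rule *r, uint64_t now_ms)
{
    if (now_ms < r->last_ms) return;             /* clock went backwards: no credit */
    uint64_t earned = (now_ms - r->last_ms) * r->per_sec / 1000;
    if (earned) {
        uint64_t t = r->tokens + earned;
        r->tokens  = t > r->per_sec ? r->per_sec : (uint32_t)t;
        r->last_ms = now_ms;
    }
}

/* Decide whether a frame seen on bus 'from' may be forwarded to the other bus. */
enum verdict gateway_filter(const struct can_frame *f, enum bus from, uint64_t now_ms)
{
    if (!frame_ok(f)) return DROP_BAD_FRAME;
    if (f->extended)  return DROP_NOT_ALLOWED;   /* this policy lists only 11-bit IDs */
    for (size_t i = 0; i < NRULES; i++) {
        struct rule *r = &rules[i];
        if (r->id != f->id || r->from != from) continue;
        if (f->dlc > r->max_dlc) return DROP_BAD_FRAME;
        refill(r, now_ms);
        if (r->tokens == 0) return DROP_RATE;
        r->tokens--;
        return FWD_ALLOW;
    }
    return DROP_NOT_ALLOWED;   /* default deny: unknown ID or wrong direction */
}

/* Restore every rule's bucket to a full budget at time zero. */
void gateway_reset(void)
{
    for (size_t i = 0; i < NRULES; i++) {
        rules[i].tokens  = rules[i].per_sec;
        rules[i].last_ms = 0;
    }
}

int main(void)
{
    static const char *names[] = {"ALLOW", "DROP_BAD_FRAME", "DROP_NOT_ALLOWED", "DROP_RATE"};
    struct can_frame status = { 0x3D1, false, 2, {0} };   /* constructed frames */
    struct can_frame spoof  = { 0x1A0, false, 8, {0} };   /* speed frame from the head unit */
    struct can_frame diag   = { 0x7DF, false, 8, {0} };   /* OBD-II diagnostic request ID */
    gateway_reset();
    printf("status from head unit: %s\n", names[gateway_filter(&status, BUS_INFOTAINMENT, 0)]);
    printf("speed from head unit:  %s\n", names[gateway_filter(&spoof, BUS_INFOTAINMENT, 0)]);
    printf("diag from head unit:   %s\n", names[gateway_filter(&diag, BUS_INFOTAINMENT, 0)]);
    return 0;
}
```

The design point is the direction-aware default deny: a speed frame is legitimate when it originates on the powertrain bus and is dropped when the head unit tries to inject the same ID, and the OBD-II diagnostic request ID is dropped outright because it is on no list. The rate limit is a second line of defence against a compromised head unit flooding an allowed ID; a production gateway would additionally need to handle extended IDs, CAN FD lengths and logging of drops for the “detect, report” requirement.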

In another disclosure in advance of the Black Hat USA and DefCon conferences next week, Israeli enterprise mobile security company Zimperium zLabs revealed on Monday, July 27, a vulnerability that could expose up to 95% of all Android smartphones to control by a remote attacker, all from a single text message. To put this in perspective, as many as 950 million Android phones may be susceptible to the disclosed exploit. The vulnerability, nicknamed “Stagefright” after the Android media library in which it lives (libstagefright), allows an attacker to send a specially crafted video file to the device via MMS; because Android’s messaging apps process incoming media automatically, the malicious file is parsed and the attacker’s code runs without any interaction from the device’s owner. The flaw would also allow the attacker to erase their trail by deleting the message before the user ever sees it. The only information necessary to launch the attack is the victim’s cell phone number. Interim mitigations have been circulating online, including changing the device’s messaging settings to disable auto-retrieval of MMS messages, so that users can screen messages before they are downloaded.

The full details of the vulnerability will be disclosed in a briefing at Black Hat, but Zimperium had already shared details of the bug with Google in April in order to give the company sufficient time to remedy the flaw and distribute a patch to its partners. Google responded promptly and has already distributed the patches to manufacturers, but it is now waiting on manufacturers to distribute those patches to their customers. However, because the Android OS has been modified by so many manufacturers, resulting in a fragmented kaleidoscope of slightly varied mobile operating systems, there is no single readily accessible fix for all Android devices. One concern expressed within the information security community is that manufacturers may not move quickly to distribute patches, particularly for legacy devices no longer on the market. Consistent with the FTC’s recommended best practice of monitoring and supporting devices after they reach the market, it remains to be seen how quickly Android phone manufacturers will release the patch to their users.
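What makes a message-borne media bug like Stagefright dangerous is the parsing step: the file is processed before anyone looks at it, and the Stagefright flaws were memory-safety errors in how libstagefright parsed MP4 metadata. As an added example written for this page (not libstagefright, Zimperium or Google code, and not a reproduction of the actual Stagefright bugs), the following shows the bug class on a minimal MP4-style box walker: every MP4 box begins with a 4-byte big-endian size (header included) and a 4-byte type, and a parser that computes the payload length as size minus 8 in unsigned arithmetic and trusts the result turns a single bad size field into a multi-gigabyte memcpy length. The 32-byte input is constructed for the demonstration, the ‘tx3g’ type is used only as a label, and the function names are the example’s own.

```c
/* Added example, written for this page: the bug class behind media-parser
 * flaws like Stagefright, shown on a minimal MP4-style box walker. This is
 * not libstagefright, Zimperium or Google code. Every MP4 box begins with a
 * 4-byte big-endian size (header included) and a 4-byte type; a parser that
 * computes "payload = size - 8" in unsigned arithmetic and trusts the result
 * turns one bad size field in a received file into a ~4 GB memcpy length. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR 8u      /* size field (4 bytes) + type field (4 bytes) */

struct scan_result {
    size_t   boxes;      /* boxes the walker accepted */
    uint64_t copy_bytes; /* total payload bytes it would hand to memcpy */
    int      err;        /* 0, or the code of the first rejected box */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed input (32 bytes): a well-formed 'ftyp' box of 24 bytes, then a
 * 'tx3g' header whose declared size (4) is smaller than the header itself. */
static const uint8_t crafted[] = {
    0x00,0x00,0x00,0x18, 'f','t','y','p',
    'i','s','o','m', 0x00,0x00,0x02,0x00, 'i','s','o','m', 'm','p','4','2',
    0x00,0x00,0x00,0x04, 't','x','3','g',
};

/* Vulnerable pattern: the declared size is used as-is. With size < 8 the
 * subtraction wraps to 0xFFFFFFFC, and nothing ties it to the bytes present. */
struct scan_result scan_unchecked(const uint8_t *buf, size_t len)
{
    struct scan_result r = {0, 0, 0};
    size_t off = 0;
    while (off + BOX_HDR <= len) {
        uint32_t size    = be32(buf + off);
        uint32_t payload = size - BOX_HDR;   /* wraps when size < 8 */
        r.copy_bytes += payload;             /* the length memcpy would be given */
        r.boxes++;
        if (size == 0) break;                /* size 0 would otherwise loop forever */
        off += size;                         /* a huge size simply ends the walk */
    }
    return r;
}

/* Hardened: reject a size below the header and a size that claims bytes the
 * input does not hold, before any arithmetic that depends on it. */
struct scan_result scan_checked(const uint8_t *buf, size_t len)
{
    struct scan_result r = {0, 0, 0};
    size_t off = 0;
    while (off + BOX_HDR <= len) {
        uint32_t size = be32(buf + off);
        if (size < BOX_HDR)   { r.err = -1; break; }  /* would wrap */
        if (size > len - off) { r.err = -2; break; }  /* runs past the input */
        r.copy_bytes += size - BOX_HDR;               /* now bounded by len */
        r.boxes++;
        off += size;
    }
    return r;
}

/* Copy one box's payload into dst only after the same checks, plus a check
 * against the destination capacity. Returns bytes copied, or -1. */
long copy_payload_checked(const uint8_t *buf, size_t len, size_t off,
                          uint8_t *dst, size_t cap)
{
    if (off > len || len - off < BOX_HDR) return -1;
    uint32_t size = be32(buf + off);
    if (size < BOX_HDR || size > len - off) return -1;
    size_t payload = size - BOX_HDR;
    if (payload > cap) return -1;
    memcpy(dst, buf + off + BOX_HDR, payload);
    return (long)payload;
}

int main(void)
{
    struct scan_result u = scan_unchecked(crafted, sizeof crafted);
    struct scan_result c = scan_checked(crafted, sizeof crafted);
    printf("unchecked: %zu boxes, would copy %llu bytes out of a %zu-byte input\n",
           u.boxes, (unsigned long long)u.copy_bytes, sizeof crafted);
    printf("checked:   %zu boxes, %llu bytes, err=%d\n",
           c.boxes, (unsigned long long)c.copy_bytes, c.err);
    return 0;
}
```

The unchecked walker accepts both boxes and would ask memcpy for just under 4 GB from a 32-byte input; the checked walker stops at the second box with an error before any length-dependent arithmetic happens, which is the discipline a parser that runs on unsolicited MMS content needs. Real MP4 also permits a size of 0 (box extends to the end of the file) and a size of 1 followed by a 64-bit large size; both forms are deliberately left out here and are rejected, and a production parser has to apply the same bounds checks to them.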