Lawyers Beware: Legal Malpractice Suit Arising out of Data Breach

In what may be a new twist on legal malpractice claims, a New York couple filed a complaint against their real estate attorney based on their falling victim to a social engineering data breach. On April 18, 2016, the couple filed a two-count complaint alleging claims for legal malpractice and breach of fiduciary duty based on the attorney’s use of an AOL email account that allegedly contributed to cyber-criminals being able to hack into the attorney’s account and perpetrate an elaborate wire-transfer heist of almost $2 million in the clients’ funds. Robert Millard and Bethany Millard v. Patricia L. Doran, Index No. 153262/2016, Supreme Court of the State of New York, County of New York.

Plaintiffs allege they had retained the defendant to represent them in the purchase of a cooperative apartment in Manhattan, including oversight of their payment of a deposit and oversight of the closing. Plaintiffs allege the defendant had a fiduciary duty to protect her clients’ funds and to ensure, as far as reasonably possible, that their purchase would be accomplished “without incident.” She had a further duty to “protect the integrity of the files she kept on her client,” including the confidentiality of her communications with her clients.

The complaint outlines a litany of ways in which the plaintiffs claim their lawyer breached her duties, including allegations of negligence directed to the type of email account the lawyer used for her professional business as well as her failure to protect the “integrity of both her email system and her computer system.” The alleged “porousness” of the lawyer’s computer was not confined to the use of an AOL email account. Plaintiffs allege that the attorney’s computer was poorly configured and contained “malware” that potentially enabled third parties to access her computer passwords and client files.

The complaint alleges that the lawyer’s failure to install basic cybersecurity protection led to the hacking by unauthorized third parties. The cybercriminals were then able to proceed with a classic social engineering scheme whereby they were able to use the lawyer’s email account to transmit fraudulent wiring instructions to the clients and receive the funds meant for the plaintiffs’ real estate closing.

What makes this case unique is that it is one of the first cases to assert a claim of legal malpractice based on a data breach. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The case warrants monitoring to see the extent to which a court defines an attorney’s duties to “make reasonable efforts” to protect a client’s information to include adequate cybersecurity measures.

Refining Discovery Requests in Data Breach Litigation: Parties Now Also Face “Proportionality” Considerations

As data breach litigation increasingly involves at least some discovery, disputes are now generating decisions that provide guidelines on the scope of what courts will consider permissible discovery demands. Impacting their analysis is the recent amendment to Federal Rule of Civil Procedure 26(b)(1) and its shift in focus from relevance to the proportionality of the discovery requested to the needs of the case. Among other considerations, courts will balance the importance of the issues at stake against the burden and cost placed on the parties by the particular discovery requests.

The recent decision by the Magistrate Judge sitting in the Northern District of California in In re Anthem, Inc., 15-md-02617 LHK (NC) (N.D. Ca. April 8, 2016), provides insight into what at least some courts may consider targeted and proportional discovery in data breach cases, versus overbroad requests. In that case, the defendants sought discovery in support of their defense of lack of causation between the compromise of plaintiffs’ personally identifiable information (PII) and personal health information (PHI) and any damages. The Court agreed with Anthem that if there was information that plaintiffs’ PII or PHI was compromised before the cyberattack on Anthem, that would be probative of causation. However, it denied defendants’ request for a blanket discovery order compelling all of the named plaintiffs to either provide access to, or produce forensically sound images of, their “computer systems that connect to the internet.”

The Court noted that under the revised discovery rules, not all relevant information must be discovered and found the discovery request “disproportional to the present needs of the case.” Of interest is that in doing so, the Court also expressed concern that in order to get relief for a theft of one’s personal information, the plaintiff would have to undergo a further invasion of his or her privacy by having all personal devices that connect to the internet inspected. However, the Court also noted that defendants could explore more targeted means and gave as an example that if the defendants could show evidence of a specific other compromise to a specific plaintiff, the Court would be receptive to a request for discovery focused on that. The Court accepted the defendants’ analogy to a plaintiff seeking damages for personal injury having to undergo a physical exam, but noted that a plaintiff with a broken finger is unlikely to be ordered to subject his or her entire body to inspection. Thus, the Court’s reluctance to order the discovery requested appeared to be based on the overbreadth of a request directed uniformly at all plaintiffs and all their connected devices.

While courts have broad discretion in considering discovery requests, this decision highlights that parties seeking discovery in data breach lawsuits (as well as in other litigation) will now need to consider more tailored discovery demands to support their claims and defenses than they had used before the amendments to FRCP 26.

No Storefront? No Problem: Deceptive Pricing Moves Online

More than three dozen deceptive pricing cases have been filed in the last two years alone, with more suits being filed every week. These suits generally claim that the retailer deceives customers into making purchases by listing an inflated and illusory reference price (for example, an “original” price, a manufacturer’s suggested retail price or a “compare at” price). Although the vast majority of these cases have targeted brick-and-mortar retailers, a handful of recent lawsuits show that online retailers are equally at risk.

Background of Pricing Litigation in the Online Space

Online retailers are far from a new target for these cases. Indeed, one of the first major decisions in deceptive pricing litigation involved online retailer Overstock.com. That suit arose in 2010, when a group of California district attorneys sued Overstock for listing as each product’s reference price either the highest price that Overstock could find anywhere for the product or a price that was calculated by multiplying the item’s wholesale cost by an arbitrary multiplier. Although the website had included a disclosure that purported to explain its reference prices, the disclosure did not reflect Overstock’s actual practices. On Feb. 19, 2014, after a full bench trial, the Alameda County Superior Court held that Overstock’s pricing practices were fraudulent and misleading, and ordered Overstock to pay almost $7 million in civil penalties ($3,500 for each day it used faulty price comparisons). The case is currently on appeal.

In November 2014, a similar lawsuit was filed in the Superior Court of San Diego against Amazon, claiming that the online retailer determines its list prices by using the highest price the item has ever sold for, rather than the item’s “prevailing marketing price.” This case was removed to the Southern District of California, where it was dismissed pursuant to Amazon’s motion to compel arbitration on Oct. 21, 2016. On Amazon’s check-out page, under the heading “review your order,” Amazon includes a notice that says “By placing your order, you agree to Amazon.com’s privacy notice and conditions of use”; the “conditions of use” link included an arbitration agreement and a choice-of-law provision. The court found that the plaintiff agreed to these terms when she completed her purchase and that the terms were enforceable.

In August 2015, Sears became the first brick-and-mortar retailer to be targeted for its online pricing practices. In Teperson v. Sears Roebuck & Co., the plaintiff alleged that the advertised “original prices” on the washer, dryer and refrigerator that he purchased from Sears.com were deceptive, because Sears never actually offered the items at their listed “regular” prices. Sears filed a motion to dismiss the complaint, in which it explained that Sears.com offers visitors the option between paying a discount price or paying the regular price and receiving a gift card worth 10 percent more than the cash savings offered. As an example, Sears explained that the plaintiff opted to purchase his washing machine for $1099.99 rather than the regular price of $1749.99, and thus immediately saved $650.00. Alternatively, he could have opted to purchase the washer at the $1749.99 price point, and to receive a Sears gift card for $715.00. Under this dual-option program, Sears argued, “The prices listed on the Sears website are not ‘sale’ prices, rather they are two separate offers that each provide unique value to the customer.” Alternatively, Sears argued that the court should compel arbitration, because as a member of Sears’ loyalty program, the plaintiff was bound by an arbitration provision in the program’s terms and conditions.

Teperson voluntarily dismissed the case two weeks after this motion was filed. Just weeks later, however, Teperson’s counsel filed an almost-identical action against Sears, on behalf of a different plaintiff, but this time targeting only Sears’ in-store pricing practices. Sears filed a motion to dismiss this second case on March 17, 2016.

$50 Million Settlements Lead to More Pricing Litigation

In late November and early December 2015, two $50 million settlements opened the floodgates for deceptive pricing litigation. Although these settlements involved brick-and-mortar retailers J.C. Penney and Tween Brands (Justice for Girls), the large price tag was more than enough to draw many new plaintiffs’ attorneys into the deceptive pricing arena. As a result, the number of deceptive pricing cases has nearly doubled.

Several of these new suits have targeted retailers that sell goods exclusively online:

  • On Feb. 2, 2016, a lawsuit was filed in the Central District of California against online home goods retailer Wayfair.com. The suit alleges that Wayfair lists inflated struck-through prices and also claims that Wayfair deceives customers by stating that a given sale will only last for a short duration, listing items that are in fact out of stock, or advertising an item as being in limited supply.
  • A similar lawsuit was filed against Art.com on Feb. 16, 2016. There, the plaintiff alleged that Art.com and allposters.com use “perpetual sales” that mislead customers into thinking they are receiving a substantial discount, when in fact the item always sells for the advertised discounted price.
  • Less than a week later, online retailer Zulily.com was targeted for its online discounts. The Zulily complaint, filed Feb. 22, 2016 in the Southern District of New York, alleged that the strike-through prices on the retailer’s “Reborn” collection are deceptive, because items in that collection were never sold by Zulily or any other retailer at the listed discount price.
  • On March 17, 2016, online sample sale website Hautelook.com (and parent company, Nordstrom) was sued for inflating the value of vintage Rolex watches sold on its site, in addition to other claims concerning the watches’ quality.

Additionally, several recent lawsuits targeting in-store pricing practices have included allegations that the retailer’s online pricing is also deceptive. Indeed, of the 16 pricing lawsuits we are aware of that have been filed since the beginning of February, 10 have claimed that the retailer used deceptive pricing on its website.

How to Protect Yourself

Several online retailers are already taking steps to protect themselves from similar claims. On Gilt.com, for example, each product description page tells customers, “If there is a slash-through price quoted for this item, please visit our FAQs for information on how the slash-through price was determined.” The FAQs, in turn, offer a paragraph-long explanation that ends by advising customers, “Nothing can replace your own comparison shopping, however, and notwithstanding our posted slash-through price quotes, if this is an important factor for you in your purchasing decision, we recommend you conduct your own individual search as well.” Similarly, on Ruelala.com, customers can view the website’s pricing policy by clicking on an item’s struck-through price, and Overstock now discloses the meaning of MSRP when customers click on the term.

Before posting a pricing policy online, however, retailers should beware that online policies and advertisements may be used against them in deceptive pricing cases. In Branca v. Nordstrom, for example, the plaintiff pointed to the fact that Nordstrom Rack’s website advertised “30-70 percent off original prices each and every day” in support of her claim that Nordstrom Rack’s pricing is deceptive. The court dismissed that claim, finding that the plaintiff did not allege that she actually viewed or relied on those representations. More recently, suits against more than a half-dozen discount retailers (including Ross, Burlington Coat Factory and Zulily) have quoted the retailer’s pricing policy to support the claim that the reference price meant something different than what the plaintiff customer thought at the time of purchase.

(originally published on Law360 on March 24, 2016)

Jimmy John’s – More Than Fast Delivery

Once again, a federal court in Illinois has addressed what types of claims arising from a data breach can survive a motion to dismiss. On March 29, 2016, Judge Harold A. Baker from the Northern District of Illinois issued his opinion, Barbara Irwin v. Jimmy John’s Franchise LLC, et al. (No. 1:14-cv-2275, N.D. Ill. March 29, 2016), granting in part, and denying in part, the defendants’ motion to dismiss. The court let proceed plaintiff’s claims for breach of implied contract and breach of Arizona’s Consumer Fraud Act. It dismissed plaintiff’s other claims for negligence, unjust enrichment, and claims under the Illinois Personal Information Protection Act and Illinois Consumer Fraud and Deceptive Practices Act. The court also dismissed plaintiff’s claims under the Arizona data breach statute and for bailment after plaintiff failed to respond to the defense arguments for dismissal of those claims. The court found that plaintiff did not have Article III standing to pursue a claim for declaratory relief for remedies for future injury she claimed due to unspecified weaknesses in Jimmy John’s current security measures. The court’s decision provides guidance on the standards federal courts use to evaluate the types of claims that plaintiffs can pursue when data breaches involving the compromise of credit card information occur.

Barbara Irwin, an Arizona citizen, filed a nine-count complaint against Jimmy John’s Franchise, LLC, Jimmy John’s Enterprises, LLC a/k/a Jimmy John’s LLC (“Jimmy John’s”), an Illinois-headquartered franchisor, on behalf of herself and as class representative based on a 2014 data breach involving Jimmy John’s. Irwin purchased food products from Jimmy John’s at one or more of its locations in Arizona. Irwin swiped her debit and credit cards to complete the purchases. Thereafter, in July 2014, Jimmy John’s learned that it was a victim of a data breach, potentially exposing its customers’ personal and financial information to unauthorized third parties. Irwin’s credit card was used fraudulently at least five times between August 25 and September 2, 2014. According to the allegations in the Complaint, Jimmy John’s did not announce the data breach until September 24, 2014.

It is interesting to note that Irwin, an Arizona citizen, whose debit and credit cards were used at Jimmy John’s operations in Arizona, chose to file her proposed class action in federal court in Illinois. She chose to assert not only common law but also statutory claims based on Arizona and Illinois law. Irwin did not respond to Jimmy John’s Motion to Dismiss the claims based on the Arizona data breach statute. The court found that plaintiff had stated a plausible claim under the Arizona Consumer Fraud Act. As a nonresident, she did not have standing to assert a claim under the Illinois Consumer Fraud Act.

Irwin alleged that she and other members of the class entered into implied contracts with Jimmy John’s by virtue of an agreement that Jimmy John’s would “safeguard and protect their personal information” and, in the event of a breach, timely and accurately notify its customers. In rendering his decision, Judge Baker noted that Jimmy John’s had cited the decision in Lovell v. P.F. Chang’s China Bistro, Inc., 2015 WL 4940371 (W.D. Wash. Mar. 27, 2015). In that case, the district court rejected the claim for breach of implied contract under Washington law where the claim was based on plaintiff’s “unilateral, specific expectations of a particular cyber security standard and daily auditing.” In reaching the opposite conclusion in Irwin v. Jimmy John’s, Judge Baker relied on dicta in Lovell that “offer and acceptance of a credit card as payment of a consumer debt necessarily involves certain implied promises.” As such, under the circumstances, and under Illinois law, Judge Baker found that Irwin had stated a claim for breach of implied contract, citing In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2010), and Anderson v. Hannaford Bros., 659 F.3d 161 (1st Cir. 2011).

Judge Baker concluded that when a customer uses a credit card for a commercial transaction, the customer intends to provide the data to the merchant and not to an unauthorized third party. The court found there is an implicit agreement to safeguard the customer’s information to effectuate the contract. In denying Jimmy John’s motion to dismiss the implied contract claim, the court found that Irwin had alleged the existence of an implied contract obligating Jimmy John’s to take reasonable measures to protect Irwin’s information and to timely notify her of a security breach.

Judge Baker’s decision to allow the breach of implied contract claim has potentially far-reaching implications for increasing litigation based on data breaches involving the compromise of credit card information. It is difficult to foresee a situation where a consumer’s use of a credit card in a transaction would not give rise to a similar argument about “an offer, acceptance, consideration, and a meeting of the minds” as found by Judge Baker in Irwin v. Jimmy John’s. Yet to be determined, however, is the extent to which implied breach of contract claims would be subject to dismissal on the merits at a later stage in the proceeding, or the value of such claims, especially if class certification is not granted.

International Shipping Association Releases New Maritime Cybersecurity Guidelines

BIMCO, the Baltic and International Maritime Council, one of the largest international shipping associations in the world, whose membership represents approximately 65% of the world’s tonnage, recently promulgated guidelines on cybersecurity on board ships in conjunction with other maritime organizations. The guidelines are meant to provide assistance to ship owners and operators on how to assess their operations and are complementary to existing regulations under the International Safety Management Code (ISM) and the International Ship and Port Facilities Security Code (ISPS).

The guidelines focus on six critical aspects of cyber security awareness:

  • Identifying threats and understanding the cyber security threats to the ship;
  • Identifying vulnerabilities within the ship’s cyber security system;
  • Assessing risk exposure and the likelihood of being exploited by external threats;
  • Developing protection and detection measures in order to minimize impact;
  • Establishing contingency plans to reduce the threat’s impacts; and
  • Responding to cyber security incidents.

A link to BIMCO’s press release and the guidelines can be found at: https://www.bimco.org/News/2016/01/04_Cyber_security_guidelines.aspx. If you have any questions about these regulations please contact a member of Sedgwick’s cybersecurity team or e-mail Charlie Davant at Sedgwick’s Miami office at Charles.davant@sedgwicklaw.com.

FCC Chairman Proposes To Provide Broadband Consumers With Choice, Transparency & Security

Next week the Federal Communications Commission (FCC) will vote on a new proposal for privacy rules governing internet service providers (ISPs). This follows on the FCC’s decision last year that high-speed internet carriers should be treated as public utilities (providing telecommunications services as opposed to information services). The decision was part of last year’s net neutrality regulations intended to ensure that no content would be blocked and that all data on the internet would be treated the same, regardless of user or content. Those rules expanded the FCC’s oversight authority over service providers.

Pursuant to that authority, this month FCC Chairman Tom Wheeler unveiled a proposal that would restrict ISPs’ ability to share information they collect about their customers. The FCC is expected to vote to formally propose this plan on March 31; if adopted, the proposal would be followed by a period of public comment.

Chairman Wheeler wrote in a Huffington Post op-ed that ISPs should be held to the same privacy standard as telephone companies:

Think about it. Your ISP handles all of your network traffic. That means it has a broad view of all of your unencrypted online activity — when you are online, the websites you visit, and the apps you use. If you have a mobile device, your provider can track your physical location throughout the day in real time. Even when data is encrypted, your broadband provider can piece together significant amounts of information about you — including private information such as a chronic medical condition or financial problems — based on your online activity.

The information collected by the phone company about your telephone usage has long been protected information. Regulations of the Federal Communications Commission (FCC) limit your phone company’s ability to repurpose and resell what it learns about your phone activity.

The same should be true for information collected by your ISP.

Accordingly, Chairman Wheeler proposed a set of rules that would:

[E]mpower consumers to ensure they have control over how their information is used by their Internet Service Provider. Every broadband consumer should have the right to know what information is being collected and how it is used. Every broadband consumer should have the right to choose how their information bits should be used and shared. And every consumer should be confident that their information is being securely protected.

If approved, the rules would create some of the strongest privacy regulations for any segment of the technology and communications industries. The proposed regulations would put broadband providers under stronger privacy oversight than the internet companies that are monitored by the Federal Trade Commission (FTC), whose ability to create specific privacy rules is more limited.

In the Broadband Consumer Privacy Proposal Fact Sheet, released on the FCC’s website on March 10, Chairman Wheeler explained that the consumer’s relationship with the broadband provider is very different from the one the consumer has with a website. While consumers are able to move from website to website instantaneously, consumers are generally committed to their broadband carrier by virtue of their monthly fees. Because the ISP handles all of the consumer’s network traffic, it has an unobstructed view of all of their unencrypted online activities as well as information relating to their encrypted sites (how often they are visited, the amount of time they spend on such sites, etc.). “When consumers sign up for internet service,” Chairman Wheeler explained, “they shouldn’t have to sign away their right to privacy.”

Chairman Wheeler proposed rules that would provide consumers with the right to (1) exercise control over their personal data, (2) know what information is being collected about them and how it is being used, and (3) require broadband providers to take responsibility for protecting consumer data.

  1. The proposal sets forth different standards for dealing with different types of customer data. First, the proposal recommends that the customer-broadband provider relationship should be sufficient to allow the provider to collect whatever customer data is necessary to provide broadband services and for marketing the type of broadband service purchased by a customer. Second, the proposal requires the provider to allow a customer to opt out of the provider’s use of customer data for the purposes of marketing other communications-related services and to share the customer data with their affiliates that provide communications-related services. Third, the proposal requires customers to provide express, affirmative opt-in consent for all other uses and sharing of customer data.
  2. The proposal includes specific data breach notification requirements. In the event of a breach, the providers are required to notify: (a) affected customers of breaches of their data no later than 10 days after discovery; (b) the Commission of any breach of customer data no later than 7 days after discovery; and/or (c) the Federal Bureau of Investigation and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than seven days after discovery of the breach.
  3. To protect consumers’ data from breaches and other vulnerabilities, the proposal also includes data security requirements for broadband providers, including an overarching data security standard. The proposal requires broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure. At minimum, it requires broadband providers to adopt risk management practices, implement personnel training practices, adopt strong customer authentication requirements, identify a senior manager responsible for data security, and take responsibility for the use and protection of customer information when shared with third parties.
  4. These rules would apply only to a company (or part of a company) that provides internet access. For example, only the part of Google that delivers service (Google Fiber) would be subject to the rules.

Chairman Wheeler’s proposal is available here.

Upcoming Webinar: Why the European GDPR Matters To Your Company

Tuesday, March 29, 2016
10:30 AM PT / 1:30 PM ET
This valuable webinar is made available to you free of charge by ePlace Solutions.

Any company that collects or uses data about a European citizen will be affected by the new General Data Protection Regulation in Europe, regardless of where they are based. US-based companies must be aware of the regulations, as fines for non-compliance can be as high as 4% of the company’s revenue. The new regulation has been highly anticipated, and this webinar will cover several requirements that companies will need to address, including:
• Data Security Standards
• Breach Notifications
• Data Protection Officers
• Cross-Border Data Transfers
• Fines and Penalties

Register Today!
Event ID: 2006
Event Password: 9870
This webinar is pre-approved for 1 CPE unit.
Cost: Free

Join leading cybersecurity attorney Cinthia Granados Motley to learn:
• How the GDPR impacts American organizations
• How to avoid fines and penalties
• How to prepare your organization to comply with GDPR

Who Should Attend:
• Privacy and compliance officers
• Risk managers
• Security, technical and support staff
• Executives and others who are responsible for cyber security governance

Webinar Panel:

Cinthia Granados Motley, Esq., Partner
Cinthia Granados Motley is a member of Sedgwick’s cybersecurity leadership team. Cinthia has an active practice handling data privacy, security, and liability matters, both domestically and internationally. She also advises clients on information governance, e-discovery, and international contract disputes.

Matt Peranick, CIPP/US
Matt Peranick is a Privacy and Data Security Specialist at ePlace Solutions, Inc. Mr. Peranick is responsible for client support, preparing awareness materials and alerts relevant to the privacy and data security landscape, and creating and updating content on our cyber risk management websites. A key focus is held on recommendations and best practices for preventing and mitigating the risk of privacy and data security incidents.

OCR 2016 HIPAA Audits Underway

During the PHI Protection Network Conference in Philadelphia on March 17 and 18, 2016, Barbara Holland, regional manager for the Department of Health & Human Services’ Office for Civil Rights (OCR) Mid Atlantic region, discussed the upcoming HIPAA audits, which are expected to start in a few months.

After initiating a HIPAA audit pilot program in 2012, OCR is now transitioning to an ongoing audit program. Ms. Holland noted that the audit will begin with “150 covered entities and 50 business associates,” which will be 150 “desk audits” and 50 on-site audits. Of the 50 on-site audits, 40 will be at covered entities and 10 will be at business associates.

Initially, the program will start with e-mails to covered entities, such as health care providers, insurance plans and clearinghouses, and to business associates that handle protected health information on behalf of covered entities. After the initial e-mail inquiries, the entities will receive a “preaudit questionnaire” seeking details on their business size and operations.

When the program is fully under way, there will be new audit protocols on the OCR website, Holland added. She noted that OCR would provide incentives for preventive action, but be stricter on entities that have recurring problems, including the imposition of monetary penalties. Holland said, “We are beginning to raise our expectations about compliance. We know some people have struggled to comply, but we are expecting more from traditional providers. We have a lower tolerance for noncompliance.”

Companies subject to an audit will receive details of the audit process and their obligations. They will have 10 business days to respond, after which the OCR will review the information and provide its findings. Companies will then have an opportunity to reply to the findings before a final audit report is completed.

Sedgwick has compiled a seasoned team of well-trained attorneys in the area of patient privacy who stand ready to assist clients in meeting the requirements of HIPAA compliance and in responding to these upcoming HIPAA audits. We recommend the following 10 steps to help prepare for an OCR HIPAA Audit:

  1. Conduct, test and document a HIPAA risk analysis to identify the risks that threaten the confidentiality, integrity, or availability of protected health information and have a corrective action plan in place to address any identified deficiencies.
  2. Document policies and procedures specific to your organization and ensure they are implemented.
  3. Document and designate a security official and a privacy official who will be responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule and Privacy Rule, as well as be the point of contact for audits and questionnaires.
  4. Train employees from the boardroom to the mailroom on policies and procedures and conduct follow-up awareness training.
  5. Perform a defensible HIPAA assessment. Identify what measures are in place to ensure PHI is secured and evaluate whether you are storing and disclosing PHI only as necessary.
  6. Maintain an inventory of any and all devices that access ePHI and make sure they are properly secured.
  7. Maintain a record of which devices are encrypted and when. Encryption is a growing area of focus for HHS and OCR, and it can be a safe harbor from HIPAA breach notification requirements.
  8. Know who your business associates are, maintain a list, and have business associate and subcontractor business associate agreements in place.
  9. Maintain policies and procedures for security incidents.
  10. Have an internal and external incident response team, with retention agreements in place.

If you have any questions, please feel free to reach a member of our Cybersecurity team or send us an email at Cinthia.motley@sedgwicklaw.com or Robert.bohner@sedgwicklaw.com.

New Twist on Email Service of Process upon Foreign Corporations

Increasingly, federal courts are permitting plaintiffs to effect service of process by email upon foreign defendants pursuant to Rule 4(f)(3) of the Federal Rules of Civil Procedure. When applying FRCP 4(f)(3), the courts continue to exercise broad discretion to grant or deny the use of email service on foreign defendants on a case-by-case basis, depending upon the specific factual circumstances and demonstrated compliance with the Rule.

The recent case of Bazarian Int’l Fin. Assoc. v. Desarrollos Aerohotelco, et al., 2016 WL 471273 (D.D.C. 2016) analyzes this email service issue, but with a new twist: whether email service upon a foreign defendant’s U.S. counsel is also good service.

Quick Snapshot of Federal Rules for Service of Process

FRCP 4(h) provides that service upon foreign corporations may be effected in a variety of ways, including any manner provided for in FRCP 4(f), when service is accomplished “at a place not within any judicial district of the United States.” FRCP 4(f)(1) authorizes service by any internationally agreed means of service that is reasonably calculated to give notice, such as service authorized under the Hague Convention. FRCP 4(f)(3) authorizes service by any other means not prohibited by international agreement, as the court orders.

Email service is not specifically enumerated as an acceptable form of service under either FRCP 4(f)(1) or FRCP 4(f)(3).

The Facts: The plaintiff, a U.S. company, filed suit in the federal district court for the District of Columbia against Venezuelan, Curacaoan, and Aruban companies, among other defendants, for breach of an investment agreement to lease and develop a luxury hotel resort in Aruba. The investment agreement was signed by the lead defendant, a Venezuelan company, but the agreement purported to be binding upon any successors or related entities. The plaintiff alleged that the other corporate defendants were successors or related entities to the lead defendant, and the agreement contained a forum selection clause providing that the District of Columbia courts would have jurisdiction to adjudicate any and all rights of the parties under the agreement.

After commencing the suit, the plaintiff attempted without success to effect service of the complaint upon the defendants. As to the lead defendant, the plaintiff attempted to effect service pursuant to FRCP 4(f)(1) and the Hague Convention. However, after a period of months, the plaintiff obtained no confirmation from the U.S. Embassy in Venezuela regarding the Venezuelan Central Authority’s efforts to complete service of the complaint upon the Venezuelan company. As to the other remaining foreign defendants, the plaintiff alleged that it was unable to identify any addresses in Venezuela, Curacao or Aruba.

Faced with these service problems, the plaintiff filed a motion with the district court for leave under FRCP 4(f)(3) and 4(h) to serve the defendants by registered mail and email to their U.S. counsel, who was located in Florida and currently representing them in a separate, unrelated action pending in Connecticut. The court granted this motion and authorized the email service. After service was effected, the defendants moved to dismiss the complaint.

The Court’s Decision

The court denied the defendants’ motion to dismiss the complaint. The court first determined that it could exercise personal jurisdiction over all the defendants by virtue of the forum selection clause that was contained in the investment agreement. In short, the court found that the forum selection clause was binding upon the lead defendant that signed the investment agreement and binding upon the remaining defendants, which the court found were sufficiently alleged by the plaintiff to be successors or related entities to the lead defendant.

The court then denied the defendants’ motion to dismiss for insufficient service of process, rejecting three principal arguments that were raised by the defendants: (1) email service to their U.S. counsel was not proper because FRCP 4(f)(3) was not applicable for serving a foreign defendant within the U.S., (2) the plaintiff failed to show a sufficient prior effort to effect service via the Hague Convention pursuant to FRCP 4(f)(1), and (3) email service was not permitted by the Hague Convention and violated the local rules of Curacao and Aruba, which did not authorize email service to their counsel.

We discuss each argument in turn and the court’s rulings.

Email Service upon U.S. Counsel

The defendants argued that email service could not be effected upon their U.S. counsel pursuant to FRCP 4(f)(3) because such service occurred within the U.S. and, therefore, was expressly prohibited by FRCP 4(h). In rejecting this first argument, the court reasoned that email service to the defendants’ U.S. counsel did not constitute service on the defendants within the U.S., because the defendants’ counsel merely functioned as a “conduit” or “mechanism” to complete the service of process and give notice of the suit to the defendants in their own countries. Interestingly, the court also concluded that this email service was proper without requiring a showing that the defendants had specifically authorized their counsel to accept service of the complaint on their behalf.

The court also placed great emphasis on three additional factors: (1) the defendants had negotiated a forum selection clause in the investment agreement and had deliberately chosen the D.C. courts as the venue to litigate claims arising from the investment agreement, (2) the defendants had availed themselves of the U.S. legal system by specially appearing in the other unrelated U.S. litigation, and (3) the service upon U.S. counsel was reasonably calculated to notify the defendants about the suit.

No Requirement of Exhaustion of Other Means of Service

The defendants next argued that the plaintiff was required to first show that it had made sufficient efforts to serve the defendants pursuant to the Hague Convention as provided in FRCP 4(f)(1). The court flatly disagreed, holding that email service under FRCP 4(f)(3) is not dependent upon a finding of prior exhaustion of all other possible methods to effect service upon a foreign defendant. Instead, the court found that court-directed email service is as favored as other possible methods of service under FRCP 4(f), and the plaintiff was not required to show any minimum threshold effort to serve the defendants via the Hague Convention or other international agreement.

Email Service Not Prohibited by International Law

Finally, the defendants argued that the email service was not permitted under the Hague Convention and not authorized under the laws of Aruba and Curacao. However, the court found these arguments unavailing after determining that email service was not expressly prohibited by either the Hague Convention or the laws of the defendants’ host countries. According to the court’s analysis, the Hague Convention simply does not list email service as a possible method of service, but this is not tantamount to a rejection of the use of email service in appropriate situations. In addition, the court determined that so long as not prohibited by international agreement the court has discretion to authorize email service — even if not authorized by the host countries’ laws — when the service is reasonably calculated to notify the defendants of the suit in a timely manner.

Big Takeaways

• In appropriate circumstances, email service upon a foreign defendant’s U.S. counsel may be good service without having to first resort to traditional service of process that is recognized under international agreements such as the Hague Convention – particularly where the foreign defendant has previously appeared in other U.S. actions.

• In contract disputes, forum selection clauses not only can be enforced to establish personal jurisdiction upon a foreign defendant, but they also may have some relevance in defeating a motion to dismiss the action for insufficient service of process.

Smile – I’m Recording You: The First Amendment and Right (or not) to Record

In science, the term “observer effect” refers to changes that the act of observation will make on a phenomenon being observed. A Pennsylvania district court has just ruled that there is no First Amendment right to video police officers while in the line of duty because merely observing is not expressive activity. Fields v. City of Philadelphia, No. 14-5264 (E.D. Pa., February 19, 2016). Given the ubiquity of devices and technologies capable of making video and sound recordings and the impact of decisions such as Fields on newsgathering and other potential implications, the holdings of this case counsel us to do a quick review of recent cases and the state of the law in this area.

The issues in Fields arose out of two separate but related incidents, one in which Temple student Richard Fields used his cell phone to photograph approximately twenty police officers standing outside a home hosting a party. An officer approached him after he took the picture and asked him to leave. Fields refused, and the officer detained him, handcuffed him, emptied his pockets, took his cell phone and searched his phone. The officer placed Fields in a police van while citing him for Obstructing Highway and Other Public Passages then returned the cell phone and released Fields from custody. The officer did not appear for the court hearing on the citation.
In the other incident, self-described “legal observer” Amanda Geraci, following training at Cop Watch Berkeley, attended a public protest against hydraulic fracturing near the Pennsylvania Convention Center and carried a camera with her to videotape the scene. During the protest, Philadelphia police arrested one of the protestors. Geraci alleged that as she moved closer to get a better view and hoped to videotape the incident, an officer “attacked her” by physically restraining her against a pillar and preventing her from videotaping the arrest. The police released Geraci and did not arrest or cite her.

Fields and Geraci filed separate actions under 42 U.S.C. § 1983 seeking damages for constitutional injuries, including First Amendment retaliation inflicted by individual Philadelphia police officers and their employer, the City of Philadelphia. However, the court found there was “no First Amendment right under our governing law to observe and record police officers absent some other expressive conduct.” Third Circuit precedent, Kelly v. Borough of Carlisle, recognizes that “videotaping or photographing the police in the performance of their duties on public property may be a protected activity” and, “more generally, photography or videography that has a communicative or expressive purpose enjoys some First Amendment protection.” However, observing and recording the police may not be protected unless accompanied by an “expressive component.”

The Fields court reviewed several post-Kelly district court decisions in support of its analysis. In Fleck v. Trustees of Univ. of Pennsylvania the court “granted summary judgment to defendant officers on plaintiffs’ claim officers violated their First Amendment rights when seizing a video camera after plaintiffs allegedly refused to shift the camera away from officers’ faces after being ordered to do so.” Fields cites Fleck for the proposition that “the right to record matters of public concern is not absolute” and, in the context of qualified immunity, “our case law does not clearly establish a right to videotape police officers performing their official duties.” Fields also cites Gaymon v. Borough of Collingdale, in which the court rejected qualified immunity for the officers where the plaintiff videotaped police while verbally protesting police harassing her husband during an arrest. Gaymon held that “It is indisputable that ‘the First Amendment protects a significant amount of verbal criticism and challenge directed at police officers,’” and that “the freedom of individuals verbally to oppose or challenge police action without thereby risking arrest is one of the principal characteristics by which we distinguish a free nation from a police state.”

Robinson v. Fetterman and Montgomery v. Killingsworth, says Fields, hold only that the right to observe and record is protected by the First Amendment in certain contexts. In Robinson, the court held that videotaping in conjunction with an intent to chronicle or criticize the alleged unsafe manner in which officers inspected trucks on a state roadway is “speech” critical of the government. An “individual observing and videotaping for the stated purpose of challenging or protesting police conduct is expressive conduct entitled to First Amendment protection.” Killingsworth stands for the proposition that “Peaceful criticism of a police officer performing his duties in a public place is a protected activity under the First Amendment.” Fields found that the citizens’ videotaping and picture-taking in Montgomery, Gaymon, Fleck and even Robinson all contained some element of expressive conduct or criticism of police officers and are “patently distinguishable from Fields’ and Geraci’s activities.”

I would note the inconsistency in Fields’ reference to summary judgment in favor of the officers in Fleck even though there was “expressive conduct” at issue in that case – “refusing to shift their cameras away from officers’ faces.” Fleck, involving a case of people preaching at and blocking the entrance to a mosque carrying handheld cameras that they literally stuck in the officers’ faces, actually found that there “was no First Amendment right where” the plaintiffs “actively impeded efforts to restore order.”

But the larger issue here is the emerging circuit split in which the Third Circuit is in the minority among those circuits that have considered the free speech right to openly record police activity. The Eleventh Circuit held there is a “First Amendment right, subject to reasonable time, manner and place restrictions, to photograph or videotape police conduct” because the First Amendment protects the right to record matters of public interest, Smith v. City of Cumming, 212 F.3d 1332, 1333 (11th Cir. 2000). The First Circuit held that the right to film government officials was clearly established in that circuit, Glik v. Cunniffe, 655 F.3d 78 (1st Cir. 2011), as has the Seventh Circuit, American Civil Liberties Union of Illinois v. Alvarez, 679 F.3d 583 (7th Cir. 2012). The Ninth Circuit recently held there is a clearly established constitutional right to photograph the scene of an accident during a police investigation, Adkins v. Limtiaco, 537 Fed. Appx. 721, 722 (9th Cir. 2013).

In the leading case of ACLU v. Alvarez, the fact pattern was essentially chosen by the ACLU to test the Illinois wiretap statute as applied to a “program of promoting police accountability by openly audio recording police officers without their consent when: (1) the officers are performing their public duties; (2) the officers are in public places; (3) the officers are speaking at a volume audible to the unassisted human ear; and (4) the manner of recording is otherwise lawful.” Nevertheless, Alvarez unambiguously finds:

The act of making an audio or audiovisual recording is necessarily included within the First Amendment’s guarantee of speech and press rights as a corollary of the right to disseminate the resulting recording. The right to publish or broadcast an audio or audiovisual recording would be insecure, or largely ineffective, if the antecedent act of making the recording is wholly unprotected, as the State’s Attorney insists.

Those who follow high court First Amendment jurisprudence will be interested to note that Alvarez relied upon the sometimes criticized Citizens United v. FEC, 558 U.S. 310, 130 S.Ct. 876, 896, 175 L.Ed.2d 753 (2010) for the straightforward application of the principle that “[l]aws enacted to control or suppress speech may operate at different points in the speech process.” Alvarez put it that “the eavesdropping statute operates at the front end of the speech process by restricting the use of a common, indeed ubiquitous, instrument of communication. Restricting the use of an audio or audiovisual recording device suppresses speech just as effectively as restricting the dissemination of the resulting recording.”

However, cases have distinguished Alvarez even while acknowledging the force of its holding. For example, in Rezvanpour v. SGS AutoServices, Inc., 2014 WL 3436811 (C.D. Cal. July 11, 2014), SGS was sued in a class action for its policy of recording calls scheduling end-of-lease vehicle inspections on behalf of automobile dealers across the country, allegedly in violation of California Penal Code section 632.7, which prohibits nonconsensual recording of communications involving at least one cellular telephone. The court read Alvarez narrowly, questioning whether SGS could claim its protection given that the purpose of recording customer phone calls was “service observing,” essentially monitoring the calls for quality assurance, and not later dissemination. Ultimately, the SGS court distinguished Alvarez on the grounds that the California statute was more narrowly drawn, affecting only the targeted cell phone communications instead of all communications.

The case of Raef v. Superior Court, 193 Cal.Rptr.3d 159 (Cal. App. 2015) involved Raef’s challenge to charges of driving in willful and wanton disregard for the safety of others (count 1) and following another vehicle too closely (count 2), both with the intent to capture a visual image of another person for a commercial purpose. He argued these ran afoul of Alvarez because “[a]udio and audiovisual recording are communication technologies, and as such, they enable speech.” The court rejected this on the grounds that, “[a]ssuming the intent to take a photograph or make a recording is an intent to engage in an expressive, or potentially expressive, activity, that intent is subject to section 40008 not because of the ‘communicative impact’ of the intended activity, but because of the ‘special harms’ produced by the conduct it motivates.”

These cases show the many areas these constitutional issues impact and the conflicting authority and logic used. So far, no case has invoked the “observer effect” as part of its analysis. But we are watching.