Retailer Successfully Defends Text Messaging TCPA Claim

Earlier this month, the United States Court of Appeals for the Seventh Circuit in Blow v. Bijora upheld a lower court decision rejecting a plaintiff’s claim that she did not consent to receive text messages from the defendant retailer. Plaintiff brought this class action seeking $1.8 billion in damages by alleging that the company’s practice of sending promotional text messages violated the Telephone Consumer Protection Act (“TCPA”) and related state law.

The case involved a Chicago-based retailer, Akira, that engaged a separate company to offer text message marketing services. The text messages informed customers of promotions, discounts, and in-store events. Akira used a variety of methods to collect customers’ cell phone numbers – customers could opt in by providing their cell numbers in the store, by texting to an opt-in number posted in the store, or by filling out an opt-in card.

Plaintiff alleged that Akira violated the TCPA’s prohibition against using an automatic telephone dialing system to make calls without the express consent of the recipient. The court noted that it was undisputed that text messages to a cell phone constitute “calls” within the meaning of the TCPA. The lower court concluded that the system used did not involve an autodialer to send the promotional text messages. Following a detailed analysis of the TCPA and related regulations, the appellate court concluded there were unresolved issues as to whether the system used was in fact a prohibited autodialer. As such, the court concluded that it was premature to grant summary judgment to Akira on the issue of the autodialer.

Nevertheless, the Seventh Circuit granted summary judgment to Akira finding that Plaintiff had in fact consented to receive the text messages. The record demonstrated that she gave her cell phone number to Akira on several different occasions in addition to signing up for a “frequent buyer card” that included her phone number. In addition, upon receipt of her first text message, Plaintiff admitted that she had to confirm agreement by texting “AKIRA” to a short code number and that she received a message instructing that she could end her participation by texting “STOP.” Based on this evidence, the appeals court concluded that Plaintiff had provided express consent to receipt of the text messages.

Although the company prevailed, it is important for companies using this technology to be mindful of the significant regulations that are applicable. Text message (or SMS) promotional marketing is gaining steam as many consumers have migrated to mobile platforms. Any entity that seeks to avail itself of this service must be mindful of the legal and regulatory guidelines that govern text message communications. Similarly, if contracting out these services, companies should ensure that their vendors are compliant with all regulatory requirements.

For further information on the TCPA, click here.

Update: Case Involving Sharing of Passwords May Be Headed to the Supreme Court

Last August, we reported on a Ninth Circuit case in which a former employee was convicted of a crime under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from his former company’s database “without authorization.” The former employee has now asked the U.S. Supreme Court to review the Ninth Circuit’s decision.

The question presented to the high Court is, “Whether a person who obtains an account holder’s permission to access a computer nevertheless ‘accesses a computer without authorization’ in violation of the CFAA when he acts without permission from the computer’s owner.”

According to the petition, the Ninth Circuit decision is at odds with other circuit court opinions that look to the computer owner’s “intentions, expectations, and contractual or agency relationships to determine whether access to a computer is authorized.”

The petition argues that the appellate court’s ruling “exposes a broad range of innocuous, day-to-day activity to criminal prosecution” such as an assistant who logs into an executive’s email account or a spouse who logs on to her husband’s email account. However, as the Ninth Circuit majority stated, “[t]his case is not about password sharing” and noted that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.” The key issue according to the appellate court is whether the access is without authorization. It would seem that an argument comparing a secretary’s access to access by a former employee is hardly compelling. Still, as noted in our earlier post, companies should at a minimum include in their policies and agreements prohibitions on current employees providing their passwords to former employees or even unauthorized current employees.

A full copy of the former employee’s petition can be found here.

We will continue to monitor this case as it develops.

Global Cyberattack Exploits Known Vulnerabilities

As you likely know by now, international cybercriminals launched a worldwide ransomware attack last Friday with the European law enforcement agency Europol reporting over 100,000 affected organizations in 150 countries, including the U.S. Reports indicate that health care providers, universities, and other large companies were all targeted. The Department of Health and Human Services also confirmed evidence of the attack occurring within the U.S. The attack exploited a known vulnerability in the Microsoft operating system, for which a patch is available. The Department of Homeland Security is encouraging all Americans to update their security systems and back up data to prevent possible loss, and is also reminding users not to click on unfamiliar links or open unfamiliar documents in emails.

We echo DHS, and urge all organizations to take steps to help protect against an attack from occurring, while strengthening response preparedness should an attack occur. For regulated entities, this means at a minimum heeding compliance with applicable cybersecurity regulations, including training and creating awareness among all workforce members who can access the organization’s IT systems. For assistance with prevention or preparedness, or if you think you were the victim of a security incident as the result of these recent attacks, or otherwise have had your IT systems compromised, do not hesitate to contact Jackson Lewis’ 24/7 Data Incident Response Team to assist you with the next steps. We are available 24/7 at 844-544-5296 or breach@jacksonlewis.com.

Following on the heels of President Trump’s Executive Order on cybersecurity, this global attack is sure to increase pressure to implement the directives outlined in that order and to elevate our nation’s public and private cybersecurity readiness to the fore of political discussion. And with the impending selection of a new FBI director, look for cybersecurity to be a topic of questioning for whoever faces the gauntlet of Senate confirmation for this position. The apparent paralyzing effect of this attack across sectors of critical infrastructure such as telecom, rail, finance and health and human services highlights the need for law enforcement at all levels to be well versed in cyber competency. But it also serves as a reminder that human error, from lax cybersecurity practices to errant email handling, remains one of the top vulnerabilities facing organizations and enterprises today.

Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intended to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned. In at least one instance – and likely more to follow – client concerns resulted in litigation between firm and client over the adequacy of the firm’s cybersecurity safeguards.

We updated that primer (download here). We also prepared a two-part webinar series to help firms think through their cybersecurity risks. Part One provides an overview of the legal, contractual and ethical risks firms face. Part Two discusses some best practices for navigating client service agreements, breach response and assessments.

The recent global ransomware attack should spur all organizations to think about what they are doing to safeguard their systems and data. Of course, doing something now and leaving those efforts on the shelf is not the right approach. The process of evaluating risks and implementing steps to address those risks is ongoing.

President Trump’s Executive Order on Cybersecurity…

On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. There could not be better timing, with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order is a virtually complete re-cast of the draft Executive Order, with everything but the General Provisions in new format, structure and language. The core concepts that were included in the prior draft, however, appear to be consistent in the final EO (with the promised tweaks).

The EO is intended to modernize, improve and maintain the infrastructure of federal agency information technology and coordinate the efforts of these agencies, and thereby provide for increased risk management. The heads of federal agencies will

be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.

These measures must be taken in accordance with the NIST cybersecurity standards (or any successor thereto). Risk management reports detailing measures taken to date and action plans for implementing the NIST cybersecurity standards must be provided to the Office of Management and Budget and the Secretary of Homeland Security within 90 days of the EO (or, at light speed for government). Within 60 days of these reports, the Director of OMB and his designated posse must report to the President on whether the agency reports are appropriate and sufficient, together with a plan to implement through policies and additional measures that may be needed (aligned with the NIST cybersecurity standards), as well as budgetary needs.

The EO also covers cybersecurity of critical infrastructure, building upon Executive Order 13636, issued by President Obama in 2013. Headed by the Secretary of Homeland Security, a designated group of agencies will collaborate to identify measures that could be taken by federal agencies to support the cybersecurity of critical infrastructure in collaboration with identified critical infrastructure entities. This group must provide a report to the President within 180 days of the EO. Additionally, an “open and transparent” process will be used to foster collaboration among agencies and other stakeholders to reduce botnet threats. A cast of agencies is designated to lead this effort, work with the stakeholders, and provide a report which would be publicly available in preliminary format within 240 days after the EO and in final form within one year of the EO. (The term “appropriate stakeholders” is defined as “any non-executive branch person or entity that elects to participate in an open and transparent process” as established by the Secretaries of Homeland Security and Commerce.)

The third and final topic covered by the EO addresses cybersecurity for the nation, to address “strategic options for deterring adversaries and better protecting the American people from cyber threats,” a means to address international cybersecurity priorities, and workforce development in the cybersecurity field. Assigned groups of agencies will submit reports to the President on these matters in 90 days, 90 days and 120 days, respectively.

We will look forward to more on the reports under the EO, as they inform the direction ahead.

Company Awarded Damages After Former Employee Hacks Its Systems and Hijacks Its Website

A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443-MWF (JPRx) (C.D. Cal. May 2, 2017).

The Defendant worked as a patrol officer for a security company. The company noticed that its payroll system indicated that the Defendant was working substantial overtime hours that were inconsistent with his scheduled hours. Upon further investigation, the company learned that the Defendant accessed the payroll system without authorization from the laptop in his patrol car. When the company confronted him, the Defendant claimed a competitor hacked the payroll system as a means to pay him to keep quiet about his discovery that the competitor had taken confidential information from the company. A few months later, shortly after the Defendant left the company, the company’s computer system was hacked and its website was hijacked. The company later filed suit against the Defendant alleging he was responsible for the hack and the hijacking.

Following a bench trial, the court concluded the Defendant had used an administrative password the company had not given him to inflate his hours in its payroll system. The court also found the Defendant hijacked the company’s website and posted an unflattering image of the company’s owner on the website. In addition, the court found the Defendant engaged in a conspiracy to steal confidential files from the company’s computer system by accessing it remotely without authorization and destroyed some of the company’s computer files and servers.

The court concluded that the aim of the conspiracy in which the Defendant was engaged was twofold: first, to damage his former employer in an effort to reduce its competitive advantage; and second, to obtain access to those files that gave his former employer its business advantage, and use them to solicit its clients on behalf of a company he started. The court also found that by accessing the company’s protected network to artificially inflate his hours and by participating in the conspiracy to hack the company’s systems, the Defendant was liable for violations of the Computer Fraud and Abuse Act, the Stored Communications Act, the California Computer Data Access and Fraud Act, and the California Uniform Trade Secrets Act.

As a result of Defendant’s misconduct, the court awarded the company $318,661.70 in actual damages, including damages for the inflated wages the company paid the Defendant, the cost of consultant services to repair the damage from the hack, increased payroll costs for time spent by employees rebuilding records and databases destroyed in the hack, the resale value of the company’s proprietary files, and lost profits caused by the hack. The court declined to award punitive damages under the California Uniform Trade Secrets Act, but left open the possibility that the Plaintiff may recover its attorneys’ fees at a later date.

Take Away

Companies are reminded that malicious insiders, in particular disgruntled former employees, often cause the most costly data breaches because they have access to areas of the system that external hackers generally cannot easily reach.

Steps should be taken to mitigate insider threats including:

  • Limiting remote access to company systems
  • Increased monitoring of company systems following a negative workplace event such as the departure of a disgruntled employee
  • Changing passwords and deactivating accounts during the termination process

BTI Names Jackson Lewis one of the Top Cybersecurity Firms

The BTI Law Firms Best at Cybersecurity 2017, a report issued by the BTI Consulting Group (pdf), lists Jackson Lewis as one of the country’s top law firms for cybersecurity and data privacy. The report was compiled “based solely on in-depth telephone interviews with leading legal decision makers,” representing more than 15 different industry segments in organizations with $1 billion or more in annual revenues. Our cybersecurity team is grateful for the recognition from our clients.

Cybersecurity and privacy issues are among the most challenging for virtually all of our clients. Today, organizations contend with vast amounts of data, an expanding, multi-layered regulatory environment, technology that evolves at a blistering pace, and sophisticated cybercriminals who can wreak havoc from thousands of miles away. Our Privacy, e-Communication and Data Security Group is committed to helping our clients navigate these cybersecurity challenges through a variety of services, such as:

  • workthruIT™. Our online applications provide helpful resources including a data breach readiness assessment, a data security assessment and a comprehensive survey of the country’s data breach notification laws. And, there are more cybersecurity and privacy apps coming. Learn more about workthruIT™ here.
  • Data Incident Response Team. A tidal wave of ransomware attacks, spearphishing scams and other forms of data breach have victimized thousands of organizations. Having handled more than 500 data incidents, and as part of our commitment to client service, we announced recently a 24/7 Data Incident Response Team to be available on a moment’s notice in the event of a security incident. Learn more about our Data Incident Response Team here.
  • Prevention and Compliance: Assessments, Policies and Training. Of course it is better to avoid a breach than to experience one. So, our team works with clients to assist them with conducting risk assessments, developing policies and procedures, and training their workforce. We strive to understand our clients’ industries because not only is there likely to be different legal requirements, the customary practices and expectations in the industry also are different.
  • Vendor Selection and Management. A cybersecurity program is only as strong as its weakest link and that link could be an organization’s third party service provider. We help organizations assess their vendors’ cybersecurity capabilities, as well as negotiate and draft cybersecurity agreements including business associate agreements to help our clients minimize the risks their vendors present.
  • Government Inquiries and Litigation. We represent our clients before federal and state agencies, as well as in litigation, to respond to claims, inquiries, investigations and compliance reviews involving cybersecurity and privacy.

Cybersecurity and privacy are necessary considerations for doing business today, and we are excited to partner with our clients to help them safely and efficiently maximize the opportunities that information and technology present. Artificial intelligence, internet of things, and “Big Data” present even greater opportunities ahead, with an even greater need to supply adequate time, resources and effort toward cybersecurity and privacy.

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.” According to the resolution agreement, OCR apparently learned of the missing BAA while investigating CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI. Responsible for enforcing the privacy and security rules under HIPAA, OCR then commenced a compliance review of CCDH. It reported finding that neither CCDH nor FileFax could produce a signed BAA applicable to the periods during which CCDH had shared PHI with FileFax. Without an admission of liability, CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes to HIPAA, including to the rules concerning “business associates.” Among those changes were updates to BAAs that the HIPAA rules require covered entities to maintain with their business associates. A covered entity’s business associates include third-party service providers, such as: claims administrators, accounting firms, law firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are directly subject to many of the HIPAA privacy and security requirements, BAAs remain necessary for compliance. A starting point for BAA compliance is the set of sample provisions posted by the OCR. However, there are other issues that parties to a BAA will want to address, such as: specificity concerning the safeguards that should be in place, data breach coordination and response, indemnity, cybersecurity insurance, and agency status. More information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not the only rules that require written assurances from third-party service providers concerning security of personal information. A number of state laws (e.g., California, Massachusetts, Maryland, New Mexico, New York, Oregon) require businesses to have contracts with third-party service providers to safeguard personal information. Of course, even in the absence of a federal or state law, taking steps to ensure vendors secure the confidential information they are provided, such as through a detailed data security agreement, is a prudent practice.

Six Tips to Consider in Hiring Privacy and Data Security Experts

Facing increasingly pervasive issues relating to privacy and data security, companies must decide what qualifications to look for when hiring experts in these areas, whose role within the company is becoming increasingly vital. Moreover, unlike hiring for other positions, it is common that a CEO lacks the knowledge and background to adequately assess whether such an individual has the right expertise and, later on, how they are performing in the position. While there is no “one size fits all” checklist, the following are some factors to consider:

  1. Certification: Various certifications are available to privacy and data security experts. In evaluating whether a privacy or data security expert candidate has the necessary and appropriate knowledge and skills for such a position, companies should consider whether the candidate has received any relevant certifications. For example, professionals in these areas may have one or more certifications through the International Association of Privacy Professionals and/or the Information Systems Security Certifications Consortium, Inc. While not necessarily dispositive as to whether a candidate is qualified for a position, a certification in the areas of privacy and/or data security may evidence a candidate’s interest in, experience with, and maintenance of current knowledge about issues in these areas.
  2. Technical Knowledge and Practical Experience: A candidate with strong technical knowledge may be better positioned to identify potential threats to privacy and data security and to determine how best to prevent and address any such threats. Perhaps even more compelling than a candidate’s technical knowledge is his or her demonstrated practical experience in the application of such knowledge.
  3. Legal and Regulatory Knowledge: Another factor to consider is a candidate’s familiarity with and understanding of laws and regulations applicable to privacy and data security issues. A candidate who is well-versed in these areas may be more qualified to ensure compliance with pertinent laws and regulations in both domestic and international contexts.
  4. Policy: In addition to understanding applicable laws and regulations, privacy and data security experts should be able to understand, interpret, and prepare policies to best ensure compliance with such laws and regulations. Among other things, a strong candidate should possess knowledge about whether the company is legally permitted to use employees’ or customers’ personal information; whether specific information is subject to more stringent rules based on the type of data involved; and whether personal information, if used, might lead to public relations issues or other business-related concerns.
  5. Networking: Expert candidates who engage in networking and attend conferences or similar events could be more up-to-date on relevant issues and laws in the areas of privacy and data security. Candidates who have presented at conferences or written articles about relevant issues may have a heightened commitment to their field, knowledge of pertinent subject matter, and understanding of the nuances of issues that can or may arise, as well as how to address any such issues if they do in fact occur.
  6. Independence and Analytical Skills: An expert who does not demonstrate independence and analytical skills may not be a good fit for an organization. Companies should look to an expert candidate’s ability to work independently and thoroughly analyze issues pertaining to overall privacy and data security issues and to particular incidents.

While these examples are not an exhaustive list of factors organizations should consider, they provide some important considerations for companies when interviewing and hiring privacy and data security experts.

New Mexico Enacts Data Breach Notification Act

On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law. The law has an effective date of June 16, 2017 and follows the same general structure as many of the breach notification laws in other states.

Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”). We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.

The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.

Disposal of PII:

Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII:

Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.

Notification of a Security Breach:

In the event of a breach, the Act provides:

  • Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
  • Notification to each New Mexico resident must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated date(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • A risk of harm trigger. Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft or fraud.”
  • The Act does not apply to a person subject to GLBA or HIPAA.

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is knowing or reckless, a civil penalty may be imposed of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.

Breach notification laws continue to evolve and it is imperative for organizations to be prepared to respond appropriately. If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.