A terminated executive who accessed co-worker emails in the process of reporting possible company wrongdoing lost his appeal on several grounds. In Brown Jordan Intl, Inc. v. Carmicle, the Eleventh Circuit found that the employee violated both the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA).

Carmicle reported to the company concerns about the preparation of a second set of financial projections to the detriment of shareholder value. Carmicle acknowledged that he obtained much of the information by secretly accessing co-worker emails. He did so by using a universal password that had been issued to all employees as part of an email system conversion and that remained valid for the accounts of employees who never set their own personal password. Carmicle subsequently was terminated after an investigator found his allegations of impropriety were without merit (among other reasons).

The appellate court upheld the ruling that Carmicle violated the CFAA despite his argument that Brown Jordan suffered no “loss” as required by the law. Carmicle argued that there was no damage because the company did not experience an “interruption of service” and there was no damage to the computers. However, the company maintained it suffered a loss by, among other things, engaging an outside consultant to assess how Carmicle accessed the emails. Based on this expense, the appellate court found the company sustained a “loss” under the CFAA. The court held that “loss” can include the reasonable costs incurred in responding to a violation, assessing the damage done, and restoring the affected data to its condition prior to the violation; in other words, the cost of the incident response itself can satisfy the statute even when no system was taken offline or altered.

Finally, the court rejected Carmicle’s argument that his access was authorized under the SCA based on a company policy stating that employees have no expectation of privacy and that the company has the right to monitor email communication. The Eleventh Circuit found that it would be “unreasonable” to permit someone to exploit a generic password to access emails without prior authorization and without any suspicion of wrongdoing.

Notwithstanding the outcome in this case, companies are reminded to take steps to ensure privacy protocols are in place and up-to-date. The access in Brown Jordan was possible only because a shared, generic password issued during a system conversion remained valid for accounts whose owners had never changed it; requiring each user to set an individual password at first login, and disabling accounts that do not, would have removed the opportunity. In this day and age, it is reasonable to assume that someone – whether from outside the company or within – may seek access to your network.

The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule.

Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and again in 2013. The first report indicated the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. That device contained the ePHI of approximately 3,800 individuals. On July 5, 2013, the medical center filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The medical center reported that the laptop contained the ePHI of 2,462 individuals.

OCR’s investigation found that, despite knowledge of the risk of maintaining unencrypted ePHI on its devices as early as 2007 (identified through the medical center’s own risk assessments), the medical center failed to implement risk management plans and failed to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until at least April 9, 2013. When announcing the fine, OCR stated that “a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.” This fine indicates that, even with the change of administration, OCR seems likely to continue its aggressive approach to HIPAA enforcement.

This action demonstrates again the importance of creating a culture of security in which employees are cognizant of the potential ill effects of failing to safeguard personal information. This is especially true because OCR’s enforcement activities are not focused simply on the harm to individuals, but on compliance: here, the penalty rested on a risk the entity had itself identified six years earlier and never remediated. HIPAA covered entities and business associates should regularly assess their risk of disclosing protected health information and – just as importantly – address the issues identified during those assessments, which includes implementing appropriate safeguards (such as full-disk encryption on every portable device that can hold ePHI) and conducting regular HIPAA training for employees.

In today’s digital age, security tends to be thought about in terms of firewalls, malware, encryption and other safeguards for electronic systems. But the security of those systems, as well as an organization’s facilities, people and other critical assets depends significantly on physical security as well. We are delighted to share below some thoughts from an ASIS board certified expert in security management, Scott Soltis, CPP and CEO of HMS Security & Risk Management Solutions.

The protection of assets in all forms – people, property and information – is critical to the success of all organizations. This article highlights access control and physical security models and summarizes many industry “best practice” concepts.

The need for physical security and premises protection has existed for thousands of years, and access control can be found throughout historical architecture. Dating back to the time of Caesar, physical structures were protected by gates, walls and other barriers. In the Middle Ages, many kingdoms were protected atop high mountains or hills, or used moats and drawbridges to keep unauthorized persons from gaining access to their castles.

With modernization, physical security has quickly progressed from traditional locks and keys to sophisticated computerized, network-based electronic access control systems, which can use unique credentials to identify an individual and authorize entry into an area. As companies expand and compete in the global marketplace, security programs are being pressured for more efficiency and cost reduction. Companies facing global competition also face the threat of industrial espionage.

Workplace violence, including active violence in the workplace, remains a consistent threat to U.S. companies and organizations. While this article does not focus on the importance of a comprehensive workplace violence prevention program, a successful physical security program is a core mitigating factor in protecting employees against the threat of harm. Physical security programs help reduce business risk and susceptibility to lawsuits and civil litigation, and assist in protecting the assets of an organization.

Developing a Physical Security Program

A typical physical security program requires multiple layers of protection, with each layer becoming progressively more difficult to pass the closer it sits to the asset. Each layer has multiple controls that aid in protecting the assets. The function of each physical security layer is to deter, detect, delay, deny and defend against loss.

For a physical security program to be effective, the organization must develop and maintain controls that include policies and procedures, personnel management and training, physical barriers and controls, access control equipment, and adequate reporting and records management processes or systems.

Prior to deploying a physical security program, it is recommended that a qualified security professional conduct a Threat, Vulnerability/Risk Assessment (TVRA). This assessment should include but not be limited to:

  • determining the existing levels of security,
  • identifying areas of improvement in the physical security program,
  • establishing the appropriate levels of protection needed, and
  • recommending controls to enhance the overall security program.

Following the completion of the TVRA, a security program can be designed or modified to meet the needs of the organization and to remain adaptable to existing as well as future threats. A well-implemented security program includes a continual improvement process that adjusts the program to environmental changes and regularly tests the effectiveness of its elements.

Having a qualified security professional implement the program will reduce an organization’s security risks and, more importantly, provide a method for the organization to meet the duty of care its employees expect of it.

For more information on this topic, contact Scott Soltis at: scott.soltis@hmsent.com

With the proliferation of satellite navigation systems and smartphones, many employers have contemplated using GPS tracking to increase efficiency and, frankly, to keep a better eye on their employees during the work day. While the use of GPS tracking in a vehicle can be lawful, there are some limitations to keep in mind.

First, you have to keep in mind an employee’s potential right to privacy while in the company vehicle. Make sure you have a policy in place that informs the employee that the vehicle has a GPS system installed that will track their whereabouts. If the GPS system has other functionality, like tracking speed, gas consumption and driving behaviors, the employee should be put on notice of those things as well. Some GPS systems also have video and audio recording features. All of those things should be explicitly disclosed to diminish the employee’s expectation of privacy while operating the company vehicle.

Second, a number of states limit when and how a GPS system can be installed. For example, in California there is no statute expressly limiting the installation of a GPS system on a company vehicle, but California Penal Code section 637.7 limits when a GPS system can be installed on someone else’s vehicle. That statute does not apply, however, where the owner, lessor or lessee of the vehicle consents to the installation of the GPS device.

Minnesota’s restriction on the installation of a GPS tracking device is similar, but broader in its application. (Minn. Stat. 626A.35.) Instead of limiting only installation of a tracking device, Minnesota’s statute prohibits use of a mobile tracking device without a court order, unless consent is obtained from the owner “of the object to which the mobile tracking device is attached…” There are similar laws in Tennessee (Tenn. Code § 39-13-606) and Texas (Texas Penal Code § 16.06).

These statutes create a conundrum for employers who have their employees install GPS tracking apps on their smartphones. Arguably, the statutes would not cover that situation because both the California and Minnesota statutes say that the tracking device has to be “attached,” and it is not clear whether installing an app means the app is “attached.” Given the ambiguity in the wording of the statutes, if an employer is going to require the installation of a tracking app on a smartphone, the best practice to avoid potential invasion of privacy claims is to obtain express consent from the employee. Just as with a GPS device, the employee should be put on notice of the types of data and information the app will track.

There are additional considerations like when the tracking device is tracking the employee. To avoid invasion of privacy claims, tracking devices should not be active when the employee is not working.

This area of the law continues to change, but its pace is behind the changes in technology so it is important to consult with your employment counsel before implementing new technologies.

On February 2, 2017, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. The scam, which targets the corporate world during tax season, is currently “spreading to other sectors, including school districts, tribal organizations and nonprofits.” (irs.gov/news-events).

This cyber-scam is simple, but highly successful. It consists of an e-mail sent to an employee in the Human Resources or Accounting department that appears to come from an executive within the organization. Both the TO and FROM e-mail addresses are accurate internal addresses, as are the sender’s and recipient’s names. The e-mail requests that the recipient forward the company’s W-2 forms, or related data, to the sender. This request aligns with the job responsibilities of both parties to the email.

Despite appearances, the e-mail is a fraud. The scammer is “spoofing” the executive’s identity. In other words, the cyber-criminal assumes the identity and e-mail address of the executive for the purpose of sending what appears to be a legitimate request. The recipient relies on the accuracy of the sender’s e-mail address, coupled with the sender’s job title and responsibilities, and forwards the confidential W-2 information. The reply does not go to the executive: it goes to a hidden e-mail address controlled by the cyber-criminal, typically set in a Reply-To header that the recipient never sees.

When successful, the cyber-criminal obtains a trove of sensitive employee data that may include names, dates of birth, addresses, salary information, and social security numbers. This information is used to file fake tax returns and requests for tax refunds and/or sold on the dark web to perpetrators of identity theft.

The IRS gives examples of these W-2 e-mail requests on its website:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

These cyber-scams, known as business email compromise (BEC) attacks or CEO spoofing, are a form of “spear phishing.” Spear phishing targets a specific victim using personal or organizational information to elicit the victim’s trust. The cyber-criminal obtains and uses information such as personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests, etc. to lure the victim into providing sensitive or confidential information. Quite often, the scammers cull this information from social media, LinkedIn and corporate websites. The method is both convincing and highly successful.

While an organization can use firewalls, web filters, malware scans and other security software to hinder spear phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training (see our white paper with best practices for setting up a training program) for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information (for example, confirming any request for W-2 or payroll data by telephone or in person, never by replying to the e-mail), and reduced posting of personal information online. On the technical side, publishing SPF, DKIM and DMARC records for the company’s domain and having the mail gateway flag or quarantine inbound messages that claim an internal sender but fail those checks removes the simplest form of this attack.
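The following is an added example, not code from the original post, showing the header-level checks a mail gateway or SOC analyst would apply to a message like the W-2 requests described above: whether the message that claims an internal executive as sender actually passed SPF, DKIM and DMARC, whether a Reply-To or Return-Path points at an outside domain (the “hidden e-mail address” the reply really goes to), and whether an executive’s display name is paired with an external address. The company domain `example.com`, the protected name list and the three sample messages are constructed for the example.

```python
"""Triage checks for executive-impersonation (BEC) e-mail.

Added example, not part of the original post. Parses raw RFC 5322 headers and
reports the signals worth acting on when a message claims to come from inside
the company. Domain, executive names and sample messages are constructed.
"""
from __future__ import annotations

from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumption: the company's own mail domain
PROTECTED_NAMES = {"jane doe"}        # assumption: executives likely to be impersonated


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def _auth_results(msg) -> dict[str, str]:
    """Collect method=result pairs (spf=pass, dkim=fail, dmarc=none, ...) from
    every Authentication-Results header stamped by the receiving gateway."""
    results: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Format: authserv-id; method=result key=value; method=result ...
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            if not clause:
                continue
            token = clause.split()[0]
            if "=" in token:
                method, _, result = token.partition("=")
                results[method.lower()] = result.lower()
    return results


def bec_findings(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means no BEC signal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    if from_dom == INTERNAL_DOMAIN:
        # Sender claims to be internal: it must have authenticated as such.
        auth = _auth_results(msg)
        for method in ("spf", "dkim", "dmarc"):
            result = auth.get(method, "missing")
            if result != "pass":
                findings.append(f"{method}={result} for internal sender {from_addr}")
        # A reply or bounce address outside the company is where the data would go.
        for hdr in ("Reply-To", "Return-Path"):
            dom = _domain(str(msg.get(hdr, "")))
            if dom and dom != INTERNAL_DOMAIN:
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    elif from_name.strip().lower() in PROTECTED_NAMES:
        # Display-name spoofing: right name, external mailbox.
        findings.append(f"display name '{from_name}' used with external address {from_addr}")
    return findings


# Constructed sample messages (headers only matter for this check).
SPOOFED = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-mailer.test;
 dkim=none; dmarc=fail header.from=example.com
Return-Path: <bounce@bulk-mailer.test>
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-relay.test>
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) of all staff for a quick review.
"""

DISPLAY_NAME_ONLY = b"""\
From: Jane Doe <jane.doe.office@freemail.test>
To: payroll@example.com
Subject: Updated employee list

Can you send me the updated list of employees with full details.
"""

LEGIT = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Quarterly headcount

Please send the headcount summary (no personal data) when you have a minute.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("display-name", DISPLAY_NAME_ONLY), ("legit", LEGIT)):
        print(label, bec_findings(raw) or "no findings")
```

The check is deliberately narrow: it only scores messages that claim the company’s own domain or an executive’s name, so a gateway can quarantine those for manual verification without touching ordinary external mail. It does not detect a genuinely compromised executive mailbox, which will pass all three authentication checks; that case is what the out-of-band verification procedure above is for.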

Although simple, the W-2 e-mail scam can have a devastating impact on an organization and its employees. And, although equally simple, employee awareness can help prevent it.

Instances of W-2 or similar attacks should be reported to the IRS at phishing@irs.gov and the Internet Crime Complaint Center of the FBI.

 

Mary Costigan is working with our Privacy, e-Communications and Data Security Group as part of an externship with Pace University Law School’s New Directions for Attorneys Program.

On January 9, 2017, lawmakers in the House re-introduced legislation, the Email Privacy Act, which, if enacted, would require the government to obtain a court-issued warrant to access electronic communications, including emails and social networking messages, from cloud providers (e.g., Google, Yahoo) when such communications are older than 180 days. Current law, the Electronic Communications Privacy Act (ECPA), only requires court-issued warrants for electronic communications that are 180 days old or less, but authorizes law enforcement and some government agencies — such as the SEC — to obtain electronic communications from cloud providers with a subpoena, issued by a prosecutor without approval of a judge, if the communications are older than 180 days.

Supporters of the Email Privacy Act point out that, when Congress enacted the ECPA in 1986, electronic storage was expensive and email service providers typically deleted electronic communications within 90 days.  Congress, when enacting the ECPA, did not require warrants for electronic communications that were older than 180 days, because such communications were, to the limited extent any existed, considered “abandoned property.” Supporters of the Email Privacy Act contend that Congress looked at then existing technology and never contemplated that one day many people would store their electronic communications with email service providers for well beyond 180 days. The Email Privacy Act would, according to supporters, fix this outdated flaw in the ECPA.

Federal agencies that have relied on the ECPA have pushed for no changes to the law. In a 2013 letter to the Senate Judiciary Committee, the Chair of the SEC stated, in opposition to similar legislation, that a warrant requirement would block the SEC from obtaining digital content from service providers, and the agency has recently reaffirmed these sentiments. The SEC is a civil agency and lacks authority to obtain warrants, relying instead on subpoenas for its investigations.

The Email Privacy Act has bi-partisan support in the House, with four Republicans and five Democrats signed on as original co-sponsors of the legislation. The Email Privacy Act has not been introduced in the Senate, and it remains unclear if any senator will sponsor the legislation in that chamber. Senator Lee (R.-Utah), who sponsored the same legislation in the 114th Congress, reportedly does not plan to introduce it again. It is also unclear at this time if President Trump would sign this legislation into law if it passes both the House and the Senate.

In 2016, during the 114th Congress, the Email Privacy Act passed the House unanimously but then stalled in the Senate Judiciary Committee after Senator Cornyn (R-Texas) offered a controversial amendment that would have provided the FBI with expanded surveillance power.

We will continue to monitor this important legislation and post updates as there are new developments.

A class action alleging Viacom illegally obtained and disclosed personally identifiable information from children under the age of thirteen through the Nickelodeon website recently reached the end of the line (almost) when the class’ petition for a writ of certiorari was denied by the Supreme Court this month. The high court chose not to further define the contours of what constitutes “personally identifiable information” and “disclosure.”

The drafters of the 1988 Video Privacy Protection Act (“the Act”) likely had no idea that the law passed nearly thirty years ago would be raised to challenge the practice we each encounter hundreds of times per week—tracking of our IP addresses through the use of cookies on websites. The law prohibits disclosure of personally identifying information relating to viewers’ consumption of video-related services. When passed, lawmakers probably envisioned video rental clerks being prohibited from sharing the list of videos a particular renter selected with others. Now, in a world where the number of viewers and followers is equivalent to profits for all who sell, information gained from IP addresses makes it possible for companies to target individuals in a way that was probably never imagined.

The Third Circuit decided as a matter of first impression that Viacom had not disclosed personally identifiable information in violation of the Act when it shared IP addresses, collected through cookies, with Google for its use in targeted advertising. The court did identify that there is a split of authority regarding whether or not “static digital identifiers,” such as IP addresses, constituted personally identifiable information because they could, in theory, be combined with other information to identify an individual. Other courts, including the First Circuit, have held that any unique identifier, including an IP address combined with GPS coordinates, could constitute personally identifying information. This decision also stands in contrast with a recent EU ruling, Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, which held that under certain circumstances IP addresses could constitute personal data protected under EU data protection law. However, in the Nickelodeon case, the court determined the information could not be used to identify a specific individual without extraordinary effort and that the information had not been disclosed.

Advice for Businesses

Businesses striving to not run afoul of the Act can learn valuable lessons from this case. First, do not think narrowly when identifying “personal information.” It is not always as straightforward as a Social Security number or bank account number. Think about combinations of information that could enable another person or entity to identify a specific individual. Second, use caution when sharing information about customers or employees—even when it might seem innocuous or unlikely that specific individuals could be identified. Third, do not promise more privacy or data security than you actually provide. The class claim alleging Viacom collected personal information about children, despite its promise not to do so, lives on and the court described that violation as “highly offensive.”

 

We are pleased to announce that Mary Costigan will be joining our Privacy, e-Communications and Data Security group today as part of an externship with Pace University Law School’s New Directions for Attorneys Program. Mary’s desire to return to legal work in this area shows the continued interest in cybersecurity and privacy issues and the surge in demand for expertise in this exciting and evolving space. We are honored that Jill Backer, Asst. Dean for Career and Professional Development Pace University School of Law and Director of the New Directions Program reached out to us to support the Program and help develop Mary’s expertise. Welcome Mary!

The New Directions for Attorneys Program assists attorneys in returning to traditional law practice or an alternative legal career. Its participants are graduates of many different law schools, and have practiced in numerous types of settings, including not-for-profit organizations, government agencies, law firms, corporations, and others. According to Ms. Backer, “the Program is critical in getting successful attorneys who stepped away from practice for a few years, back to work.” The Program has been in existence for 10 years and touts more than 260 alumni. The Program has been recognized numerous times in the media, including The New York Times, Bloomberg News, MORE Magazine, The Huffington Post, The Harvard Business Review, CNN, and many others. 

You can find more information about the Program here. In the meantime, we are looking forward to working with Mary.

On January 13, current FTC chairwoman Edith Ramirez announced that she would resign from her position effective February 10, 2017. Ramirez was instrumental in increasing the FTC’s cybersecurity enforcement authority, going after a wide range of data security related private offenders and demonstrating the FTC’s cyber “watchdog” status.

Last Wednesday, January 25, President Trump’s administration announced that Maureen K. Ohlhausen would replace Ramirez as acting FTC chair. Ohlhausen, a Republican, has been an FTC commissioner since 2012 and was one of only two sitting commissioners, the other being Terrell McSweeny, a Democrat. The new administration will therefore have the opportunity to fill the three vacant seats on the five-member commission; because no more than three commissioners may belong to the same political party, at least one of those three cannot be a Republican.

Ohlhausen has had an extensive career at the FTC, which began in 1997 in the FTC’s Office of the General Counsel. She later served as an advisor to former Commissioner Orson Swindle, and as both Deputy Director and Director of the Office of Policy Planning. President Barack Obama appointed her as a commissioner on April 4, 2012.

Upon her appointment as acting Chairwoman, Ohlhausen released a statement that she “will safeguard competition…[and] work to protect all consumers from fraud, deception, and unfair practices.” Similarly, in 2014 she noted that “the commission should use its limited resources to pursue cases that involve consumer harm” and voiced her concerns over the “procrustean problem with prescriptive regulation.”

Moreover, Ohlhausen is known for her critique of excessive government regulation, stating in a recent speech that such regulation results in “suffer[ing]” that extends beyond large corporations. Instead, Ohlhausen believes that the FTC should employ “a philosophy of regulatory humility that has been absent in recent years…and be mindful of the private and social costs that government actions inflict.” In addition, Ohlhausen recently stated in an FTC report that self-regulation is a valid form of consumer protection against privacy infringements. Such statements suggest that Ohlhausen will take a more “pro-business” approach than under Ramirez’s leadership, aimed at limiting regulatory actions that may impede the benefits of data usage and limit competition.

Nonetheless, Ohlhausen has only been appointed as acting FTC chair, and it has been reported that President Trump advisor, Peter Thiel, is conducting a search for a permanent candidate.

New York State Attorney General Eric T. Schneiderman announced a settlement with Acer Service Corporation (a Taiwanese computer manufacturer) relating to the NYSAG’s investigation of a breach of Acer’s data. The data breach, first reported in June 2016, involved data for over 35,000 customers throughout the United States, Canada and Puerto Rico, including 2,250 customers who resided in New York.

The accessed data included payment card data – names, addresses, email addresses, card numbers, expiration dates and security codes – as well as user names and passwords, critical information for the customers involved. The data that was accessed covered transactions over an almost 12-month period, from May 12, 2015 through April 28, 2016.

Reports indicated that the information was accessible because Acer had inadvertently stored it in an unsecured format: with debugging mode enabled on the e-commerce platform, customer transaction data, including the card security codes, was retained unencrypted on the web server. According to the NYSAG investigation, Acer had also misconfigured its website to allow directory browsing, so that unauthorized users could list the server’s directories and find those files. At least one hacker took advantage of the two vulnerabilities together, obtaining customer data through hundreds of electronic requests. Two practitioner points follow from this. First, card security codes may not be stored after authorization at all under PCI DSS, so the debug setting created data that should never have existed, however it was protected. Second, directory indexes and debug output are development conveniences that should be disabled, and verified disabled, on any production host.
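The following is an added example, not code from the original post or from the settlement record, showing how the access pattern described above could have been spotted in ordinary web-server access logs: a client is served a directory index (a 200 response to a path ending in “/”), then pulls many distinct files from under that directory. The Combined Log Format lines, the `/debug/` directory name and the threshold of five files are all constructed assumptions for the example.

```python
"""Detect directory-listing harvesting in web-server access logs.

Added example, not from the original post or the NYSAG settlement. Looks for
the sequence the Acer case describes: a client receives a directory index and
then fetches many files beneath it. Log lines and thresholds are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Combined Log Format prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

MIN_FILES = 5  # assumption: this many files pulled after an index is suspicious


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_harvesters(lines) -> dict[str, dict[str, list[str]]]:
    """Return {ip: {directory: [files]}} for clients that were served a directory
    index (200 to a path ending in '/') and then fetched MIN_FILES or more
    distinct files beneath that directory."""
    listed: dict[str, set[str]] = defaultdict(set)            # ip -> directories indexed
    fetched: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["method"] not in ("GET", "HEAD"):
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/") and path != "/":
            # The site root is normally a page, not an index; sub-directories are not.
            listed[rec["ip"]].add(path)
            continue
        for directory in listed[rec["ip"]]:
            if path.startswith(directory):
                fetched[rec["ip"]][directory].add(path)

    return {
        ip: {d: sorted(files) for d, files in dirs.items() if len(files) >= MIN_FILES}
        for ip, dirs in fetched.items()
        if any(len(files) >= MIN_FILES for files in dirs.values())
    }


# Constructed sample log: one harvester, one ordinary shopper, one client that
# legitimately pulls a couple of static assets after an index.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Apr/2016:03:12:01 +0000] "GET /debug/ HTTP/1.1" 200 4821 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:02 +0000] "GET /debug/checkout-2015-05-12.log HTTP/1.1" 200 51230 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:02 +0000] "GET /debug/checkout-2015-06-01.log HTTP/1.1" 200 48810 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:03 +0000] "GET /debug/checkout-2015-09-14.log HTTP/1.1" 200 50017 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:03 +0000] "GET /debug/checkout-2015-12-02.log HTTP/1.1" 200 47702 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:04 +0000] "GET /debug/checkout-2016-02-19.log HTTP/1.1" 200 49955 "-" "curl/7.47.0"
198.51.100.7 - - [14/Apr/2016:03:12:04 +0000] "GET /debug/checkout-2016-04-28.log HTTP/1.1" 200 51104 "-" "curl/7.47.0"
203.0.113.5 - - [14/Apr/2016:03:15:44 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2016:03:15:51 +0000] "GET /store/product/4410 HTTP/1.1" 200 17711 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2016:03:16:02 +0000] "GET /debug/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.33 - - [14/Apr/2016:03:20:10 +0000] "GET /static/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.33 - - [14/Apr/2016:03:20:10 +0000] "GET /static/site.css HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
192.0.2.33 - - [14/Apr/2016:03:20:11 +0000] "GET /static/app.js HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, dirs in find_harvesters(SAMPLE_LOG.splitlines()).items():
        for directory, files in dirs.items():
            print(f"{ip} indexed {directory} and fetched {len(files)} files beneath it")
```

Any 200 response to a sub-directory path is itself worth an alert on a production site, since a correctly configured server returns 403 or 404 there; the file-count threshold only separates a one-off probe from an active harvest. In a real deployment the rule would run over a sliding time window rather than the whole log.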

As a result of Acer’s failure to protect sensitive customer information for almost a one-year period, the NYSAG fined Acer $115,000 and required Acer to implement enhanced data security practices. These enhanced data security practices include:

  • the designation of specific employees to coordinate and supervise Acer’s privacy and security program;
  • a designated individual to be notified if personal information is saved or stored in an unencrypted manner on Acer’s systems;
  • annual employee training on data security, consumer privacy and obligations to maintain the integrity of consumer information, for all employees who handle personal information;
  • staff training on data breach notification requirements for staff who will input, maintain, store or transfer personal information;
  • the regular identification of significant risks to the confidentiality and security of personal information that reasonably could lead to the unauthorized access, misuse, alteration or other compromise of the information, including newly identified security vulnerabilities;
  • the implementation of safeguards to control those risks, such as multi-factor authentication for remote access, an intrusion detection system, quarterly vulnerability assessments and annual penetration testing, together with regular testing of systems, controls and safeguards; and
  • ensuring that service providers agree to implement and maintain appropriate safeguards and have the capability to do so.

The Acer data breach was considered relatively small in scope, but as the NYSAG settlement indicates, even a breach on this scale can carry heavy burdens for the entity suffering it. Thus, in addition to reminding businesses of some best practices to consider implementing to safeguard personal information, the NYSAG’s investigation makes clear that large breaches are not the only ones that will come under the office’s scrutiny.