Judge Slashes Attorneys’ Fees in Anthem Data Breach Settlement

A federal judge slashed attorneys’ fees in a $115 million data breach case settlement between Anthem Inc. and its customers, according to Bloomberg Law.

“The Aug. 16 ruling by Judge Lucy Koh of the U.S. District Court for the Northern District of California closes the long-running lawsuit against Anthem. The case stemmed from a 2015 breach that exposed Social Security numbers, birth dates, and health-care data of 78.8 million customers,” explains reporter Daniel R. Stoller.

The judge ruled that attorneys for the class action plaintiffs are entitled to $31 million in fees, $2 million in expenses, and $132,000 for other operation costs. Class attorneys had requested $37.95 million in fees, or roughly one-third of the total settlement fund, which Koh approved Aug. 15.

Read the Bloomberg Law article.

Recovering Data Breach Losses from Non-Contractual Parties

A post on Dykema’s The Firewall blog considers the question: Who bears the loss from a data breach perpetrated by a fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data?

The author, David B. West, writes that the answer depends on which law applies.

“While statutes require banks and their vendors to protect customers’ Personally Identifiable Information (“PII”), the obligation of other businesses to do so is not as well defined,” West explains. “Regulatory obligations to protect data vary by industry and geography.”

He also discusses relying on common law for data breach losses, recovering damages, and the need for consistent ability to recover losses.

Read the article.

Bitcoin Exchange Operator Faces 40 Years in Jail for Lying to SEC

Bloomberg Law is reporting that a virtual currency operator accused of running off with investor funds after a 2013 hack and lying to investigators has accepted a plea deal with federal prosecutors in New York.

Reporter Lydia Beyoud writes that Jon E. Montroll of Saginaw, Texas, faces up to 40 years in prison.

Manhattan U.S. Attorney Geoffrey S. Berman said in a July 23 statement accompanying the plea agreement that Montroll “repeatedly lied during sworn testimony and misled SEC staff to avoid taking responsibility for the loss of thousands of his customers’ bitcoins” in 2013.

Read the Bloomberg Law article.

$17M Target Data Breach Settlement Affirmed on Second Try

Target Corp.’s $17 million class settlement to resolve consumer claims over a 2013 data breach passed Eighth Circuit scrutiny on its second trip to the appeals court, reports Bloomberg Law.

The court rejected an objector’s challenge that the named plaintiffs weren’t adequate representatives for the whole class because they received compensation while others didn’t, according to reporter Perry Cooper.

He explained:

“All class members had the ability to register for credit monitoring, and all of the compromised payment cards undoubtedly were canceled and replaced by the issuing banks,” Judge Bobby E. Shepherd wrote for the U.S. Court of Appeals for the Eighth Circuit.

“Any risk of future harm is therefore entirely speculative,” the court said.

Read the Bloomberg Law article.

Dismiss Big Law Malicious Prosecution Suit, Judge Recommends

Bloomberg Law is reporting that a federal magistrate judge recommended the dismissal of a lawsuit that accuses Reed Smith LLP and Clark Hill PLC of using baseless lawsuits, discovery delays—and even thuggish private eyes—to help a client conceal its criminal activities.

Reporter Samson Habte writes that the recommendation could bring an end to one of several high-stakes lawsuits that LabMD Inc. is pursuing against cybersecurity firm Tiversa Inc. and some of the nation’s largest law firms.

In a lawsuit, LabMD accused former U.S. Attorney Mary Beth Buchanan and Bryan Cave Leighton Paisner LLP of trying to prevent a whistleblower from revealing Tiversa hacked LabMD with “FBI surveillance software” it got from Buchanan.

The suit also claimed that Reed Smith and Clark Hill helped Tiversa cover up Tiversa’s allegedly criminal activities. “The firms allegedly did so by bringing baseless defamation suits that drained LabMD’s resources, and by using private investigators to intimidate and silence the whistleblower,” according to Habte.

Read the Bloomberg article.

Biglaw Firm, Former U.S. Attorney Accused of Hacking Cover-Up

Bloomberg Law is reporting that a little-noticed lawsuit filed in New York federal court accuses a former federal prosecutor of unethically preventing a whistleblower from telling the FTC that he hacked an embattled company’s files using “FBI surveillance software” that the prosecutor gave him.

The allegations are in a suit against former U.S. Attorney Mary Beth Buchanan and Bryan Cave Leighton Paisner LLP, the global megafirm where she is now a partner, according to reporter Samson Habte.

Plaintiff LabMD Inc., a cancer-screening firm, says it went out of business after falling victim to a “shakedown scheme” by a cybersecurity firm that hacked the lab’s files—and then reported it to the FTC when it refused to pay for “remediation” services.

LabMD’s complaint alleges Buchanan gave FBI surveillance tools to Tiversa Inc., which then allegedly used the tool to hack LabMD. It also alleges Buchanan unethically represented the whistleblower in FTC proceedings to keep him from divulging how Tiversa received the hacking tool.

Read the Bloomberg article.

Webinar Recording Available on SEC Cybersecurity Guidance

Hunton & Williams LLP has posted an on-demand webinar discussing the Securities and Exchange Commission’s recently released cybersecurity guidance.

For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk, the firm says on its website.

Presenters are partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon. They discuss the new guidance, along with changes in regulatory obligations under EU law with respect to the upcoming GDPR and historical SEC enforcement actions related to cybersecurity.

Watch the on-demand webinar.

Webinar: Data Privacy: The Current Legal Landscape

Troutman Sanders will host a complimentary webinar that will cover the legal landscape surrounding data-based products. The event will be Thursday, March 22, 2018, 3-4 p.m. Eastern time.

“In the last few years, the right to privacy has been hotly debated in the United States. What critics do not understand or appreciate is that the next technological paradigm is completely dependent on improvements both to the quality and quantity of data,” the firm says on its website.

Webinar speakers will cover the ongoing evolution of the legal landscape for data-based products, so that organizations can continue to succeed in their development of data-based products.

Register for the webinar.

U.S. Supreme Court Wrestles With Microsoft Data Privacy Fight

Reuters reports that Supreme Court justices on Tuesday wrestled with Microsoft Corp’s dispute with the U.S. Justice Department over whether prosecutors can force technology companies to hand over data stored overseas, with some signaling support for the government and others urging Congress to pass a law to resolve the issue.

“The case began when Microsoft balked at handing over a criminal suspect’s emails stored in Microsoft computer servers in Dublin in a drug trafficking case. Microsoft challenged whether a domestic warrant covered data stored abroad,” according to reporters Lawrence Hurley and Dustin Volz.

Two of the justices, Ruth Bader Ginsburg and Sonia Sotomayor, questioned whether the court needed to act now, given that Congress is considering bipartisan legislation that would resolve the legal issue.

Read the Reuters article.

Memo to Law Firms: Raise Cybersecurity Bar or Risk Client Losses

Law firms may not be the safe repository of client confidences—such as trade secrets and merger plans—that they once were, as hackers recognize firms as prized vaults of proprietary corporate data, warns Bloomberg Law. And clients are starting to view law firm data breaches as serious business considerations.

Daniel R. Stoller talked with Christopher Dore, privacy partner at plaintiff-side firm Edelson PC in Chicago, who told him that “if hackers want to get data from Alphabet Inc.’s Google, the best path may be through a law firm rather than directly from the company, because the law practice likely has an almost ‘unlimited variety of data.’”

And Lucian T. Pera, legal ethics partner at Adams and Reese LLP in Memphis, Tenn., and former treasurer of the American Bar Association, told Stoller: “Cybersecurity protections are becoming a serious factor in client decision-making” at law firms, and large firms stand to lose business if they don’t take care of cybersecurity.

Read the Bloomberg article.

Download: How to Prepare Your Business for 2018 GDPR Requirements

Zapproved has published a report providing insights from a PREX17 summary on meeting the new GDPR rules by May 2018. The summary may be downloaded free of charge.

In May 2018, the General Data Protection Regulation (GDPR) will go into effect, requiring companies that do business in Europe to adjust their strategies for data management. The GDPR standardizes data protection law across the member countries, but it doesn’t specifically address preservation and discovery for U.S. legal proceedings.

The PREX17 session summary, “Data Privacy, the GDPR and Security All in One” explores the practical considerations for this transition with insight from Intel’s Dan Christensen, U.S. Magistrate Judge Elizabeth Laporte and Jeane Thomas, Partner at Crowell & Moring LLP.

It discusses strategies to address:

  • Article 30 requirements for detailed record keeping
  • U.S. vs. EU perspectives on cross-border discovery and personal privacy rights
  • ISO 27001 certification

Download the summary.

New Report Highlights Cyber Threat to US Electric Industry

As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued in December by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware, reports Morgan Lewis in its Power & Pipes blog.

According to the report, a piece of malware called “TRITON” triggered the emergency shutdown capability of an industrial process within a critical infrastructure ICS.

“In 2013, hackers believed to be operating on behalf of a state-actor managed to take partial control of the Bowman Avenue Dam near Rye Brook, New York. More recently, reports emerged this past summer that hackers gained access to the operational grid controls of US-based energy firms,” write J. Daniel Skees and Arjun Prasad Ramadevanahalli.

Read the article.

Lawyer is the First Guy Computer Hackers Call When the FBI Shows Up

Six years ago, former Manhattan lawyer Tor Ekeland traded in his fat paycheck for a not-so-lucrative private practice as one of a handful of defense lawyers who specialize in computer crimes.

Mother Jones profiles the 48-year-old, who blames his boring corporate job for leading him to alcoholism.

Reporter A.J. Vicens writes that Ekeland has strong feelings about the perceived nefarious intent of the Computer Fraud and Abuse Act. Hackers “scare people. They make them feel vulnerable; there’s a hysteria about it.”

Ekeland has defended hackers against charges ranging from probing the defenses of municipal websites to conspiring to access federal email accounts.

Read the Mother Jones article.

Download: Greenwald on the Value of Privacy

Zapproved has published a complimentary recap of the PREX17 keynote address by Pulitzer Prize-winning journalist Glenn Greenwald, which explores the boundary layer between law and technology in the connected society.

In the fallout of the Edward Snowden NSA leaks, he explores the reasons why monitoring and evaluating the impact of our technology are crucial and discusses in detail:

  • When weighing the importance of privacy, consider all of your personal information from all of your email accounts, social profiles and medical profiles.
  • Ten years ago technology was the number one way privacy was compromised. Now, technology is the number one leading tool for how privacy is protected.
  • Digital surveillance has become so prevalent and consequential that the NSA’s motto for their citizen surveillance programs is “Collect it all.”

Download the keynote summary.

What Does Ransomware Cost Companies?

By King & Fisher Law Group, PLLC

In its 10-Q filing for the quarter ended September 30, 2017, Merck & Co., Inc. stated the following:

On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. … [T]he Company was unable to fulfill orders for certain other products in certain markets, which had an unfavorable effect on sales for the third quarter and first nine months of 2017 of approximately $135 million. … In addition, the Company recorded manufacturing-related expenses, … as well as expenses related to remediation efforts … , which aggregated $175 million for the third quarter and first nine months of 2017.

Worth noting, this $310 million amount likely does not include all legal fees, forensic costs, and all other costs, expenses, and losses related to the cyber-attack. Nor does it appear to include other costs, expenses, and losses that may be indirectly revealed elsewhere in Merck’s business or operations. The attack in question is the NotPetya ransomware attack, which impacted countless companies worldwide on June 27 of this year.

Lost Business Resulting from Ransomware
Merck’s announcement is remarkable for several reasons, especially for those who negotiate technology contracts and agreements with data privacy and security implications. First, it’s noteworthy in its relatively clear quantification of lost business resulting from the ransomware attack. That is, often it is difficult to quantify lost business, lost sales, and consequential damages when negotiating liability provisions related to data security and information security in technology agreements and other commercial contracts. This is not to say that Merck’s recitation of these amounts is a new rule-of-thumb or benchmark, but it may start a conversation.

Quantifiable Losses
Second, the loss numbers reported by Merck are not small ones. It is common to discount publicly announced forecasts of ransomware impacts that are viewed as extreme – $75 billion per year, according to one recently cited resource. But the concreteness of Merck’s number and the specificity of the ransomware attack merit attention.

Ransomware is Fact-Specific
Third, the Merck announcement implicitly underscores the criticality of the precise facts surrounding the NotPetya ransomware attack and the unique business and situation of Merck. Not all ransomware or malware attacks can cause the same sort or amount of losses reported by Merck, nor does the same ransomware or other malware give rise to the same quality or quantity of losses for every corporate victim. When negotiating data privacy and data security provisions in commercial technology contracts and similar agreements, it is important for all sides to consider the specific circumstances and risks related to the transaction and parties in question.

Ransomware Impacts Are Not Necessarily Per-Record
And, fourth, the Merck report sheds light on the financial repercussions of ransomware, as opposed to other malware and hacking activities. That is, there are a number of industry and other reports and surveys that speak to the financial and other impacts of data breaches and security breaches on a per-record basis (for example, cost per record, records per breach, etc.). The 2017 Ponemon Institute Cost of a Data Breach Study, Verizon’s 2017 Data Breach Investigations Report, and Gemalto’s Breach Level Index Findings for the First Half of 2017 are just a few. However, in many cases the particular per-record numbers reported do not provide a clear picture of the financial effects of ransomware, which often is not the kind or scope of cyber-attack that can be assessed on a per-record basis.

Merck’s 10-Q for the third quarter of 2017 is definitely not a quick-fix answer to the question of how much a ransomware attack would or could financially impact a company. However, for attorneys, contract professionals, and others who draft and negotiate technology agreements and contracts and, specifically, information and data security and privacy provisions, the Merck quarterly report is potentially meaningful.

Supreme Court Leaves Holes in Anti-Hacking Law

The U.S. Supreme Court declined last week to consider two cases concerning the Computer Fraud and Abuse Act (CFAA), leaving certain questions unresolved regarding liability for computer hacking and the prospect for potentially harsh criminal and civil penalties, according to a post on the website of Androvett Legal Media & Marketing.

“Given the current state of the law, someone could potentially be put in jail or subject to civil liability under the CFAA in one jurisdiction and not in another for the very same act,” said attorney Shain Khoshbin of Dallas-based Munck Wilson Mandala. “In fact, someone could be potentially criminally prosecuted and civilly liable simply for password sharing.”

The CFAA was originally intended to criminally prosecute individuals who accessed classified information by hacking into government computers. The federal statute was later amended to allow private civil actions for violation of the act. This allowed businesses to take the offensive against hackers and those who improperly access digital assets stored in computers.

“As the definition of ‘computer’ continues to expand, and computer networks continue evolving to include social media platforms, cloud storage and a wide variety of subscription-based services, the CFAA will undoubtedly continue to be tested in the court system,” said Khoshbin.

“The CFAA is a valuable tool for businesses to use as part of their crisis management plan for data breaches, and to seek justice from those who improperly access electronic assets. But the judiciary or Congress needs to address and resolve some important issues so the law can be applied consistently.”

Mitigating Cyber Risk: Third-Party Service Provider Contract Considerations

Businesses are adapting to the new reality of cybersecurity threats by shoring up technology and educating employees regarding best practices and risks associated with an online presence, writes Marc C. Tucker, a partner in Smith Moore Leatherwood LLP.

“A business’s electronic data is quickly becoming its most valuable asset— an asset worth protecting,” he explains. “If data is trusted to a third party, the parameters of what is expected to keep your data safe should be memorialized in a contract with that service provider.”

“Strategic third-party contracting practices will not eliminate all cyber risks but is an additional arrow in the quiver as you strive to protect sensitive data.”

Read the article.

You Don’t Think Your Small Business Will Get Hacked? You’re Wrong.

While the majority of businesses at risk for criminal hacking are major institutions that deal with a lot of data — such as banks — the idea that small and midsize businesses aren’t a target is mistaken, reports the Chicago Tribune.

Reporter Corilyn Shropshire credits that analysis to Richard Sypniewski, CEO and managing director of Sagin, a management consulting and IT management firm.

Sypniewski said nonprofit institutions are at greater risk for criminal hacking than some other targets.

“According to [a Better Business Bureau] study, 90 percent of cyberattacks on business come from phishing emails and 90 percent of those phishing emails are ransomware, in which scammers breach a company’s operating system with software designed to block access or hold data hostage until a sum of money is paid,” writes Shropshire.

Read the Chicago Tribune article.

Lessons Learned: Vendor Sued in Class Action Suit for Security Misses

By King & Fisher

You’re thinking that something about the title of this post sounds familiar, right? Information technology (IT) vendors and third party service providers have been in the spotlight for security breaches for some time (see, for example, the vendor-based security lapses affecting Target, CVS, and Concentra, to name just a few), and it doesn’t sound surprising that an IT vendor has been sued related to a security incident. After all, whether you’re an IT vendor or an IT customer, if you draft or negotiate contracts for a living, these situations are what you try to contract for, right?

Right…but…the recent federal class action suit filed in Pennsylvania against Aetna and its vendor surfaces several new privacy and security considerations for vendors and their customers. The vendor in question was not an IT vendor or service provider. Instead, the plaintiff’s allegations relate to Aetna’s use of a mailing vendor to send notification letters to Aetna insureds about ordering HIV medications by mail. According to the complaint, the vendor used envelopes with large transparent glassine windows – windows that did not hide the first several lines of the enclosed notification letters. The plaintiff asserts that anyone looking at any of the sealed envelopes could see the addressee’s name and mailing address – and that the addressee was being notified of options for filling HIV medications. As a result, the vendor and Aetna are alleged to have violated numerous laws and legal duties related to security and privacy.

For all vendors and service providers, but especially those that don’t focus primarily on privacy and security issues, the Aetna complaint is enlightening. To these vendors and service providers, and to their customers: Do your customer-vendor contracts and contract negotiations contemplate what Aetna and its mailing vendor may not have?

  • Do your contracts for non-IT and non-healthcare services fully consider the risk of privacy and security litigation? A noteworthy facet of the Aetna case is that the mailing vendor was sued for privacy and security violations that were not exclusively due to the customer’s acts or omissions. That is, while the contents of the mailer certainly were key, the vendor’s own conduct as a mailing services provider (not an IT or healthcare provider) was instrumental in the suit being filed against the vendor (and Aetna). Vendor services that previously didn’t, or ordinarily don’t, warrant privacy or security scrutiny, may, after all, need to be looked at in a new light.
  • Do your contract’s indemnification and limitation of liability clauses contemplate the possibility of class action litigation? Class action litigation creates a path for plaintiffs to bring litigation for claims that otherwise could not and would not be brought. Class action litigation against data custodians and owners for security breaches is the norm, and the possibility and expense of class action litigation is frequently on the minds of their attorneys and contract managers who negotiate contracts with privacy and security implications. But, for vendors and service providers providing arguably non-IT services to these customers – the idea of being subject to class action litigation is often not top-of-mind.
  • Before entering into a contract, have you considered whether the specific vendor services being provided to the particular customer in question implicate laws you hadn’t considered? Vendors that operate in the information technology space – and their customers – generally are well-aware of the myriad of privacy and security laws and issues that may impact the vendors’ business, including, as a very limited illustration, the EU General Data Protection Regulation, HIPAA, and the New York Cybersecurity Requirements. Vendors that aren’t “IT” vendors (and their customers), on the other hand, may not be. For example, the Aetna mailing vendor may not have contemplated that, as alleged by the Aetna plaintiff, the vendor’s provision of its services to Aetna would be subject to the state’s Confidentiality of HIV-Related Information Act and Unfair Trade Practices and Consumer Protection Law.
  • Have you considered which specific aspects of vendor services may directly impact potential legal liability, and have you adequately identified and addressed them in the contract? No, this is not a novel concept, but it nonetheless bears mention. A key fact to be discovered in the Aetna litigation is whether it was Aetna, or the vendor, that made the decision to use the large-window envelopes that, in effect, allegedly disclosed the sensitive and personally identifiable information. Given the current break-neck pace at which many Legal and Contract professionals must draft and negotiate contracts, however, unequivocally stating in a contract the details and descriptions of every single aspect of the services to be provided is often impractical (if not impossible). But, some contract details are still important.

Whether or not this class action suit is an outlier or is dismissed at some point, consider data security and other privacy and security issues in contracts and how vendor or service provider conduct may give rise to a security breach or security incident.

Hunton & Williams Partner Named Arbitrator for EU-US Privacy Shield Framework

Lisa Sotto, chair of Hunton & Williams’ global privacy and cybersecurity practice and managing partner of the firm’s New York office, has been selected as an arbitrator in connection with the EU-US Privacy Shield Framework Binding Arbitration Program.

The Program, developed by the U.S. Department of Commerce and European Commission, provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement and Liability Principle. The binding arbitration option applies to certain “residual” claims as to data covered by the EU-US Privacy Shield. The purpose of this option is to provide a prompt, independent and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any.

In a release, the firm said Sotto has received widespread recognition for her work in the areas of privacy and cybersecurity. She chairs the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. She is regularly sought after by media outlets and industry publications for her professional insights and appears regularly on national television and radio news programs.