Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

July 21, 2021
Please email questions to cybersecurity@morrisonmahoney.com.
IN CASE YOU MISSED IT...
  • A Useful Tool: California has launched an online Consumer Privacy Tool that allows consumers to directly notify businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their home page as required by the CCPA. The tool, which can be found here, asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business. This email may trigger the 30-day period for the business to cure their violation of the law, which is a prerequisite to the Attorney General bringing an enforcement action.

  • And Another: Speaking of online tools, the Cybersecurity & Infrastructure Security Agency has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident. CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity. The RRA guides asset owners and operators through a systematic process to evaluate their operational technology and information technology network security practices against the ransomware threat, and provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form.

  • Just Say No (to Cybercrime): According to a recent report, global cybercrime costs are expected to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. If that number holds (and there is no reason to believe that it will not), cybercrime will become more profitable than the entire global drug trade. 

  • Ready for Ransomware: The New York State Department of Financial Services (DFS) recently issued new guidance identifying cybersecurity controls that significantly reduce the risk of a ransomware attack and should be implemented by companies wherever possible. While these controls are well known, it’s important to make sure that they are actually being used. DFS’s guidance includes: (i) train employees in cybersecurity awareness and anti-phishing; (ii) implement a vulnerability and patch management program; (iii) use multi-factor authentication and strong passwords; (iv) employ privileged access management to safeguard credentials for privileged accounts; (v) use monitoring and response to detect and contain intruders; (vi) segregate and test backups to ensure that critical systems can be restored in the face of an attack; and (vii) have a ransomware-specific incident response plan that is tested by senior leadership.
SAVE THE DATE!
Morrison Mahoney Partner Daniel Marvin will be conducting his annual Continuing Legal Education (CLE) course for Lawline.com on September 17, 2021 at 11 a.m. More details will be provided in the coming weeks. Lawline, with over 160,000 members, is the country's largest provider of attorney CLE.
Connecticut Significantly Amends Breach Notification Statute
Connecticut Gov. Ned Lamont recently signed into law "An Act Concerning Data Privacy Breaches" (the "Act"). The Act amends Conn. Gen. Stat. § 36a-701b, which is Connecticut's current breach notification law, in a number of important ways, and goes into effect on October 1, 2021.
First, the Act broadens the definition of "personal information" to include: (i) taxpayer identification number; (ii) identity protection personal identification number issued by the Internal Revenue Service; (iii) passport number; (iv) military identification number or other identification number issued by the government that is commonly used to verify identity; (v) medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (vi) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; (vii) biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image; or (viii) user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account. Prior to the Act, Connecticut’s definition of “personal information” included an individual's first name, or first initial and last name, in combination with their Social Security number, driver's license number, state identification card number, credit or debit card number, or financial account number (in combination with any required security code, access code or password that would permit access to such financial account).
Second, the Act shortens the time permitted for breach notification from ninety days to sixty days from discovery of the breach, unless a shorter time is required under federal law.
Third, the Act eliminates the prior statute’s provision that allowed notification to be made after the completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data. Instead, the Act provides that if a company identifies additional residents of this state whose personal information was breached or reasonably believed to have been breached more than sixty days after the discovery of such breach, the person shall proceed in good faith to notify such additional residents as expediently as possible.
Fourth, in the event of a login credential breach, the Act requires that notice to affected residents be provided in electronic or other form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer. As with similar statutes, if the user’s email address is among the breached credentials, notice may not be given by email to that address, for obvious reasons.
Fifth, the Act allows for a HIPAA safe harbor by providing that any company that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act ("HITECH") shall be deemed to be in compliance with the Act’s notification provision, provided that (1) any person required to provide notification to Connecticut residents pursuant to HITECH shall also provide notice to the Attorney General not later than the time when notice is provided to such residents if notification to the Attorney General would otherwise be required under the Act.
Finally, the Act provides that all documents, materials and information provided in response to an investigative demand shall be exempt from public disclosure, provided the Attorney General may make such documents, materials or information available to third parties in furtherance of such investigation.
SEC Brings First Enforcement Action Under Disclosure Rule
The Securities and Exchange Commission recently announced that it settled charges against First American Financial Corporation for allegedly violating Rule 13a-15(a) of the Exchange Act relating to disclosure controls. According to the SEC’s order, on May 24, 2019, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019.
However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, the order found that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The order also found that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.
The First American enforcement action is the first-ever finding of a violation under Rule 13a-15(a) with respect to disclosure controls and procedures related to cybersecurity risks. The SEC first addressed these issues in 2011 and 2018 guidance, when it counseled companies to evaluate such controls with respect to cybersecurity and make sure that they maintain comprehensive policies and procedures related to cybersecurity risks and incidents in a way that allows company management to make accurate disclosures concerning those risks. It seems the long, long guidance period is over, and the SEC is ready to get serious about enforcement.
US Supreme Court Yet Again Weighs in on Article III Standing in the Data Privacy Sector
On June 25, 2021, just a week before the end of the US Supreme Court’s 2020-21 term, the Court issued a decision in the matter of TransUnion LLC v. Ramirez, building upon its Spokeo precedent regarding the actual harm standard with respect to Article III standing in data privacy litigation.
Sergio Ramirez, the lead plaintiff in a class of purportedly similarly situated individuals, visited a car dealership with his wife and father-in-law in February 2011 seeking to purchase a vehicle. After Ramirez and his wife selected a vehicle and negotiated a price, the dealership ran a credit check on them. Ramirez’s credit report, produced by TransUnion, notified the dealership that Ramirez’s name matched a name on the Office of Foreign Assets Control (OFAC) database. A salesman at the dealership told Ramirez that it would not sell the car to him because his name was on a “terrorist list.” Thereafter, Ramirez communicated with TransUnion and requested his credit file. At first, TransUnion’s mailing did not mention the OFAC alert. A follow-up mailing did mention the alert yet did not include a summary of Ramirez’s rights. Eventually, TransUnion removed the OFAC alert.
Nevertheless, in February 2012, Ramirez sued TransUnion, alleging three violations of the Fair Credit Reporting Act (FCRA): 1) TransUnion failed to follow reasonable procedures to ensure the accuracy of the information in his credit file; 2) the first TransUnion mailing did not include the fact that Ramirez’s name was a potential match for a name on the OFAC list; and 3) TransUnion did not provide a summary of rights “with each written disclosure." At trial, Ramirez testified as to his experience at the dealership. The jury returned a verdict in the plaintiffs’ favor, awarding each class member $984.22 in statutory damages and $6,353.08 in punitive damages, amounting to more than $60 million for the stipulated class of 8,185 members who purportedly had OFAC alerts in their credit file maintained by TransUnion. Within the class, 1,853 members had a credit report disseminated by TransUnion to potential creditors. The Ninth Circuit affirmed.
On appeal to the Supreme Court, the issue was whether the 8,185 class members had Article III standing—in particular, whether the Plaintiffs established a “concrete harm” sufficient to satisfy the standing requirement to proceed with their case. Article III standing has been a common issue discussed in federal courts, including the Supreme Court, and in this newsletter, in data privacy litigation. When a data breach occurs, the plaintiffs are often able to cancel their credit cards and take other actions so as to not suffer any compensable harm. In some other cases, a statute is violated but is insufficient to produce a compensable claim as the plaintiff cannot establish a concrete harm. TransUnion v. Ramirez is a case where the defendant violated a statute, the FCRA, but the concrete harm was in question.
Based on the facts of the case, Ramirez suffered a concrete harm when an inaccurate credit report caused him to be denied the opportunity to purchase a vehicle. The Court distinguished between the 1,853 class members whose credit reports were disseminated to third parties and those whose credit reports were not. In an opinion written by Justice Kavanaugh, the Court stated that the 1,853 suffered a concrete injury in fact akin to defamation and the other class members did not. In this regard, the Court stated that the mere existence of misleading information in TransUnion’s internal credit files does not constitute a concrete harm—the risk of future harm to those class members was too speculative to support Article III standing. The lower court decision was reversed and remanded. Four justices dissented: Thomas, Kagan, Sotomayor, and Breyer.
Looking forward, consumers on the plaintiff side of data privacy litigation can expect that they will be held to a rigorous standard to establish a concrete harm not only in data breach litigation but also in data privacy litigation where a data privacy statute has been violated. Organizations on the defense side have received a roadmap for a powerful argument that can insulate them from liability in many potential data privacy lawsuits. Plaintiffs and defendants alike should consult with experienced data privacy counsel about how the TransUnion case impacts them and how they might adjust their litigation strategy in light of this important Supreme Court decision regarding Article III standing.
Connecticut Joins Ohio and Utah in Prohibiting Punitive Damages If Reasonable Cybersecurity Safeguards are Maintained
On October 1, 2021, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) will take effect in Connecticut, and will create statutory protections against punitive damages in tort actions arising from data breaches. The statute provides that in any cause of action founded in tort that is brought under the laws of the state or in the courts of the state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, courts shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.
So, what does Connecticut consider to be an industry recognized cybersecurity framework? There are five: (i) the "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology; (ii) the National Institute of Standards and Technology's Special Publication 800-171; (iii) the National Institute of Standards and Technology's Special Publications 800-53 and 800-53A; (iv) the Federal Risk and Authorization Management Program's "FedRAMP Security Assessment Framework"; and (v) the Center for Internet Security's "Center for Internet Security Critical Security Controls for Effective Cyber Defense."
Copy and Paste at Your Own Peril: Class Action Based on Collection of Pasteboard Data Fails

Plaintiff Derek Mastel brought a class action lawsuit against defendants Miniclip SA (“Miniclip”) and Apple Inc. (“Apple”) arising out of the discovery that a mobile app produced by Miniclip collected and maintained information that users copied and pasted. Mastel alleged that Apple’s iOS operating system has a “Pasteboard” which operates similar to the copy-paste function on a computer. Pasteboard saves only one set of copied text at a time, so when a user copies a set of text, any previously copied text is deleted from the program. Apple allows app developers to view, copy, and save the text stored in Pasteboard when the user opens the app. Miniclip is a developer of mobile apps played on electronic devices, including iPhones. Mastel’s lawsuit focused on Miniclip’s game 8 Ball Pool, which allegedly copied numerous sets of text from his Pasteboard, including his name, email, phone number, address, addresses of friends and relatives, and personal and private messages sent to friends and relatives.
The Plaintiff class alleged four causes of action: a) violation of the California Invasion of Privacy Act (CIPA); b) invasion of privacy under the California Constitution; c) violation of the Stored Communications Act (SCA); and d) violation of California’s Unfair Competition Law (UCL). The Defendants filed a motion to dismiss, which the district court granted on July 14, 2021.
With regard to the CIPA claim, the court noted that the statutory language limits claims to two main categories—a) intentional wiretapping or b) willfully attempting to learn the contents of communications in transit over a wire—or attempting to use or communicate information obtained through these two activities or aiding someone in doing any such activity. The court determined that the statutory language limits “intentional wiretapping” to telephones or telegraphs, and that the Pasteboard is a function where the iPhone is operating more as a computer than as a telephone, causing the intentional wiretapping claim theory to fail. The claim theory for willfully trying to learn contents of communications in transit failed because the complaint did not allege that Miniclip’s app accessed Plaintiff’s data during transmission—only after.
With respect to the invasion of privacy claim, the court rejected the Defendants’ standing arguments, yet nevertheless dismissed the claim on the grounds that the alleged conduct did not rise to the level of “egregious” or “highly offensive” conduct necessary for an invasion of privacy claim to survive a motion to dismiss.
The court concluded that the SCA claim failed because the text contained on the Pasteboard is not in “electronic storage” as defined by the statute. The SCA typically applies to internet service providers, and the “electronic storage” covered by the law is either a) temporary, intermediate storage incidental to electronic transmission; or b) storage for backup purposes. Storage on the Pasteboard is neither—it is for the purpose of copying and pasting text.
Finally, the UCL claim failed because the Plaintiff did not establish an economic injury. The Plaintiff could have established an economic injury in one of two ways: a) alleging the loss of cash payments; or b) alleging that the personal information collected by Miniclip itself had value. The court concluded that the Plaintiff did neither. Accordingly, all of the Plaintiff’s claims failed.
The court’s dismissal of Plaintiff’s lawsuit is in no way an endorsement of the Defendants’ actions. Instead, it simply underscores the difficulty and complexity of navigating data privacy litigation—the occurrence of questionable data practices, without more, will not guarantee success in court. In any event, consumers and organizations alike are wise to consult with experienced data privacy counsel regarding their data rights.
This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com.
With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212 | www.morrisonmahoney.com