Cybersecurity

Significant Case Developments

P.F. Chang’s Seeks Dismissal of Data Breach Class Actions, Arguing the Existence of an Express Contract and Lack of Damages Preclude Claims
Lewert v. P.F. Chang’s China Bistro, Inc., No. 1:14-cv-04787 (N.D. Ill.).

As we described in July and September, P.F. Chang’s was hit with three putative class actions following its announcement of a point-of-sale data breach. On August 29, P.F. Chang’s moved for dismissal of the first two cases, now consolidated in the Northern District of Illinois. In their complaints, plaintiffs John Lewert and Lucas Kosner alleged that by failing to safeguard customer information, P.F. Chang’s breached an implied contract and violated consumer protection laws. The plaintiffs did not bring a breach of express contract claim. P.F. Chang’s argues that the plaintiffs acknowledge the existence of an express contract by alleging that “a portion of the services [they] purchased” at P.F. Chang’s was “compliance with industry-standard measures” for data security and that they were “deprived of the full monetary value of [their] transaction.”

Continue reading “Cybersecurity Litigation Monthly Newsletter”

“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word cyber is used to describe a broad range of information security related tools, processes and services. Everyone is talking about the need for “stand alone” cyber liability insurance policies. These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g., the investigation, remediation, notification and credit checking. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage. There may also be some limited coverage through a crime policy if electronic theft is added to that policy.

Continue reading “Cyber Liability Insurance: Where’s the Beef?”

You are general counsel to a company, and your CEO steps into your office, clutching his iPhone in one hand and wiping sweat from his brow with the other, and tells you that a compromising photograph of him was stolen from his phone and posted online. You start thinking not if, but when, shareholders will discover this embarrassment, how much it will cost the company and what legal action to take.

Continue reading “Your Client is Hacked and Personal Information is Leaked Online – Now What?”


Ed note: This post originally appeared on Peter S. Vogel’s Internet, Information Technology & e-Discovery Blog.

Since the plaintiff did not file a lawsuit against John Doe, the Texas trial court had no jurisdiction to allow the plaintiff to take the deposition of “Trooper,” an anonymous blogger who launched an online attack on the CEO of a company who lives in Houston. In the case of In Re John Doe a/k/a “Trooper,” on August 29, 2014, the Texas Supreme Court ruled 5-4 that pre-litigation discovery seeking John Doe’s identity is unacceptable in Texas, and that discovery to learn the identity of John Doe can proceed only if a lawsuit is filed.

Continue reading “John Doe Can Remain Anonymous and Not Be Deposed in Pre-Litigation Discovery”

Ed note: Stat of the Week is a new feature that pulls custom data points from ATL Research as well as noteworthy sources across the web.

Last month at the Gaylord Opryland in Nashville, the International Legal Technology Association (ILTA) held its annual conference. As would be expected, the event generated a tremendous volume of Twitter chatter, much of it focused on statistics. The LexisNexis Business of Law blog has compiled a collection of the most compelling, quirky, or frankly speculative #ILTA14 numbers (e.g., “Prediction: 10 years 40% of the Fortune 500 won’t exist.” – Shirley Crow). Read on for more highlights.

Continue reading “Stats Of The Week: #ILTA14 Edition”

In case you haven’t heard, over the weekend a whole bunch of celebrities got hacked and nude photos of them leaked onto the internet. Let me just start out by saying that hacking into a celebrity’s phone and stealing her nude photos is just a horrible thing. It’s not a funny joke. It’s not something hackers should be high fiving over. Celebrities have the right to live private lives like everyone else and they have the right to take and keep private photos. On top of the embarrassment of having their private photos available to their parents and all of their fans and every pervert with an internet connection, it could seriously damage their careers. This should be another big warning slap in the face to everyone who stores private or confidential things on the internet, especially lawyers.

What lessons can lawyers learn from this unfortunate episode?

Continue reading “Why Jennifer Lawrence’s Leaked Nude Photos Should Be Important to Lawyers”

Ed. note: This is the latest installment of the ATL Tech Interrogatories. This recurring feature will give notable tech leaders an opportunity to share insights and experiences about the legal technology industry.

Ajay Patel co-founded HighQ in 2001 and is CEO. He oversees HighQ’s global operations, strategy and client delivery. Ajay brings a solid experience in corporate strategy and business management, having previously held senior positions at Merrill Lynch and Morgan Stanley. Ajay is also a qualified Chartered Accountant, having gained his professional qualification in the London office of PricewaterhouseCoopers. Ajay holds a first class honours in Mathematics and Computer Science from the University of Manchester and a Masters degree in Management Information Systems from the London School of Economics.

1. What is the greatest technological challenge to the legal industry over the next 5 years?

Continue reading “The ATL Tech Interrogatories: 7 Questions With Ajay Patel From HighQ”

Ed. note: This is the latest installment of the ATL Tech Interrogatories. This recurring feature will give notable tech leaders an opportunity to share insights and experiences about the legal technology industry.

Drew Lewis serves as eDiscovery Counsel at Recommind. His unique experiences at Recommind, coupled with prior experience as a commercial litigator handling all aspects of pretrial and trial practice, allow Drew to bring practical solutions to lawyers who are struggling to understand the current and future role of technology in the practice and business of law. Drew continuously fights against inefficiencies in the law and encourages lawyers to shape their own future. Drew believes that the future of the law belongs to lawyers who broaden their world view and see there is much to learn from other disciplines. His goal is to help them not just survive, but thrive as the practice continues to evolve.

1. What is the greatest technological challenge to the legal industry over the next 5 years?

Continue reading “The ATL Tech Interrogatories: 7 Questions With Drew Lewis From Recommind”

Ed note: The Telecom Law Monitor is part of the LexBlog Network (LXBN). LXBN is the world’s largest network of professional blogs. With more than 8,000 authors, LXBN is the only media source featuring the latest lawyer-generated commentary on news and issues from around the globe.

The Senate is one step closer to a floor vote on cybersecurity legislation that would address information sharing between the private sector and the government. On July 8, the Senate Select Committee on Intelligence approved a contentious cybersecurity bill known as the Cyber Information Sharing Act (CISA).

The proposed legislation would remove legal barriers to allow private companies to share information regarding cyber-attacks “in real time” with other private companies and the government. Companies sharing information for cybersecurity purposes would be shielded from lawsuits by individuals against the company for sharing that data, regardless of terms of service contracts that may prevent such actions without a customer’s consent. In order to receive the liability protection, private entities would be required to submit information directly to the Department of Homeland Security, which could then share the information with other federal agencies as necessary to address the threat. Additionally, CISA would direct the federal government to share classified and unclassified information with the private sector.

CISA also includes several provisions to protect privacy, such as requiring that companies sharing information remove all personally identifiable data (e.g. names, addresses, and Social Security numbers). The Attorney General would be directed to write procedures to limit government use of cyber information received to “appropriate cyber purposes” and ensure that privacy protections are in place. A full synopsis from the Senate Committee Chair and co-sponsor of CISA, Dianne Feinstein (D-CA), is available here.

Adequate privacy protections have been a continuing sticking point for successful cybersecurity information sharing legislation. The Cyber Intelligence Sharing and Protection Act (CISPA) – the information sharing bill counterpart in the House of Representatives – faced strong privacy objections from civil liberties and public interest groups. When CISPA passed the House in 2013, the White House threatened to veto the bill unless it included additional privacy protections.

Even with CISA’s added protections, many privacy groups oppose the bill. Similar to CISPA, these groups remain anxious that the legislation could encourage a company, such as Google, to turn over huge amounts of emails or other private data to the government in the name of cybersecurity. The groups fear that the National Security Agency and other government agencies could gain access to even more personal information through this legislation. Moreover, because CISA provides liability protections to companies sharing information, individuals would have little recourse in the event of abuse.

Whether CISA becomes law in 2014 will depend not only on how quickly it can pass a floor vote but also how easily the Senate bill can be reconciled with CISPA, the House counterpart passed last year. Though CISA passed the Senate committee with bi-partisan support, Senate Democrats are already wavering on support due to concerns of insufficient privacy protections. If CISA manages to pass the Senate, there is a chance the House and Senate can agree to a reconciled bill. Representative Mike Rogers (R., Mich.), chairman of the House Intelligence Committee and co-sponsor of CISPA, stated publicly that the committees were close to agreement on harmonizing their respective cyber threat information-sharing bills, and had narrowed down their difference to a few, discrete issues. However, with less than 15 legislative days before the August recess and all eyes focused on the upcoming mid-term elections in November, if this cybersecurity legislation has any hope of moving forward Congress will need to do something it rarely does: act quickly.

Ed note: This piece is from the official blog for the telecom practice of Kelley Drye & Warren LLP.

In the wake of a number of high-profile cybersecurity events — from the Heartbleed bug to the Target breach — cybersecurity has become a red-hot issue in Washington, D.C. Earlier this month, in a major address delivered at the American Enterprise Institute, Federal Communications Commission Chairman Tom Wheeler announced a new cybersecurity initiative to create a “new paradigm for cyber readiness” in the communications sector.

As described by Wheeler, the FCC’s cybersecurity initiative will be led by the private sector, with the Commission serving as a monitor and backstop in the event that the market-led approach fails. In particular, the FCC will “identify public goals, work with the affected stakeholders in the communications industry to achieve those goals, and let that experience inform whether there is any need for next steps.” Chairman Wheeler stressed that the new paradigm must be dynamic, more than simply new rules, and the Commission will rely on innovation by the private sector.

The Commission’s efforts will be guided by four principles, including commitments to:

1. preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression, so that Internet freedom and openness is not sacrificed in the name of enhanced security;
2. privacy, i.e., enabling personal control of one’s own data and networks;
3. cross-sector coordination, e.g., among regulatory agencies; and
4. the multi-stakeholder approach to global Internet governance and an opposition to any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security.

Expect FCC staff actions to be organized around the following elements:

(1) Information Sharing and Situational Awareness. The Commission is looking into legal and practical barriers to effective sharing of information about cyber threats and vulnerabilities in the communications space. Specifically, the Chairman noted that “companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities.” Moreover, where a cyberattack causes degradations of service or outages, the Chairman stated that “the FCC and communications providers must develop efficient methods to communicate and address th[e] risks.” To that end, the Chairman noted that the FCC is actively engaged with private sector Information Sharing and Analysis Organizations, and with other federal agencies, to improve threat information sharing and situational awareness.

(2) Cybersecurity Risk Management and Best Practices. Noting the work of the Communications Security, Reliability and Interoperability Council (CSRIC) in developing voluntary cybersecurity standards, Chairman Wheeler called upon communications providers to work with the Commission to set the course for years to come regarding how companies in that sector communicate and manage risk internally, with their customers and business partners, and with the government. In addition, the Commission will be seeking information to measure the implementation and impact of the CSRIC standards.

(3) Investment in Innovation and Professional Development. Chairman Wheeler has asked the FCC Technological Advisory Council (“TAC”) to explore specific opportunities where “R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry.” Specifically, the FCC will “identify incentives, impediments, and opportunities for security innovations in the market for communications hardware, firmware and software.” Further, the FCC will work with NIST and academia to “understand the current state of professional standard and accountability,” as well as “where the FCC might positively contribute toward further professionalization of the workforce.”

This initiative could have significant impact on telecommunications and technology companies. Cybersecurity already is a top priority for CSRIC. A new working group was established within CSRIC and work is underway to update the industry’s cybersecurity best practices. The primary goal is to align the industry’s cybersecurity activities with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Version 1.0 released in February 2014. Industry members are encouraged to participate in the process. Based on the current timeline, CSRIC will vote to approve the new best practices in March 2015.

Kelley Drye & Warren’s attorneys recently presented a webinar discussing cybersecurity updates and considerations for the telecommunications and technology industries. To listen to a recording of The Cybersecurity Review webinar, please click here.
