Wednesday, December 28, 2016

Cyber Security Claims


Cyber security claims are seldom tempered with an entity's acknowledgement that its electronically stored information (ESI) and its handling of consumer personally identifiable information (PII) are not perfectly secure.  Planning and effort, however diligent, cannot anticipate every cyber incident or breach, and the effectiveness of those efforts should not be overstated.  Nearly all attention by entities appears to be directed at anticipated, externally caused incidents, while little is focused on internally sourced events.  Seldom do entities envision the incident that originates inside, such as human error, theft, or neglect.  Balance is required, and much care is needed before publicly claiming the quality of one's data security.  For instance, the risk that internal unauthorized access to trade secrets will lead to misappropriation is realistic, yet under-appreciated.  This is not to spawn an environment of distrust in the workplace.  Of course, it is difficult to swallow that employees would pilfer company knowledge, designs, formulas, or even the company's specifications for new R&D software for self-gain.  A word to the wise if you are a business: swallow it fast and be ready.  Since the vulnerability can arise from external as well as internal actors, any claim made to the public about the quality of one's secure data handling is assessed as a possible business representation.  Such cyber security claims should account for internal vulnerabilities in data handling as well as the externally sourced causes that we read too much about in the news.

From an internal point of view, a business's or agency's most immediate vulnerability is its personnel and their mishaps, forgetfulness, or deliberate sabotage.  This is of course in addition to external concerns.  The employee with increasingly frequent absences always draws concern and some form of inquiry, especially an employee who has access to critical company information.  This concern is so realistic that it has motivated states to promulgate their own versions of a uniform trade secrets act and provisions addressing computer crimes.  Some of these statutes provide civil and monetary remedies when business data is compromised because someone, whether an insider or an outsider, exerted unauthorized access.

With the ease of ESI transmission, unauthorized access has become all too prevalent for business insurers to fathom the risk.  This reality is augmented by anonymous activity through shadow bots, exchanges and other means that leave the business owner holding client data, innovative plans, and new processes in beta testing without protective leverage.  Backdoor access is always a possibility, especially among those of trust who share in the prosperity of the enterprise.  Worst-case events are what gave rise to FUTSA and CADRA in Florida[1] and to similar statutes in many other states that appreciated the seriousness of the problem.

The insecurity of data in the cyber world is, unfortunately, inherent in storing and transmitting ESI in our day-to-day business endeavors.  Customer information, as well as business assets, is at play in the realm of cyber insecurity.  Security is only as strong as the weakest link in the chain of transmission.  Once vulnerability is recognized in its present state, the urgency is to focus not only on firewalls and other technical controls but on internal employee training, policies, non-disclosure agreements, vendor contracts, vendors' due diligence on cyber security, cyber insurance policies (including vendors' cyber insurance) and reviews of their coverage, and vetting vendors' cyber liability coverage before inking a deal.

Can a business claim to safeguard its data assets, so as to engender public confidence in the security of its ongoing credit card transactions, its storage of personal account information, its transfer of customers' medical records, or its updating of financial records, if it has not properly vetted its vendors' cyber security practices?  The claim itself carries the risk of misrepresentation before the regulatory eyes of the Federal Trade Commission.  ESI is business as usual, and the role of risk management is to address not only the external aspect of cyber intrusion but to balance that attention with internal controls that anticipate the unpredictable.

It is obvious that the consumer data security claims made by many businesses seek to settle the fears and doubts of consumers engaging in electronic payments.  However, those representations should be tempered with an accurate description of the practices actually used to keep consumer information and transaction data secure.  Such claims will be scrutinized if they are shown to lack implementation, the claimed training, diligent assessment and evaluation, investment in reasonable resources, or even testing.  Several agencies have been tasked with different scopes of authority to do that.  It is important to note that oversight of consumer financial data security was allocated under the Dodd-Frank Act.[2]  Protection of confidential consumer information has been the responsibility of the Federal Trade Commission under the Gramm-Leach-Bliley Act.  Deceptive practices by covered financial institutions fall under the Consumer Financial Protection Bureau (CFPB), pursuant to sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, for the purposes of enforcing federal consumer financial laws.

The veracity of business claims about protecting consumer data and payment processing is a candidate for scrutiny.  Failure to live up to the security claimed will be deemed a deceptive business practice.  The CFPB has stressed the importance of attending to the integrity of digital payment system security.  It has also emphasized the growing reliance and trust that consumers display in entrusting their private and financial information as they execute electronic transactions.  In a recent press release it stated: “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

While the FTC, the Office of the Comptroller of the Currency (OCC) and other federal banking agencies are authorized to police the handling of data security, the CFPB, which is tasked with reviewing how financial institutions handle consumer information, reviews the processes of online payment platforms.  One incident worth noting in this post is the CFPB's review of the claims made by Dwolla, Inc.  Dwolla is an online payment transaction platform that had provided payment processing services through the Department of the Treasury's payment portal.  In an order issued in the CFPB's administrative proceeding, Dwolla was determined to have made deceptive data security representations to the public.  The consent order states that Dwolla's communications made false statements about its data safety processes, for example about its use of encryption and that its practices surpassed Payment Card Industry (PCI) standards.  The CFPB asserted that, contrary to its claims, Dwolla did not provide acceptable data security training to its employees, did not establish acceptable and appropriate data security policies and practices, did not conduct timely and regular risk assessments, and did not use encryption as claimed.  These aspects are considered crucial to providing data security and to claiming any level of quality for the cyber security in place.

The order also outlined a list of actions required to address the findings, with a five-year horizon within which Dwolla is ordered to comply with the stipulated items, report the actions taken to remedy the findings, record all implementations and findings, and submit compliance monitoring reports on the schedule set.  From this case, financial technology businesses involved in payment processing should carefully screen the representations in their communications, websites, advertisements, and press releases about their practices and standards.  Failure to apply what is claimed to be in practice, and failure to exercise due diligence in safeguarding confidential consumer financial information, will be punishable even where no consumer has been harmed.  Advertising and marketing in this competitive and growing payment processing industry should be tempered with a sober realization of what is actually implemented in the daily cycle of transactions and in the keeping of records.  Thus, a civil penalty was imposed on Dwolla, to be paid within ten days of the order, and Dwolla will be monitored for the next five years.

The lessons about handling data security are hard to learn when an entity becomes the subject of a cyber incident or a regulator seeks to audit its processes.  What can be said about cyber security, and about any claims about how it is employed, is that once a cyber incident hits a business or entity, everything will be scrutinized by outside individuals claiming damages and by regulators asserting that reasonable diligence was not employed to secure ESI and consumer personally identifiable information (PII).  Transparency will soon be forced upon the business or entity, to its chagrin, when it experiences a cyber incident, whether internally or externally sourced, or when an audit finds it out of compliance.  Hence, cyber security efforts need to be assessed before any claims are made, and those efforts must be evaluated, tested, and improved upon.

 

[1] Florida Uniform Trade Secrets Act (FUTSA), Chapter 688, Florida Statutes; Sec. 812.081, Florida Statutes; Computer Abuse and Data Recovery Act (“CADRA”), Sec. 668.801, Florida Statutes.

 

[2] The Dodd–Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111–203, H.R. 4173; commonly referred to as Dodd-Frank) was signed into federal law July 21, 2010.

Saturday, October 22, 2016

Trade Secrets in Databases


Database as a Trade Secret

Trade secrets held in database records fall victim to many who seek the potential value of stored records, from a variety of entities: government agencies and competing businesses, medical and financial enterprises, and even the record holder's own employer or client.  Intruding into another's database is becoming all too common in our economy, and database intrusion was a pivotal issue in a landmark Ninth Circuit case, United States v. Nosal.  While the case largely engaged the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, it also addressed trade secrets under the Economic Espionage Act (“EEA”), 18 U.S.C. § 1831 et seq.[1]  As the Ninth Circuit notes in its order, Nosal was convicted on two counts of trade secret theft under the EEA.  Nosal was charged with unauthorized downloading, copying and duplicating of trade secrets and with unauthorized receipt and possession of stolen trade secrets, in violation of §§ 1832(a)(2) and (a)(4) of the EEA.

The key to the analysis of the trade secret issue in the case was the sufficiency of the evidence to support the finding.  The Court weighed in on the Economic Espionage Act and determined that the EEA requires an intent to convert a trade secret and an intent or knowledge that the offense will injure the owner of that trade secret.  In so doing, it saw the requirement that Nosal receive or possess the trade secret knowing it to have been “stolen or appropriated, obtained, or converted without authorization” as instrumental in laying the foundation for a violation.  Nosal challenged the sufficiency of the evidence by arguing that the information culled was sourced from public records and therefore could not be deemed a trade secret, or, for that matter, a misappropriation of one.

The Court made a clear distinction by analogizing the subject before it to other trade secret cases involving technical drawings, scientific formulas, specimens and data results in research, or aeronautical assessments in engineering designs.  The Court reasoned that the EEA's scope is not limited to select segments of industry, but encompasses financial and business information.[2]  While citing the definition of trade secrets under the Act, it emphasized that technical as well as financial and business information is covered when the owner intends it to be kept secret because of the economic value of the secret itself.  Furthermore, the Court reasoned that this value was engendered by the information not being generally known to the public.[3]  The Court opined that what Nosal sought and acquired was among the “classic examples of a trade secret that derives from an amalgam of public and proprietary source data” and that, in its words, “data came from public sources and other data came from internal, confidential sources.”[4]  The Court gave weight to the effort, the system of research and the algorithm employed to compose the record database, which made it unique and not commonly searched information.

As the Ninth Circuit so clearly articulated about the data record Nosal sought, “Instead, the nature of the trade secret and its value stemmed from the unique integration, compilation, cultivation, and sorting of, and the aggressive protections applied to, the Searcher database.”[5]  Its analysis borrowed from an Eighth Circuit case, Conseco,[6] and a Tenth Circuit case, Hertz,[7] in which customer lists were taken by employees.  The customer lists in question were unique in their form, in the manner of cataloging, and in the analysis involved in composing them.  The Eighth Circuit held that they were trade secrets because they were produced by a “specialized” computer program that was “unique” to Conseco.  Similarly, in Hertz, the process involved in gathering and organizing the data made the list a trade secret.

In essence, whether a data record becomes and is considered a trade secret turns on the manner in which the owner pursued its composition, its characteristics, its cataloging, its purpose and use, and its intended unique use and storage away from others' use and view.  Its custodial handling is also important to analyze, especially how it is addressed in personnel policies and employment manuals for employees to follow and management to enforce.

[1] Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, § 2(g)(4), 100 Stat. 1213-15.  The CFAA was later expanded to protect any computer “used in interstate or foreign commerce or communication.”  Economic Espionage Act of 1996, Pub. L. 104-294, § 201(4)(B), 110 Stat. 3488, 3493 (codified as amended at 18 U.S.C. § 1030(e)(2)(B)).
[2] Order, Ninth Circuit, #14-10037, at p. 32.

[3] Footnote 15 of the Order stated as follows: Congress recently amended § 1839, replacing “the public” with “another person who can obtain economic value from the disclosure or use of the information.” Defend Trade Secrets Act of 2016, Pub. L. No. 114-153, § 2(b)(1)(A), 130 Stat. 376, 380.
[4] Order, at p. 34.

[5] Order, at p. 34.
[6] Conseco Finance Servicing Corp. v. North American Mortgage Co., 381 F.3d 811 (8th Cir. 2004).

[7] Hertz v. Luzenac Grp., 576 F.3d 1103, 1114 (10th Cir. 2009) (holding that a customer list may be a trade secret where “it is the end result of a long process of culling the relevant information from lengthy and diverse sources, even if the original sources are publicly available”).

Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web.” Copyright 2016, all rights reserved Lorenzo Law Firm, P.A.

Tuesday, October 11, 2016

Internet Information the Malady of Doxing, “You’ve been Doxed”

The amount of information available on the Internet about someone, for anyone to see, is startling.  Many are surprised at how their information got onto the Internet and at the ease with which public and personal information can be retrieved and researched.  It goes without saying how freely users of social media disclose their personal information.  Some personal information may seem benign and harmless, but put together with key identifying credentials, someone's life is open for all to read on the Internet.  Data brokers play an integral role in the vast amount of aggregated information that floats around the Internet.
What others do with the information available on the Internet about someone presents the malady of doxing.  Why would it be important to anyone to know that a particular individual had a speeding ticket fifteen years ago, other than to a potential employer for a job that involves driving?  Why would anyone be interested that someone filed for bankruptcy, other than an employer or a financial institution approached for a home loan?  There is indeed a lot left unsaid about Internet doxing and where the line crosses into cyber bullying and possible online defamation.
At first blush, one would consider publicly accessible information benign, with little weight in its impact on the person.  Furthermore, one would consider the reporting of researched information about someone to be just as harmless, especially if the information is a public record.  What is missed in that calculus is the use of the information and the motive for sharing it on the Internet.  What is also missed is whether the information posted about someone is factual and accurate.  This consideration raises defamation and invasion of privacy questions that could very well render the poster of the content liable to the person exposed.  Worse is when the poster was negligent in posting false information about someone.  Careless disregard for the truth by the person posting information about someone else runs a great risk of a solid defamation lawsuit, including related counts.  Such careless disregard is compounded when that person knew or should have known the truth to be other than what was communicated.
Simply put, retrieving otherwise private information about someone and publishing it on the Internet may cross the line and essentially be considered a form of harassment or cyber bullying.  States across the United States have promulgated provisions addressing cyberbullying and online harassment.  Both California and New Jersey have vehemently addressed the problem of using the Internet to harass someone, and New Jersey has even made it a crime.  It is also outlandish to collect a person's home address, date of birth, and other personal information through an unauthorized background check and drop it into the Internet realm without permission.  Such an act could face serious charges.
The damaging impact upon the doxed individual is compounded by the nature of the Internet.  The original post could be deleted, but there is also the possibility that the content goes viral, with hundreds or thousands of views and comments cross-linking and sharing the post.  Of course, thus far this post has referred to the indexed realm of the Internet that is captured by search engines such as Google, Bing, Yandex, Dogpile, and Yahoo, to name a few.  Content in the far-reaching unindexed realm of the Internet stands to linger for years, available for anyone to read.  As this post has briefly commented, the malady of doxing presents an unavoidable issue for everyone to wrestle with for years to come, as information lingers on the Internet and is propagated further, perpetuating its effect.

Originally posted at http://lorenzolawfirm.com/internet-information-malady-doxing-youve-doxed/.


 

Monday, September 26, 2016

Internet Speech Immunity

Exceptions to Internet speech immunity are sought frequently by individuals and businesses affected by someone else's comments about them on an online site.  Online sites are today's marketplace of ideas, enhancing the “competition of the market.”[1]  And so, the claim usually asserted is a defamation claim directed at the website on which the comment is displayed.  The assertion rests on a belief that the website is responsible for publishing the statement, whether slander, as conveyed verbally in a video, or libel, in written form displayed on the site.  The issue presented by the volume of social interaction freely exchanging views, some directed at a particular entity or person, is to strike the balance between protected speech and unprotected speech.  Whether a harmful effect is pertinent may depend on how public a figure the plaintiff is, the truthfulness of the alleged libel or slander, the public import of the statement, and the political value the statement adds to the discourse.
Amid the plethora of defenses, which include truth, privilege, lack of malice, and illegality, there is the social import or political value defense known as Anti-SLAPP.  The acronym refers to a strategic lawsuit against public participation (SLAPP).  Anti-SLAPP statutes were adopted by states to foster free speech and discourse, whether in the form of petition or speech generally.  The belief is that in the marketplace of ideas, as ideas are exchanged, an element of truth arises.  The expectation is that open exchange will bring incorrect conceptions to light.  Those who oppose any such light fear that their views may be shown to be weak or incorrect; hence they seek to silence discourse and potential dissident views.
The merit behind Anti-SLAPP legislation was essentially to reduce the number of frivolous lawsuits driven to prevent or censor speech or public activity.  The concern among judges and lawyers is that a SLAPP action is, by definition, a case brought in response to and in opposition to an exercise of free speech.  The Anti-SLAPP vehicle may be instrumental in challenging a lawsuit that seeks to silence free speech, especially speech of public import or political value, even from the media.  But when the targeted speech conveys falsehoods to the public about a private person, the speech loses its protection.
However, the other concern is when the site is used as a platform to organize activity aimed at harming other people, much like using the postal service.  Groups seeking to commit crimes against others, as in the facts described in Fields v. Twitter, use online platforms to carry out their plans.  The idea is that if the platform had prohibited such communications, the act and the organizing communication behind it would have been prevented.  That expectation of monitoring conduct touches upon “policing” and “privacy” issues that are beyond the scope of this post.
This concern leads into the consideration of when a site is used to voice negative comments about someone or a business and is claimed to be the cause of harm to someone's social and business reputation.  The argument asserted is that the site could have prevented the comments from posting, in an attempt to get around Section 230 of the Communications Decency Act (CDA).  The claim then seeks to establish that the online site is nothing other than a publisher and should be held responsible, especially when the comments could be fabrications used by the online site itself.  This was the tone of the claims and discussion in Kimzey v. Yelp.
What stands out in Kimzey is the shift from attacking the site for allowing a statement or comment to be displayed toward seeking to establish that the comment was a fabrication contrived by the online site itself.  The argument goes that the online site authored the review and used it as a marketing tool.  The court stressed that arguing the potential falsity of a comment or review does not strip the online site of its immunity.  Furthermore, any assessment the online site draws to evaluate a comment is based on the information or data provided by users in their comments, which is what enables the site to establish a measure or rating of them.  While there is a measure of discretion in setting the rating scale, it is the users who provide the information that feeds the site's grading of comments about the subject claiming defamation.
The world of the web is here to stay and will be a part of our lives forever, especially as Internet law evolves.  As we continue to interconnect via mobile apps and the Internet, our voices carry with a broader effect.  The use of Anti-SLAPP to counter efforts to silence speech or defamatory claims, and the resort to Section 230 to immunize an online site from a defamation claim for comments displayed on its platform, are both instrumental in enhancing the exchange of communication in society.  As Oliver Wendell Holmes, Jr. wrote in his dissent in Abrams v. United States, “The ultimate good desired is better reached by free trade in ideas — that the best test of truth is the power of the thought to get itself accepted in the competition of the market.”
[1] Quoted phrase of Justice Oliver Wendell Holmes, Jr., dissenting in Abrams v. United States (1919).

Monday, September 19, 2016

Data Security Practices

Data security practices are increasingly becoming a theme among management and employees in the administration of business and their daily work processes.  The common element in data breaches is human negligence, inadequate training, or the underestimation of the attention needed.  To the extent that incidents are occurring, information technology personnel and operations personnel are finding themselves needing to collaborate more frequently than ever.  This change in organizational administration is occurring at the state and federal government levels and in the private sector, including the banking, legal, accounting, and insurance industries.  The effort, one may say, is to enhance the quality or rigor of the data security employed by the particular entity.  Data breaches are not all the same, but they have one commonality in that the target is always confidential data (CD), protected health information (PHI), electronic protected health information (ePHI), or personally identifiable information (PII).  Regardless of the nomenclature used to define what is at stake, the rigor or quality of the efforts is beginning to be questioned by entities originally deemed not to have authority to engage in this type of scrutiny.  We have blogged on the care entities should take to ensure that their representations about their data security practices are accurate.  When an entity claims a certain level of data security and does not deliver it, the Federal Trade Commission (FTC) could very well deem the claim a deceptive business practice.
The care that should be employed in attending to data handling and transfers should not be overstated, to avoid a finding similar to Dwolla, Inc.'s experience regarding its representations.  One matter that comes to mind in this post is the case involving LabMD, Inc.  LabMD is a company that administered a medical laboratory which, among its services, provided cancer screening services for physicians.  The FTC filed a complaint against LabMD in 2013.  In its complaint, it alleged that LabMD was subject to Section 5 of the FTC Act because its actual data security efforts did not match what it represented.  LabMD's practices were questioned.  The FTC argued that LabMD did not exert reasonable efforts to secure personal information and that its networks were not attended to as they should have been.  The FTC commenced its investigation as a result of data security incidents at LabMD.  There was a tossing and turning exchange in this matter among the three parties, i.e., the FTC, the 11th Circuit, and LabMD.
From the initial complaint, which commenced in the Georgia District Court, it was noted that LabMD patient information was available on the Internet.  The data, electronic protected health information (ePHI), was actually searchable on a peer-to-peer network.  LabMD faced claims that it failed to prevent unauthorized disclosure of ePHI.  Its motion to dismiss was unsuccessful, despite its strong argument.  LabMD argued that the FTC did not have authority.  The FTC had filed an administrative complaint, and the dispute over its authority came before the District Court in Georgia.  The District Court had to determine whether the FTC indeed had a say over the handling of ePHI.
The toss thereafter was when the district court denied LabMD's motion to dismiss and LabMD appealed to the Eleventh Circuit Court of Appeals.  The turn was not only that the Eleventh Circuit ruled against LabMD's appeal.  The turn was that it had been hoped that the Court would opine on the FTC's enforcement authority.  What we learned is that the Circuit Court determined that an administrative step was required first.  The Court ruled that LabMD had administrative remedies to exhaust[1] before the issues presented could be reached.  The resulting turn at that stage was an administrative law lesson.
What proceeded thereafter was as expected.  An administrative proceeding ensued in which an ALJ determined that harm had not been demonstrated.  The ALJ reasoned that, short of a finding of harm, the Commission had not met what Section 5 of the FTC Act requires.  The FTC subsequently reversed the ALJ's determination.  In its ruling, the FTC stated that LabMD did not make reasonable efforts to secure the data.  It found that LabMD did not monitor how files were handled and did not employ a system to detect intrusions.  These steps were deemed basic means of protecting confidential data.  The FTC concluded that LabMD's conduct was an ‘unfair act’ with respect to the public's trust and inconsistent with Section 5 of the FTC Act.  What is noteworthy is that nowhere in Section 5 of the FTC Act is the FTC expressly given authority to address the protection or privacy of medical records.
Nevertheless, the FTC proceeded to conclude that the disclosure was tantamount to harm because of LabMD's neglect in not training employees adequately on handling medical records and in not monitoring its firewall.  LabMD's conduct, resulting in disclosure of personal medical information, was held to be a substantial injury under Section 5 of the FTC Act.  The FTC did not look into whether the information was used in the open market.  The FTC looked only at the fact that there had been an unauthorized disclosure of PHI.  LabMD is now obliged to implement a comprehensive information security program (“CISP”), notify affected individuals, and conduct frequent audits.  The key point to note about this matter, which resulted in the FTC's action against LabMD, is that harm may be more about unauthorized disclosure due to neglect than about the harm actually experienced by individuals, and that the FTC is exerting greater authority over data security than it was originally conceived to have.
[1] Administrative Procedure Act, 5 U.S.C. § 704 (Actions reviewable).

Website Crawling and Data Scraping Thoughts

Website crawling and data scraping have burdened the growth of e-commerce, as website owners watch their data being scraped.  The legal questions have lingered, and many stand out.  Crawling and scraping have become too much the norm for those using web content for business, research, or marketing purposes.  The common theme is that website scraping is used by those seeking a short cut to catch up with their competition, seeking to emulate their competition, or seeking to extract information that would otherwise take too much time.  Crawling can be useful for enhancing search relevance, indexing, and accuracy.  The software used is not unique.  It can be automated to extract information much as search engines do, with the additional feat of converting the data into a usable database.  The data sought can be extracted from many types of sources.  A new business wanting to start on an equal footing might seek its data from booking websites, Yelp, eBay, or even a directory.  Potential scrapers may go after a business they wish to emulate.  The purposes for which website scraping is pursued give “big data” gathering a new image with unsavory impressions.
The reality is that the Internet is not without web crawlers and scrapers, which are instrumental to the analysis of website performance in sync with search terms and the measuring of traffic volume.  Yet the use of web crawlers either to aggregate news content or to enhance the relevancy of search results has drawn attention to the legal consequences and the legal issues they cause.  For the scraped website business, the potential arguments span the spectrum from a violation of the website’s terms of use to the occurrence of computer abuse.  Between them lies a list of legal considerations that includes trespass to chattels, copyright infringement, trademark infringement, and unauthorized access to computer information, all in the name of online data collection, for better or for worse.  The “for worse” consideration embraces the conception of a software application tasked to collect online data through scripts, also known as a “bot,” and the analysis of the data so collected.  These bots give the impression of actual human online interaction.  Nevertheless, the legal questions and impact of a bot’s website data scraping are diverse.
Among the legal issues is the violation of the terms of use stated on websites that prohibit scraping and crawling, essentially the copying of the respective website’s content and data.  The argument can embrace the notion of contract, by which if one uses or visits the website there is the understanding that visitors are bound by the website’s terms of use (ToS).  An act that violates the ToS of a website supports a breach of contract argument, without going into the details, in this short note, of “clickwrap” and “browsewrap” agreements.  Both hinge on informed consent, the means of expressing a user’s consent, and the user’s clear ‘constructive knowledge’ vis-à-vis the prominence of the ToS on a website.  The glaring prominence of the ToS and the conditions for a website user to be aware of them are pivotal to establishing a breach of the terms of use.  Whether the terms were actually read is immaterial.  However, the same cannot be said when the crawling or scraping is done by a bot that is not scripted to read and consent to a website’s ToS.  The means by which this is technically done skirts the legal elements of ‘consent’, ‘constructive knowledge’, and ‘prominent and clear notice’ that are required to establish a breach.  The arguments on prohibiting uses of a website have reached the point of distinguishing commercial from personal uses, with the former being the one restricted and prohibited by the ToS.
In addition to the ToS concern, there is the copyright infringement issue with the scraping of website data and content.  The ultimate question is which aspect provides the best argument.  The Copyright Act seeks to protect expressions, whether in a visibly readable form or in digital form on a server.  The Copyright Act may not be effective in addressing or preempting the use the website owner seeks to address.  For instance, if the crawling and scraping are not done for commercial purposes, the Copyright Act may not yield the necessary leverage.  Yet Facebook’s case against Power.com, which was underscored by the Copyright Act, was effective in that the defendant was aggregating Facebook’s data onto another site, in violation of Facebook’s terms.  The Northern District of California denied the defendant’s motion to dismiss, determining that scraping involves the copying that Facebook explicitly restricts in its ToS.
Aside from the copyright infringement issues, there is the consideration that scraping or crawling a website against the owner’s ToS is tantamount to unauthorized access or to exceeding the permitted use of a website and its content.  Such a view resorts to the Computer Fraud and Abuse Act (CFAA), which addresses both unauthorized access to a computer system and exceeding the scope of permitted use.  The use of the website must have exceeded what was authorized, coupled with an express and clear statement on the website of what use or activity regarding its content and data was prohibited.  Conjoined with this consideration is the often articulated defensive crutch of ‘fair use’.  Yet scraping website content does not inherently make the scraper the beneficiary of the ‘fair use’ argument.
Furthermore, web crawling and scraping also raise the concern of determining the existence of damages if website content and data are considered ‘chattel’.  As argued by eBay against Bidder’s Edge, the website platform’s content and data were argued to be chattel upon which Bidder’s Edge trespassed.  eBay also argued that the defendant’s acts interrupted eBay’s operations.  However, the effectiveness of the argument must rely on the existence of damages.  Without damages, the argument withers, and courts do not see trespass to chattels as a workable argument against website scraping and crawling.  A frequently used argument against web crawling and scraping is the Digital Millennium Copyright Act (“DMCA”), which resorts to restricting fair use of content.  What is interesting is the actual bypassing that takes place to circumvent a website’s measures to restrict web crawling and scraping.  The DMCA provides a means of enforcing the copyright in a website’s digital content.
The complexity created by the use of bots is both elusive and evident.  Also evident is that the fair use defense, along with the absence of damages and the potential absence of the elements of consent and constructive knowledge, will continue as points of contention as website owners oppose web scrapers.  The legal issues have thus far crossed from intellectual property and contract concerns to unauthorized access to a network or computer system, raising the specter of continued legal disputes over website scraping.

Wednesday, August 31, 2016

Data Breach Notification and the Ransomware HIPAA Question

Notification of a data breach is a worrisome step for any governmental entity, association, medical office, law office, data management entity, and even a school or university.  The provisions that attempt to address this progressing wave of cyber attempts to acquire data, of any sort, are evolving.  An initial reaction to an incident is how to inform the relevant entities that something has happened, while overwhelmingly concerned with trying to prevent spread or recurrence, let alone minimizing the potential harm.  Certain states require immediate notification of individuals whose personal health information (PHI) or electronic health information (ePHI) has been compromised.  By compromised, it is meant that the PHI has been obtained by someone or some entity without authorization.  There are responsibilities that covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are expected to follow and meet.  The key point to note is the element of electronic transmittal, storage, and administration of health records.  Another key point is the stress on protecting PHI and ePHI.  Along with these points is the ever so important consideration of the shared responsibilities of the ‘business associates’ who are integral to the daily operations of handling ePHI and PHI records, though they are not a healthcare provider, a health plan, or a health care clearinghouse.  These business associates serve as third-party responsible entities in handling PHI and are affected by ransomware cyber incidents.
The rate at which cyber events are occurring is so alarming that there is a growing chronicle of cyber incidents in varied sectors of the economy.  The value of personal information and personal health information is at an all-time high, which is significantly driving increasing attacks.  The United States Department of Health and Human Services (HHS), pursuant to HIPAA, has provided guidelines for business associates and covered entities to implement as they operationally address data breaches and ‘ransomware’ incidents, beyond the notification requirements that may apply contingent on state notification laws.  On this point regarding the state notification laws impinging on covered entities and business associates, note should be taken that over 40 states have implemented some form of data breach incident notification regime.  Among them, they differ in how they address reacting to incidents.  Aspects of the definition of what is ‘personal’ are imperative to triggering a required notification by a business associate and/or a covered entity, and those aspects differ among states.  Another difference is the required content of the notices, as well as the requirement to inform governmental agencies of the incident.
As common steps are prescribed to address a data breach, it is important to be aware of how breaches take place.  The inventive variety of ways in which data breaches are emerging catches many information technology specialists by surprise.  Intrusions, which can occur through email attachments, phishing messages, hard intrusions breaching networks, and even websites, can achieve the goals of ransomware.  The characteristics of ransomware are varied.  One aspect seeks to deny the covered entity or business associate access to its record files.  This may be done by an expedient encryption process.  The covered entity or business associate is not informed by the hacker of the encryption key.  Once paid, it is hoped that the hacker releases the information or provides a key to decrypt the record files, but that is not always the case.  There have been incidents in which captured data is forcefully transferred to another data storage location, where in effect the data no longer resides in the covered entity’s or business associate’s network.  This latter scenario is a nightmare.
Nevertheless, the importance of learning what to do now, before it happens, is critical to the integrity of a covered entity or business associate.  The HHS points are similar to the steps that the Federal Trade Commission is seeking to impose on entities it has cited, leaning with great emphasis on prevention, which is after all the name of the game.  For instance, the imperative of conducting ‘scheduled’ and frequent backups not only has the benefit of retaining the data, which could minimize the damage done if the data is ultimately destroyed or transferred to a remote server, but it also allows for operational recovery.  The guidelines also stress the need for testing the restoration process.  The examination should highlight how the entity can recover and whether its efficiencies and protections are implemented in a restorative posture.  The restoration testing should also assess the process when using remote storage retrieval rather than just an online connected network.  The concern is that if the backup is online and synced with the online network, the malware can infiltrate that system and compromise any measures taken to recover from a ransomware attack.
Entities overwhelmingly are expected not only to plan to train personnel in handling data, personal health information, and electronic files, but also to anticipate how to respond to a cyber incident.  Appropriately training personnel on the noticeable signs of cyber attempts is expected, though such training is only as precise and effective as yesterday’s cyber incident.  But what is expected is that staff should be made aware of their responsibility not to visit questionable sites nor open unknown emails.  An entity’s effort in conducting risk assessments before incidents occur and after is expected.  The entity’s plan for reacting to an incident should be anticipated and rehearsed to ensure that services are not compromised.  The assessment of risk will tell if there is a notification requirement.  That risk assessment will screen for how effective the encryption was and how much of the data was encrypted.
The notification requirement is the ultimate concern that trips up certain entities.  Counsel can be instructive not only in communications with the insurer that covers cyber incidents within the entity’s General Commercial Liability Insurance (GCLI), but also in communicating with law enforcement and in crafting the notice that is sent to affected individuals whose records were compromised.  The state determines the notice and its contents.  The nature of how the PHI and ePHI data was administered by the covered entity and the business associate likewise determines whether there is a notifiable incident under HIPAA.  Here the question hinges on the entity’s implementation of encryption as a protective tool.  The privacy requirement stated under HIPAA says ‘acquisition, use or disclosure of personal health information …compromises the privacy of the personal health information.’  From this vantage point, the risk assessment will be telling of what can be done to remedy the incident.  If the cyber incident acquired only encrypted data, then a notifiable cyber incident under HIPAA has not occurred; however, state laws may still require notification.  A risk assessment is needed that accounts for the scope of the risk, the effectiveness of the encryption, what data was actually compromised, and to what extent the data was compromised.  Each incident will require a case-by-case assessment in order to determine compliance as well as vulnerabilities, including the notification requirements that will be triggered by the nature and extent of the ePHI and PHI compromise in unauthorized hands.
