What’s Up Next on the Hacking Block?

From Home Depot to Target to Sony, the world is not lacking in the massive-data-breach department. These hacks have opened up a host of problems for the companies involved, including lawsuits and the implementation of more secure systems to protect sensitive data, as well as for the individuals whose personal and/or financial information may have been compromised. But surely our federal government is safe from hackers, right? The answer, unfortunately, is no.

The Office of Personnel Management (“OPM”) is a federal governmental organization that is “responsible for personnel management of the civil service of the Government,” and it strives “to make the Federal government America’s model employer for the 21st century.” But in April 2015, OPM discovered and began investigating a data breach of up to 4.2 million of its employees’ records. The information included the employees’ names, Social Security numbers, and dates of birth. Then on June 8, 2015, OPM announced that it was looking into a second breach, this one involving “background investigations of current, former, and prospective Federal government employees.” On June 18, 2015, however, OPM officials acknowledged that this second hack occurred a full year ago. Individuals affected by the first data breach were notified between June 8, 2015, and June 19, 2015. The investigation regarding the second breach is still ongoing, but it is now estimated that up to 14 million people will be affected by the two breaches. Id.

It is thought that Chinese hackers are responsible for both hacks in a possible attempt to compile an extensive database on government workers. Id. President Obama is considering economic sanctions against China, but at this point it is not clear that the Chinese government was behind the attacks. And it must be crystal clear that these were Chinese-government-sponsored hacks, or the U.S. will be placed in a very difficult position: China has an undeniably strong position in the global economy, and the U.S. and Chinese economies are closely intertwined. Any sanctions efforts by the U.S. would almost certainly be met with staunch opposition from China that could affect the U.S. economy.

It is important to investigate who is responsible for the hacks, but the House Oversight and Government Reform Committee (“Committee”) is also inquiring as to how OPM allowed the hacks to occur. The Committee conducted a hearing on June 16, 2015, regarding the OPM breaches. Many lawmakers placed the blame on the policies and systems on which OPM relied for data protection and stated that OPM’s leadership should resign. The Committee wanted to know why OPM did not abide by the 2014 recommendation of the Office of the Inspector General to shut down eleven of its computer security systems. OPM blamed legacy systems dating back to 1985, which it said could not be encrypted.

It is unclear whether OPM’s leadership will resign in the face of this hacker disaster. But what is clear is that more research and investigation into what went wrong and how to prevent future attacks will continue. Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.

Hacking Major League Baseball

The FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros’ internal networks. This appears to be one of the first suspected cases of corporate espionage relating to a professional sports team hacking the database of another team.

According to numerous reports, FBI investigators appear to have uncovered evidence that the Cardinals breached the Astros’ databases, and one database in particular known as “Ground Control,” to obtain information and internal discussions about trades, proprietary statistics and scouting reports. This information could be used for a variety of purposes including knowing what players are being scouted, the team’s scouting methods and other proprietary information of the team.

Reports also indicate that the attack may have been launched to cause problems for Astros’ general manager Jeff Luhnow, who left the Cardinals in 2011. According to some reports, the Cardinals’ officials were concerned that Luhnow may have taken the team’s proprietary information to the Astros. Speculation is that the Cardinals may have simply tried a series of passwords (Luhnow has denied that he used similar passwords while working for the two teams) until they were able to gain access to the Astros’ network. Whether true or not, this is another example of why passwords should not be recycled or used universally across different platforms and applications. Rather, users should use a different password for each platform and mix uppercase letters, lowercase letters, and symbols.

We will continue providing updates to the investigation of the House of (the) Cards, as they occur.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona and eight other former Sony employees whose personal information was stolen filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6; and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed the plaintiffs’ negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim because the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims for violation of the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit. Although these costs were prophylactic in nature, the court treated them as actual damages because they were reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.

New Law to Restrict New York City Employers from Considering Credit History

On April 16, 2015, the New York City Council overwhelmingly passed a bill that prohibits employers from using consumer credit history in hiring potential employees. Mayor Bill de Blasio signed the bill into law on May 6, 2015, which means the law goes into effect on September 3, 2015.

The proposed legislation, called the Stop Credit Discrimination in Employment Act (“Act”), will affect companies that consider consumer credit history (whether by credit report or otherwise) in making hiring decisions. It also bans the use of credit history for any employment purpose, not just for hiring. An employer could therefore not base any decision affecting, for example, compensation or the terms or conditions of employment on credit history.

It is important to note that, although this Act uses terms like “consumer credit reports,” it should not be confused with “consumer reports” that many may be familiar with from the federal Fair Credit Reporting Act, which can include all forms of background checks (though, unlike the Act, only if done by a third party). The scope of information covered by the Act is much more limited and truly only covers credit-related information.

The Act does not, however, apply in all circumstances. It contains several exemptions. It does not apply to:

  • employees required to possess security clearance under federal or state law;
  • employees required to be bonded under City, state, or federal law;
  • employees with signatory authority over third-party funds or assets valued at $10,000 or more;
  • employees with a fiduciary responsibility to their employer and authority to enter into agreements valued at $10,000 or more;
  • police officers;
  • employees at the department of investigation in a law enforcement position or who perform an investigative function;
  • certain employees subject to background investigation by the department of investigation;
  • non-clerical employees with access to trade secrets, intelligence information, or national security information; and
  • employees with authority to modify the company’s digital security systems.

Although ten states and the City of Chicago also ban employers from checking the credit history of job applicants, the proposed legislation for New York City is broader. For example, eight of the other jurisdictions exempt financial institutions, which the New York City legislation does not do.

The Act does not specify penalties or damages for using credit history in making an employment decision. Instead, the bill modifies the New York City Human Rights Law, Section 8-101 et seq. of the Administrative Code of the City of New York. The Act thus effectively creates a new “protected class” and allows a private cause of action for discrimination against an employer that uses such information. An employer found liable for using credit history in making employment decisions would consequently be treated the same as one engaging in an unlawful discriminatory practice on the basis of age, race, national origin, gender, and the like. These damages are among the broadest of all employment discrimination protection statutes and include the potential for back pay, front pay, unlimited compensatory damages, and unlimited punitive damages.

Attorneys in Gordon & Rees’s New York Employment Practice Group are available to assist employers with any questions or concerns regarding the above.