Hacking Major League Baseball

The FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros’ internal networks. This appears to be one of the first suspected cases of corporate espionage relating to a professional sports team hacking the database of another team.

According to numerous reports, FBI investigators appear to have uncovered evidence that the Cardinals breached the Astros’ databases, and one database in particular known as “Ground Control,” to obtain information and internal discussions about trades, proprietary statistics and scouting reports. This information could be used for a variety of purposes including knowing what players are being scouted, the team’s scouting methods and other proprietary information of the team.

Reports also indicate that the attack may have been launched to cause problems for Astros’ general manager Jeff Luhnow, who left the Cardinals in 2011. According to some reports, the Cardinals’ officials were concerned that Luhnow may have taken the team’s proprietary information to the Astros. Speculation is that the Cardinals may have simply tried a series of passwords (Luhnow has denied that he used similar passwords while working for the two teams) until they were able to gain access to the Astros’ network. Whether or not that is what happened, it is another reminder that passwords should not be recycled across employers, platforms and applications: a credential known from one system is the first thing an attacker will try against the next. Users should use a distinct password for each account (a password manager makes that practical), mixing uppercase, lowercase and symbols, and organizations should require a second authentication factor so that a guessed or recycled password alone does not open the door.

We will continue providing updates to the investigation of the House of (the) Cards, as they occur.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona, and eight other former Sony employees whose personal information was stolen, filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6, and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed the plaintiffs’ negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim because the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims under the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit, even though they were prophylactic in nature because they were reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.

Privacy and Security on the Internet of Things

Like it or not, technology is becoming inextricably entwined with the fabric of our lives. Our cars, our homes, even our bodies, are collecting, storing and streaming more personal data than ever before. In 2015, Gartner, Inc. forecasts the number of connected “things” will reach 4.9 billion, up 30 percent from 2014. By the year 2020, that number is expected to reach 25 billion.

We are moving toward a world where just about everything will be connected. Yes, this will include smartphones, computers and tablets. It will also include everyday objects like car keys, thermostats and washing machines. Google is even developing ingestible microchips that could serve as “electronic tattoos.” This disruptive shift, known as the Internet of Things (IoT), will be a powerful force for business transformation. Soon all industries and all areas of society will be impacted directly by the transition.

As companies evolve to adapt to meet the consumer expectations in this new uber-connected world, they must be aware of the risks involved. No, I’m not talking about machine turning on man in a Terminator-like scenario. But make no mistake, the challenges and risks for both businesses and consumers are no less scary than a shape-shifting cyborg.

In the rush to jump into this connectivity, companies will face multiple considerations. Strategic decisions might involve an upgrade in technology, a move to cloud-based storage, or network integration of all new products or services. However before taking any action, it is essential to weigh the privacy and security risks that go hand in hand with the collection of personal data.

While data breach might be the first risk that comes to mind, there are a number of legal issues that could become major problems if not addressed.

Data Security

The IoT will create massive amounts of data that will necessarily be linked to personal identifying information to be useful. Employees, customers and affiliates will be interacting with countless devices all day long, usually without being aware they are doing so. There will be many new and perhaps unforeseen opportunities for data breaches.

Unintended Consequences

Designers and manufacturers of devices for the IoT may be accountable for unintended consequences. We have already seen instances of persons taking over video cameras connected to computers to “spy” on people. It’s not a stretch to think that these spies will also monitor devices connected to the internet to find out when a home is unoccupied.

Liability

The IoT will rely on devices to perform many tasks that are now subject to the risks of human error. Even with the best of designs there will be issues of where liability falls when, for example, a self-driving car or some other autonomous device malfunctions or is otherwise involved in an untoward outcome. There will likely be an evolving body of law establishing the allocation of fault in such circumstances.

Regulation

The federal and perhaps state governments will regulate the IoT. Such regulations will impact how organizations design and use IoT devices. As in other fields, regulation can both strengthen and impair an organization’s position in its market. Proactively addressing such issues can save an organization considerable expense and allow it to better control its risk.

Companies and organizations must plan for the regulations, potential liabilities, and consumer privacy issues related to the IoT now to avoid crippling legal nightmares later. In the absence of regulations, corporations will need to be cognizant of the need to self-regulate by developing and enforcing an effective set of best practices. While the “Internet of Things” may sound futuristic, in reality… the future is now.

Leon Silver is a co-managing partner at Gordon & Rees’ Phoenix office, Chair of the firm’s Retail & Hospitality Practice Group and a member of the firm’s Commercial Litigation, and Privacy & Data Security Practice Groups. Andy Jacob is a member of the Appellate and Commercial Litigation Practice Groups.

Data Privacy and Security Meets the Legal Industry

Huron Legal has recently reported that law firms are getting smarter about addressing data privacy and security issues. Aside from the efforts that law departments, law firms, and other service providers are making to protect sensitive and confidential data, the overall focus on privacy and recent data breaches is affecting the legal sector just like any other sector. According to the article, the four biggest trends in data privacy in the legal industry are the following:

  • Law Firms as Clients: As law firms become increasingly more involved with privacy issues, they are becoming more sophisticated consumers of external legal services. They are placing the information governance practices of vendors and third party legal service contractors under much greater scrutiny than ever before.
  • Opportunity Versus Threat: Although one could expect to see more pushback from law firms on newer stringent data security requirements, instead law firms seem to be responding to these heightened client demands and seeing them as a differentiator when competing for business. Demonstrating an ability to deal with sensitive and often high-value matters from an information perspective makes good business sense.
  • Privacy by Design Vendors: Legal vendors are largely playing catch-up in data privacy issues. For a long time, the tools they provided for legal services were narrow. But now legal vendors need to rise to the same challenge. Additionally, these vendors need to design both the software and processes with privacy in mind. This includes considering the “privacy by design” principles before they become hindrances to the sale of services.
  • Data Privacy Moves Fast: The most important consideration when dealing with privacy and security is understanding that it is an evolving field. Since the definitions and laws are changing, both within the U.S. and abroad, everyone in the legal industry needs to be prepared for change and to be flexible. The laws today may be different in two years, so planning with that in mind is critical.

The full article is here. Our Privacy & Data Security Group will continue to monitor the implications of privacy issues within the legal services sector.

FCC Fines Prompt AT&T to “Zealously Guard” Customers’ Personal Information

On April 8, 2015, the Federal Communications Commission (“FCC”) announced its largest ever data security settlement requiring AT&T to pay $25 million to resolve an investigation into data security breaches at its call centers in the Philippines, Mexico, and Colombia. AT&T’s privacy violations involved the unauthorized disclosure of the names, full or partial Social Security Numbers, and other protected customer proprietary network information (“CPNI”) of nearly 280,000 U.S. customers.

The initial focus of the FCC’s investigation was a 168-day long breach beginning in November 2013 at AT&T’s call center in Mexico where thousands of customer accounts were accessed and sold without authorization. The buyers, who were likely trafficking stolen cell phones, submitted nearly 291,000 handset unlock requests to AT&T’s Mexico call center. Similar breaches occurred in Colombia and the Philippines, where a combined total of approximately 211,000 customer accounts were accessed without authorization.

In response, the FCC brought charges against AT&T under Sections 222 and 201(b) of the Communications Act (the “Act”) for failing to protect CPNI and to timely report the breaches. Section 222 of the Act requires companies like AT&T to take every reasonable precaution to protect customer data, including CPNI, and to take reasonable measures to discover and report attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.” Section 201(b) of the Act prohibits unjust and unreasonable practices.

AT&T notified law enforcement of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation, and several months after the actual breach. In an effort to mitigate the breach, AT&T notified victims of the breach and the California Attorney General, terminated its relationship with the Mexico call center, mandated the uniform use of partial social security numbers in all call centers, and developed new customer account monitoring and phone access/unlock policies.

The FCC settlement also mandates the implementation of a permanent, strict compliance plan that requires AT&T to:

  1. designate a senior compliance manager who is a certified privacy professional;
  2. complete a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
  3. implement an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
  4. prepare a compliance manual to be distributed to all covered employees and vendors; and
  5. regularly train employees on its privacy policies and applicable privacy legal authorities.

AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.

The FCC has taken the position that phone companies are expected to “zealously guard” their customers’ personal information and that the FCC “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” This position tracks the trend of active enforcement of consumer data security breaches over the past year. To that end, companies in possession of CPNI and other protected customer information should heed the consent decree and “look to [it] as guidance” for protecting customer information and avoiding liability under Sections 222 and 201(b) of the Act.

We expect that other telephone companies/carriers will continue to evolve and implement heightened security measures in response to this settlement, and the FCC will surely investigate those companies who are not in compliance.

Image courtesy of Flickr by Michael Weinberg

Target Ends Dispute With Mastercard Over 2013 Data Breach

Following the highly publicized data breach affecting Target retail stores in 2013, the retail giant has agreed to pay up to $19 million to MasterCard credit card issuers worldwide to compensate them for the costs of canceling accounts, creating new accounts, and issuing new cards. MasterCard is urging card issuers to accept the deal, which calls for Target to pay the card issuers by the end of the second quarter.

In late 2013, Target suffered a massive data breach in which 110 million customer records were stolen, including 40 million credit card numbers. In an attempt to be proactive, Target informed financial institutions about credit cards that may have been compromised and offered free credit monitoring to its consumers to combat the onslaught of litigation that was to follow. In the wake of the breach, which was highly publicized, many other retail establishments disclosed data breaches of their own, spurring numerous lawsuits nationwide.

Apart from individual consumers filing class action lawsuits across the country against Target, credit card issuers, which include banks, credit card companies, and other financial firms, incurred hard costs of cancelling accounts and issuing replacement cards with new account numbers. While individual consumers filing data breach lawsuits had to overcome Clapper in arguing that an injury-in-fact did occur instead of speculative damages, credit-card issuers and financial institutions had actual damages to move forward on their claims. As a result, Target has negotiated a deal only with MasterCard to this point.  It is possible that Target is also negotiating a similar agreement with Visa.

Image courtesy of Flickr by Mike Mozart

‘Twas the Season for Data Breaches

With the recent hacks into Sony’s system and the emails sent to Home Depot’s customers regarding the breach of its system, data breach is no longer some fantastical notion that only plays out in a 1980s sci-fi movie. It is a real threat to businesses and their employees and customers, and that threat rises during the holiday season, when the average consumer spends approximately $800 on gifts for family, friends, and co-workers.

Venture back with me to December 2013, when Target Corporation announced that it was hacked, which resulted in 110 million of its customers having their personal or payment-card information stolen. When I came across a recent ruling in that case, my reaction was: “Oh, yes. I vaguely remember that happening,” and I might have even been a customer who received an email from Target explaining the breach. My point is that, as consumers, the shock has worn off, and we are not surprised to hear about such breaches. But businesses cannot be so cavalier—the courts require vigilance in the protection of data.

As we have reported on our blog, multiple lawsuits arose shortly after Target’s announcement, resulting in the consolidation of all federal cases into In re: Target Corp. Customer Data Security Breach Litig., which involved claims brought by financial institutions on one hand, and by consumers on the other.  Just last month, the District of Minnesota ruled largely in favor of the financial institutions on Target’s motion to dismiss, holding that they had plausibly alleged that Target breached its duty to maintain adequate security systems.

Just in time for the holiday season, the now famous Sony breach (which, in part, resulted in the cancellation of most theater showings of the movie, “The Interview”) has triggered at least five class-action complaints filed in California federal court against Sony Pictures Entertainment, Inc.  The hacking incident allegedly exposed volumes of confidential emails, social security numbers, and salary and medical information of Sony’s former and current employees.  The gist of the complaints is that Sony, despite being aware that hackers were able to breach their system, “failed to develop, maintain, and implement internet security measures on its corporate network,” and this led to the catastrophic data breach that one complaint calls an “epic nightmare.”  Just last week at the Consumer Electronics Show, Sony’s CEO, Kazuo Hirai described the hack, noting that Sony and its current and former employees “were the victim[s] of one of the most vicious and malicious cyber attacks in recent history.”

The class action filed in Los Angeles Superior Court also blames Sony for its decision regarding “The Interview,” since the film allegedly sparked the ire of hackers who were not pleased with the subject matter (a plot in which talk-show hosts are recruited to assassinate North Korea’s leader, who is heavily parodied).  In addition to its limited theatrical release, it was recently reported that the film has earned over $30 Million in online and on demand sales.

It is too early to predict the outcome of these actions, but it is likely that the federal complaints regarding Sony will ultimately be consolidated.  As with most data breach cases, we anticipate heavily briefed motions to dismiss on standing and other grounds.  We will, of course, track these cases and provide updated reports as developments unfold.

Card Issuers Are Foreseeable Victim in Target Data Breach Cases

In an important decision on standing in data breach cases, the United States District Court in Minnesota issued an Order last week denying Target’s attempt to dismiss all claims brought by financial institutions.  The card-issuing banks’ complaint alleges that Target (1) was negligent in failing to have sufficient security in place to prevent hacking of customer data; (2) violated, and was negligent per se for violating, Minnesota’s Plastic Card Security Act (the Act); and (3) is liable for negligent misrepresentation in failing to advise the plaintiffs of the insufficient security measures.

Target moved to dismiss the negligence claims on the grounds that it had no duty to the plaintiffs and breached no duty, because there was no special relationship between the parties and the harm, if any, was an unforeseeable result of a third party’s (the hackers’) conduct.  The court disagreed and found that plaintiffs had sufficiently alleged that, whether premised upon the hackers’ conduct or Target’s own alleged disabling of a security feature and failure to react to warning signs in its system, the harm to the card issuers was a foreseeable consequence.  In addition, the court found the existence of a duty was bolstered by legislative intent under the Act, which was designed to protect customer data associated with cards, such as those issued by plaintiffs.

With respect to the omission claim, i.e. Target’s purported failure to advise of security deficiencies and its disabling of a security feature, the court found that plaintiffs had adequately pled Target’s knowledge of facts unknown to plaintiffs and specific claims that Target had misrepresented the adequacy of its security in public representations (including Target’s online Privacy Policy and Target’s agreement to comply with Visa and MasterCard Operating Regulations).  However, the court noted that plaintiffs had failed to specifically allege reliance on the omissions, and, instead, only asserted they had suffered injury.  In light of the need to specifically plead the element of reliance, the court granted Target’s motion on this claim, with leave for plaintiffs to amend their complaint to add facts/claims of reliance on the omissions.

With respect to the statutory claims, the Act prohibits the retention of cardholder data by persons or businesses conducting business in Minnesota and, following a data breach involving violation of the statute, requires reimbursement of costs to the card issuer.  The court found Target’s argument that the Act only applies to Minnesota transactions to be without merit, stating that “it applies equally to Minnesota companies’ data retention practices with respect to in-state and out-of-state transactions.”

Target’s other arguments on the statute are more interesting and create a debate between the parties as to whether the Act’s prohibition on retained data is violated by the hackers’ theft of data read from the cards’ magnetic stripes (which was allegedly held on Target’s servers before being transmitted to the hackers), or only by the theft of data that Target itself maintained.  While that issue will eventually be resolved if the case is adjudicated on the merits, the court found that, for purposes of the present motion, plaintiffs’ allegation that Target stored the information for longer than permitted under the Act, which increased the scope of the breach, was sufficient to state a claim upon which relief can be granted.

In sum, the claims pass muster (at least at the pleading stage), and the financial institutions have standing to proceed.

Image courtesy of Flickr by Mike Mozart

A Brief Summary of “Risk Management for Replication Devices” (Draft NISTIR 8023) by the NIST Computer Security Division

Last month, the Computer Security Division of the National Institute of Standards and Technology (NIST) released a draft publication titled “Risk Management for Replication Devices” (Draft NISTIR 8023). The full draft publication is here (with an excellent security risk assessment table and flowchart at the end).  The draft is of particular interest to individuals who are responsible for the purchase, installation, configuration, maintenance, disposition, and security of replication devices (RDs), including acquisitions; system administration; information system and security control assessment and monitoring; and information security implementation and operations.

Here is a summary of the key provisions of the draft:

  • RDs include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner. Even today, many organizations may not have an accurate inventory of RDs or recognize what functionality each device possesses, especially with respect to information (data) storage, processing, and transmission. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs.  RDs are often connected to organizational networks, have central processing units that run common commercial operating systems, store information internally on nonvolatile storage media, and may even have internal servers or routers.
  • The publication advises that before placing RDs into operation, configure each RD securely and implement appropriate security controls. There are numerous secure installation and configuration practices to consider and implement. Each device may have unique capabilities and security options.

Some practices to consider (with associated NIST SP 800-53 security controls in parentheses) include:

  • Disable unused physical and network ports (CM-7).
  • Implement physical security, e.g., locks (PE-3).
  • Whitelist/blacklist specific MAC addresses, IP addresses/address ranges, or email addresses (AC-18, SC-7).
  • Configure image overwrite capability:
    • Enable immediate image overwrite (MP-6).
    • Schedule regular off-hours overwrite with three-pass minimum (MP-6).

As for disposal of the RDs, sanitize RDs when they are no longer needed by an organization or will be repurposed or stored by doing the following (with associated NIST SP 800-53 security controls in parentheses):

  • Wipe/purge or destroy nonvolatile storage media (MP-6).
  • Change or reset passwords and other authentication information, e.g., user pins (IA-5).
  • Reset configurations to factory default settings (CM-6).
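The configuration practices and the disposal checklist above are easy to list and easy to let drift. As an added example (not code from NIST or from the draft), the script below audits a device inventory against the port (CM-7), image overwrite (MP-6) and credential (IA-5) items, and runs an address allowlist check (AC-18, SC-7) over job records from the devices’ logs. The inventory, the syslog-style line format, the allowed network ranges and every field name are constructed for illustration; a real deployment would populate them from the device management console or an SNMP/port-scan inventory.

```python
"""Audit replication devices (copiers, printers, MFPs) against the Draft
NISTIR 8023 practices summarized above.  Added example, not code from NIST
or the draft: the inventory, the log line format and all field names are
constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Client networks allowed to submit jobs (AC-18, SC-7).  Assumed ranges.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.1.4.0/24", "10.1.5.0/24")]

# Only services actually in use should be reachable (CM-7); raw print (9100)
# and IPP (631) are assumed to be the required ones for this fleet.
REQUIRED_OPEN_PORTS = {9100, 631}


@dataclass
class Device:
    name: str
    open_ports: set[int]              # TCP ports found listening on the device
    immediate_overwrite: bool         # overwrite the job image after each job (MP-6)
    scheduled_overwrite_passes: int   # passes used by the off-hours overwrite (MP-6)
    default_admin_password: bool      # factory administrator credential still set (IA-5)


def audit_device(dev: Device) -> list[str]:
    """Return one finding per deviation from the hardening checklist."""
    findings = []
    unexpected = dev.open_ports - REQUIRED_OPEN_PORTS
    if unexpected:
        findings.append(f"CM-7: unexpected listening ports {sorted(unexpected)}")
    if not dev.immediate_overwrite:
        findings.append("MP-6: immediate image overwrite is disabled")
    if dev.scheduled_overwrite_passes < 3:
        findings.append(
            f"MP-6: scheduled overwrite uses {dev.scheduled_overwrite_passes} pass(es); draft calls for three"
        )
    if dev.default_admin_password:
        findings.append("IA-5: factory default administrator password still in use")
    return findings


# Constructed log format: "<timestamp> <device> job=<id> src=<ip> user=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) job=(?P<job>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$")


def jobs_from_unlisted_sources(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (device, job id, source) for jobs submitted from outside the
    allowed ranges.  A source that does not parse as an address is reported
    too: an allowlist that silently drops malformed input is easy to bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                        # not a job record
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            hits.append((m["dev"], m["job"], m["src"]))
            continue
        if not any(src in net for net in ALLOWED_CLIENT_NETS):
            hits.append((m["dev"], m["job"], m["src"]))
    return hits


# Constructed inventory and log lines so the script runs stand-alone.
INVENTORY = [
    Device("mfp-lobby", {9100, 631, 23, 21}, immediate_overwrite=False,
           scheduled_overwrite_passes=1, default_admin_password=True),
    Device("printer-legal", {9100, 631}, immediate_overwrite=True,
           scheduled_overwrite_passes=3, default_admin_password=False),
]

SAMPLE_LOG = [
    "2015-09-10T10:22:01 mfp-lobby job=1041 src=10.1.4.22 user=jsmith",
    "2015-09-10T10:23:15 mfp-lobby job=1042 src=192.0.2.77 user=guest",
    "2015-09-10T10:24:40 printer-legal job=88 src=10.1.5.9 user=mlee",
    "2015-09-10T10:25:02 printer-legal job=89 src=not-an-ip user=mlee",
    "2015-09-10T10:26:00 printer-legal status=idle",
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in audit_device(dev) or ["no findings"]:
            print(f"{dev.name}: {finding}")
    for dev_name, job, src in jobs_from_unlisted_sources(SAMPLE_LOG):
        print(f"{dev_name}: job {job} submitted from unlisted source {src}")
```

Run as-is, the lobby MFP produces findings for telnet and FTP left listening, overwrite disabled or single-pass, and an unchanged administrator password, and the log check flags one job from an address outside the allowed ranges and one whose source field is not an address at all. The same functions can be pointed at a real inventory export and the devices’ own job logs once the assumed ranges and ports are replaced with the organization’s.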

Organizations are encouraged to review the draft publication during the public comment period and to provide feedback to NIST no later than Oct. 17. Email comments to sec-cert@nist.gov, or mail the National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930.