Posts by possingeradmin:
Posted on: 22 May 2014
In a decision issued today (05-22-2014), the Washington Supreme Court expanded the coverage of Washington’s Law Against Discrimination (WLAD), Chapter 49.60 RCW, to require reasonable accommodation of an employee’s religious practices (Kumar v. Gate Gourmet, Inc., No. 88062-0). In a decision written by Justice Sheryl Gordon McCloud, the Court articulated an expanded duty for employers to accommodate the religious practices of their employees. In this particular case, the employer’s policy of requiring employees to eat food provided by the employer violated the religious dietary requirements of several employees. The trial court’s previous dismissal of the Plaintiffs’ claims was reversed and the case remanded to the Superior Court. The full decision can be seen here: Kumar v. Gate Gourmet, Inc., No. 88062-0
HAS COMCAST BECOME THE LATEST TARGET?: LATEST DATA BREACH POSES COMMUNICATIONS CHALLENGES FOR COMMUNICATIONS GIANT
Posted on: 10 Feb 2014
No matter how this data security breach story develops, if you are a Comcast customer, you should probably change your passwords now. In what may be the latest in a series of high-profile computer security breaches, Comcast had at least 34 of its servers hacked on February 6, 2014 by NullCrew FTS. After NullCrew FTS published on Pastebin a list of Comcast’s mail servers and a link to the root file with the vulnerability it used to penetrate Comcast’s system (Read Here), the information remained exposed and available for the next 24 hours. The following day, February 7, 2014, the company issued a limited press release regarding the security breach on Multichannel News. In that press release, Comcast stated that the company “currently [has] no evidence to suggest any personal customer information was obtained in this incident.” This press release, which was released to only one online media outlet, has been heavily criticized by several media and security writers, who allege that the company has hushed and minimized what was likely to have been a serious online attack (Read Here and Here). It is too early to tell whether any of Comcast’s customers’ data was compromised in this attack, or whether Comcast ultimately has any liability. However, this particular incident illustrates the difficult position a company can find itself in when a computer security breach is made public shortly after the breach occurs. A company in the midst of a computer security breach must deal with several simultaneous issues in real time, including technology, business operations, legal compliance, and public relations; the larger the company, the more difficult these things can be to coordinate.
The typical bases of consumer liability for a company facing a computer security breach that involves the disclosure of private customer information come down to two essential questions: (1) did the company fail to adopt reasonable safeguards against a computer security breach, and (2) did the company fail to timely notify affected consumers. Other causes of action, including “invasion of privacy,” have been brought in several data breach cases to date, but the legal theory of most cases falls within the framework of failure to protect and failure to timely notify. In the case of the Target breach (which occurred between November 27, 2013 and December 15, 2014), Target notified its affected customers via email and set up a special web page linked to its home page within days after the breach came to light, and regularly updated this website. (I wrote about the Target Data Security Breach in January 2014.) As of the writing of this article, no similar actions appear to have been taken by Comcast. Depending on the facts that emerge, this may not be an unusual response. Those who are familiar with data security breaches know that there are oftentimes a number of time-consuming steps required to properly respond to a breach. The first step usually includes identifying and understanding the nature and scope of the breach, and then being reasonably sure that the threat has been contained and remedied. Depending on the complexity of the attack, this can sometimes take weeks to investigate and complete. In some instances, there is a requirement to coordinate with law enforcement, which itself can take significant time, especially when the attack has occurred in more than one jurisdiction. If an attack is ongoing, a premature disclosure can tip off the hackers that the company and law enforcement are on to them. Determining what data (including customer data) was actually accessed or affected can also take several weeks.
In the weeks and months to come, these details are likely to emerge if the customers likely to sue make it past the preliminary pleading stages and proceed into discovery. One challenge that may be faced by Comcast is that the vulnerability apparently exploited by NullCrew FTS was reported in December 2013 but was never patched by Comcast. NullCrew FTS has taken credit for another hack of a large telecom (Bell Canada), and apparently had contacted Bell Canada two weeks before disclosing its hacking activities, which exposed more than 22,000 user names and passwords of the Canadian company. To the degree that plaintiffs’ lawyers are able to show that Comcast could have patched this apparent vulnerability, this could be a potential basis of liability for the company. One study indicates that, in hindsight, 97% of data security breaches would have been avoidable through simple or intermediate controls. In the meantime, Comcast is faced with the challenge of investigating and responding to this recent data breach while simultaneously managing the reputational damage that naturally flows from incidents of this kind. A proactive approach to communicating with customers is often crucial for maintaining customer loyalty and trust. This is a difficult situation for any company to find itself in. As a final reminder: if you are a Comcast customer, you should probably change your password.
Posted on: 29 Jan 2014
In a recent article appearing in “Inc.”, titled “The Psychological Price of Entrepreneurship,” author Jessica Bruder discusses some of the unique psychological challenges faced by entrepreneurs. The article addresses the fact that, for all of the success stories out there concerning business ventures that make it big, even for the successful business person the road to that success has often been marked with bouts of anxiety and despair. As a lawyer, I have seen some of these issues come up in the representation of start-up clients, as well as having experienced some of these feelings myself along the way. It is a good read both as an entrepreneur and as a trusted adviser to entrepreneurs; in many ways it is reassuring that business leaders are not alone in moments of defeat as well as triumph.
Posted on: 14 Jan 2014
The recent Target (and now Neiman-Marcus) data security breach provides a clear illustration of the challenges faced by businesses that must comply with the various data breach notification laws. As of the writing of this article, what is known is that for 19 days (between November 27 and December 15) computer hackers gained “unauthorized access” to Target’s customers’ names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. [link] Target initially revealed on December 19 (four days after the end of the attack) that 40 million payment cards had been affected. Following the initial disclosure, it was released that some 70 million of Target’s customers’ “personal information” had been compromised in the attack. The company has been cooperating with law enforcement officials including the Department of Justice and the Secret Service. An effective response to a business data security breach requires a multidisciplinary approach. This includes expertise in information technology (IT), forensics, law, and public relations, among others, all of which most often occurs in a highly fluid environment. For any company doing business in more than one state, the multiple and often contradictory requirements of data breach notification laws create an additional layer of complexity that must be addressed when a data security breach occurs, particularly when the breach involves “personal information.”
Current Law of Data Security Breach Notification
At this time, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification requirements for breaches of “personal information.” Only four states (Alabama, Kentucky, New Mexico, and South Dakota) do not have data breach notification laws. Currently there is no federal law covering data breach notifications, and as such, there is no national standard.
Federal laws creating a national standard for data security breaches of personal information have been introduced in Congress since 2005, but to date no national standard has been enacted. [See Note 1] In the meantime, businesses are left to navigate the 50 separate legal regimes of the various states and U.S. territories. Although there are similarities between these laws, there are also significant differences.
Personal Information and Notification Triggering Events
When faced with a data security breach, one of the first questions a company must answer is whether “personal information” has been accessed; this is the typical trigger for state breach notification laws. Although most states share a common definition of what constitutes “personal information,” the elements differ. The typical definition includes the customer’s name (usually first name, or first initial, and last name) combined with at least one of the following pieces of information: Social Security number, driver’s license number or state identification card number, or financial information (typically a credit card or debit card number, account number, and any codes or passwords needed to access them). In the case of Target, the customer information involved likely included this combination of data, and triggered the requirement for notification. It is after this initial threshold has been crossed that the complexities begin. Each of the current data breach notification statutes has differing circumstances under which a breach of personal information must be disclosed. Some states impose the requirement if personal information “was or is reasonably believed to have been” obtained by an unauthorized person (regardless of whether it is likely that the customer will become a victim of fraud, identity theft, or other harm).
Other states take the approach that notification is required if there is a reasonable likelihood that some kind of harm will result from the unauthorized access to personal information. In addition, some states impose a duty to conduct a prompt investigation in order to determine whether personal information has been or will be misused, while other states do not impose any specific requirements for how this determination is to be made.
Method, Content, Timing (and Delay) of Notifications
The method and content of notifications to customers also vary from state to state, as does the issue of timing. For most companies, including Target, the timing of notifications can create particular challenges. Most state statutes set out time limits for notifications as well as acceptable grounds for delay. Most states with data breach notification laws allow companies to delay notification if it is deemed necessary to accommodate a law enforcement investigation. Some states also allow companies to delay notification if it is deemed necessary to investigate the incident and/or restore system security. In the case of Target, notification appears to have occurred at least four days after the last day of the attack. [See Note 2] In the case of Neiman Marcus, the delay in notification appears to have been over a month following the attack. These requirements can pose particularly difficult situations for businesses, which may still be in the process of investigating and dealing with the technological aspects of a data breach while still needing to operate a business. In the case of both Target and Neiman-Marcus [See Note 3], the timing of the breach itself was a significant issue; it does not take much to realize that announcing a breach of customers’ personal information in the middle of the holiday shopping season would pose a significant business threat in light of the potential impact of lost sales.
Yet, as is the case for every business facing this kind of situation, the potential cost of non-compliance with the notification requirements can be significant.
Damages and Penalties
Not all states have specific provisions for penalties for failure to comply with notification requirements. However, the provisions in those states that do have them are varied. Some states provide for “maximum civil penalties per breach,” while other states calculate the penalty to be assessed by the number of customers affected by the breach. In other states, the damages are assessed on the basis of how long the delay in notification continued beyond the required time frames. Other states take […]