From PLI's Course Handbook Communications Law in the Digital Age 2009




2. An Unsound Practice
The results of the Carnegie Mellon study may sound alarming, but the SSA assures the public that any notion that the researchers exposed “a code for predicting an SSN is a dramatic exaggeration.”84 Acquisti and Gross acknowledge that being able to translate theoretical predictions from a list of deceased into stealing identities of the living hinges on a variety of factors. These include the availability of a targeted person’s birth data and the possibility that a verification service may not allow an attacker repeated attempts to match an SSN before shutting down or prohibiting further attempts.

Real-world dangers still persist. Many businesses use SSNs as passwords or for other forms of authentication, a practice that places consumers at risk. This includes being asked to provide only the final four digits, or serial number, since these digits are the ones most specific to an individual. Both the SSA and the researchers advocate against using SSNs as forms of identification beyond tracking a Social Security account. “Everybody who works in this area knows the numbers are bad passwords,” Acquisti said. “But they still are used that way.”85


F. Massachusetts and Nevada Encryption Laws Could Become National Standard
Massachusetts and Nevada have taken the lead in mandating safeguards for consumers’ personal information by requiring companies that store or transmit personal information to encrypt the data.86 The regulations formulated by the Massachusetts Office of Consumer Affairs and Business Regulation under the state’s data protection law, M.G.L. c. 93H, were intended to take effect Jan. 1, 2009, but enforcement for most of the law has been extended until Jan. 1, 2010.87 A similar law in Nevada went into effect on Oct. 1, 2008,88 and was later amended to closely align with the Massachusetts standard by requiring encryption of information in data storage devices. These data protection standards are scheduled to go into effect in Nevada on Jan. 1, 2010.89 Michigan and Washington have also considered similar legislation, and the list of states mulling a similar law will continue to grow.

Under both laws, “Personal information” is essentially a combination of a person’s name and one or more of the following: social security number, driver’s license number, credit or debit card account number or another financial account number. “Personal information” does not include what is lawfully obtained through publicly available data.
1. Massachusetts Law
a. To Whom Does it Apply?
The regulations apply to all persons, businesses and legal entities that “own, license, store or maintain personal information about a resident of the Commonwealth.”

b. Encryption Standard
The regulations define encryption generally without referring to a particular strength or technology, other than a form “in which meaning cannot be assigned without the use of a confidential process or key.” The regulations also require businesses that allow access to or share personal information with third parties to take “reasonable steps” to make sure those entities comply with the law.

The state plans to judge compliance on a case-by-case basis according to the size of a business, its available resources, the amount of data stored, and the need for confidentiality. State officials warned that unless a business has its own in-house IT staff, it will probably need to consult an outsider to determine if its computer system meets the encryption requirements.90



c. Potential Penalties91
Penalties for failing to abide by the regulations could result in enforcement actions by the state Attorney General and may expose a business to damages in a private negligence claim or under another legal theory.
2. Nevada Law
a. To Whom Does it Apply?
The statute applies to data collectors who do business in the state. A “data collector” means government agencies, colleges, universities, corporations, financial institutions and retail operators.

b. Encryption Standard
Nevada law requires the use of encryption software “that has been adopted by an established standards setting body,” such as the National Institute of Standards and Technology. The law requires technology that “renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data.”
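Both statutes describe encryption by its effect (meaning cannot be assigned, or the data is indecipherable, without the key), and Nevada additionally points to algorithms adopted by a standards body such as NIST. As an added illustration, not code from the handbook or from either state's regulations, the Go program below stores a record matching the statutory definition of “personal information” (a name plus SSN, driver’s license number or financial account number) with each identifying number encrypted under AES-256-GCM, a NIST-standardized mode; the column names, struct layout and sample values are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// PersonalInformation mirrors the statutory definition: a name combined with
// one or more of SSN, driver's license number, or a financial account number.
type PersonalInformation struct {
	Name, SSN, DriversLicense, AccountNumber string
}

// StoredRecord is what is written to disk or a database. The name stays in
// the clear for lookup; each identifying number is replaced by base64 of
// nonce || ciphertext || GCM tag, or "" when the field was empty.
type StoredRecord struct {
	Name, SSN, DriversLicense, AccountNumber string
}

// NewKey generates a random 256-bit key. In production the key belongs in a
// KMS or HSM, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value with a fresh random nonce. The column name is
// bound as associated data, so a ciphertext moved to another column fails to open.
func sealField(aead cipher.AEAD, column, value string) (string, error) {
	if value == "" {
		return "", nil
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(value), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openField reverses sealField; it fails closed on a wrong key, altered data
// or a column swap, because the GCM tag no longer verifies.
func openField(aead cipher.AEAD, column, stored string) (string, error) {
	if stored == "" {
		return "", nil
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	return string(plain), err
}

// Encrypt produces the record to store; only the name remains readable.
func Encrypt(pi PersonalInformation, key []byte) (StoredRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredRecord{}, err
	}
	rec := StoredRecord{Name: pi.Name}
	for _, f := range []struct {
		col string
		in  string
		out *string
	}{{"ssn", pi.SSN, &rec.SSN}, {"dl", pi.DriversLicense, &rec.DriversLicense}, {"acct", pi.AccountNumber, &rec.AccountNumber}} {
		if *f.out, err = sealField(aead, f.col, f.in); err != nil {
			return StoredRecord{}, err
		}
	}
	return rec, nil
}

// Decrypt recovers the plaintext record under the same key.
func Decrypt(rec StoredRecord, key []byte) (PersonalInformation, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return PersonalInformation{}, err
	}
	pi := PersonalInformation{Name: rec.Name}
	for _, f := range []struct {
		col string
		in  string
		out *string
	}{{"ssn", rec.SSN, &pi.SSN}, {"dl", rec.DriversLicense, &pi.DriversLicense}, {"acct", rec.AccountNumber, &pi.AccountNumber}} {
		if *f.out, err = openField(aead, f.col, f.in); err != nil {
			return PersonalInformation{}, err
		}
	}
	return pi, nil
}

// SampleRecord is constructed test data, not a real person or account.
func SampleRecord() PersonalInformation {
	return PersonalInformation{Name: "Jane Q. Sample", SSN: "123-45-6789", DriversLicense: "S12345678", AccountNumber: "000123456789"}
}

func main() {
	key, _ := NewKey()
	rec, _ := Encrypt(SampleRecord(), key)
	fmt.Printf("stored: %+v\n", rec)
	other, _ := NewKey()
	_, err := Decrypt(rec, other)
	fmt.Println("decrypt with wrong key:", err)
}
```

Binding the column name as associated data is what makes the stored row tamper-evident as a whole rather than field by field: a ciphertext copied from the `acct` column into `ssn` fails authentication even though the key is right, and a truncated or edited ciphertext fails the same way.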
c. Potential Penalties

Data collectors that comply with the law but suffer a security breach would have their liability for damages capped at $1,000 per customer for each occurrence. Companies that do not comply would face unlimited civil penalties, according to James Earl, executive director of the state’s task force for technological crimes.92


3. Ramifications across state lines
The two state laws will inevitably have an impact on businesses and residents throughout the country and could soon lead to a de facto national standard. The Massachusetts law applies to any entity that stores personal information “about a resident of the Commonwealth,” meaning all companies that have a national customer or employee base must meet the requirements. The Nevada law applies to data collectors “doing business in this State” so that the information of some residents outside of Nevada is also protected.

Many businesses already have encryption requirements that would meet or come close to meeting the new state laws. However, many attorneys are advising clients to err on the side of caution and address the encryption issue now rather than later. Doing so, they urge, will not only expedite compliance with any future laws, but also help ease fears of events such as stolen laptops that often lead to security breaches.


G. Class Actions in ID Theft and Data Breach Cases
1. Lost Laptops Lead to Lawsuits
a. VA Agrees to Compensate Veterans Who Were Put at Risk of Identity Theft
On Jan. 27, 2009, the U.S. Department of Veterans Affairs (VA) agreed to pay $20 million to settle a class action lawsuit that alleged the VA failed to adequately protect American military personnel from identity theft.93 A laptop computer and external data storage device were stolen from the home of a VA employee on May 3, 2006. The computer and data storage device contained a copy of a collection of personal information for about 26.5 million people, including active and retired military veterans and their sources. The plaintiffs, a group of veterans advocacy groups, alleged that VA Secretary R. James Nicholson unlawfully allowed the department to maintain a database of veterans’ personal information that was not related to claims for benefits.94

U.S. District Court Judge James Robertson preliminarily approved the settlement on Feb. 11, 2009.95 According to its terms, all veterans, their spouses and military personnel who suffered actual damages as a result of the theft will receive a minimum of $75 and a maximum of $1,500 on all valid claims. These claims include the costs to protect or monitor personal financial information, expenses incurred as a result of physical manifestations of severe emotional distress and other reasonable expenses. Any remainder of the $20 million settlement after the payout of valid claims and attorney fees will be paid to veterans charities.


b. Starbucks Employee Files Suit After Personal Information Stolen
A Chicago-area Starbucks employee filed a class action lawsuit against Starbucks after a laptop containing the personal information of about 97,000 Starbucks employees was stolen on Oct. 29, 2008.96 In a security breach notification letter the Seattle-based coffee maker sent to the Office of the Maryland Attorney General, Starbucks said it concluded the laptop probably did contain personal information.97 Starbucks offered to pay for credit monitoring services for one year for its employees whose personal information may be exposed as a result of the theft, according to the letter.

The lawsuit filed by Laura Krottner on behalf of all Starbucks employees whose personal information was contained in the stolen laptop accuses the company of fraud and breach of contract for its pledge to protect employees’ personal information. The suit asks that Starbucks be ordered to pay for credit monitoring services for at least five years and that Starbucks receive periodic compliance audits from an outside company about the security of its computer systems. According to the complaint, Starbucks in 2006 lost four laptops that contained the personal information of 50,000 former and 10,000 then-current employees.


c. Mere Risk of Identity Theft Not Enough to Support Claims
In Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009), a federal judge dismissed claims of negligence and breach of contract against a data owner and its service provider because the plaintiffs could not show they were victimized beyond being exposed to an increased risk of identity theft. Joel Ruiz filed the class action lawsuit on Nov. 13, 2007, against Gap, Inc. and its service provider, Vangent, Inc., after a thief stole two laptop computers from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and about 750,000 other Gap job applicants.98

On April 6, 2009, U.S. District Judge Samuel Conti found that Ruiz had standing to bring his suit because the theft of the laptop exposed him to an increased risk of identity theft. However, Conti granted summary judgment to the defendants. On the negligence claim, Conti noted that Gap had already agreed to pay for one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable harm necessary to assert a negligence claim under California law.”99 On the breach of contract claim, Conti found that “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft of the two laptop computers.”100


2. ‘Truncation’ Requirement of FACTA
Many attempted class action lawsuits have been filed in federal courts alleging “truncation” violations of the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transaction Act (FACTA), 15 U.S.C. § 1681c(g). The law aims to protect consumers against identity theft by prohibiting businesses from printing more than the last five digits of a credit or debit card number, or the card’s expiration date, on an electronically printed receipt. FACTA provides for civil damages between $100 and $1,000 per violation and the possibility of punitive damages. Courts have recognized individual claims to recover amounts within the prescribed statutory range, but have issued mixed rulings on granting class certifications in “truncation” cases where the potential punitive awards could be disproportionate to the actual harm suffered by customers.
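The five-digit ceiling and the ban on printing the expiration date are mechanical enough to check in software before receipts ever reach a customer. The Go program below is an added example, not code from the handbook or from any merchant in the cases that follow: it renders a compliant and a non-compliant receipt for a constructed card number and audits receipt text against the transaction it was printed for. The six-consecutive-digit threshold and the MM/YY and MM/YYYY date forms it recognizes are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Transaction is the card data a terminal holds when it prints a receipt.
type Transaction struct {
	PAN      string // full primary account number
	ExpMonth int
	ExpYear  int
	Amount   string
}

// SampleTransaction is a constructed test record, not a real account.
func SampleTransaction() Transaction {
	return Transaction{PAN: "4012 8888 8888 1881", ExpMonth: 12, ExpYear: 2012, Amount: "$47.80"}
}

// digitsOnly drops spaces and dashes so formatted and unformatted numbers
// compare the same way.
func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// MaskPAN renders a card number with at most its last five digits visible,
// the statutory ceiling; keep is clamped to 5 so a misconfiguration cannot
// print more. Most processors keep only four.
func MaskPAN(pan string, keep int) string {
	d := digitsOnly(pan)
	if keep > 5 {
		keep = 5
	}
	if keep < 0 {
		keep = 0
	}
	if len(d) <= keep {
		return d
	}
	return strings.Repeat("*", len(d)-keep) + d[len(d)-keep:]
}

// CompliantReceipt prints the masked PAN and omits the expiration date entirely.
func CompliantReceipt(t Transaction) string {
	return fmt.Sprintf("VISA %s\nTOTAL %s\n", MaskPAN(t.PAN, 4), t.Amount)
}

// NoncompliantReceipt reproduces the pattern in the FACTA cases: eight PAN
// digits plus the expiration date.
func NoncompliantReceipt(t Transaction) string {
	d := digitsOnly(t.PAN)
	return fmt.Sprintf("VISA ****%s EXP %02d/%02d\nTOTAL %s\n",
		d[len(d)-8:], t.ExpMonth, t.ExpYear%100, t.Amount)
}

var expiryPattern = regexp.MustCompile(`\b(\d{2})/(\d{2}|\d{4})\b`)

// TruncationViolations audits a rendered receipt against the transaction it
// was printed for. It flags any run of six or more digits (spaces and dashes
// allowed inside the run) that occurs in order inside the PAN, and any
// MM/YY or MM/YYYY date equal to the card's expiration. Digit runs that are
// not part of the PAN (totals, store numbers) are ignored. Findings report
// counts only, never the digits, so the audit output is safe to log.
func TruncationViolations(receipt string, t Transaction) []string {
	var problems []string
	pan := digitsOnly(t.PAN)
	flush := func(run string) {
		if d := digitsOnly(run); len(d) >= 6 && strings.Contains(pan, d) {
			problems = append(problems, fmt.Sprintf("%d consecutive card digits printed; limit is 5", len(d)))
		}
	}
	run := ""
	for _, r := range receipt {
		if (r >= '0' && r <= '9') || r == ' ' || r == '-' {
			run += string(r)
			continue
		}
		flush(run)
		run = ""
	}
	flush(run)
	for _, m := range expiryPattern.FindAllStringSubmatch(receipt, -1) {
		month, _ := strconv.Atoi(m[1])
		year, _ := strconv.Atoi(m[2])
		if month == t.ExpMonth && (year == t.ExpYear || year == t.ExpYear%100) {
			problems = append(problems, "card expiration date printed")
		}
	}
	return problems
}

func main() {
	tx := SampleTransaction()
	for _, r := range []string{CompliantReceipt(tx), NoncompliantReceipt(tx)} {
		fmt.Print(r)
		fmt.Println("violations:", TruncationViolations(r, tx))
	}
}
```

Checking against the known PAN rather than for any long digit string keeps the auditor from flagging authorization codes or store numbers, while still catching a leading-digit (BIN) leak, which the five-digit rule forbids just as much as a trailing one.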

In Harris v. Best Buy Co., Inc., 254 F.R.D. 82, 90 (N.D. Ill. 2008), the court certified a class of at least 100 members on the basis that “whether an award is unconstitutionally excessive is best decided after the class is certified, so that the Court can evaluate the defendant’s conduct and whether the defendant made an attempt to control its exposure.” Similarly, in Brittingham v. Cerasimo, Inc., 621 F. Supp. 2d 646, 650 (N.D. Ind. 2009), the court reinstated a proposed class action based on the merchant failing “to significantly limit the Plaintiffs’ risk of identity theft” by printing more than five digits of their debit and credit card numbers along with the expiration date on their receipts.

However, in Bateman v. American Multi-Cinema, 252 F.R.D. 647, 651 (C.D. Cal. 2008), the court declined to certify a class action against a movie theater chain that printed eight digits on a credit card receipt. The action sought potential damages between $29 million and $290 million and the court was “not persuaded by Plaintiff’s argument that an increased risk of identity theft, however slight, is sufficient to constitute actual harm.” Similarly, in Leysoto v. Mama Mia I., Inc., 255 F.R.D. 693 (S.D. Fla. 2009), the court declined to certify a class action that sought between $4.6 million and $46 million in damages against a restaurant with $40,000 in net assets. The court reasoned that to certify the class would give the plaintiffs the ability to “dangle the Sword of Damocles over Defendant, without any showing of actual economic harm.”101


3. Indiana Court Finds ID Theft Concerns Validate Driver’s License Policy
In Leone v. Commissioner, Indiana Bureau of Motor Vehicles, 906 N.E.2d 172 (Ind. App. 2009), the court found that the Indiana Bureau of Motor Vehicles did not violate state law by requiring holders of driver’s licenses and state identification cards to make sure their names in the BMV’s database match those on file with the Social Security Administration.

The Indiana BMV, like similar agencies in at least 45 other states, has an agreement to verify its records with those of the SSA. In matching Social Security numbers between the two systems, the BMV found that the names of some license and card holders did not match those on file with the SSA. The BMV sent notices to those with name discrepancies placing the burden on them to correct the information or risk invalidation of their driver’s license or ID card. The court noted that discrepancies between the two systems often occurred because of legal name changes, using a nickname with one agency and not the other, or a name change due to marriage.

In denying a motion from a certified class seeking an injunction to prohibit enforcement of the policy, the court wrote that while it agreed a person is legally entitled to change his or her name, “it does not follow that all others, including government agencies like the BMV, are required to simply accept the word of the applicant that he is who he claims to be.”102

The court did find that the policy violated the due process rights of card and license holders because of uncertainties in whether a person should correct their information with the BMV, SSA, or both agencies. However, the court refused to grant the injunction because “the policy effectively blocks a well-known avenue for identity theft by making it much more difficult to appropriate another’s social security number in order to obtain state identification.”103


4. ‘Undeveloped’ Maine Law Excuses Grocer From Liability for Data Theft
In In re Hannaford Bros. Co. Customer Data Security Breach, 613 F. Supp. 2d 108 (D. Me. 2009), District Judge D. Brock Hornby applied what he described as “still undeveloped” Maine law to find a grocery store chain was not liable for the fraudulent charges to customers’ credit and debit cards that resulted from a third party stealing the customers’ electronic payment data from the chain. In his ruling to dismiss the contract-related claims against the Maine-based supermarket chain, Hornby wrote that state law only allows customers whose financial data is stolen to recover against a merchant when the merchant’s negligence caused the loss to the consumers’ account.

Hornby wrote that a reasonable jury could not find “an unqualified guaranty of confidentiality by the merchant is ‘absolutely essential’ to the contract for a sale of groceries” because there was no reason to believe customers would stop using their cards without a 100 percent guaranty of data safety.104 However, Hornby allowed the one plaintiff whose bank did not reimburse her for the fraudulent charges to proceed against the grocer on claims of breach of implied contract, negligence, and a deceptive act under Maine’s Unfair Trade Practices Act, 5 M.R.S.A. §§ 205-214.


H. Hacking: Threats and Consequences
1. Hacker Can Be Sued for Fraud Under Securities Exchange Act
In Securities and Exchange Commission v. Dorozhko, No. 08-0201-cv, 2009 U.S. App. LEXIS 16057, 2009 WL 2169201 (2nd Cir. July 22, 2009), the court ruled that a man accused of hacking into a computer system to gain advance notice of a company’s quarterly earnings could be sued for fraud under § 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b). The ruling eliminates the burden on the SEC to show the alleged hacker violated a fiduciary duty, which is a part of the generally accepted theories of insider trading.105

In early October 2007, Oleksandr Dorozhko, a Ukrainian national and resident, opened an online trading account and spent almost all of his $42,500 investment on “put” options in IMS Health, Inc., which the SEC says amounted to a risky bet that the stock price of IMS would sharply decline. IMS had hired Thomson Financial Inc. for its Web-hosting services. The SEC alleges that on Oct. 17, 2007, hours before the scheduled public release of IMS’s quarterly earnings, Dorozhko hacked into Thomson’s computer system and that within six minutes of Thomson receiving the report, Dorozhko sold all of his IMS options for an overnight profit of $286,456.106

The decision reversed a district court decision that relied on three Supreme Court cases107 in refusing to grant the SEC an injunction which would have frozen Dorozhko’s assets from the sale. In his opinion, Circuit Court Judge Jose A. Cabranes wrote that although breaching a fiduciary duty satisfies the requirement of a “deceptive device” under § 10(b) of the Act, “what is sufficient is not always what is necessary, and none of the Supreme Court opinions considered by the district court require a fiduciary relationship as an element of an actionable securities claim under § 10(b).”108 The case was remanded to determine “whether the computer hacking in this case involved a fraudulent misrepresentation that was ‘deceptive’ within the ordinary meaning of Section 10(b).”109
2. Former Secret Service Informant Indicted in ‘Largest’ ID Theft Case Ever
On Aug. 17, 2009, a man who authorities say formerly helped the Secret Service hunt computer attackers, but also fed information to criminals, was indicted in what the Department of Justice called the largest reported data breach in U.S. history.110 According to the U.S. Attorney’s Office in Newark, N.J., the indictment describes a scheme between October 2006 and May 2008 in which more than 130 million credit and debit card numbers along with account information were stolen from Heartland Payment Systems, based in Princeton, N.J., 7-Eleven Inc., and Hannaford Bros. Co.111

Prosecutors say Albert Gonzalez, of Miami, Fla., acted with two unnamed Russian conspirators to hack into the computer systems of the corporate victims after conducting reconnaissance at various retail locations. The scheme eventually reached a point where the trio conducted “real-time interception” of credit and debit card data being processed by the corporations.

The trio had a goal of selling the data to others who would use it to make fraudulent purchases, but the success of this plan was not known, according to prosecutors.112 Gonzalez was previously indicted in New York and Massachusetts in 2008 for his involvement in conspiracies relating to data breaches of multiple companies. He was also arrested in 2003 in New Jersey for his role in ATM and debit card fraud. Gonzalez was being held in the Metropolitan Detention Center in Brooklyn, New York.113
3. TechCrunch Stirs Ethical Debate By Publishing Hacked Documents
In July 2009, the technology Web site TechCrunch published some of the “more than 300 confidential Twitter documents and screenshots” that TechCrunch says it received via e-mail from a hacker who swiped the information from Twitter.114 After combing through the vast amount of information, TechCrunch published documents that revealed, among other things, Twitter’s goal of becoming the first social networking site to reach one billion users, a pitch for a Twitter-based TV show, and plans for future revenue-producing models.115

Media ethicists and commentators debated whether TechCrunch crossed an ethical line by publishing the stolen documents. Al Tompkins of Poynter Online framed his concern in the context of a changed media landscape that he feared could lead to an erosion of journalistic ethics. “I worry that because we now have new competitive pressures from nontraditional sources such as bloggers, Twitterers, etc., we will be tempted to lower our standards and publish under the notion that confidential documents ‘will get out there anyway,’” Tompkins wrote.116

TechCrunch founder Michael Arrington was forthright in explaining the Web site’s decision. “We publish confidential information almost every day on TechCrunch,” Arrington wrote. “This is stuff that is also ‘stolen,’ usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.”117

Twitter said in its blog that the stolen documents did not reveal “some big, secret plan for taking over the world,” but that the publication “could jeopardize relationships with Twitter’s ongoing and potential partners.” Twitter specified that the hacker retrieved the company documents by accessing an employee’s e-mail account and not by hacking into the Twitter server.118


4. Accused Hacker Loses Bid to Prevent Extradition from UK
An autistic man who a United States prosecutor said was charged with “the biggest military computer hack of all time” lost his bid to avoid extradition from the United Kingdom on charges dating back to 2002.119 The England and Wales High Court on July 31, 2009, ruled that 43-year-old Gary McKinnon should face extradition because that is “a lawful and proportionate response to his offending,” according to the ruling issued by Judge Stanley Burnton in the Queen’s Bench Division.120 McKinnon’s family has tried to prevent his extradition by arguing he has Asperger’s syndrome and that he could be a suicide risk if sent to the United States.121 McKinnon’s lawyer, Karen Todner, said she planned to appeal the decision.122

A federal grand jury in Virginia indicted McKinnon in 2002 on seven counts of computer-related crimes in 14 crimes after he was accused of breaking into 97 computers belonging to NASA, the Department of Defense and several branches of the military soon after the Sept. 11, 2001, terrorist attacks.123 The indictment alleged McKinnon deleted critical system files and obtained classified information and encrypted passwords from the computers. McKinnon claimed he was searching for evidence of UFOs, and his lawyers portrayed McKinnon as an eccentric but harmless man who did not have any malicious intent.124


5. British Tabloid Embroiled in Phone Hacking Scandal
The British tabloid News of the World, published by a subsidiary of media mogul Rupert Murdoch’s News Corporation, reportedly paid about $1.6 million to quietly settle various lawsuits involving allegations of phone-hacking by its reporters, according to a July 8 report by The Guardian of London.125 Murdoch denies that the newspaper ever made any settlement payments for alleged phone hacking, and critics and other media outlets have suggested that The Guardian’s reporting amounts to little more than media mud-slinging.126

The Guardian reported that News of the World’s publisher, News Group Newspapers, attempted to settle the lawsuits to avoid revealing evidence that News of the World journalists were repeatedly hiring private investigators to illegally hack into the mobile phone messages of numerous public figures, including cabinet ministers, members of Parliament, actors and sports stars. The Guardian claimed to have discovered the information by researching the 2006 criminal investigations of News of the World reporters Clive Goodman and Glenn Mulcaire for alleged phone hacking.

News Group Newspapers is a subsidiary of News International, which is owned by Murdoch’s News Corporation.



The Guardian report cited a Metropolitan police source who said that during the investigation of the reporters, officers found evidence of News Group staff hiring private investigators to hack into “thousands” of mobile phones, and “another source with direct knowledge of the police findings” put the figure at “two or three thousand” different phones. A subsequent New York Times report cautioned that The Guardian report could not be independently verified, observing that it cited unnamed police sources and no sources for its claim that News International paid $1.6 million in damages and legal costs.127 But on July 21, Bloomberg News reported that News of the World editor Colin Myler testified before a parliamentary committee that James Murdoch, Rupert’s son, had authorized the payment of $1.1 million to settle a claim against the newspaper.128
