As we move further into 2019, we’d like to give an overview of the trends we see developing in the cybersecurity and data privacy area for the year. We’ll be sure to elaborate on these areas with more details as they unfold.
State legislation continues to move the data privacy ball down the field. The Super Bowl is over, but the analogies continue.
As of 2018, every state legislature had enacted a data breach notification law. This leads us to ask what is next for Justice Brandies’ laboratories of democracy? State governments are now passing laws to protect the personal information of their residents.
Following the footsteps of the California Consumer Privacy Act, Washington would be the second state to adopt a comprehensive privacy law, emulating the consumer rights principles found in the European Union’s General Data Protection Regulation (GDPR). What do California’s and Washington’s laws mean for U.S. companies? Without a federal law, businesses may struggle to stay abreast of the compliance requirements for these well-intended but patchwork legislative solutions.
Cybercrime will find targets that weren’t vulnerable before. It is harder to play defense than offense.
Criminal behavior is often described as a function of opportunity and risk, balancing the value a potential victim offers against the criminal’s perception that a victim is an easy or difficult target. However, unlike traditional crimes, cybercrime does not require physical proximity between the attacker and the victim.
The virtual nature of cybercrime allows single criminals to perform multiple crimes in several locations in rapid succession. This allows criminals to launch hundreds of ransomware attacks against individuals in multiple states each night, and demand a $100 bounty to unlock the infected computer — clearing thousands of dollars per day. On the other side of the cybercrime spectrum is Ryuk, a “big game hunting” threat, targeting large organizations with high ransoms. In the face of these evolving threats, IT professionals and corporate decision makers must accept that cybersecurity will be a Sisyphean task that we all must shoulder.
Data protection liability and cyber insurance coverage are evolving. Judicial recognition of (if not sympathy for) the multitude of data breach threats is expanding.
Like our state legislatures, our state and federal courts are evolving in their approaches to liability in the digital age, at what would normally be considered a feverish pace. In the last two years, the D.C. Circuit, Eighth Circuit and a U.S. District Court in northern California have ruled that plaintiffs had standing to bring lawsuits based in part on the risk of future harm of identity theft.
Similarly, in the summer of 2018, we saw the Second and Sixth Circuit Courts of Appeals published decisions in two spear-phishing cyber insurance coverage disputes that run counter to earlier decisions by the Fifth and Ninth Circuits. The facts in the cases below are distinguishable, but the divergent rulings are worthy of further discussion.
- Covered claim – Medidata Solutions, Inc. v. Federal Ins. Co., 729 Fed. Appx. 117 (2d. Cir. 2018).
- Covered claim – Amer.Tooling Ctr. Inc. v. Travelers Cas. & Surety, 895 F.3d 455 (6th Cir. 2018).
- Not covered – Taylor & Lieberman v. Federal Ins. Co., (9th Cir. 2017).
- Not covered – Apache Corp. v. Great American Ins. Co., (5th Cir. 2016).
What do these decisions mean for companies? Not only do courts seem more receptive to the harms caused by identity theft, but courts are also delving into the factual details of computer scams and frauds when resolving cyber insurance coverage disputes.
Pennsylvania Supreme Court sides with employees
In late Nov. 2018, the Pennsylvania Supreme Court held that the University of Pittsburgh Medical Center failed to exercise reasonable care safeguarding employees’ personal information stored on an internet- accessible computer system. The Court also allowed the plaintiffs to obtain economic damages under the state’s economic loss doctrine under a negligence theory. The court acknowledged it was applying an existing common-law duty to a novel factual scenario as opposed to creating a new duty of care. Because the employees had to provide personal information to employers as a condition of employment, employers have a duty to exercise reasonable care in the protection of that data.
Illinois Supreme Court protects consumer biometric data
Recently, the Illinois Supreme Court unanimously held that individuals do not need to allege or prove actual damages or harm to maintain a private right of action under the Illinois Biometric Information Privacy Act when a private entity fails to comply with the statute’s requirements. The ruling upholds privacy rights of individuals in their unique biological information as defined by the Illinois statute. For a deeper discussion on the Illinois ruling, see Anne Mayette’s and Terry Potter’s article on the Husch Blackwell website regarding the decision.
The effects of GDPR enforcement actions and fines will influence U.S. corporate behavior. The EU has a long-arm of jurisdiction too.
In 2018, there was a significant amount of attention (and anxiety) over GDPR’s implementation. The first GDPR enforcement action was brought by the first UK’s Information Commissioner’s Office (ICO) against Canadian-based AggregateIQ (AIQ). Not only did the ICO order AIQ to delete the personal data of UK residents stored on its network — if the company fails to comply with this order, it could be subject to a fine of €20 million Euros. In January 2019 France’s La Commission Nationale de L’Informatique et des Libertes (CNIL) fined Google €50 million Euros. Google’s fine is the largest GDPR penalty issued by a regulator to date.
What should a U.S. company expect when it comes to GDPR enforcement? As the penalty against Google shows, GDPR enforcement can be brought against any foreign company that processes personal data of individuals residing in the EU. U.S. companies offering goods and services to the EU, or having an establishment within the EU and are monitoring the electronic behavior of individuals, are subject to GDPR enforcement.
Evolving threats and expanding liability will push companies to minimize the data they retain. Companies need to drain their digital swamps.
In recent years as data storage capacities rose and the costs fell, companies and individuals fell into the habit of saving everything. Most of us have become digital hoarders either at work or at home. But in the face of data breaches and expanding liability (judicial and regulatory), companies need to reassess their data retention practices — if only to reduce the quantity of data that is vulnerable to attack. Information governance policies are an effective tool to meet this goal, and they go hand-in-hand with a company’s eDiscovery practices. As our eDiscovery team leader Megan Scheiderer advised General Counsels in 2018, company legal departments responding to lawsuits, document subpoenas or government investigations are overseeing the data collection and production processes.
Information governance committees and policies can help companies get their digital houses in order to mitigate the risk of future legal and regulatory compliance actions.
Food for thought. There is little “good” news in this article, and the tasks and threats can feel overwhelming. We know that cybersecurity and data privacy are difficult challenges, but advice and resources are available to assist companies to navigate through the process and respond to threats as they arise.
About the author: A Denver-based partner of Husch Blackwell’s Technology, Manufacturing & Transportation team, Erik Dullea focuses his practice on administrative/regulatory law, with an emphasis on heavily regulated industries and government contractors. He represents mine operators in MSHA enforcement actions, energy and industrial companies in OSHA enforcement actions, and advises airlines and their pilots challenging FAA and DOT enforcement actions. Erik advises government contractors on transactional matters, bid protests and civil litigation. He holds an active security clearance and has 20 years of experience in the aviation industry as both a Navy pilot and a commercial pilot. Erik is a co-chair of Husch Blackwell’s Unmanned Aircraft Systems practice group.
Agreement between User and www.shalemag.com
Welcome to www.shalemag.com. The www.shalemag.com website (the “Site”) is comprised of various web pages operated by SHALE Oil & Gas Business Magazine (“SHALE Magazine”). www.shalemag.com is offered to you conditioned on your acceptance without modification of the terms, conditions, and notices contained herein (the “Terms”). Your use of www.shalemag.com constitutes your agreement to all such Terms. Please read these terms carefully, and keep a copy of them for your reference.
www.shalemag.com is a News and Information Site.
Shale Oil & Gas Business Magazine is a publication that showcases the dynamic impact of the energy industry. The mission of SHALE is to promote economic growth and business opportunities and to further the general understanding of how the energy industry contributes to the economic well-being of Texas and the United States as a whole. Shale’s distribution includes industry leaders and businesses, service workers, entrepreneurs and the public at large.
Visiting www.shalemag.com or sending emails to SHALE Magazine constitutes electronic communications. You consent to receive electronic communications and you agree that all agreements, notices, disclosures and other communications that we provide to you electronically, via email and on the Site, satisfy any legal requirement that such communications be in writing.
If you use this site, you are responsible for maintaining the confidentiality of your account and password and for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your account or password. You may not assign or otherwise transfer your account to any other person or entity. You acknowledge that SHALE Magazine is not responsible for third party access to your account that results from theft or misappropriation of your account. SHALE Magazine and its associates reserve the right to refuse or cancel service, terminate accounts, or remove or edit content in our sole discretion.
Children Under Thirteen
SHALE Magazine does not knowingly collect, either online or offline, personal information from persons under the age of thirteen. If you are under 18, you may use www.shalemag.com only with permission of a parent or guardian.
You may cancel your subscription at any time. Any cancellations made after 14 days of service will not qualify for a refund. Please contact us at email@example.com with any questions.
Links to Third Party Sites/Third Party Services
www.shalemag.com may contain links to other websites (“Linked Sites”). The Linked Sites are not under the control of SHALE Magazine and SHALE Magazine is not responsible for the contents of any Linked Site, including without limitation any link contained in a Linked Site, or any changes or updates to a Linked Site. SHALE Magazine is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by SHALE Magazine of the site or any association with its operators.
Certain services made available via www.shalemag.com are delivered by third party sites and organizations. By using any product, service or functionality originating from the www.shalemag.com domain, you hereby acknowledge and consent that SHALE Magazine may share such information and data with any third party with whom SHALE Magazine has a contractual relationship to provide the requested product, service or functionality on behalf of www.shalemag.com users and customers.
No Unlawful or Prohibited Use/Intellectual Property
All content included as part of the Service, such as text, graphics, logos, images, as well as the compilation thereof, and any software used on the Site, is the property of SHALE Magazine or its suppliers and protected by copyright and other laws that protect intellectual property and proprietary rights. You agree to observe and abide by all copyright and other proprietary notices, legends or other restrictions contained in any such content and will not make any changes thereto.
You will not modify, publish, transmit, reverse engineer, participate in the transfer or sale, create derivative works, or in any way exploit any of the content, in whole or in part, found on the Site. SHALE Magazine content is not for resale. Your use of the Site does not entitle you to make any unauthorized use of any protected content, and in particular you will not delete or alter any proprietary rights or attribution notices in any content. You will use protected content solely for your personal use, and will make no other use of the content without the express written permission of SHALE Magazine and the copyright owner. You agree that you do not acquire any ownership rights in any protected content. We do not grant you any licenses, express or implied, to the intellectual property of SHALE Magazine or our licensors except as expressly authorized by these Terms.
Use of Communication Services
The Site may contain bulletin board services, chat areas, news groups, forums, communities, personal web pages, calendars, and/or other message or communication facilities designed to enable you to communicate with the public at large or with a group (collectively, “Communication Services”). You agree to use the Communication Services only to post, send and receive messages and material that are proper and related to the particular Communication Service.
By way of example, and not as a limitation, you agree that when using a Communication Service, you will not: defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others; publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful topic, name, material or information; upload files that contain software or other material protected by intellectual property laws (or by rights of privacy of publicity) unless you own or control the rights thereto or have received all necessary consents; upload files that contain viruses, corrupted files, or any other similar software or programs that may damage the operation of another’s computer; advertise or offer to sell or buy any goods or services for any business purpose, unless such Communication Service specifically allows such messages; conduct or forward surveys, contests, pyramid schemes or chain letters; download any file posted by another user of a Communication Service that you know, or reasonably should know, cannot be legally distributed in such manner; falsify or delete any author attributions, legal or other proper notices or proprietary designations or labels of the origin or source of software or other material contained in a file that is uploaded; restrict or inhibit any other user from using and enjoying the Communication Services; violate any code of conduct or other guidelines which may be applicable for any particular Communication Service; harvest or otherwise collect information about others, including e-mail addresses, without their consent; violate any applicable laws or regulations.
SHALE Magazine has no obligation to monitor the Communication Services. However, SHALE Magazine reserves the right to review materials posted to a Communication Service and to remove any materials in its sole discretion. SHALE Magazine reserves the right to terminate your access to any or all of the Communication Services at any time without notice for any reason whatsoever.
SHALE Magazine reserves the right at all times to disclose any information as necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in SHALE Magazine’s sole discretion.
Always use caution when giving out any personally identifying information about yourself or your children in any Communication Service. SHALE Magazine does not control or endorse the content, messages or information found in any Communication Service and, therefore, SHALE Magazine specifically disclaims any liability with regard to the Communication Services and any actions resulting from your participation in any Communication Service. Managers and hosts are not authorized SHALE Magazine spokespersons, and their views do not necessarily reflect those of SHALE Magazine.
Materials uploaded to a Communication Service may be subject to posted limitations on usage, reproduction and/or dissemination. You are responsible for adhering to such limitations if you upload the materials.
Materials Provided to www.shalemag.com or Posted on Any SHALE Magazine Web Page
SHALE Magazine does not claim ownership of the materials you provide to www.shalemag.com (including feedback and suggestions) or post, upload, input or submit to any SHALE Magazine Site or our associated services (collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting your Submission you are granting SHALE Magazine, our affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.
No compensation will be paid with respect to the use of your Submission, as provided herein. SHALE Magazine is under no obligation to post or use any Submission you may provide and may remove any Submission at any time in SHALE Magazine’s sole discretion.
By posting, uploading, inputting, providing or submitting your Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in this section including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions.
Third Party Accounts
You will be able to connect your SHALE Magazine account to third party accounts. By connecting your SHALE Magazine account to your third party account, you acknowledge and agree that you are consenting to the continuous release of information about you to others (in accordance with your privacy settings on those third party sites). If you do not want information about you to be shared in this manner, do not use this feature.
The Service is controlled, operated and administered by SHALE Magazine from our offices within the USA. If you access the Service from a location outside the USA, you are responsible for compliance with all local laws. You agree that you will not use the SHALE Magazine Content accessed through www.shalemag.com in any country or in any manner prohibited by any applicable laws, restrictions or regulations.
You agree to indemnify, defend and hold harmless SHALE Magazine, its officers, directors, employees, agents and third parties, for any losses, costs, liabilities and expenses (including reasonable attorney’s fees) relating to or arising out of your use of or inability to use the Site or services, any user postings made by you, your violation of any terms of this Agreement or your violation of any rights of a third party, or your violation of any applicable laws, rules or regulations. SHALE Magazine reserves the right, at its own cost, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will fully cooperate with SHALE Magazine in asserting any available defenses.
In the event the parties are not able to resolve any dispute between them arising out of or concerning these Terms and Conditions, or any provisions hereof, whether in contract, tort, or otherwise at law or in equity for damages or any other relief, then such dispute shall be resolved only by final and binding arbitration pursuant to the Federal Arbitration Act, conducted by a single neutral arbitrator and administered by the American Arbitration Association, or a similar arbitration service selected by the parties, in a location mutually agreed upon by the parties. The arbitrator’s award shall be final, and judgment may be entered upon it in any court having jurisdiction. In the event that any legal or equitable action, proceeding or arbitration arises out of or concerns these Terms and Conditions, the prevailing party shall be entitled to recover its costs and reasonable attorney’s fees. The parties agree to arbitrate all disputes and claims in regards to these Terms and Conditions or any disputes arising as a result of these Terms and Conditions, whether directly or indirectly, including Tort claims that are a result of these Terms and Conditions. The parties agree that the Federal Arbitration Act governs the interpretation and enforcement of this provision. The entire dispute, including the scope and enforceability of this arbitration provision shall be determined by the Arbitrator. This arbitration provision shall survive the termination of these Terms and Conditions.
Class Action Waiver
Any arbitration under these Terms and Conditions will take place on an individual basis; class arbitrations and class/representative/collective actions are not permitted. THE PARTIES AGREE THAT A PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN EACH’S INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PUTATIVE CLASS, COLLECTIVE AND/ OR REPRESENTATIVE PROCEEDING, SUCH AS IN THE FORM OF A PRIVATE ATTORNEY GENERAL ACTION AGAINST THE OTHER. Further, unless both you and SHALE Magazine agree otherwise, the arbitrator may not consolidate more than one person’s claims, and may not otherwise preside over any form of a representative or class proceeding.
THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. SHALE OIL & GAS BUSINESS MAGAZINE AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE SITE AT ANY TIME.
SHALE OIL & GAS BUSINESS MAGAZINE AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS CONTAINED ON THE SITE FOR ANY PURPOSE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS ARE PROVIDED “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY KIND. SHALE OIL & GAS BUSINESS MAGAZINE AND/OR ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
SHALE Magazine reserves the right, in its sole discretion, to terminate your access to the Site and the related services or any portion thereof at any time, without notice. To the maximum extent permitted by law, this agreement is governed by the laws of the State of Texas and you hereby consent to the exclusive jurisdiction and venue of courts in Texas in all disputes arising out of or relating to the use of the Site. Use of the Site is unauthorized in any jurisdiction that does not give effect to all provisions of these Terms, including, without limitation, this section.
You agree that no joint venture, partnership, employment, or agency relationship exists between you and SHALE Magazine as a result of this agreement or use of the Site. SHALE Magazine’s performance of this agreement is subject to existing laws and legal process, and nothing contained in this agreement is in derogation of SHALE Magazine’s right to comply with governmental, court and law enforcement requests or requirements relating to your use of the Site or information provided to or gathered by SHALE Magazine with respect to such use. If any part of this agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, the warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the agreement shall continue in effect.
Unless otherwise specified herein, this agreement constitutes the entire agreement between the user and SHALE Magazine with respect to the Site and it supersedes all prior or contemporaneous communications and proposals, whether electronic, oral or written, between the user and SHALE Magazine with respect to the Site. A printed version of this agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. It is the express wish to the parties that this agreement and all related documents be written in English.
Changes to Terms
SHALE Magazine reserves the right, in its sole discretion, to change the Terms under which www.shalemag.com is offered. The most current version of the Terms will supersede all previous versions. SHALE Magazine encourages you to periodically review the Terms to stay informed of our updates.
SHALE Magazine welcomes your questions or comments regarding the Terms:
SHALE Oil & Gas Business Magazine
5150 Broadway #493
San Antonio, TX 78209
Effective as of November 27, 2017