On July 18, 2023, the Illinois Supreme Court denied a rehearing on the issue of Biometric Information Privacy Act (BIPA) accrual. The request for rehearing derived from an opinion by the 7th Circuit, Cothron v. White Castle System, Inc., 20 F.4th 1156 (7th Cir. 2021), holding that “separate claims accrue under BIPA each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”
In Cothron, a class of employees filed an action against their employer, White Castle, for requiring employees to scan their fingerprints to access computers without first obtaining employee consent. The 7th Circuit ruling, in conjunction with Illinois Supreme Court’s denial of rehearing, means an employer can be liable every time an employee scanned their fingerprints or such information is transmitted without their consent. The dissenting opinion of the Illinois Supreme Court criticized the majority’s interpretation as unable to “be reconciled with the plain language of the statute,” further citing the damage BIPA accrual can cause to businesses.
Enacted in 2008, Illinois’ BIPA was one of the first state laws addressing the collection of biometric data. BIPA requires private companies to develop written policies establishing guidelines and retention schedules for the collection, transmittal, and storage of biometric data. Moreover, BIPA requires companies to obtain informed consent prior to the collection. Biometric information, as defined by the Illinois legislature, includes retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry.
Currently, Illinois, Maryland, New York (and New York City), Oregon (and Portland), Texas and Washington, each have biometric privacy laws in place. Additionally, several other states have proposed similar laws, or included biometric information regulations within comprehensive privacy laws. Notably, not all biometric privacy laws create a private right of action like BIPA or New York City.
Key takeaway: Despite the Supreme Court’s recent pronouncement of patent-eligible subject matter, cybersecurity innovation will remain an active area for intellectual property protection through the patent application and prosecution process.
Because cybersecurity protection is of critical importance to businesses, it has become commonplace, resulting in a fundamental impact on other areas of the law. Where are practitioners observing the most change? In patenting cybersecurity software.
The United States Patent and Trademark Office (USPTO) received 1,087 cybersecurity-related patent applications between 2000 and 2022. The U.S. has the world’s largest cybersecurity workforce housing 1.1 million cyber jobs. Companies that invest in cybersecurity protection with the proper internal policy regulations will best be positioned to protect their intellectual property.
After the U.S. Supreme Court’s 2014 decision in Alice Corp. v. CLS Bank International, the USPTO began to treat patent applications containing process claims or method claims with a higher level of caution. Process claims or method claims describe an invention as a series of steps to achieve a technical solution and are usually considered to be patent-ineligible subject matter because they are directed to an “abstract” idea.
The Alice decision pushed practitioners to draft software patent claims that define the technological steps with specificity and therefore enable the innovative technical solution. Because most patent applications include a background of the invention, it is critical to include a detailed discussion of the technical context of software-driven innovations.
Despite patent examiners being technically trained, certain examiners may not have the subject knowledge needed to understand the “uniqueness” or need for the innovation. Practitioners are encouraged to provide the background on how the innovation was developed and the technical needs it addresses within the application. Providing a more descriptive background equips the patent examiner with a better understanding of the innovation’s practical value within the industry.
A patent application can include an explanation of how technical challenges were overcome to arrive at the solution, the technical advantages of the solution, and practical results and improvements that can be obtained with the solution.
Takeaway: On both a federal and state level, there has been a concerted push to protect employee privacy more thoroughly. As the law continues to develop or, as in the case of the NLRB, new methods of enforcement come into play, employers must balance the desire to monitor employee activity with the legal risk it may pose. It is in the best interest of employers to keep pace with the evolving body of law and ensure appropriate employee monitoring policies are in place.
Since the beginning of the COVID-19 pandemic, there have been many changes to employee privacy laws as more and more employees work remotely. As more technology is developed that allows for new forms of employee productivity monitoring, employers must be aware of potential legal exposures.
Recently, at the end of 2022, the National Labor Relations Board (“NLRB”) issued Memorandum GC 23-02 signaling a new initiative to protect the privacy of employees from employer methods of monitoring and tracking. As background, Section 7 of the National Labor Relations Act (“NLRA”) guarantees employees the right to unionize and advance their interests, while Section 8(a)(1) makes it unlawful for an employer to interfere with an employee’s Section 7 rights. Of the utmost concern for NLRB General Counsel was the possibility that such oversight by employers would impede the Section 7 rights of employees who engage in protected activity.
Shortly thereafter, on April 11, 2023, the NLRB issued a decision in Stern Produce Company and United Food and Commercial Workers, Local 99. The employer, Stern, had installed cameras in their trucks meant to monitor different delivery activities. The employee had covered the camera during his lunch, claiming there was no such policy against doing so in the employee handbook. The employee was subsequently told to uncover his camera by a supervisor. The NLRB ruled this constituted a violation of “Section 8(a)(1) [of the NLRA] by creating the impression of surveillance by accessing the inside-facing camera…and requesting that [the employee] uncover it.”
On March 15, 2023, the United States Securities and Exchange Commission (SEC) took a major step towards strengthening cybersecurity in the financial sector by proposing three new rules. These rules aim to improve privacy, data security, and compliance measures while addressing the growing need for transparency in the constantly evolving digital landscape.
The first proposed rule involves amendments to Regulation S-P. Regulation S-P enforces privacy, data security, and data disposal rules on broker-dealers, investment advisers, and investment companies under the SEC’s authority pursuant to the Gramm-Leach-Bliley Act. The amendments would require covered institutions to implement a written incident response program, notify affected individuals of data breaches, and maintain written records to document compliance with Regulation S-P rules.
The second proposed rule introduces Rule 10, which would require specific entities performing critical services in support of the U.S. securities market, collectively referred to as “market entities,” to maintain and regularly update written policies and procedures addressing cybersecurity risks. It would also require market entities to provide immediate written notice to the SEC of significant cybersecurity incidents, and publicly disclose summary descriptions of cybersecurity risks and incidents.
The third proposed rule pertains to amendments to Regulation Systems Compliance and Integrity (SCI), which was adopted in 2014 and applies to specific entities and their automated systems supporting key security market functions. The proposed amendments aim to expand the scope of entities covered by Regulation SCI, enhance the regulation’s requirements, and necessitate the inclusion of key third-party providers in required Business Continuity/Disaster Recovery (BC/DR) testing.
These new cybersecurity rule proposals demonstrate the SEC’s commitment to safeguarding consumer information and fortifying cybersecurity measures within the financial sector. By amending Regulation S-P, introducing Rule 10, and revising Regulation SCI, the SEC aims to create a more secure and transparent environment for both market participants and consumers.
The public comment periods for these proposals will remain open for 60 days after publication in the Federal Register.
Takeaway: Hackers cannot be underestimated, and companies need to take cybersecurity policy seriously.
Earlier this year, a massive Twitter data breach occurred. Researchers are learning that the data breach was significantly more severe than initially reported.
In the first reports, one hacker was suspected of exploiting a vulnerability within the system. The vulnerability exposed subscribers’ Twitter IDs, login names, names, phone numbers, and email addresses.
It is now known that several hackers downloaded personal data using the same vulnerability. Reports are showing a new list containing the data of millions of Twitter subscribers. This new list is different from the earlier reported list which contained 5.4 million records. What’s worse is that the 5.4 million record list is currently being shared for free with other hackers. And there is, additionally, a list of 1.4 million subscribers with suspended Twitter accounts whose information is being exploited.
Most websites have data tracking, and the tracking is collected to generate personalized marketing. Women and men usually experience marketing tailored depending on gender. This data can also be sold to governments. And the number of trackers can vary by site. One can expect a retailer to have more trackers than, say, a non-profit.
Interestingly, a recent survey found that the number of trackers may also reflect the attitude organizations have towards privacy depending on where you are situated in the world. Websites in Hong Kong have on average 45 trackers, the highest average worldwide. Websites in the United States have on average 33 trackers, the third-highest average. Websites in Canada have on average 16 trackers, the eighth-highest average.
Internet users can limit the number of trackers by adjusting their privacy settings, regularly deleting cookies, clearing out their cache, and enabling their browser’s “do not track” feature. Companies, however, must work actively with their internal cybersecurity and legal departments to ensure that patches are applied regularly, employees are educated on cybersecurity risks, policies are continuously updated, and so on.
Takeaway: When a cybersecurity-related incident occurs, an insured should not automatically assume a standard commercial general liability (CGL) policy issued by an insurer will cover their losses, as CGL policies generally afford coverage to an insured for losses resulting from bodily injury and property damage. An insured’s cybersecurity losses can encompass much more, such as losses arising from a data breach concerning confidential or personal information of a client or customer, i.e., third parties who fall outside of the scope of an insured’s traditional CGL policy. Therefore, to ensure cyber coverage exists in the wake of a cyber incident, an insured should make certain that potential cyber-related losses are included within the “four corners” of the underlying insurance policy to secure a defense and, more importantly, coverage from an insurer.
Key Point: In determining whether there is a duty to defend, a court must follow the “Eight Corners” Rule and look at the “four corners” of the complaint and the “four corners” of the underlying insurance policies.[1] In other words, an insurer is obligated to defend its insured if the factual allegations of the complaint, on its face, encompass an injury that is actually or potentially within the scope of the policy.[2]
Discussion: Recently, an increasing number of legal battles over whether losses related to cybersecurity incidents are covered by an insured’s policy have tested the applicability of the underlying policy. For example, an Eleventh Circuit panel addressed whether a ‘computer fraud’ policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. (together, “InComm”) excluded coverage for losses involving fraud.[3] InComm sold “chits” – each of which had a specific monetary value – to consumers, who could then “redeem” them by loading their value onto a debit card.[4] Between November 2013 and May 2014, InComm lost $11.4 million when fraudsters manipulated a glitch in InComm’s computerized interactive-telephone system that enabled them to redeem chits multiple times, with each duplicative redemption of an already-redeemed chit defrauding InComm of the chit’s value.[5]
Takeaway: Security labels on internet-connected devices are on the horizon for companies that manufacture and want to sell such devices worldwide.
Last week, the White House National Security Council announced plans for a consumer products cybersecurity labeling program aimed at improving digital safeguards on internet-connected devices.
On October 19, 2022, 50 representatives from different industries including tech, consumer product, and manufacturing convened to discuss the cybersecurity labeling program that is planned to launch in the Spring of 2023.
In conjunction with its announcement, the White House also released a fact sheet outlining various cybersecurity initiatives. In its fact sheet, the White House recommends three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks of using internet-connected devices.
Additionally, the administration is working with the European Union to align its Cybersecurity Act standards with those of the cybersecurity labeling program. The White House envisions that products with cybersecurity labels will be sold globally.
The idea is for the standards under consideration to rate products based on how often manufacturers deploy patches for software vulnerabilities or whether a device connects to the internet without a password.
The White House hopes this program will incentivize companies to invest in cybersecurity because they will be rewarded for participating in the program whilst customers are provided with safer products. Part of the process will include using the National Institute of Standards and Technology to create labels according to the specifications of a product. The initial stage of the program includes the creation of bar-like labels on products that consumers can scan with their phones for updated security details. The remaining stages will be released as the White House continues to develop the program.
Protecting connected devices has been an ongoing issue for some time now. Companies should stay alert as the White House releases more information in the coming year.
Takeaway: The latest directive from CISA will enhance federal agencies’ ability to identify vulnerabilities in their networks to prevent and respond to cybersecurity incidents.
On October 3, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive (BOD) 23-01 entitled Improving Asset Visibility and Vulnerability Detection on Federal Networks.[1] The aim of BOD 23-01 is “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”[2]
A binding operational directive is a compulsory direction to the executive branch, departments and agencies for purposes of safeguarding federal information and information systems.[3] BOD 23-01 applies to any agencies operating as a Federal Civilian Executive Branch (FCEB) agency such as the Department of Justice, the Department of Education, and the Department of Health and Human Services.[4] The directive also applies to any entity acting on behalf of a FCEB agency that “collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”[5]
BOD 23-01 focuses on (1) asset discovery, or identifying what IP-assets reside on an agency’s networks and detecting their associated IP addresses and (2) vulnerability enumeration, or detecting and reporting vulnerabilities on those assets such as outdated software or missing updates.
The directive lists mandatory actions and reporting requirements that FCEB agencies must implement by April 3, 2023. For example, each FCEB agency must perform automated asset discovery every 7 days. FCEB agencies have discretion in determining the method and technology to complete this task, but BOD 23-01 requires that the discovery must cover the entire IPv4 space at minimum. Additionally, each agency must initiate vulnerability enumerations every 14 days. All FCEB agencies must initiate the collection and reporting of performance data within 6 months of the publication of BOD 23-01 in order to allow CISA to automate oversight and monitoring. Collectively, these actions enhance an agency’s ability to automatically detect vulnerabilities and prevent exploitation of any weaknesses in their networks.
Takeaway: In many data breach cases, a cybersecurity expert may evaluate whether the company’s security measures were reasonable and appropriate or, alternatively, if the company lacked the requisite technology to detect a breach. In some circumstances, however, a party’s proposed expert may be challenged on the basis of unfair prejudice. Yet, under the Third Circuit’s “generally liberal standard of qualifying experts”, such a challenge was recently overcome by a party whose expert had advanced IT credentials, 20+ years of relevant professional experience, and offered an opinion with probative evidentiary value that outweighed any danger of unfair prejudice.
Key Points: Rule 702 of the Federal Rules of Evidence sets forth the standards for admissible expert testimony. As explained by the Third Circuit Court of Appeals:
“Rule 702 has three major requirements: (1) the proffered witness must be an expert, i.e., must be qualified; (2) the expert must testify about matters requiring scientific, technical or specialized knowledge [, i.e., reliability]; and (3) the expert’s testimony must assist the trier of fact [, i.e., fit].”[1]
Regarding the first requirement, qualification, the Third Circuit has stated that it has “a generally liberal standard of qualifying experts.”[2] “Rule 702 requires the witness to have ‘specialized knowledge’ regarding the area of testimony. The basis of this specialized knowledge can be practical experience as well as academic training and credentials.”[3]
When addressing the second requirement, reliability, the Third Circuit has derived from the seminal case of Daubert the following non-exclusive factors for determining reliability:
“(1) whether a method consists of a testable hypothesis; (2) whether the method has been subject to peer review; (3) the known or potential rate of error; (4) the existence and maintenance of standards controlling the technique’s operation; (5) whether the method is generally accepted; (6) the relationship of the technique to methods which have been established to be reliable; (7) the qualifications of the expert witness testifying based on the methodology; and (8) the non-judicial uses to which the method has been put.”[4]
Takeaway: CISA and CGCYBER recommend that all organizations who did not immediately apply available patches assume Log4Shell compromise and initiate threat hunting activities.
In December 2021, the world was held hostage by hackers who exploited the Log4Shell vulnerability in the Apache Log4j library. As part of this exploitation, suspected advanced threat actors implanted loader malware on compromised systems with embedded directives enabling remote command and control. A confirmed compromise showed that these actors were able to infiltrate a disaster recovery network and collect sensitive data.
Cybersecurity agencies and governmental policy bodies acted immediately against these threats and released patches and Malware Analysis Reports MAR-10382580-1 and MAR-10382254-1 detailing the malware and workarounds. But the threat was omnipresent.
The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) recently released a warning in July to network defenders that cyber threat actors continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to infiltrate organizations that failed to apply patches.
Organizations are encouraged to read MAR-10382254-1, which provides examples of malware samples including indicators of compromise (IOCs) and detection signatures.
What organizations must do now is:
Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, organizations must treat all affected VMware systems as compromised.
Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
For the full article and specific examples of Log4Shell threat events, go to:
https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher.