Technology and Cybersecurity Torts
The Lamber Goodnow Team: At the Intersection of Legal and Technological Innovation
Technology is an ever-growing part of our lives. The Technology and Cybersecurity Tort team at Lamber Goodnow assists clients with important technology-related legal issues.
We are proud to be thought leaders in this area, regularly providing legal analysis to local and national media outlets.
Security in this time of rapid innovation is considerably more complicated than tying up your horse or locking your car. More than ever, what people are trying to protect – and cybercriminals are attempting to steal – is intangible information stored in a box called a hard drive or remotely in the “cloud”. If data is lost or stolen, the consequences can be devastating. Cybercrooks can exploit sensitive financial and medical information, expose private secrets and destroy computer files.
Hacking and Data Breaches
We want to think our personal and financial information is secure. But how secure is it?
Over the last several years, stories of hacks and data breaches have garnered national headlines. Cyberthieves have obtained personal information not just from online sites (145 million eBay users), but also from brick-and-mortar business with online operations, including banks (83 million accounts at JP Morgan) and retail stores (debit and credit card information of 56 million Home Depot customers and 40 million Target customers). In the case of Sony, cyberterrorists destroyed internal company servers and publicly posted sensitive business and personal information for the world to read.
The potential legal claims that are available to victims of data breaches depend on what the hackers do with the information. A cyberthief who steals and sells financial information may be liable for identity theft and wire fraud. A hacker that posts embarrassing information online may be subject to claims for invasion of privacy and intentional infliction of emotional distress.
In many cases, the victims of large-scale data breaches are unable to recover from the criminals directly. The attackers may be hard to locate or may not have the financial ability to pay for the harm they cause. As a result, the primary avenue for relief for injured consumers in such attacks is typically a class action lawsuit against the company from which the data was stolen. Class action lawsuits for data breaches have been brought against a variety of companies, including TD Ameritrade, TurboTax, Target, Home Depot, Sony and others.
Class action lawsuits typically include allegations of negligence. The company that stored the data may have neglected to take reasonable steps to implement, update and follow adequate security measures. Another potential claim is if a company failed to inform customers that their personal or confidential information was breached after the company became aware of a data breach. California has a law requiring notification in such circumstances, and federal legislation is under consideration.
Additional claims may be brought if hackers use stolen data to commit identity theft.
Identity theft has become a commonplace crime. According to the Bureau of Justice Statistics, more than 17 million people were victims of identity theft in 2014.
Identity thieves use a variety of methods to steal personal data. High-tech methods include hacking, malicious software (malware), exploiting weaknesses in browser security and brute force password attacks. Low-tech methods include dumpster diving, skimming information from credit cards, diverting mail and watching people type login credentials in public places (shoulder surfing).
Even though identity theft is a crime – under both federal and state law – it can be difficult to recover compensation for losses. Banks typically cover the out-of-pocket losses associated with credit card fraud, but there can be other significant costs. Fixing the damage caused to business relationships and credit scores can take hundreds of hours. Victims of identity theft are often left feeling violated, frustrated and angry.
There are a number of federal statutes and regulations that assist in pursuing legal claims for identity theft, some of which are industry-specific. For example:
- Identity Theft and Assumption Deterrence Act of 1998. Makes identity theft a Federal crime with penalties of up to 15 years of imprisonment and a maximum fine of $250,000.
- Fair Credit Reporting Act (FCRA). Promotes accuracy, fairness and privacy of consumer information contained in the files of consumer reporting agencies.
- Federal Wiretap Act (FWA). Prohibits the intentional interception, disclosure and use of any electronic communication.
- Computer Fraud and Abuse Act (CFAA). Provides criminal penalties for a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”
- Identity Theft Enforcement and Restitution Act of 2008. Enhances the CFAA to make it easier for private individuals to recover compensation from cybercrooks.
- Health Insurance Portability and Accountability Act (HIPAA). Protects and regulates the use of medical records and information.
- Red Flags Rule. Requires financial institutions and certain creditors to develop, implement and administer programs to prevent identity theft.
- Gramm-Leach-Bliley Act. Requires financial institutions to protect consumer data.
These laws provide for governmental enforcement through criminal or civil regulatory procedures. The CFAA and FCRA also include the ability for injured individuals to sue if the law is violated (known as a private right of action). Even in situations where a statute does not explicitly authorize a private right of action, an argument can be made that the company was negligent if it didn’t follow the standards and requirements set forth in the statute.
Common law negligence arguments may be effective if a company failed to take reasonable precautions to safeguard information or failed to provide notice to customers after it learned of a breach. If a defendant was holding confidential, financial or medical records, there may be a heightened fiduciary duty to exercise care in protecting the information.
Big Data and the Cloud
Individuals and businesses are being inundated with data. It’s easy to fill up an entire hard drive with cute videos of grandkids and kittens.
As data grows exponentially, so does the need for storage. An increasingly popular option is to use online storage, also known as the “cloud”.
Cloud storage comes with risks – whether the provider will remain in business, whether the information you upload still belongs to you, your ability to access your data based on the provider’s bandwidth and uptime and, of course, security risks.
Providers of storage may be liable if data is lost, stolen or sold based on tort and contract claims. A company that fails to take reasonable precautions to protect customer data may be liable in tort. Failure to abide by contracts, privacy policies and marketing promises may result in contract liability and fraud.
The Internet of Things and Malware
With the advent of the Internet of Things, concerns about malicious software (malware), privacy and hacking are no longer limited to computers, smartphones and mobile devices. Everyday objects ranging from cars to coffee makers are being connected to the Internet and, therefore, can be accessed and controlled remotely. According to Gartner, an information technology research company, there will be over 20 billion connected devices by the year 2020.
This is good news if you want to turn your toaster on remotely, but bad news if a cybercriminal wants to wreak havoc in your life.
Malware that contains viruses, worms or Trojan Horses can arrive in an email, an internet download, a file, a fraudulent app or an altered app. Malware can be difficult and expensive to fix and remove. Its effects can range from annoying to damaging, including loss of information and destruction of computing devices.
Malware attacks are no longer limited to computers. They are now occurring on mobile phones and mobile device apps. Although Apple products have traditionally been safer, no device is immune from attack.
It’s not just inanimate objects that are at risk. People are being connected to the Internet through medical device implants and animals are connected through tracking transponders.
Practicing safe computing and using anti-virus protection can help prevent loss of data and damage to computing devices, though it’s not foolproof. Preventing a home security system or Wi-Fi network from being hacked can be trickier. But how do you protect your microwave or car from hacks, and what can do you if your device is attacked?
When an internet-connected device is hacked, pursing civil remedies can be challenging if the identity of the cyberperpetrator is unknown. Legal action may be possible against makers of the device for failure to reasonably anticipate and prevent foreseeable threats. Depending on the circumstances, claims may include negligence, negligence per se, product liability, breach of contract, breach of warranty and other legal theories.
Data Privacy versus National Security
The rise in terrorism has revived the national debate about privacy rights versus national security. In our post-9/11 world, consumer privacy is often at odds with national security. How much power should the government have to review personal communications and access personal data in order to keep us safe? Whose data should they be able to review and under what circumstances?
As consumers complete a growing number of tasks online – things like shopping and banking – they expose more information about themselves and therefore need greater security and encryption options. In exchange for this convenience, they voluntarily turn over personal data to the companies that provide the service.
Do technology companies like Apple, Google and Facebook have a social responsibility to cooperate with the government’s requests for information? Should companies like Facebook, Hushed, Telegram and Snapchat be required to maintain data on their servers – and for how long? How much lost privacy are consumers willing to exchange for increased security?
There are several potentially potent constitutional challenges that could be brought depending on what Congress decides to do, including those based on the freedom of association and the freedom of speech rooted in the First Amendment. A similar battle has been unfolding in the federal circuit courts based on NSA surveillance measures. In May, 2015, the 2nd Circuit Court of Appeals unanimously held that portions of the NSA’s collection efforts were illegal. Other circuits may come down in different ways, and this is the type of issue that could eventually end up before the Supreme Court.
Social Media and Online Content
Social media is here to stay. More than half of the population of the United States has a profile on a social networking site. Every day, Facebook receives more than four billion visits. Checking in is as easy as clicking a few buttons on your mobile device.
Online content is available as soon as it is posted, and it may be viewable permanently. Even if a person deletes their post, the content may have been saved on a server, caught with a screenshot, re-tweeted or forwarded.
Free speech and expression are protected by the First Amendment, but there are limits. Speech that infringes on another person’s rights may result in civil legal claims and even criminal charges.
Here are some common legal issues relating to online content:
Civil Privacy Rights and Invasion of Privacy
Regardless of how the broader policy debates about privacy and security unfold, our legal system continues to offer protections to persons whose privacy rights are violated. The right to privacy can be enforced through the court system by filing a lawsuit for invasion of privacy.
There are four main types of invasion of privacy claims:
- Intrusion of Solitude – intruding on a person’s private affairs, such as intercepting private information.
- False Light – spreading false information or innuendo.
- Appropriation of Name or Likeness – using someone’s appearance, which may include impersonating another person.
- Public Disclosure of Private Facts – publishing information that is truthful but would be objectionable to someone if made public.
The same rules apply for online defamation lawsuits as for offline claims. Generally speaking, defamation occurs when a false factual statement is published and causes injury. Truth is a defense, but it may be hard or expensive to prove. Although opinions are not defamatory, simply rephrasing a fact as an opinion will not shield the author from liability.
Cyberbullying and Cyberharassment
Cyberbullying and cyberharassment involve intimidating, stalking, threatening or harassing another person using technology such as the internet or mobile phones. It is a growing phenomenon in the digital age and, unfortunately, children are too often the victims. About half of all teenagers have been victims of some form of cyberbullying. The attacks can inflict lasting emotional scars on a young child.
All states have laws addressing bullying, and most of these laws address electronic harassment or cyberbullying. Most states have passed laws requiring school districts to create bullying and harassment policies. It is currently unclear whether and to what extent a school is legally responsible for off-campus and after-school harassment.
Victims may be able to pursue tort claims such as harassment, defamation and intentional infliction of emotional distress. A legal restraining order or injunction may be appropriate. Potential claims may exist against parents or school districts for failing to take action against known bullies.
A variety of additional legal claims may be available for improper online publication of content. Intentional, outrageous statements that cause severe emotional distress may give rise to a claim for intentional infliction of emotional distress. Statements that damage an actual or potential business relationship may support a claim for intentional interference with contractual relations.
If improper, embarrassing, derogatory or personal information is published in violation of the terms and conditions of the hosting website, it may be possible to force the site to remove it. If posted information violates a confidentiality agreement, a lawsuit can be brought for breach of contract. The publication of photographs may violate copyright laws. A person who demands compensation for the removal of photographs or information they publish may be liable for extortion.
Mobile Banking and Mobile Transactions
Mobile devices, including tablet computers and smartphones, are overtaking traditional desktop and notebook computers. Even when you’re at home sitting on the couch, it’s often easier to pick up a mobile device to buy something online than walk into the next room to use a larger computer.
Conducting banking and other transactions while on-the-go is convenient, but there are potential pitfalls. Thieves can use malware and fraudulent apps to steal your financial and personal data. Unencrypted data transmissions can be snatched out of thin air by cybercriminals.
If you lose your mobile device, you could be in big trouble, especially if you programmed your password into your mobile banking or shopping app. Even if you installed a lock screen, a thief with sufficient technical expertise may be able to access your device and the information stored in its memory.
Cell phone encryption can help protect data. Both Google and Apple are working to increase security on their mobile devices. The FBI, on the other hand, is seeking to have mobile devices include a “backdoor” so that authorities can access the data to track terrorists. It is unclear under what circumstances such data could be accessed. According to a 2014 United States Supreme Court decision, police officers must generally obtain a warrant before searching the contents of a mobile phone. (http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf)
Physical credit cards are still the safer alternative to mobile transactions. Credit card security has increased with the addition of embedded microchips. While this won’t eliminate credit card fraud, the consumer typically isn’t responsible for unauthorized charges.
Victims of mobile device hacks and attacks are typically faced with the same problem as other types of hacking victims when it comes to locating cybercriminals and obtaining justice from them. The more likely avenue for obtaining compensation for injuries is if a company that handled or stored the information was negligent in securing data or violated its written terms or promises.
We are bombarded with advertising messages on a daily basis. Most ads are unwanted and unsolicited. Advertising spam has moved beyond robotic telemarketing phone calls and spam faxes. Innovations in technology have resulted in email spam, text message spam and intrusive pop-up ads.
The CAN-SPAM Act of 2003 implemented certain regulations and restrictions on commercial emails and text messages. The law provides a limited private cause of action for internet access services but not to individuals.
More options are available when it comes to junk faxes and robocalls. The Telephone Consumer Protection Act of 1991 (TCPA) and the Junk Fax Prevention Act of 2005 prohibit unsolicited faxes, recorded solicitations and other activities such as violating the National Do Not Call Registry, though some exceptions apply. These laws grant individuals a private right of action, with statutory damages equal to $500 for each violation and up to $1,500 for each willful violation.
Virtual Reality and Virtual Worlds
Virtual reality involves using a computer to create a simulated three-dimensional world. It is predicted that the virtual reality market could reach $7 billion by 2018.
A growing area of virtual reality involves virtual worlds, such as InWorldz, Second Life and IMVU. From its inception in 2003, the virtual world of Second Life grew to 1 million regular users by 2013. That’s approximately the population of San Jose, California.
Online virtual worlds can be amazingly complex and life-like. They enable users to mirror everyday life, including starting a business, going to school, opening a bank account and buying goods and services. Some users find these interactive universes so alluring (or addictive) that they are spending more time in their virtual world than in the real world.
There are many unanswered legal questions when it comes to virtual reality in general and virtual worlds in particular. They include:
- Can you “own” a virtual product such as a home or spaceship?
- Is an avatar considered your “intellectual property”?
- Is an attack on your avatar the same as an attack on you personally?
As in other cutting-edge technology areas, the landscape is moving much more rapidly than legislatures and courts. In the meantime, questions are typically answered by resorting to existing “real life” laws.
The terms and conditions of the online provider may govern what behaviors are appropriate in the online world. By playing the game or entering the virtual world, a user may be giving consent to those contractual terms. In some games, pursuing acts that would carry criminal or civil consequences in real life is part of the game and, in fact, how a player advances to higher levels.
Users who have been harmed by engaging in a virtual world may have legal options they can pursue. Privacy laws provide protection for personal information. Outrageous conduct by another player may form the basis of a claim for intentional infliction of emotional distress. A trademark might protect the appearance of an avatar. At least one court has ruled that investing in virtual shares in an enterprise existing only in cyberspace may trigger securities laws in the real world.
If you have questions about technology or cybersecurity torts or would like more information about the Lamber Goodnow Technology and Cybersecurity Tort Practice Group, please contact us.