Archive for the 'Corporate Law' Category

Entrepreneur Magazine: “What to Do If Your Business Gets Hacked”

Todd Ruback December 5th, 2011

Privacy attorney Todd B. Ruback was quoted in an article found in today’s Entrepreneur Magazine entitled “What to Do If Your Business Gets Hacked” by Riva Richmond.  The article can be found at http://www.entrepreneur.com/article/220807.

The information contained in this blog is intended solely for informational purposes; it is an advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C. This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.

Privacy Case of the Week Newsletter- Issue #2

Todd Ruback November 7th, 2011

Privacy Case of the Week Newsletter

Issue 2

November 7, 2011

By Todd B. Ruback, Esq., CIPP, CIPP/IT

This issue is not about a privacy case, but rather is an update on the California and Texas data breach notification laws. 

California

The amended state data breach notification law, S.B. 24, goes into effect on January 1, 2012 and mandates that businesses and state agencies that are required to provide notice to state residents because of incurred data breaches must, in addition to their other obligations, also do the following:

  1. Notify the California Attorney General if notification for any one breach is greater than 500 state residents
  2. Notices must be specific and include:
     - Type of information breached
     - Time of the breach
     - Toll free number of the major Credit Reporting Agencies
  3. If breaches are greater than 500,000 state residents or will cost more than $250,000 to send notices, then in addition to posting notice of the breach on their website and in major statewide media, such as newspapers, the business must notify the California Office of Privacy Protection (State agencies must notify the California Office of Information Security).

Additionally, Covered Entities under HIPAA are deemed to be compliant with S.B. 24 if they are in compliance with the data breach notification requirements under HIPAA.

Texas

Texas recently expanded the breadth and reach of its state data breach notification law through the passage of H.B. 300. Under the amended law, residents of states which do not presently have a state data breach notification law (Alabama, Kentucky, New Mexico and South Dakota) must be notified of a data breach incurred by a business that conducts business in Texas. Unfortunately the law does not define “conducts business in Texas”. The law provides for penalties to the company for non-compliance with its obligation to notify non-Texas residents who are not covered by another state’s data breach notification law. For non-Texas residents whose states do have a state data breach notification law, H.B. 300 provides that they too must receive notice. However, if a business complies with the respective state’s data breach notification law, then it is deemed to have complied with H.B. 300.

The amended law adds penalties for non-compliance.  Under the old law the state could impose fines of up to $50,000 for each violation of the state data breach notification statute. In addition to this potential penalty, H.B. 300 provides for statutory penalties of up to $100 per individual per day for failure to provide notice, not to exceed $250,000 for a single breach. Additionally, the state Attorney General may also recover its reasonable expenses for enforcement actions.  The maximum penalty for any one data breach in Texas under H.B. 300 is now $300,000 plus expenses.

Texas also modified its definition of sensitive personal information to include not only name plus social security number, government issued identification card number or financial account number, but also personally identifying information such as the physical or mental health condition, or the health care that was given to a person, or information about the payment about such health care.

H.B. 300 also amends the state’s Health and Safety Code to impose privacy and security requirements that are stricter than HIPAA’s requirements. These more stringent privacy and security requirements on health care extend to entities that are neither “Covered Entities” nor “Business Associates” under the HIPAA definitions. Under H.B. 300 a “Covered Entity” is any entity that handles Protected Health Information (as defined by HIPAA). These entities must now implement training programs and provide notices to consumers about electronic disclosures that the Covered Entity makes. In essence, the amended law in Texas imposes new privacy compliance obligations on businesses that were previously not under the auspices of HIPAA at all.

Penalties for healthcare violations under H.B. 300 range from $5000 per negligent violation to $25,000 for knowing or intentional violations, to $250,000 per violation in which the covered entity knowingly or intentionally uses PHI for financial gain. There is an annual cap on liability of $250,000, but for repeat offenders where there is a pattern of violations, a court may impose a penalty of up to $1,500,000 annually.

Conclusion:

In a situation of a breach to a company conducting business in Texas where only residents of Alabama, Kentucky, New Mexico or South Dakota are affected, the long arm of Texas may impose penalties and fines for non-compliance with the amended Texas data breach notification law. Penalties and fines are increased to the higher end of the national scale.  Further, any company conducting business in Texas that handles PHI under the expanded concept should actively review its processes to identify any risks and vulnerabilities, so it may impose controls to mitigate such risk.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in privacy matters.  For additional information about the matters in this bulletin or in the firm’s Privacy and Technology Law Group, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT.

Todd B. Ruback, Esq., CIPP, CIPP/IT is chair of the Privacy and Technology Law Group at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He is also chairman of the Privacy Special Committee of the New Jersey State Bar Association.  He represents insurance carriers as a data breach attorney, providing incident response services and defense litigation. He also performs privacy audits to determine the gaps and maturity of a company’s privacy processes, as well as implements privacy best practices.  He can be reached at 908-757-7800 x196 or by email at truback@newjerseylaw.net.


Privacy Case of the Week Newsletter Issue 1

Todd Ruback October 28th, 2011

Privacy Case of the Week Newsletter

Issue 1

This issue of the Privacy Case of the Week Newsletter features Anderson v. Hannaford Bros., Co., No. 10-2384 and No. 10-2450 (1st Cir. Oct. 20, 2011). In this data breach class action lawsuit the Appellate Court in Maine focused on a narrow set of facts in determining that the plaintiffs had legally recognized damages and thus could survive a Motion to Dismiss. In Hannaford the defendant was targeted in 2007 by hackers who penetrated the defendant’s computer network for the express purpose of stealing credit/debit card information and ultimately did steal 4.2 million credit/debit card numbers. The trial court dismissed the plaintiffs’ causes of action for negligence and breach of an implied contract, stating that under Maine law damages for the cost and effort associated with mitigation against identity theft were too remote to be foreseeable by the defendant. The Appellate Court took up the case upon the narrow issue of whether the plaintiffs, who had not suffered fraud losses, but had incurred costs and expended efforts to protect their identity and mitigate losses, had damages that were reasonably foreseeable.

Under Maine law a plaintiff may recover damages under negligence and contract claims for reasonable out-of-pocket mitigation costs and expenses. The Appellate Court held that because this particular breach targeted credit/debit card information, it was reasonable for the affected consumers to spend money to protect their identities by purchasing credit insurance and also having new credit/debit cards issued. In its holding the Appellate Court distinguished between the targeted hacking of a network with the purpose of stealing credit/debit card information and other types of data breaches such as the inadvertent loss of laptops, in which the loss of the equipment is not linked to a deliberate attempt to commit credit card fraud. Although other credit card based breach litigation has generally resulted in dismissal at the trial court level, the Appellate Court distinguished Hannaford from those cases because in Hannaford approximately 1800 of the 4.2 million credit/debit cards stolen, or 0.00042%, actually suffered some degree of identity theft or misuse. Thus, the defendant had notice and was aware that the identity theft or misuse had occurred.

Although the Hannaford holding is contrary to the general trend in data breach litigation, the particular set of facts in this case is so narrow that one should not infer a swing in the data breach litigation pendulum. However, insurance carriers and their insureds would be wise to shift their approach in underwriting by keeping in mind that there is now precedent for distinguishing between breaches that target credit/debit card information and inadvertent data breaches.

Todd B. Ruback is head of the Privacy and Technology Law Group at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. (www.dbnjlaw.com). He is also chairman of the Privacy Committee of the New Jersey State Bar Association. He can be reached at truback@newjerseylaw.net or by phone at 908-757-7800 x196. His practice focuses on data breach incident response, litigation defense, and data breach prevention.



Law Firm Announces Privacy Risk Assessments and Privacy/Data Protection Audits of Outsourcing Providers

Todd Ruback March 30th, 2011

Todd B. Ruback, Esq., CIPP, CIPP/IT, through the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C., is now providing privacy risk assessments and privacy/data protection audits of outsourcing providers. These services are valuable to any organization that is going through an RFP process as part of its due diligence, as well as its on-boarding process and compliance requirements to do annual vendor check-ups. As part of the services the law firm goes through a series of proprietary checklists to ensure that your outsourcing partners are complying with the highest privacy standards, laws and regulations to protect not only your customer and employee personal information, but also your organization’s trade secrets and confidential information.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in  technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

A Year After Stengart: What’s Changed?

SteveK March 28th, 2011

It’s been a year since the New Jersey Supreme Court decision in Stengart v. Loving Care Agency, 990 A.2d 650 (2010), and what has changed? The Stengart case shook the world of employment law because it is one of the first cases to provide that an employee has an expectation of privacy in personal, password protected, web-based emails sent on a company computer through a company server, irrespective of the fact that the employer had a computer use policy in effect at the time. The Court held that the Plaintiff had a subjective expectation of privacy in her emails because they were password protected and she did not save them on the company computer, as well as the fact that the emails were between her and her attorney, which is a fiduciary personal relationship. When the company captured the emails from her computer after she left employment and shared those emails with their defense attorneys, the defense attorneys had an obligation to not read them because the emails were privileged and to promptly return them to the Plaintiff’s attorneys.

Will Stengart mean that employees have an unfettered expectation of privacy in personal emails at work so long as they are sent and received on a web-based platform and are password protected? Probably not. That would be a broad end-run around a company’s computer use policy and that isn’t the message from the Court in Stengart. Rather, Stengart may end up meaning that employers have to be more precise in giving adequate warning to their employees that the contents of emails from a personal account may be monitored. Employers will have to drill into specifics in their computer use and internet use policies, so that any argument that the policy or policies are ambiguous is obviated. As the Court in Stengart held, “Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers.” The Court went on to say that “Companies can adopt and enforce lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies…. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.”

 Will Stengart mean that there is a narrow expectation of privacy in personal emails at work when the emails are with an attorney and fall under the attorney-client privilege?  Probably not.  If that were the case, the Court would not have gone through its detailed logic in arriving at its holding.  Instead, it could have simply said personal emails at work with an attorney are privileged and are not discoverable.  But it did not say that.  In fact, the Court went to great lengths to discuss a concept called a “subjective expectation of privacy” and also to discuss computer use policy ambiguity. 

The Stengart message is that an employer would be wise to not construe Stengart too narrowly in thinking its application is only for attorney-client communication; nor should an employer construe Stengart too broadly in thinking that an employee now has an unfettered expectation of privacy in his emails so long as the emails meet certain criteria, namely that they are password protected and are sent on a web-based platform. Rather, a cogent course for an employer to take is the middle ground. There may well be an employee expectation of privacy in emails that are sent on a password protected web-based platform, regardless of whether it is with the employee’s attorney, unless there are pro-active steps taken by the employer to obviate a subjective expectation of privacy and to clarify any computer use or internet use policy ambiguities. Employers should consider not only revising their computer use and internet use policies to be more precise as to this point, but also should consider the design and implementation of rigorous and consistent employee training programs that include employee acknowledgements.


A.M.Best Podcast on Insurance and Privacy Law

SteveK January 19th, 2010

Steven Kunzman and Todd Ruback of the firm recently participated in a podcast with A.M. Best regarding developments in privacy law and related insurance issues. To hear the podcast go to: http://www3.ambest.com/bestfeed/insurancelaw/Insurance_Law_Podcast_40.mp3

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in insurance coverage matters as well as technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Steven A. Kunzman, Esq. who heads our Insurance Coverage Department; for additional information about the firm’s technology and privacy practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

10th Circuit Court Allows PRP to Intervene to Challenge CERCLA Settlement.

SteveK December 8th, 2009

On November 10, 2009 the Court of Appeals for the 10th Circuit permitted Union Pacific Railroad (UPR) to intervene in the CERCLA action for the purpose of challenging a pending settlement between 44 other PRPs and the U.S.

In U.S. v. Albert Investment Company, et al. the 10th Circuit Court weighed in on a dispute among courts in various jurisdictions as to whether protection of the right of contribution under Section 113 is an interest that is legally sufficient to permit intervention as of right. The Court held that it is and reversed a decision of the District Court denying UPR’s motion to intervene.

The U.S. had negotiated a settlement with the 44 PRPs for the Double Eagle Lubricants Superfund Site in Oklahoma City. The 12-acre site was owned by UPR as a result of its acquisition of the Missouri Pacific Railroad Company. The U.S. filed suit against the 44 PRPs to effectuate the settlement by entry of a Consent Decree that provided the PRP group protection from suit. UPR, which had been sued separately, moved to intervene in the suit against the 44 since the Consent Decree would provide immunity from the contribution claims of UPR. The Court reasoned that when Section 113(f) is read as a whole, it is clear that a contribution right exists until it is eliminated by a settlement. The Court concluded that a delay in the proceedings to address UPR’s challenge would do no more than delay the allocation of costs among all the PRPs (including UPR) since the remediation was complete. Further, the Court held that the statutory right to contribution is worthy of protection. Finally, the Court held that UPR’s failure to agree to settlement does not diminish its right to intervene. The Court noted that the trial court might still decide against UPR and extinguish its contribution right; however, that does not make it any less interested or impair its interest in the disposition of the case. The Court also held that UPR’s right to comment on the settlement during the notice-and-comment period required for lodging of a Consent Decree was insufficient to protect UPR’s statutory rights because, in part, only a decision by a court on the claims of the intervenor would be subject to appellate review.

 This decision has potentially significant implications with regard to settlement of CERCLA matters. The government would have to be wary of bringing a separate suit against secondary PRPs  in anticipation of a quick settlement, expecting to be able to carve out other PRPs.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contact Steven A. Kunzman, Esq. who heads our Environmental Department.

Privacy, Insurance: Legal Considerations

SteveK November 16th, 2009

By Steven A. Kunzman, Esq. and Todd B. Ruback, Esq., CIPP

Privacy Overview

The pervasive use of the Internet as a business platform and for the collection, use and transmission of personal information presents fertile ground for the growth in claims arising from data breaches and improper privacy practices. As these claims arise, they will undoubtedly be tendered to insurers for defense and indemnification under various commercial policy forms, including those recently developed to provide coverage for privacy claims.[1] Insurance companies must be cognizant of the changing winds on the privacy landscape. Due to increasing regulatory compliance requirements and a spike in privacy related litigation flowing from record setting data breaches, organizations and insurance carriers will undoubtedly be faced with privacy as a significant risk component to business. According to Verizon Business’s 2009 Data Breach Investigation Report, 2008 saw more reported data breaches than the previous four years combined, with 285 million records breached.[2] The Ponemon Institute estimated in its 2009 Annual Study that the average cost for a data breach exceeded $200 per record for organizations that were first time victims of a data breach.[3] Numerous class action suits for privacy violations have been filed, the most famous of which is against Heartland Payment Systems, for a massive breach caused by external hackers.[4] Additionally, the FTC and Attorneys General of states across the country appear to be stepping up enforcement actions against companies for improper privacy practices.

The likelihood of an organization facing a privacy-related claim for liability or a regulatory enforcement action for improper privacy practices has increased significantly. Concordantly, claims for coverage under insurance policies will increase significantly over the coming years. Although the present anticipated harm to any individual does not appear to be significant, these claims will have an impact on an insurer by increasing costs for claims processing, investigation, incident response management, complying with statutorily required breach notification processes, litigation defense and payment of claims, particularly the costs for any class action claims.

Privacy Litigation and its Impact Upon the Insurance Carrier

 Some background in privacy issues is helpful to put these potential claims into an understandable context. There are two components to privacy:  data protection and privacy practices.  Both components are governed in large part by either regulation or statute, and in some cases by common law. 

Data Protection: Data Protection encompasses the security of data that contains personal information. There are generally three elements to security: technical, physical and administrative. Industries such as financial services and healthcare have security standards as respectively enumerated in the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA). Further, the payment card industry has created its own technically objective security standard, PCI-DSS, which applies to many organizations that accept payment cards.

A security breach may take many forms, some of which include the unauthorized access to personal information by an external source such as a hacker or an outsourced service provider, the unauthorized access to personal information by an internal source such as an employee or contractor, or something as simple as the theft of a company laptop that contains personal information.

Private party lawsuits against companies for failing to protect data due to deviation from certain standards are based upon a negligence theory. To date plaintiffs have had difficulty prevailing on negligence claims, although there have been numerous and significant settlements.[5] The challenge plaintiffs have faced is in proving actual damages that were proximately caused by the defendant’s failure to protect personal information.[6] Some courts, however, are beginning to view data breach litigation in a similar light to toxic tort medical monitoring claims in that the threat of future harm may be sufficient to sustain a claim.[7] If this “future risks” approach to data protection litigation gains traction, then insurance companies can look forward to more protracted and costly litigation, with the potential for significant jury awards under the class action umbrella.

Privacy Practices: Privacy practices that may be subject to claims include: improper collection, use, or transfer of personal information; the improper collection of information using unauthorized cookies, spiders, spyware, or other technological means; failure to protect personal information according to a company’s posted online privacy statement; having a privacy statement that does not meet regulatory requirements;[8] spamming, improper faxing or telemarketing; and the commission of privacy torts such as the invasion of privacy. For companies that transact online business in not only the United States, but also the European Union (EU) where the laws on privacy practices are greatly different, compliance becomes complex and risk of an improper privacy practice rises greatly.

Companies committing improper privacy practices are often subject to multiple layers of penalties or fines not only in the EU but also in the United States. For example, if a company fails to protect personal information according to its posted online privacy statement, it may be subject to an investigation and penalties from both the Federal Trade Commission (FTC) and state authorities for unfair/deceptive online trade practices,[9] in addition to the potential private claims for violations of state consumer protection laws. In essence, a company may pay three times for the same transgression in the US. Although insurance policies generally exclude coverage for regulatory or enforcement actions by governmental bodies, the exposure is presented in private litigation, which may require aggressive defense of the regulatory claim. It appears, however, that some of the new privacy insurance policies may offer coverage for regulatory matters.

Insurance Coverage: Coverage Part B of a typical Comprehensive General Liability (CGL) insurance policy generally includes coverage for damages caused by “personal injury” and “advertising injury.” Although those representing the insured often consider this section of the insurance policy to provide an expansive grant of coverage, this coverage is usually considered by the insurer to be limited to a number of specified claims such as personal injury, which is often defined in a CGL policy as “an injury arising out of…violation of an individual’s right of privacy.” Part B of the policy states that the insurance applies to personal injury if “caused by an offense…[a]rising out of the conduct of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” These policy forms were surely designed without any contemplation of the current risks since they have only come into existence with the pervasive use of computers and the Internet to transact business. In addition, there may be issues as to when the “injury” has taken place; at the time of the breach or the time when the personal injury is actually sustained. In order to be able to properly evaluate and assume the risks some insurers have, therefore, developed policies to specifically address the risks presented. Undoubtedly if claims continue to rise and develop as anticipated, insurers may dispute coverage and/or respond to the claims being asserted based upon policies that, at the time of issuance, did not envision the present risk of injury caused by data breach. Management of the risk therefore requires a thorough understanding of the nuances of the laws and requirements of best of breed privacy practices.

 Conclusion

The changing privacy landscape will have a tangible impact on an insurance carrier’s costs of responding to claims under the personal injury and advertising portions of the CGL policies and under specifically designed policies. Foresight in addressing these risks and an understanding of the landscape of privacy laws and issues will be an essential component to underwriting the risks and defending the claims.

 End Notes

 

[1] Zurich North America Commercial Expands Security, Privacy Insurance Coverage, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=218400572

[2] Verizon Business 2009 Data Breach Investigations Report, by Wade Baker, April 15, 2009

[3] Ponemon Institute’s Fourth Annual US Cost of Data Breach Study, by Dr. Larry Ponemon, January 2009

[4] In Re: Heartland Payment Systems, Inc. (626 F. Supp 2d 1336; 2009 U.S. Dist. LEXIS 81493) (Order granting consolidation of class action lawsuits.)

[5] See, In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389; 2007 U.S. Dist. LEXIS 87920 (over $40M settlement) and Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. January 27, 2009) ($20M settlement)

[6] See, Forbes v. Wells Fargo Bank, N.A., 420 F. Supp2d 1018, 1021 (D.Minn.2006); Giordano v. Wachovia Sec., LLC., 2006 2177036 (D.N.J. July 31, 2006) (unpublished); Guin v. Brazos Higher Educ. Serv. Corp., Inc. 2006 WL 288483 (D. Minn.) Feb 7, 2006 (unpublished); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006)

[7] See, Pisciotta v. Old Nat. Bancorp, 499 F.3rd 629 (7th Cir. Aug. 21, 2007)

[8] See, GLBA

[9] See, Pinero v. Jackson Hewitt Tax Services, No. 08-3535 (E.D. La. Jan 7, 2009)

 


About the Authors

 Todd B. Ruback, Esq. is chair of the Privacy and Technology Practice at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He is also a Certified Information Privacy Professional (CIPP) and thought leader in the area of privacy law.  He has authored or co-authored numerous publications on privacy and is also a lecturer at various privacy seminars and conferences.  He is a present nominee to be on the Board of Directors of the International Association of Privacy Professionals (IAPP) for the upcoming term of 2010-2015 and will be a speaker at the IAPP International Privacy Convention to be held in Washington, D.C. in April 2010, where he will lecture on trends and risk in privacy litigation. 

 

 Steven Kunzman, Esq. is the chair of the Insurance Coverage Practice of the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He has been providing counsel and representation to insurance companies on insurance coverage matters and defense to insurance company clients for over 25 years.  

 

 

EPA evaluating revised Preliminary Remediation Goals (PRGs) for Dioxin

SteveK October 20th, 2009

In May of 2009 the EPA Administrator, Lisa P. Jackson, determined that the agency should reassess the risks presented by human exposure to dioxin. This assessment is planned to be completed by the end of 2010. The Office of Solid Waste and Emergency Response (OSWER) will be reviewing the current dioxin cleanup guidance, which was developed in 1985, in light of current scientific knowledge, with the goal of developing interim PRGs with a full review, including public comment. The interim PRGs will be based upon a review of current soil cleanup levels and toxicity values used by the states and the Agency for Toxic Substances and Disease Registry, as well as standards developed in other countries. The OSWER will give consideration to the currently recommended PRGs for Superfund, Federal Facilities, Brownfields and RCRA sites, which are 1 ppb for residential soil and in the range of 5 ppb to 20 ppb in commercial/industrial soil where exposure is due to direct contact. The interim PRGs are intended to be used to evaluate pending cleanup decisions, although they will not necessarily be employed as site-specific cleanup levels. The PRG levels will be considered as a starting point for sites, but site-specific factors, such as exposure frequency or acceptable cancer risk, will be taken into account to develop the site’s baseline risk assessment. The current schedule for the development of the interim recommended PRGs includes the opening of a public comment period this month, October 2009, with the interim recommended PRGs available for public comment in the Federal Register on December 31, 2009. The public comment period is to end in February 2010 and the guidance is to be issued in June 2010, depending on the extent of public comments received.

More information can be found at: www.epa.gov/superfund/policy/remedy/sfremedy/remedies/dioxininterimplan.html

 

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contact Steven A. Kunzman, Esq. who heads our Environmental Department. 

NJ Supreme Court Rejects Award of Counsel Fees to Employer in CEPA Case

SteveK October 19th, 2009

On October 15, 2009, the New Jersey Supreme Court broke new ground in Best v. C&M Door Controls, Inc., holding that a defendant employer is never entitled to an award of counsel fees pursuant to the “offer of judgment rules” in a case involving either the Conscientious Employee Protection Act (CEPA) or the Prevailing Wage Act (PWA), two New Jersey statutes protecting employees from retaliation if they engage in certain defined protected activity.

 

Plaintiff Thomas Best sued his former employer, C&M Door Controls, for violations of the PWA and CEPA, claiming that he was underpaid for certain work covered by the PWA and that, when he complained, his employer retaliated. At some time prior to trial, Best made an offer of judgment, which included fees and costs, in the amount of $100,000; the defendants made counter offers of judgment in the amounts of $15,000 and $25,000 for the respective claims. All offers were rejected. The trial resulted in a defense verdict on the CEPA claim and a jury award of $2600 on the PWA claim. Plaintiff applied to recover fees pursuant to the fee shifting provisions of the PWA in the amount of $122,000.

 

The trial court granted plaintiff fees, but reduced the fee award by 40% based on plaintiff’s “limited success” and also awarded fees to the employer on the failed CEPA claim in accordance with the offer of judgment rule. The Appellate Division affirmed the fees awarded to the defendants; however, the Supreme Court reversed. The Supreme Court held that a trial judge might consider the offer of judgment made by the employer and unjustifiably rejected by the plaintiff in determining the amount of fees to be awarded to a prevailing plaintiff, if “under all the circumstances” the offer of judgment was reasonable. The Court ruled, however, that there is no basis to shift the fees to a defendant in such a case.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( http://www.dbnjlawblog.com) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of parties in employment matters. For additional information about the matters in this bulletin or in the firm’s Employment Practice, please contact Richard P. Flaum, Esq.
