Issue #1-2012

January 5, 2012

Todd B. Ruback, Esq., CIPP/US, CIPP/IT

This issue of the Privacy Case of the Week Newsletter features a precedential case in the Third Circuit, Reilly v. Ceridian Corporation, No. 11-1738 (3^rd Cir., December 12, 2011), a class action data breach case,in which the 3rd Circuit Court of Appeals affirmed an order of US District Court for the District of New Jersey granting the Defendant’s motion to dismiss for lack of standing and failure to state a claim. In following the growing trend among numerous Federal courts, the Court of Appeals held that the Appellants lacked standing and did not reach the merits of a substantive issue. (For some such cases see, Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-1053(E.D. Mo. 2009), Key v. DSW, Inc., 454 F. Supp 2d 684, 690 (S.D. Ohio 2006)). 

Ceridian is a payroll processing company based in Minnesota.  They collect personal information about employees of their customers in order to issue payroll checks and withhold taxes.  The Appellants were employees of a law firm, which was a customer of Ceridian.  In 2009 Ceridian suffered a security breach when an unknown computer hacker gained access to the Appellants’ personal information, as well as the personal information of approximately 27,000 other employees of Ceridian customers.  Ceridian performed an investigation of the security breach and as a result sent notification letters to the individuals whose personal information may have been accessed. In 2010 the Appellants filed a lawsuit against Ceridian in the US District Court for the District of New Jersey alleging that they had an increased risk of identity theft, had incurred costs to monitor their credit activity and had suffered emotional distress.   Ceridian soon after filed a motion to dismiss for lack of standing and failure to state a claim. The District Court granted the motion to dismiss, holding that the Appellants lacked Article III standing under the US Constitution, and further held that even if the Appellants had standing, they nonetheless failed to adequately allege the damages, injury and ascertainable loss elements to their claim.  Appellants appealed.

The Court of Appeals, in agreeing with the District Court, held that allegations of hypothetical, possible future injury did not establish standing (injury-in-fact) under Article III of the US Constitution.  As part of its analysis the Court of Appeals stated that ‘Constitutional standing requires an “injury-in-fact, which is an invasion of a legally protected interested that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Danvers Motor Co. v. Ford Motor Co., 432 F.3^rd 286, 290-291 (3^rd Cir. 2005) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992).’  The Court of Appeals further stated that the “Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and(3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus no harm.”

Appellants, in trying to convince the court to go against the growing trend of dismissal for lack of standing in class action breach litigation, relied principally on Piscotta v. Old National Bancorp, 499 F.3^rd 629 (7^th Cir. 2007) and Krottner v. Starbucks Corp., 628 F. 3^rd 1139 (9^th Cir. 2010), whereby those courts conferred standing.  Here, however, the Court of Appeals found those cases had little persuasive value. 

In both Pisciotta and Krottner the threatened harms were significantly more imminent and certainly impending.  In distinguishing those two cases from Ceridian the Court of Appeals stated that ‘In Pisciotta there was evidence that “the [hacker’s] intrusion was sophisticated, intentional and malicious.             499 F. 3rd at 632. In Krottner, someone attempted to open a bank account with a plaintiff’s information following the physical theft of the laptop. See 628 F.3^rd at 1142.  Here, there is no evidence that the intrusion was intentional or malicious.  Appellants have alleged no misuse, and therefore, no injury.  Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated.  Appellants’ string of hypothetical injuries do not meet the requirement of an “actual or imminent” injury.” ‘

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in privacy matters.  For additional information about the matters in this bulletin or in the firm’s Privacy and Technology Law Group, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT.

Todd B. Ruback, Esq., CIPP, CIPP/IT is chair of the Privacy and Technology Law Group at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He is also chairman of the Privacy Special Committee of the New Jersey State Bar Association.  He represents insurance carriers as a data breach attorney, providing incident response services and defense litigation. He also performs privacy audits to determine the gaps and maturity of a company’s privacy processes, as well as implements privacy best practices.  He can be reached at 908-757-7800 x196 or by email at truback@newjerseylaw.net.

The information contained in this blog is intended solely for informational purposes; it is a advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C.This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.

The information contained in this blog is intended solely for informational purposes; it is a advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C.This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in privacy matters.  For additional information about the matters in this bulletin or in the firm’s Privacy and Technology Law Group, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT.

The information contained in this blog is intended solely for informational purposes; it is a advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C.This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.

James J. Moloughney, Esq., who is of counsel to the firm,  who concentrates his practice in family law matters and is certified by the New Jersey Supreme Court as a Matrimonial Attorney and is an approved mediator for matrimonial matters, has been elected President of the Somerset County Bar Association.
Todd Ruback, Esq., who s of counsel to the firm, is  a Certified Information Privacy Professional (CIPP) and Certified Information Privacy Professional/Information Technology (CIPP/IT) and concentrates his practice in internet privacy and technology matters has been appointed Chairman of the Privacy Committee of the New Jersey State Bar Association.  Todd will be working with the Institute for Continuing Legal Education (ICLE) to create a seminar on privacy law in New Jersey.
Richard Pompelio, Esq. (Of Counsel) and Nicholas Pompelio, Esq. (associate) have joined the firm.
Rich is the Founder and Executive Director of the NJ Crime Victims’ Law Center (1992 to present) and former Chairman of the NJ Victims of Crime Compensation Board (2003-2005). He is a graduate of the University of Kentucky College of Law. He teaches at Sussex County Community College and Centenary College. Rich has published a book (Crime Victims’ Rights) and two magazines (Victim Voice).  He will be responsible for establishing the Crime Victim Civil Litigation Practice Group for the firm.
Nicholas is a 2008 graduate of New England School of Law, where he served as Associate Editor of the New England Law Review. He clerked from 2008 to 2009 for Judge Thomas Critchley in the Superior Court, Morris County.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in  technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in  technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

 Will Stengart mean that employees have an unfettered expectation of privacy in personal emails at work so long as they are sent and received on a web-based platform and are password protected?  Probably not.  That would be a broad end-run around a company’s computer use policy and that isn’t the message from the Court in Stengart.  Rather, Stengart may end up meaning that employers have to be more precise in giving adequate warning to their employees that the contents of emails from a personal account may be monitored.  Employers will have to drill into specifics in their computer use and internet use policies, so that any argument that the policy or policies are ambiguous is obviated.  As the Court in Stengart held, “Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers.”  The Court went on to say that ”Companies can adopt and enforce lawful polices relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies….But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. 

 Will Stengart mean that there is a narrow expectation of privacy in personal emails at work when the emails are with an attorney and fall under the attorney-client privilege?  Probably not.  If that were the case, the Court would not have gone through its detailed logic in arriving at its holding.  Instead, it could have simply said personal emails at work with an attorney are privileged and are not discoverable.  But it did not say that.  In fact, the Court went to great lengths to discuss a concept called a “subjective expectation of privacy” and also to discuss computer use policy ambiguity. 

 The Stengart message is that an employer would be wise to not construe Stengart too narrowly in thinking its application is only for attorney-client communication; nor should an employer construe Stengart too broadly in thinking that an employee now has an unfettered expectation of privacy in his emails so long as the emails meet certain criteria, namely that they are password protected and are sent on a web-based platform.  Rather, a cogent course for an employer to take is the middle ground.  There may well be an employee expectation of privacy in emails that are sent on a password protected web-based platform, regardless of whether it is with the employee’s attorney, unless there are pro-active steps taken by the employer to obviate a subjective expectation of privacy and to clarify any computer use or internet use policy ambiguities.  Employers should consider not only revising their computer use and internet use policies to be more precise as to this point, but also should consider the design and implementation of a rigorous and consistent employee training programs that include employee acknowledgements. 

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in  technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

March 11, 2011

Organizations are generally cognizant of their obligations to protect their customers’ personal information (PI).  Most organizations have privacy policies in place that describe their approach to the collection and protection of their customers’ PI.  Organizations spend significant amounts of time, effort and money to ensure that the processes concerning the collection and protection of their customers’ personal information match what the privacy policies say.  Less attention, however, has been spent on the protection of other types of information that organizations may collect. This information includes information that must be protected by contract, confidential information, trade secrets, payment card information, regulated information, and of course the employee PI.  This is important because many organizations dedicate the majority of their information security dollars to protect their customers’ PI. They do so because they rightly fear the consequences of a data breach of their customers’ PI, namely class action litigation, regulatory enforcement actions, the cost of response to a data breach incident, and the loss of goodwill and corporate reputation.  However, organizations would be well served to give thoughtful consideration to whether they are adequately protecting these other types of information that they collect and whether the expenditure of information security dollars is properly aligned with actual risks.

The consequences of not adequately protecting these other types of information can be significant and include not only the same consequences as those of a data breach of their customers’ PI, but also include possible litigation for breach of contract with partners and corporate customers, as well as the loss of value of intellectual property due to leakage of trade secrets or confidential information.

In order to have a thoughtful conversation about how to protect these other types of information, a general counsel or privacy professional should first perform a privacy risk assessment.  The purpose of the privacy risk assessment is to understand where the privacy risks are for the organization so mitigation controls can either be put in place or risk transfer instruments such as insurance can be purchased.

As part of the privacy risk assessment, a useful first step is to determine where the data is and who the data owners are.  By going through this exercise you will help ensure that data is not improperly collected, used or stored beyond the business need or regulatory requirements.  You will also validate that the proper identity and authorization processes are in place for access to the data.

A second step in a privacy risk assessment is to understand the methods that the data is collected, as well as to perform an inventory, categorization, and data mapping to understand the degree of sensitivity of the data. This will help to ensure that the data is being properly treated.  As part of this step it is important to know the purpose for which the data is being collected and what your obligations are around each piece of data.  If this is not clearly understood, then you can’t put the right controls in place and you may be in violation of contractual or regulatory obligations, your organization’s intellectual property may be at risk, or your customers’ confidential information may be at risk.  If your organization transfers the data onward to third parties, it can be determined at this juncture.  This determination is likewise important, as it will shed light on whether your organization is at risk for improperly transferring the data, whether your third parties have adequate controls in place, or whether you need to have further controls imposed upon these third parties.

The Privacy and Technology Group of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. helps organizations have thoughtful conversations about the information they collect and how that information is protected. We partner with out clients to perform privacy risk assessments and to develop implementation plans based upon best privacy practices that help reduce the risk of litigation and regulatory action while creating a privacy-based value added proposition that sets organizations apart from their competitors.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in  technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in insurance coverage matters as well as technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Steven A. Kunzman, Esq. who heads our Insurance Coverage Department; for additional information about the firm’s technology and privacy practice, please contact Todd. R. Ruback, Esq. who heads our Technology and Privacy Law Department