Archive for the tag 'Technology Law'

FIRM NEWS

SteveK August 12th, 2011

We are pleased to announce the following:

James J. Moloughney, Esq., of counsel to the firm, who concentrates his practice in family law matters, is certified by the New Jersey Supreme Court as a Matrimonial Attorney and is an approved mediator for matrimonial matters, has been elected President of the Somerset County Bar Association.
Todd Ruback, Esq., of counsel to the firm, who is a Certified Information Privacy Professional (CIPP) and Certified Information Privacy Professional/Information Technology (CIPP/IT) and concentrates his practice in internet privacy and technology matters, has been appointed Chairman of the Privacy Committee of the New Jersey State Bar Association.  Todd will be working with the Institute for Continuing Legal Education (ICLE) to create a seminar on privacy law in New Jersey.
Richard Pompelio, Esq. (Of Counsel) and Nicholas Pompelio, Esq. (associate) have joined the firm.
Rich is the Founder and Executive Director of the NJ Crime Victims’ Law Center (1992 to present) and former Chairman of the NJ Victims of Crime Compensation Board (2003-2005). He is a graduate of the University of Kentucky College of Law. He teaches at Sussex County Community College and Centenary College. Rich has published a book (Crime Victims’ Rights) and two magazines (Victim Voice).  He will be responsible for establishing the Crime Victim Civil Litigation Practice Group for the firm.
Nicholas is a 2008 graduate of New England School of Law, where he served as Associate Editor of the New England Law Review. He clerked from 2008 to 2009 for Judge Thomas Critchley in the Superior Court, Morris County.

 

A Year After Stengart: What’s Changed?

SteveK March 28th, 2011

It has been a year since the New Jersey Supreme Court’s decision in Stengart v. Loving Care Agency, 990 A.2d 650 (N.J. 2010). What has changed?  Stengart shook the world of employment law because it is one of the first cases to hold that an employee has an expectation of privacy in personal, password-protected, web-based emails sent on a company computer through a company server, irrespective of the fact that the employer had a computer use policy in effect at the time.  The Court held that the plaintiff had a subjective expectation of privacy in her emails because they were password protected and she did not save them on the company computer, and because the emails were between her and her attorney, a fiduciary personal relationship.  When the company retrieved the emails from her computer after she left employment and shared them with its defense attorneys, the defense attorneys had an obligation not to read them, because the emails were privileged, and to promptly return them to the plaintiff’s attorneys.

Will Stengart mean that employees have an unfettered expectation of privacy in personal emails at work so long as they are sent and received on a web-based platform and are password protected?  Probably not.  That would be a broad end-run around a company’s computer use policy, and that is not the message from the Court in Stengart.  Rather, Stengart may end up meaning that employers have to be more precise in giving adequate warning to their employees that the contents of emails from a personal account may be monitored.  Employers will have to drill into specifics in their computer use and internet use policies, so that any argument that the policy or policies are ambiguous is obviated.  As the Court in Stengart held, “Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers.”  The Court went on to say that “Companies can adopt and enforce lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies…. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.”

Will Stengart mean that there is only a narrow expectation of privacy in personal emails at work, limited to emails with an attorney that fall under the attorney-client privilege?  Probably not.  If that were the case, the Court would not have gone through its detailed reasoning in arriving at its holding.  Instead, it could simply have said that personal emails at work with an attorney are privileged and are not discoverable.  But it did not say that.  In fact, the Court went to great lengths to discuss the concept of a “subjective expectation of privacy” and to discuss computer use policy ambiguity.

The Stengart message is that an employer would be wise not to construe Stengart too narrowly, thinking it applies only to attorney-client communication; nor should an employer construe Stengart too broadly, thinking that an employee now has an unfettered expectation of privacy in his emails so long as they meet certain criteria, namely that they are password protected and sent on a web-based platform.  Rather, a cogent course for an employer is the middle ground.  There may well be an employee expectation of privacy in emails sent on a password-protected, web-based platform, regardless of whether they are with the employee’s attorney, unless the employer takes proactive steps to obviate a subjective expectation of privacy and to clarify any ambiguities in its computer use or internet use policy.  Employers should consider not only revising their computer use and internet use policies to be more precise on this point, but also designing and implementing a rigorous and consistent employee training program that includes employee acknowledgements.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s technology and privacy practice, please contact Todd R. Ruback, Esq., who heads our Technology and Privacy Law Department.

Protecting Data: It’s Not Just About Personal Information

SteveK March 11th, 2011

By Todd Ruback, Esq., CIPP

March 11, 2011

Organizations are generally cognizant of their obligations to protect their customers’ personal information (PI).  Most organizations have privacy policies in place that describe their approach to the collection and protection of their customers’ PI, and they spend significant time, effort and money to ensure that their processes for collecting and protecting that PI match what the privacy policies say.  Less attention, however, has been paid to the protection of the other types of information that organizations collect: information that must be protected by contract, confidential information, trade secrets, payment card information, regulated information, and of course employee PI.  This matters because many organizations dedicate the majority of their information security dollars to protecting their customers’ PI.  They do so because they rightly fear the consequences of a breach of customer PI, namely class action litigation, regulatory enforcement actions, the cost of responding to a data breach incident, and the loss of goodwill and corporate reputation.  However, organizations would be well served to give thoughtful consideration to whether they are adequately protecting these other types of information and whether their information security spending is properly aligned with actual risks.

The consequences of not adequately protecting these other types of information can be significant and include not only the same consequences as those of a data breach of their customers’ PI, but also include possible litigation for breach of contract with partners and corporate customers, as well as the loss of value of intellectual property due to leakage of trade secrets or confidential information.

In order to have a thoughtful conversation about how to protect these other types of information, a general counsel or privacy professional should first perform a privacy risk assessment.  The purpose of the privacy risk assessment is to understand where the privacy risks are for the organization so mitigation controls can either be put in place or risk transfer instruments such as insurance can be purchased.

As part of the privacy risk assessment, a useful first step is to determine where the data is and who the data owners are.  Going through this exercise helps ensure that data is not collected, used or stored beyond the business need or regulatory requirement.  It also validates that the proper identity and access authorization processes are in place for access to the data.

A second step in a privacy risk assessment is to understand the methods by which the data is collected, and to perform an inventory, categorization, and data mapping to understand the degree of sensitivity of the data.  This helps ensure that the data is being properly treated.  As part of this step it is important to know the purpose for which each piece of data is collected and what your obligations are around it.  If this is not clearly understood, you cannot put the right controls in place, and you may be in violation of contractual or regulatory obligations, your organization’s intellectual property may be at risk, or your customers’ confidential information may be at risk.  Whether your organization transfers data onward to third parties can also be determined at this juncture.  That determination is likewise important, as it sheds light on whether your organization is at risk of improperly transferring the data, whether your third parties have adequate controls in place, and whether you need to impose further controls on those third parties.

The Privacy and Technology Group of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. helps organizations have thoughtful conversations about the information they collect and how that information is protected. We partner with our clients to perform privacy risk assessments and to develop implementation plans based upon best privacy practices that help reduce the risk of litigation and regulatory action while creating a privacy-based value proposition that sets organizations apart from their competitors.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s technology and privacy practice, please contact Todd R. Ruback, Esq., who heads our Technology and Privacy Law Department.

Todd Ruback podcast on cloud computing.

SteveK July 7th, 2010

Todd Ruback, of counsel to the firm, who concentrates his practice in technology and privacy law, recently participated in an episode of the ESI Report podcast entitled “Cloud Computing, Data Breaches & Case Update,” discussing the benefits and burdens associated with cloud computing.  The podcast can be heard at http://legaltalknetwork.com/podcasts/esi-report/2010/05/cloud-computing-data-breaches-case-update/

A.M.Best Podcast on Insurance and Privacy Law

SteveK January 19th, 2010

Steven Kunzman and Todd Ruback of the firm recently participated in a podcast with A.M. Best regarding developments in privacy law and related insurance issues. To hear the podcast go to: http://www3.ambest.com/bestfeed/insurancelaw/Insurance_Law_Podcast_40.mp3

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in insurance coverage matters as well as technology and privacy matters. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Steven A. Kunzman, Esq., who heads our Insurance Coverage Department; for additional information about the firm’s technology and privacy practice, please contact Todd R. Ruback, Esq., who heads our Technology and Privacy Law Department.

Privacy, Insurance: Legal Considerations

SteveK November 16th, 2009

By Steven A. Kunzman, Esq. and Todd B. Ruback, Esq., CIPP

Privacy Overview

The pervasive use of the Internet as a business platform and for the collection, use and transmission of personal information presents fertile ground for growth in claims arising from data breaches and improper privacy practices. As these claims arise, they will undoubtedly be tendered to insurers for defense and indemnification under various commercial policy forms, including those recently developed to provide coverage for privacy claims.[1] Insurance companies must be cognizant of the changing winds on the privacy landscape.  Due to increasing regulatory compliance requirements and a spike in privacy-related litigation flowing from record-setting data breaches, organizations and insurance carriers will undoubtedly be faced with privacy as a significant risk component of business.  According to Verizon Business’s 2009 Data Breach Investigations Report, 2008 saw more reported data breaches than the previous four years combined, with 285 million records breached.[2]  The Ponemon Institute estimated in its 2009 annual study that the average cost of a data breach exceeded $200 per record for organizations that were first-time victims of a breach.[3]  Numerous class action suits for privacy violations have been filed, the most famous of which is against Heartland Payment Systems for a massive breach caused by external hackers.[4]  Additionally, the FTC and the Attorneys General of states across the country appear to be stepping up enforcement actions against companies for improper privacy practices.

The likelihood of an organization facing a privacy-related liability claim or a regulatory enforcement action for improper privacy practices has increased significantly.  Correspondingly, claims for coverage under insurance policies will increase significantly over the coming years. Although the presently anticipated harm to any individual does not appear to be significant, these claims will have an impact on an insurer by increasing costs for claims processing, investigation, incident response management, compliance with statutorily required breach notification processes, litigation defense and payment of claims, particularly for any class action claims.

Privacy Litigation and its Impact Upon the Insurance Carrier

Some background in privacy issues is helpful to put these potential claims into an understandable context. There are two components to privacy: data protection and privacy practices.  Both components are governed in large part by regulation or statute, and in some cases by common law.

Data Protection: Data protection encompasses the security of data that contains personal information.  There are generally three elements to security: technical, physical and administrative.  Industries such as financial services and healthcare have security standards enumerated, respectively, in the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).  Further, the payment card industry has created its own objective technical security standard, PCI DSS, which applies to many organizations that accept payment cards.

A security breach may take many forms, including unauthorized access to personal information by an external source such as a hacker or an outsourced service provider, unauthorized access to personal information by an internal source such as an employee or contractor, or something as simple as the theft of a company laptop that contains personal information.

Private party lawsuits against companies for failing to protect data by deviating from accepted standards are based upon a negligence theory.  To date plaintiffs have had difficulty prevailing on negligence claims, although there have been numerous and significant settlements.[5]  The challenge plaintiffs have faced is in proving actual damages proximately caused by the defendant’s failure to protect personal information.[6]  Some courts, however, are beginning to view data breach litigation in a similar light to toxic tort medical monitoring claims, in that the threat of future harm may be sufficient to sustain a claim.[7]  If this “future risk” approach to data protection litigation gains traction, insurance companies can look forward to more protracted and costly litigation, with the potential for significant jury awards under the class action umbrella.

Privacy Practices: Privacy practices that may be subject to claims include: improper collection, use, or transfer of personal information; improper collection of information using unauthorized cookies, spiders, spyware, or other technological means; failure to protect personal information according to a company’s posted online privacy statement; having a privacy statement that does not meet regulatory requirements;[8] spamming, improper faxing or telemarketing; and the commission of privacy torts such as invasion of privacy.  For companies that transact online business not only in the United States but also in the European Union (EU), where the laws on privacy practices are greatly different, compliance becomes complex and the risk of an improper privacy practice rises greatly.

Companies committing improper privacy practices are often subject to multiple layers of penalties or fines, not only in the EU but also in the United States.  For example, if a company fails to protect personal information according to its posted online privacy statement, it may be subject to investigation and penalties from both the Federal Trade Commission (FTC) and state authorities for unfair or deceptive online trade practices,[9] in addition to potential private claims for violations of state consumer protection laws.  In essence, a company may pay three times for the same transgression in the US.  Although insurance policies generally exclude coverage for regulatory or enforcement actions by governmental bodies, the same facts also produce exposure in private litigation, which may in turn require an aggressive defense of the regulatory claim.  It appears, however, that some of the new privacy insurance policies may offer coverage for regulatory matters.

Insurance Coverage: Coverage Part B of a typical Comprehensive General Liability (CGL) insurance policy generally includes coverage for damages caused by “personal injury” and “advertising injury.”  Although those representing the insured often consider this section of the policy to provide an expansive grant of coverage, the insurer usually considers it limited to a number of specified claims, such as personal injury, which is often defined in a CGL policy as “an injury arising out of…violation of an individual’s right of privacy.”  Part B of the policy states that the insurance applies to personal injury if “caused by an offense…[a]rising out of the conduct of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.”  These policy forms were surely drafted without any contemplation of the current risks, since those risks have only come into existence with the pervasive use of computers and the Internet to transact business.  In addition, there may be issues as to when the “injury” took place: at the time of the breach, or at the time the personal injury is actually sustained.  In order to properly evaluate and assume the risks, some insurers have therefore developed policies that specifically address them.  Undoubtedly, if claims continue to rise and develop as anticipated, insurers may dispute coverage and/or respond to the claims being asserted based upon policies that, at the time of issuance, did not envision the present risk of injury caused by data breach.  Management of the risk therefore requires a thorough understanding of the nuances of the laws and of the requirements of best-of-breed privacy practices.

Conclusion

The changing privacy landscape will have a tangible impact on an insurance carrier’s costs of responding to claims under the personal injury and advertising injury portions of CGL policies and under specifically designed policies.  Foresight in addressing these risks and an understanding of the landscape of privacy laws and issues will be an essential component of underwriting the risks and defending the claims.

End Notes

 

[1] Zurich North America Commercial Expands Security, Privacy Insurance Coverage, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=218400572

[2] Verizon Business, 2009 Data Breach Investigations Report, by Wade Baker, April 15, 2009.

[3] Ponemon Institute, Fourth Annual US Cost of Data Breach Study, by Dr. Larry Ponemon, January 2009.

[4] In re Heartland Payment Systems, Inc., 626 F. Supp. 2d 1336; 2009 U.S. Dist. LEXIS 81493 (order granting consolidation of class action lawsuits).

[5] See In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389; 2007 U.S. Dist. LEXIS 87920 (over $40M settlement), and Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. Jan. 27, 2009) ($20M settlement).

[6] See Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Giordano v. Wachovia Sec., LLC, 2006 WL 2177036 (D.N.J. July 31, 2006) (unpublished); Guin v. Brazos Higher Educ. Serv. Corp., 2006 WL 288483 (D. Minn. Feb. 7, 2006) (unpublished); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006).

[7] See Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007).

[8] See GLBA.

[9] See Pinero v. Jackson Hewitt Tax Servs., No. 08-3535 (E.D. La. Jan. 7, 2009).

 


About the Authors

Todd B. Ruback, Esq. is chair of the Privacy and Technology Practice at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He is also a Certified Information Privacy Professional (CIPP) and a thought leader in the area of privacy law.  He has authored or co-authored numerous publications on privacy and lectures at various privacy seminars and conferences.  He is currently a nominee for the Board of Directors of the International Association of Privacy Professionals (IAPP) for the upcoming 2010-2015 term and will be a speaker at the IAPP International Privacy Convention to be held in Washington, D.C. in April 2010, where he will lecture on trends and risk in privacy litigation.

 

Steven Kunzman, Esq. is the chair of the Insurance Coverage Practice of the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He has been providing counsel and representation to insurance companies on insurance coverage matters, and defense to insurance company clients, for over 25 years.

 

 

The Right to Privacy Versus the Right to Access Public Records

SteveK October 21st, 2009

In a recent article published in New Jersey Municipalities magazine entitled “The Right to Privacy Versus the Right to Access Public Records,” Todd Ruback, Esq. discusses the recent decision of the New Jersey Supreme Court that provides guidance to local governments on how to balance a citizen’s right to privacy against requests for documents under the Open Public Records Act (OPRA). Mr. Ruback concludes that the Court may have created an implied right to privacy under the New Jersey State Constitution.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in technology and privacy matters. For additional information about the matters in this bulletin or in the technology and privacy practice group, please contact Todd Ruback, Esq.

Data Breach: Overview of Trends in Litigation

SteveK September 14th, 2009

 

This summary describes the White Paper entitled “Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention,” co-authored by Todd B. Ruback, Esq., CIPP, and Albert Raymond, Chief Privacy Officer, CIPP and CISSP. The White Paper was released for publication on September 12, 2009.

The purpose of the White Paper is to review the topic of data breach, meaning the unauthorized access of personal information, from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective on practical data protection processes that may serve as a guidepost to help reduce the likelihood of a data breach.  Taken together, these show the reader why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.

The White Paper discusses the evolving approach to data breach litigation and tries to identify the trends developing in this field.  It discusses the risk associated with data breach litigation as well as an approach to practical prevention of data breach within an organization.  To obtain a copy of the White Paper, please contact either of the co-authors below.

Todd B. Ruback is an attorney and a Certified Information Privacy Professional (CIPP) at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He is chair of the law firm’s Privacy and Technology law practice.

Albert Raymond is the Chief Privacy Officer at PHH Mortgage and is also a Certified Information Privacy Professional (CIPP) and a Certified Information Systems Security Professional (CISSP).  Mr. Raymond’s blog is found at http://privacysecurity.blogspot.com/