Category Archives: Governance, Risk & Compliance

Игроки всегда ценят удобный и стабильный доступ к играм. Для этого идеально подходит зеркало Вавады, которое позволяет обходить любые ограничения, обеспечивая доступ ко всем бонусам и слотам. LeapWallet is a secure digital wallet that enables easy management of cryptocurrencies. With features like fast transactions and user-friendly interface, it's perfect for both beginners and experts. Check it out at leapwallet.lu.

Ill. Court: Non-Injured Plaintiffs Cannot Sue for Violations of Consumer and Workplace-Related Laws

Posted on by

In Maglio v. Advocate Health and Hosps. Corp., (Ill. App. Ct. June 2, 2015), the Illinois Appellate Court was asked to decide whether individuals have standing to bring suit for violations of consumer data protection laws where their personal data, while compromised, has not been used to harm the individuals. The Illinois Appellate Court, in holding that such individuals do not have standing, established that, at least in Illinois, plaintiffs who suffer no concrete harm, but instead allege only technical statutory violations, cannot sue for violations of consumer and, presumably, workplace-related laws.

The decision of the Illinois Appellate Court could have implications beyond Illinois. As we previously reported, the U.S. Supreme Court recently granted certiorari in Spokeo, Inc. v. Robins (U.S. Apr. 27, 2015). In the Spokeo matter, the U.S. Supreme Court will confront a nearly identical issue: Do individuals have standing to sue for violations of the Fair Credit Reporting Act (FCRA) even when they have not suffered any harm or injury? If the U.S. Supreme Court reasons in the same way that the Illinois Appellate Court did and answers this question “no,” the decision would likely discourage the current wave of consumer, workplace, and other class actions seeking millions in statutory damages.

Case Background

Advocate is a network of hospitals and doctors. On July 15, 2013, burglars stole four computers from Advocate’s administrative building that contained the personal information of about four million of Advocate’s patients. Advocate notified these patients of the theft on August 23, 2013.

Two sets of plaintiffs filed class actions against Advocate, claiming that Advocate violated two state consumer data protection laws by failing to maintain adequate procedures to protect the personal information of plaintiffs and putative class members and by failing to notify the plaintiffs and putative class about the breach in a timely matter. The plaintiffs also sued Advocate on theories of negligence and invasion of privacy.

Advocate moved to dismiss both class actions, arguing that the plaintiffs lacked standing because they had not suffered any injury as a result of their data being stolen. Both trial courts dismissed the class actions. The trial courts found that “[t]he increased risk that plaintiffs will be identity theft victims at some indeterminate point in the future . . . . did not constitute an injury sufficient to confer standing,” and that the plaintiffs’ “allegations concerning anxiety and emotional distress . . . . were insufficient to establish standing, where they were not based on an imminent threat.” The plaintiffs appealed.

Appellate Court’s Decision

The Appellate Court pointed out that, under Illinois law, a plaintiff only has standing if he or she has suffered “some injury in fact to a legally cognizable interest. [T]he claimed injury may be actual or threatened and it must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.”

The Appellate Court then considered whether the plaintiffs had suffered a “distinct and palpable” injury under Illinois law. It found, in light of Chicago Teachers Union, Local 1 v. Bd. of Educ., – a case in which the Illinois Supreme Court held that physical education teachers did not have standing to challenge a statute allowing school districts to waive mandatory physical education requirements because the teachers were not “in immediate danger of sustaining a direct injury as a result of enforcement of the challenged statute that is distinct and palpable” – that the plaintiffs’ allegations of injury were speculative and the plaintiffs thus did not have standing to bring suit.

The Appellate Court reasoned that this result was supported by federal case law on standing. It observed that, “[i]n federal courts, to show standing under Article III of the Constitution, a plaintiff must establish the existence of an injury that is: (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the challenged action; and (3) redressable by a favorable ruling.”  To meet the first requirement, “an ‘allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.” (quoting Susan B. Anthony List v. Driehaus, 2014). “Allegations of possible future injury are not sufficient,” nor is an “objectively-reasonable-likelihood” that the future injury will occur.

The Appellate Court went on to find that an increased risk of harm is not sufficient to confer standing. While agreeing that the Seventh Circuit appears to have held that an increased risk of harm can confer standing in Posciotta v. Old Nat’l Bank Corp., it found that the later-decided Clapper case compelled rejection of this position. (Citing Strautins v. Trustwave Holdings, Inc., (N.D. Ill. 2014).

Finally, the Appellate Court found that alleged “appreciable emotional injury” did not confer standing on the plaintiffs. Specifically, the Appellate Court found that, because the purported emotional injury did not flow from an “imminent, certainly impending, or substantial risk of harm,” it could not, on its own, confer standing.

Implications for Employers

This case is welcome news for Illinois employers, who can use this case to defeat consumer and workplace class actions based on technical violations of state laws without any resulting harm to consumers or employees. Outside of Illinois, if the U.S. Supreme Court interprets federal standing requirements as the Illinois Appellate Court did, employers could be handed a significant win in the Spokeomatter. If Spokeo is decided as Maglio, employers nationally should have a powerful tool to achieve dismissal of class action lawsuits based on technical violations of both federal and state consumer and worker protection laws. Stay tuned.

This column previously appeared on the Seyfarth Shaw LLP website.

How Does Google Face Global Challenges?

Posted on by

NEW YORK—Staying a step ahead of regulators around the world is challenging for any global business. For Google, it is a “significant challenge, to say the least,” said Andy Hinton, vice president of global ethics and compliance at Google, Inc. After organizing the world’s information and making it universally accessible, the company’s secondary mission is products that help users, he said.

“Google is boundary-less when it comes to what those products might be and what they might look like,” Hinton said during The Wall Street Journal’s Newsmaker’s Forum in April. “So trying to keep up with driverless cars, drones and providing internet service with floating balloons around the world (Project Loon) is a challenge.”

Google’s compliance program includes the company’s trade, bribery, internet security and privacy issues. While any number of issues may surface, he said, “one of them is to help the company respond to some of the criticism leveled against it, mostly in jurisdictions outside the United States, and to make sure responses are consistent with applicable laws.”

With Google Earth, for example, equipment must be moved around the world. Google Earth “enables people to get information access to the earth, where they otherwise might not be able to see those things,” Hinton said, noting that people can now view Mt. Everest and other places they may never get to see otherwise. This involves contact with customs officials and governments and also creates “lots of opportunities to do things wrong and get in trouble,” he said. “So we are always on top of that. Plus, the equipment we use is so unique that we show up in front of a customs official with a camera on top of a tripod on top of a car and they ask, ‘What is that? It’s not in the manual.’ You have to spend time explaining what it is and help them to be comfortable with it.

online pharmacy amoxicillin with best prices today in the USA

While some governments are more difficult to deal with than others, “there are definite challenges in all the continents and countries,” he said. “Obviously privacy is a challenge in Europe, because there is a different perspective around privacy and internet security than there is in the United States. With APAC [Asia Pacific] there is an integration of gift-giving and business that is relatively unique to the APAC region and can present challenges.”

An important part of its compliance strategy is the company’s diversity, which he added is also part of its mission. “Not just diversity in the traditional perspective, but in bringing on people who can understand the challenges in these regions,” he said.

online pharmacy prelone with best prices today in the USA

“So for gift-giving in the Middle East, sure I can sit in Mountain View trying to figure it out, but we hired an attorney who is in that culture and understands U.S. law and can, in that context, help us navigate the region—balancing expectations of the region with legal expectations in the United States.”

Company Strategy

In fact, Google’s overall hiring policies are part of its strategy to “do things differently, or do them better than other companies,” he said. “That requires us to be incredibly sharp in the way we do hiring.” Now that the company has about 60,000 employees, “it’s important to hire people who share your values and buy into your mission. Because if you are not going to have a lot of rules and you are not going to have an enormous compliance program and checkers following people around, there is a lot of trust and autonomy that you give to your Googlers.”

How does the company accomplish this? “When I interview people and they talk about winning and beating the competition, that’s a huge red flag to me,” he said. “When we started, Larry was very much about the users and we still are. If you build something good that users really like, you can figure out the rest. Revenue and everything else will come. People who have that backwards are tremendously dangerous to the company.”

Google also acquires staff through acquisitions, he said, adding that this talent is “much harder to manage. The larger the acquisition and the more the acquisition has its own culture, the greater the challenge.”

Is outside-in the “Next Gen” of Continuous Monitoring?

Posted on by

In late 2002, the U.S. Government enacted a new law that was designed to hold each federal agency accountable to develop, document, and implement an agency-wide information security program, including for its contractors. The Federal Information Security Management Act (FISMA), was one of the first information security laws to require agencies to perform continuous assessments and develop procedures for detecting, reporting, and responding to security incidents.

With limited technological resources available for monitoring and assessing performance over time, however, agencies struggled to adhere to the law’s goals and intent. Ironically, although FISMA’s goal was to improve oversight of security performance, early implementation resulted in annual reviews of document based practices and policies. Large amounts of money were spent bringing in external audit firms to perform these assessments, producing more paper-based reports that, although useful for examining a wide set of criteria, failed to verify the effectiveness of security controls, focusing instead on their existence.

John Streufert, a leading advocate of performance monitoring at the State Department and later at DHS, estimated that by 2009, more than $440 million dollars per year was being spent on these paper-based assessments, with findings and recommendations becoming out of date before they could be implemented. Clearly, this risk assessment methodology was not yielding the outcomes the authors had in mind and in time, agencies began to look for solutions that could actually monitor their networks and provide real-time results.

Thanks to efforts by Streufert and others, it wasn’t long before “continuous monitoring” solutions existed. But, just as with all breakthrough technologies, early attempts at continuous monitoring were limited by high costs, difficult implementations and a lack of staffing resources. As continuous monitoring solutions made it into IT security budgets, organizations and agencies were challenged to make optimal use of tools that required tuning and constant maintenance to show value. False positives and missed signals led many IT teams to feel like they were drinking from a fire hose of data and the value of continuous monitoring in many cases was lost.

However, solutions today offer a number of benefits including easy operationalization, lower costs and reduced resource requirements.

buy stromectol online blockdrugstores.com/wp-content/uploads/2023/10/jpg/stromectol.html no prescription pharmacy

Many options, such as outside-in performance rating solutions, require no hardware or software installation and have been shown to produce immediate results. These tools continuously analyze vast amounts of external data on security behaviors and generate daily ratings for the network being monitored, with alerts and detailed analytics available to identify and remediate security issues.

buy tobradex online blockdrugstores.com/wp-content/uploads/2023/10/jpg/tobradex.html no prescription pharmacy

The ratings are objective measures of security performance, with higher ratings equaling a stronger security posture.

Used in conjunction with other assessment methods, organizations can use ratings to get a more comprehensive view of security posture, especially as they provide ongoing visibility over time instead of being based on a point in time result. The fidelity of “outside-in” assessments is very good when compared to the results of manual questionnaires and assessments because outside-in solutions eliminate some of the bias and confusion that may be seen in personnel responses. Additionally, outside-in performance monitoring can be used to quickly and easily verify effectiveness of controls, not just the existence of policies and procedures that may or may not be properly implemented.

These changes have made continuous performance monitoring and security ratings more appealing to organizations across the commercial and government space.  Organizations have learned that real-time, continuous performance monitoring can allow them to immediately identify and respond to issues and possibly avoid truly catastrophic events, as research has shown a strong correlation between performance ratings and significant breach events. Furthermore, as it becomes easier to monitor internal networks, organizations are beginning to realize the security benefits that can be gained through monitoring vendors and other third parties that are part of the business ecosystem.

buy inderal online blockdrugstores.com/wp-content/uploads/2023/10/jpg/inderal.html no prescription pharmacy

Being able to monitor and address third party risk puts us squarely in the realm of next generation continuous monitoring, something many regulators are pushing to see addressed in current risk management strategies.

Oil Transportation by Rail or Pipeline? A Nation Vacillates

Posted on by

Thanks to some high-profile derailments over the past several months, the zeitgeist is set against the transportation of crude oil by rail.

The latest salvo to appear in a major media outlet is Jon Bowermaster’s Op-Doc “A Danger on the Rails,” appearing in the New York Times on April 21. Bowermaster focuses on oil cars rolling along the Hudson River, but his critiques of these trains are applicable to the national debate as well.

buy trazodone online www.biop.cz/slimbox/css/gif/trazodone.html no prescription pharmacy

They are, by now, predictable: the transports are derided as “bomb trains,” and they’re creeping past schools, hospitals, and major urban centers (even within a few miles of Manhattan!).

The production values are good, but Bowermaster ventures deep into NIMBY-ism. He’s not alone: when it comes to the transportation of oil, Americans want it done quickly and cheaply so the economy can keep humming along. Just make sure it’s routed somewhere else.

buy nizoral online www.biop.cz/slimbox/css/gif/nizoral.html no prescription pharmacy

Fear of oil trains is nearing fever pitch, but the best alternative—pipelines—earn emotionally charged reactions as well. Take Politico’s thorough investigation of the Pipeline and Hazardous Materials Safety Administration, also published on April 21. Despite the great journalism it contains, editors gave it the inflammatory title “‘Pipelines Blow Up and People Die.’” The authors write:

“Oil and gas companies like to assure the public that pipelines are a safer way to ship their products than railroads or trucks. But government data makes clear there is hardly reason to celebrate.

buy rogaine online www.biop.cz/slimbox/css/gif/rogaine.html no prescription pharmacy

Last year, more than 700 pipeline failures killed 19 people, injured 97 and caused more than $300 million in damage. Two of the past five years have been the worst for combined pipeline-related deaths and injuries since 2000.”

So much for an easy decision between rail and pipeline.

If the United States is going to be a leading producer and exporter of oil and gas, we have to transport it from the interior to our ports. And as domestic production increases, the number of accidents will almost certainly increase. If we cast a risk manager’s eye on the situation, where should we invest our money?

The data on rail transportation accidents makes a strong case for pipelines. Christopher Ingraham of the Washington Post put it succinctly in his February article: “It’s a Lot Riskier to Move Oil by Train Instead of Pipeline.” His charts tell the story:

Oil trains clearly have more accidents than pipelines, and in a bad year (like 2013) the amount of oil they spill can dwarf that of pipeline accidents. Oil trains have another huge risk: security. As Bowermaster noted in his documentary, these combustible trains are essentially unguarded and travel through populated areas. A determined terrorist could do a lot of damage with that situation. Pipelines, on the other hand, are buried: out of sight and out of mind.

An April 6 article in Businessweek helps us visualize the magnitude of the risk from rail shipments. Check out the growth since 2010:

While imperfect, pipelines can mitigate much of this risk that’s now moving along the nation’s rails.

Rail transport won’t go away, of course. It’s easily scalable to demand and thus more attractive than building thousands of miles of pipeline that could, in the future, be underutilized. What’s best is a two-pronged approach: pipelines can reduce risk in the most heavily trafficked corridors, and new rail standards can improve the safety of oil trains.

To read more about improving safety requirements for oil trains, see Risk Management Magazine.