Ill. Court: Non-Injured Plaintiffs Cannot Sue for Violations of Consumer and Workplace-Related Laws

In Maglio v. Advocate Health and Hosps. Corp., (Ill. App. Ct. June 2, 2015), the Illinois Appellate Court was asked to decide whether individuals have standing to bring suit for violations of consumer data protection laws where their personal data, while compromised, has not been used to harm the individuals. The Illinois Appellate Court, in holding that such individuals do not have standing, established that, at least in Illinois, plaintiffs who suffer no concrete harm, but instead allege only technical statutory violations, cannot sue for violations of consumer and, presumably, workplace-related laws.

The decision of the Illinois Appellate Court could have implications beyond Illinois. As we previously reported, the U.S. Supreme Court recently granted certiorari in Spokeo, Inc. v. Robins (U.S. Apr. 27, 2015). In the Spokeo matter, the U.S. Supreme Court will confront a nearly identical issue: Do individuals have standing to sue for violations of the Fair Credit Reporting Act (FCRA) even when they have not suffered any harm or injury? If the U.S. Supreme Court reasons in the same way that the Illinois Appellate Court did and answers this question “no,” the decision would likely discourage the current wave of consumer, workplace, and other class actions seeking millions in statutory damages.

Case Background

Advocate is a network of hospitals and doctors. On July 15, 2013, burglars stole four computers from Advocate’s administrative building that contained the personal information of about four million of Advocate’s patients. Advocate notified these patients of the theft on August 23, 2013.

Two sets of plaintiffs filed class actions against Advocate, claiming that Advocate violated two state consumer data protection laws by failing to maintain adequate procedures to protect the personal information of plaintiffs and putative class members and by failing to notify the plaintiffs and putative class about the breach in a timely manner. The plaintiffs also sued Advocate on theories of negligence and invasion of privacy.

Advocate moved to dismiss both class actions, arguing that the plaintiffs lacked standing because they had not suffered any injury as a result of their data being stolen. Both trial courts dismissed the class actions. The trial courts found that “[t]he increased risk that plaintiffs will be identity theft victims at some indeterminate point in the future . . . . did not constitute an injury sufficient to confer standing,” and that the plaintiffs’ “allegations concerning anxiety and emotional distress . . . . were insufficient to establish standing, where they were not based on an imminent threat.” The plaintiffs appealed.

Appellate Court’s Decision

The Appellate Court pointed out that, under Illinois law, a plaintiff only has standing if he or she has suffered “some injury in fact to a legally cognizable interest. [T]he claimed injury may be actual or threatened and it must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.”

The Appellate Court then considered whether the plaintiffs had suffered a “distinct and palpable” injury under Illinois law. It found, in light of Chicago Teachers Union, Local 1 v. Bd. of Educ. – a case in which the Illinois Supreme Court held that physical education teachers did not have standing to challenge a statute allowing school districts to waive mandatory physical education requirements because the teachers were not “in immediate danger of sustaining a direct injury as a result of enforcement of the challenged statute that is distinct and palpable” – that the plaintiffs’ allegations of injury were speculative and the plaintiffs thus did not have standing to bring suit.

The Appellate Court reasoned that this result was supported by federal case law on standing. It observed that, “[i]n federal courts, to show standing under Article III of the Constitution, a plaintiff must establish the existence of an injury that is: (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the challenged action; and (3) redressable by a favorable ruling.” To meet the first requirement, “an ‘allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.’” (quoting Susan B. Anthony List v. Driehaus, 2014). “Allegations of possible future injury are not sufficient,” nor is an “objectively-reasonable-likelihood” that the future injury will occur.

The Appellate Court went on to find that an increased risk of harm is not sufficient to confer standing. While agreeing that the Seventh Circuit appears to have held that an increased risk of harm can confer standing in Pisciotta v. Old Nat’l Bank Corp., it found that the later-decided Clapper case compelled rejection of this position (citing Strautins v. Trustwave Holdings, Inc. (N.D. Ill. 2014)).

Finally, the Appellate Court found that alleged “appreciable emotional injury” did not confer standing on the plaintiffs. Specifically, the Appellate Court found that, because the purported emotional injury did not flow from an “imminent, certainly impending, or substantial risk of harm,” it could not, on its own, confer standing.

Implications for Employers

This case is welcome news for Illinois employers, who can use this case to defeat consumer and workplace class actions based on technical violations of state laws without any resulting harm to consumers or employees. Outside of Illinois, if the U.S. Supreme Court interprets federal standing requirements as the Illinois Appellate Court did, employers could be handed a significant win in the Spokeo matter. If Spokeo is decided as Maglio, employers nationally should have a powerful tool to achieve dismissal of class action lawsuits based on technical violations of both federal and state consumer and worker protection laws. Stay tuned.

This column previously appeared on the Seyfarth Shaw LLP website.

Mastering IT Risk Assessment

The foundation of your organization’s defense against cyber theft is a mastery of IT risk assessment. It is an essential part of any information security program, and in fact, is mandated by regulatory frameworks such as SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA and FISMA.

Compliance with those frameworks means that your organization not only has to complete an IT risk assessment but it must also assess and address the risks by implementing security controls.

In the event of a breach, an effective IT risk management plan—which details exactly what your IT department is going to do and how they’re going to do it—and implementation of the critical security controls have the potential to save your organization millions of dollars in direct response costs, legal fees, regulatory fines, and costs associated with rebuilding a damaged corporate reputation.

Evaluating the potential compliance, operational and reputational risks to your organization and then ranking their importance and likelihood is not easy. Even more challenging is developing and then implementing the IT risk management plan. If your IT department is undergoing an IT risk assessment now or strengthening its cybersecurity strategy, look to qualified industry professionals and innovative technologies to help you master the process and stay compliant.

Here are six tips to keep in mind:

1. Get professional help. Hire an independent third party auditor and/or attorney.

Your IT hosting provider may even provide compliance and auditing services. These consultants can provide a comprehensive risk analysis, audit assistance and privacy and security guidance, including identifying potential risks, exposures and liabilities.

2. Use private cloud technology to protect sensitive data. Moving all or part of your infrastructure to a professionally managed, compliant private cloud offers benefits that drive business value. Your organization’s data and apps are hosted by experts in an environment that is independently audited for the specific regulatory compliance that you need, which is a big help in passing your own audit. Also, your IT department is freed up to focus on strategic projects without bearing the burden of solving compliant hosting complexities, hassling with maintenance and support, managing staff allocations, and providing expensive training.

3. Invest in annual IT risk assessments. Be sure to work with an unbiased, fully independent auditing team, which typically includes certified engineers and compliance experts. Comprehensive risk assessments pinpoint the many risks faced by your organization and address network security vulnerabilities. They are designed to give you the education, expertise, support and protection that you need to plan your security strategy, pass your audits and maintain a continuously-compliant IT environment.

4. Schedule frequent penetration testing and vulnerability scans. These uncover critical IT vulnerabilities and show how well you are protecting your network and data. Ask your auditors, compliance experts or compliant hosting provider to perform monthly or quarterly tests, help you to establish critical processes (such as data encryption and hardened authentication), and develop a clear understanding of how to avoid IT compliance disasters. Get a full report on external, internal and web application testing as well as strategies for remediation.

5. Ensure application security. A good auditor or compliance team can help secure the design, development and deployment of your web-facing applications by thoroughly assessing any vulnerabilities and addressing design flaws or security gaps that impact compliance. Managing and remediating risks now saves time and money later.

6. Educate employees about security. Frequent security awareness trainings and daily reminders throughout the workplace will help reduce violations. Your auditor or compliance team should customize a workplace awareness program for your business.

Ensure that the training is situational and fully engaging.

Small Businesses Hit Hardest By Employee Theft

The typical organization loses 5% of revenue each year to fraud – a potential projected global fraud loss of $3.7 trillion annually, according to the ACFE 2014 Report to the Nations on Occupational Fraud and Abuse.

In its new Embezzlement Watchlist, Hiscox examines employee theft cases that were active in United States federal courts in 2014, with a specific focus on businesses with fewer than 500 employees to get a better sense of the range of employee theft risks these businesses face. While sizes and types of thefts vary across industries, smaller organizations saw higher incidences of embezzlement overall.

According to the report, “When we looked at the totality of federal actions involving employee theft over the calendar year, nearly 72% involved organizations with fewer than 500 employees. Within that data set, we found that four of every five victim organizations had fewer than 100 employees; more than half had fewer than 25 employees.”

Overall, they found:

[Figure: Hiscox Embezzlement Watchlist]

It is particularly interesting to note that women orchestrate the majority of these thefts (61%) – a rarity in many kinds of crime. Yet the wage gap extends even to ill-gotten gains, Hiscox found: While they were responsible for more of these actions, women made nearly 30% less from these schemes than men.

Drilling down into specific industries, Hiscox found that financial services companies were at the greatest risk, with over 21% of employee thefts – the largest industry segment – targeting an organization in this field, including banks, credit unions and insurance companies. Other organizations frequently struck by employee theft include non-profits (11%), municipalities (10%) and labor unions (9%). Groups in the financial services, real estate and construction, and non-profit sectors had the greatest total number of cases in the Hiscox study, while retail entities and the healthcare industry suffered the largest median losses.

For more of the report’s insight on specific industries, check out the infographic below:

[Infographic: Hiscox Embezzlement Watchlist Targeted Industries]

Travelers Stages Live Hack to Examine Realities of Cyberrisk

NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed; these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

[Figure: NetDiligence Cyberinsurance Claims by Business Sector]

[Figure: NetDiligence Cyberinsurance Claims by Data Type]

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, the cost of retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Bisgaard & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

[Figure: Business Risk Index Cyber Preparedness]