Latest Spokeo Decision Adds to the Growing Body of Law Supporting Article III Standing for Cybersecurity Plaintiffs

We recently wrote about a decision in Attias v. CareFirst, Inc., holding that a class of plaintiffs whose information was compromised in a cyberattack had sufficiently demonstrated standing to survive a motion to dismiss. The U.S. Court of Appeals for the Ninth Circuit now has added to the toolbox for plaintiffs in cyber cases whose standing is challenged.

In Robins v. Spokeo, which the Ninth Circuit heard on remand from the U.S. Supreme Court, the issue was whether the plaintiff —who alleged that an inaccurate report about him on Spokeo’s consumer reporting web site constituted willful violations of the Fair Credit Reporting Act — had alleged a sufficiently “real” injury to meet the elements necessary for Article III standing.

The district court dismissed the complaint, holding that the plaintiff’s allegation of a bare violation of the statute did not show that he had suffered an injury-in-fact. The Ninth Circuit reversed in Spokeo I, holding that by alleging a violation of his statutory rights, the plaintiff had alleged a concrete and particularized injury. The U.S. Supreme Court granted certiorari and vacated that opinion, holding that the Ninth Circuit’s analysis had been incomplete, and remanded for further consideration of whether the injury was sufficiently concrete to support standing.

Specifically, the court considered “the extent to which violation of a statutory right can itself establish an injury sufficiently concrete for the purposes of Article III standing.” While the FCRA provides an individual right to sue for violations of the statute, the Supreme Court made clear that such a right does not satisfy the injury-in-fact requirement for Article III standing per se.

Rather, “even when a statute has allegedly been violated, Article III requires such violation to have caused some real — as opposed to purely legal — harm to the plaintiff.” Congress’s decision to provide a right of action is instructive, however, in cases in which the harm alleged is intangible, the Supreme Court noted in kicking the case back to the Ninth Circuit. And some statutory violations are enough on their face to demonstrate concrete harm. Thus, the Ninth Circuit faced two questions: “(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete rights (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually had, or present a material risk to, such interests.”

The court had “little difficulty” concluding that consumers have a concrete interest in accurate credit reporting about themselves, noting that “given the ubiquity and importance of consumer reports in modern life … the real-world implications of material inaccuracies in those reports seem patent on their face.” Further, “the interests that FCRA protects also resemble other reputational and privacy interests that have long been protected by the law.”

Turning to the second question, the court distinguished between a violation of the statute that did not result in the creation or dissemination of an inaccurate consumer report and a violation like the one at hand, which did result in dissemination of inaccurate information about the plaintiff. The latter category can support standing, if the nature of the inaccurate disclosure is such that it creates a real risk of harm. The Ninth Circuit determined that the inaccuracies at issue — which related to the plaintiff’s age, marital status, educational background, and employment history — are “the type that may be important to employers or others making use of the consumer report” and do not constitute insignificant technical statutory violations. Further, the court held, the injury was not speculative, because it had already occurred. “It is of no consequence how likely Robins is to suffer additional concrete harm” (emphasis in original).

Thus, the Ninth Circuit sent the case back to the district court for trial, paving the way for future FCRA plaintiffs whose standing to sue is called into question.

Tagged with: , , ,
Posted in Litigation, Privacy

CareFirst Data Breach Appeal Holds Three Key Lessons for Cyberattack Litigants

A recent federal appellate decision suggests that it might be getting easier for cyberattack plaintiffs to establish standing in a manner sufficient to survive a motion to dismiss. According to the U.S. Court of Appeals for the District of Columbia Circuit, people whose personal information was compromised in a cyberattack have standing to sue so long as they allege that a data breach traceable to the target company’s negligence exposed them to a substantial risk of identity theft, and they reasonably spent money to protect themselves in the wake of the attack. The case is Attias v. CareFirst, Inc., decided on August 1, 2017.

In so holding, the Court of Appeals reversed the district court’s dismissal of the action, admonishing the lower court for giving “the complaint an unduly narrow reading.” Both decisions turned on whether the plaintiffs had alleged that their social security or credit card numbers had been stolen. The lower court concluded that the plaintiffs did not demonstrate a sufficiently substantial risk of harm, and therefore lacked standing, because they had “not suggested, let alone demonstrated how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.”

The Court of Appeals took issue with this approach, because it presumed that the plaintiffs did not allege that this information had been stolen. However, the court noted, the complaint alleged that “PII/PHI/Sensitive Information” had been taken, and included in the definition of that term “patient credit card … and social security numbers.” Further, the complaint alleged that identity thieves could use the information accessed in the attack to “open new financial account[s] [and] incur charges in another person’s name.” At the motion dismiss stage, this combination of allegations is sufficient to establish a substantial risk of future harm, the court held.

A distinguishing feature of cyberattack cases, the court noted, is that an unauthorized party has already accessed another person’s information. In this circumstance, “it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill,” the court reasoned.

Having found that the plaintiffs had sufficiently alleged an “injury in fact” to establish standing, the Court of Appeals then addressed the second prong in the standing analysis: whether the injury could be fairly traceable to the alleged conduct of the defendant. CareFirst argued that this prong was not met, because there was no allegation that the attacker was affiliated with the company. But such a direct connection is not required, the Court of Appeals concluded. Rather, the plaintiffs’ allegations that CareFirst’s failure to properly secure their data creates enough of a link to the injury to satisfy the “fairly traceable” standard.

Finally, the court made short work of finding that the plaintiffs had satisfied the final requirement for standing – that the harm they suffered was “likely to be redressed by a favorable judicial decision” – by alleging that they had reasonably spent money to protect themselves against the potential for identity theft. This money could be recovered through an award of money damages, thereby meeting the third prong of the standing analysis.

In conclusion, Attias v. CareFirst carries three main takeaways for cyberattack litigants on the question of standing: (1) some courts will take a broad reading of complaint allegations at the motion to dismiss stage, and may infer from the cyberattack itself an intent harm to the victims; (2) the hacker need not be affiliated with the target company for the plaintiffs’ alleged harm to be traced back to that company; and (3) if the plaintiffs reasonably incurred costs to protect themselves from identity theft in the wake of the attack, they will, at least in some jurisdictions, satisfy prong three of the standing analysis.

Tagged with: , , , , ,
Posted in Cyberattack, Data Breach, Litigation

Will the New General Data Protection Regulations (“GDPR”) Be a Block in the Chain?

Yes, I know that I ooze wit, but seriously, on the 25 May 2018, the new GDPR will come into force, which replaces the current data protection regulations (irrespective of Brexit). The principle at the heart of the GDPR is that personal data can only be gathered under strict conditions for legitimate purposes. More importantly however, among other things, it gives people the “right to be forgotten.” With this in mind, how will the GDPR fit in with the blockchain? After all, isn’t the whole purpose of the blockchain to record the ownership of just about anything, by using a fully trustworthy peer-to-peer payment system, that provides a neutral, permanent, irrefutable, and more importantly, transparent, record of all transactions?  How can a data controller erase personal information on the blockchain?

It seems to me as organisations are forging ahead to be compliant by 2018, this new wide-ranging and challenging obligation needs a practical and universally agreed solution. Otherwise we are going to embark on a era of satellite litigation of what constitutes “reasonable steps” – against a backdrop of ever changing advancements in technology.

The solution may not rest with the lawyers alone (boo) – but a combination of legal drafting and a Blockchain platform which allows transactions/smart contracts to be created off-chain in stake channels, which protects people’s privacy.

We are in a strange new world. Who would have ever envisaged 20 years ago that lawyers (who are renowned technophobes – hence the reason why they became lawyers) and computer scientists (who love having to consider every analytical possibility when designing a code) would become ideal business partners …

Tagged with: , , , ,
Posted in Data Security, Privacy, Regulations

Coca-Cola Dodges Privacy Class Action

Coca-Cola won big last month when it secured summary judgment in a privacy class action brought by a former bottling plant employee concerning compromised personal information. Hon. Joseph Leeson of the Eastern District of Pennsylvania found that Coca-Cola was not under any contractual obligation to protect its employees’ personal information.

The issues arose when an ill-motived former IT employee disposed of old Coca-Cola laptops that were still storing employee information, including addresses, phone numbers and SSNs. The proposed class action was brought on behalf of the 74,000 employees whose information was compromised.

The court rejected plaintiff’s arguments that a handful of company policies, when woven together, impose a contractual duty on Coca-Cola to safeguard information for the benefit of employees. Coca-Cola argued that its detailed security policies create obligations to safeguard Company information to support business operations, but not to shield employees personally. The judge agreed, ruling the relevant policy provisions serve to protect the company, not the employees.

Cited provisions came from Code of Conduct, the Protection Policy and the Acceptable Use Policy, and read, in part: “Computer hardware, software, and data must be safeguarded from damage, theft, fraudulent manipulation, and unauthorized access to and disclosure of Company information.” Another provision stated that “[w]e all have an obligation to safeguard Company assets including exercising care in using Company equipment, vehicles, and bringing to the attention of high management any waste, misuse, destruction, or theft of Company property or illegal activity.”

It is also noteworthy that, despite not being contractually obligated to protect employee information, Coca-Cola was responsible and proactive in response to the incident. Coca-Cola informed employees of the lost laptops and provided one year of free credit monitoring and fraud restoration services. Ironically, plaintiff claimed that Coca-Cola should compensate him for wages lost because of the time required to submit the necessary information to obtain the protection services. The court explicitly rejected this as well.

The case is Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, in the U.S. District Court for the Eastern District of Pennsylvania.

Tagged with: , , , , , ,
Posted in Data Breach, Data Security, Litigation, Privacy

Win for Insurance Industry in Computer Fraud Coverage Ruling

Computers are involved at some point in almost every business transaction—that is the reality of life in the digital age. The implications of that fact are still being worked out with respect to the interpretation of insurance contract computer fraud provisions. This month, a judge in the Northern District of Georgia issued a narrow reading, handing the insurance company an important victory.

InComm is a debit card processing company that allows consumers to purchase credits, referred to as “chits,” which can be loaded onto a debit card. From November 2013 through May 2014, a system vulnerability allowed consumers to redeem a single chit multiple times, thereby receiving more than the value they had purchased. In total, InComm processed more than 25,000 unauthorized redemptions, mistakenly transmitting more than $11 million to various debit card issuers.

Once InComm discovered the losses, it sought coverage from its insurer, Great American Insurance Company (“GAIC”). Citing to the policy’s computer fraud provision, GAIC denied and InComm responded by filing suit for breach of contract and bad faith and seeking a declaration of coverage.

The relevant computer fraud provision stated: “[GAIC] will pay for loss of, and loss from damage to, money, securities, and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”

In the case of InComm, the company’s redemption program allowed cardholders to conduct debit card activity by dialing in by phone and using either voice or touchtone commands to claim chits. Therefore, the unauthorized transactions at issue (conducted by sophisticated identity theft perpetrators) were accomplished using a phone, not a computer.

In granting summary judgment to GAIC, the court found that the computer fraud provision did not apply because the actual fraud was committed using a phone. The court explained that simply because “a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss.” Finding to the contrary would “unreasonably expand the scope” of the computer fraud provision, which was intended to limit coverage to computer fraud. Finally, the judge concluded, to accept “lawyerly arguments” that coverage should be expanded to include losses “involving a computer engaged at any point in the causal chain” would “strain the ordinary understanding of computer fraud.”

The case is InComm Holdings Inc. v. Great American Insurance Co., No. 1:15-cv-2671 (N.D. Ga. Mar. 16, 2017).

Tagged with: , ,
Posted in Legislation, Litigation

Fourth Circuit To Plaintiffs: “Could” Isn’t Enough For Standing

A split continued to develop in the federal courts last month as the Fourth Circuit denied Article III standing to the plaintiffs in a data breach case whose alleged injuries were limited to the increased risk of future identity theft and the cost of measures to protect against it. The Fourth Circuit joins the First and Third Circuits in rejecting this theory as grounds for standing, finding it too great of a stretch. In contrast, the Sixth, Seventh and Ninth Circuits have all recognized in certain circumstances that, at the pleading stage, plaintiffs can establish an injury-in-fact based on possible future injury.

In the Fourth Circuit case, Beck v. McDonald, No. 15-1395 (4th Cir. Feb. 6, 2017), veterans in two consolidated cases alleged that the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC), had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA) after a laptop containing their unencrypted personal information, such as names, birthdates, and the last four digits of their social security numbers was stolen; and, in another case, four boxes of pathology reports containing confidential patient information went missing. The plaintiffs sought declaratory relief and monetary damages under the Privacy Act, and broad injunctive relief under the APA, potentially placing the entire VA’s privacy program under judicial oversight.

Upholding the districts court’s dismissal for lack of subject-matter jurisdiction, the Fourth Circuit found the plaintiffs’ grounds for standing did not satisfy the Supreme Court’s Article III standard that qualifies the threat of injury as an injury-in-fact: harm that is particular, concrete and imminent. The court found the increased risk of future identity theft to be speculative because, unlike the Sixth, Seventh and Ninth Circuit cases cited by plaintiffs, there was no evidence that any of the personal information had actually been accessed or misused. In those cases, the breaches at issue had been carried out by malicious hackers who intended to use the information they had culled for fraudulent purposes. In the absence of such facts, the Fourth Circuit reasoned, it must “engage with the same attenuated chain of possibilities” rejected by the Supreme Court in Clapper v. Amnesty International. It would have to assume not only that that the thieves targeted the stolen items for a pernicious purpose, but chose from thousands of people to use the personal information of the named plaintiffs to steal their identities.

In an attempt to establish that they faced a substantial risk of future harm, the plaintiffs argued that 33% of health-related data breaches result in identity theft. The court was not swayed, reasoning that, even if the figure were true, it would mean that over 66% of those affected would suffer no harm. The plaintiffs even took a stab at irony, deriding the VA’s offer to provide free credit monitoring services to affected individuals as a tacit admission that the plaintiffs faced a substantial risk of future harm. The court rejected this argument as well, though it acknowledged that other circuits have shown some tolerance on the issue. In response to the plaintiffs’ allegations that they had suffered an injury-in-fact because of expenses they have or will in the future incur to shield themselves against identity theft, the court characterized these mitigation efforts, like Clapper, as “self-imposed harms” because, again, there was no evidence that the threat of harm went beyond speculation. Finally, the court found that the allegations of “substantial harm,” “embarrassment,” “inconvenience” and “unfairness” under the Privacy Act and APA would not relieve them of the burden to prove Article III standing. Both statutes were interpreted as requiring evidence of actual harm.

One final note: the Fourth Circuit leaned on the procedural posture of Beck in making its decision. Since the plaintiffs’ standing was challenged not during the pleadings, but on summary judgment, which occurs after the discovery of evidence phase in litigation, the court held them to a higher threshold, demanding that allegations must be backed by specific facts to meet the burden of Article III standing.

Tagged with: , , , , ,
Posted in Data Breach, Litigation

Plaintiffs in Horizon Breach Win Key Article III Ruling at 3rd Circuit

hacker's hands on laptop keyboardRecently, the Third Circuit Court of Appeals overturned a United States District Court for the District of New Jersey dismissal of a class action filed in the aftermath of a data breach at Horizon Healthcare Services Inc., (“Horizon”). The appellate decision in In Re: Horizon Healthcare Services Inc. Data Breach Litigation may expand the conditions under which a plaintiff can file suit against a company for loss of digitalized personal information. According to the Third Circuit, it appears that violations of federal privacy law are considered de facto injuries, providing plaintiffs with standing regardless of whether they suffer an economic loss.

In November 2013, two laptops containing the unencrypted information of 839,000 Horizon customers were stolen from the company’s New Jersey headquarters. A class of Horizon members quickly filed a class action lawsuit that included claims of willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), among other state-based claims.

At the core of the plaintiffs’ claim was the assertion that Horizon is a consumer reporting agency that had violated the FCRA by allowing their private information to fall into the hands of thieves and failing to adopt procedures that would keep sensitive information confidential. The plaintiffs sought statutory, actual and punitive damages, and an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner. The plaintiffs claimed that the violation of their statutory right to have their information secured against unauthorized disclosure is in and of itself an injury. Read more ›

Tagged with: , , , ,
Posted in Data Breach

Protect Against Cyber Attacks: A New Guide to Help Small Businesses

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are beginning to target smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals. It provides a simple and actionable framework to help minimize security risks.

The NIST guide is divided into five basic categories (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  1. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack to identify any system vulnerabilities.

  1. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  1. Detect

While some security events are easily detectable, many are not. Businesses should consider implementing anti-virus software that is designed to detect intrusions. Additionally, it may be worthwhile to use a program that keeps a log of daily activity that occurs on the network. These logs may show trends that indicate an intrusion has occurred. An outside consultant can be a valuable tool in interpreting these trends as there may be a more serious problem that is not readily apparent.

  1. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. Appoint a person who will implement the plan, include the contact information of all internal personnel who should be notified, as well as directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  1. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. If possible, restore backed up data or implement a backup procedure for business data. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.

Tagged with: , , , , , , , , , ,
Posted in Cyberattack, Data Breach, Data Security, Privacy, Standards

Commission on Enhancing Cybersecurity Report Calls for Greater Investment

computer with lockOn Friday December 2nd the President’s Commission on Enhancing Cybersecurity (“Commission”) released their long-awaited Report on Securing and Growing the Digital Economy. The nonpartisan Commission was created in April by President Obama with the objective of examining U.S. cybersecurity policy and the determining “actionable recommendations” to secure the increasingly interdependent cyber infrastructure.  Given the increasingly number of intrusions, disruptions, manipulations and thefts due to cyber vulnerabilities, the report is apt in its expression that technological advancement is outpacing U.S. cybersecurity practices and policies. President-elect Trump had pledged to adopt several cybersecurity policies, one being a commission, very much like the Commission on Enhancing Cybersecurity. Thus this report should be welcomed by President-elect Trump as a formative step in his cybersecurity reform.

The report offers 16 recommendations and 53 “associated actions.” The recommendations are broken down into six major categories, including, protecting and securing information infrastructure; building cybersecurity workforce capabilities; and ensuring an open, fair and secure global digital economy. Amongst the recommendations, two are notable for different reason: the creation and appointment of an Ambassador for Cybersecurity, “to lead U.S. engagement with the international community on cybersecurity strategies, standards and practices;” and a larger focus on training and hiring cybersecurity professionals. The recommendation for a cyber ambassador is a major acknowledgment that cyber issues know no boundaries and the interconnected nature of the global economy presents a serious and international threat to trade and businesses. Meanwhile, the Commission placed a premium on introducing new incentives and investments in innovation to attract new cyber security professionals, signifying its intention to increase U.S. capabilities. In specific numbers, the report recommended creating a national cybersecurity workforce program with the aim of training 100,000 new cybersecurity professionals by 2020.

These major recommendations are not specifically what the President-elect called for during the campaign, but the general tone regarding the importance of stepping up the United States’ cyber capabilities, is reflective of his proposals. Both the report and Trump have been clear that U.S. is not reaching its greatest cyber potential and needs to be if it seeks to maintain its position as a global leader. This report provides a comprehensive plan to increasing U.S. focus and capabilities on cybersecurity.

Overall the report calls for investment in cybersecurity mechanisms, greater attention to the foibles that plague current U.S. cybersecurity policy, and strengthening of public–private sector dialogues involving cybersecurity. The Commission, although an Obama administration installation, is geared towards gaining the attention of President-elect Trump. However, until his intentions are made clear, the report will remain simply recommendations.

Tagged with: , ,
Posted in Standards

NIST Releases Comprehensive Cyber Security Guidelines for the Internet of Things

internet of thingsAs the Internet of Things continues to grow and expand, the fact that guidance on security measures and protections is a necessity has become increasingly evident. Recently, the National Institute of Standards and Technology (NIST) released a lengthy set of IoT guidelines, known as NIST Special Publication 800-160. NIST unveiled the nearly 260-page publication at the Splunk GovSummit 2016 conference. The announcement came on the heels of the Dyn attack in late October, which further highlighted the immediate need for standards and guidance.

The strictly voluntary guidelines work to address questions and concerns about protections for devices connected to the internet. It is estimated that there are currently approximately 7 billion things connected to the Internet, but experts expect that number to triple by 2020. NIST described IoT as a “powerful and complex” system which is “inexorably linked to [our] economic and national security interests.”

Given the enormous nature of this ever-growing sector of the digital world, it must be in the forefront of cyber-security discussions. IoT not only must be actually secure, but users must have a sense of trustworthiness in the security and protections. One drafter said that users must have the same confidence in the security of IoT as they do the safety of a bridge they cross or an airplane they board. However, not only do policies and protections need to build up users’ confidences, but they need to simultaneously degrade the confidence that cyber-criminals have in their own abilities and operations.

NIST expressly stated in Special Publication 800-160 that its objective is to “address security issues” and “to use established engineering processes to ensure that needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner.”

As is the case behind most cyber-security policies, NIST is striving to limit the damage of inevitable, successful breaches. It recognizes that preventing breaches or attacks is not a realistic goal. Therefore, the drafters focused on emphasizing that necessary protections must be incorporated at the design stage and built into devices rather than being an afterthought, analogous to an airbag being built into the dashboard of a car. The protections also must be capable of keeping the device secure throughout its life-cycle.

Although the guidelines are voluntary, they should spawn valuable conversation and discussion. In order for the guidelines to have the desired effect, industry, government, and academia must all join forces to promote their benefits and vouch for their necessity.

Lawyers can use the guidelines to facilitate conversations with clients about cybersecurity measures. The guidelines can be presented to boards of directors and executives and positioned as a detailed overview of what must be done to implement security measures. Because the guidelines are government-backed and have been approved by the federal government, they can also be a tool used to get the support, including the financial support, necessary to implement security measures. They can also be used as a reference point when evaluating cyber insurance policies, as underwriters can refer to them during the underwriting process.

Lawyers should also caution clients that there will likely be regulators and litigants who point to the guidelines when attempting to impose liability on device manufacturers following a breach. Failure to follow the standards, it will be argued, is evidence of negligence or lackadaisical security. Whether the guidelines will create a standard of care remains to be seen, but they should certainly become part of the conversation as the IoT – with all of its inherent risks – continues to expand.

For a copy of the guidelines, follow this link: NIST Guidelines

Tagged with: , ,
Posted in Standards
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Receive Email Updates

Email:

Cozen O’Connor Blogs