CareFirst Data Breach Appeal Holds Three Key Lessons for Cyberattack Litigants

A recent federal appellate decision suggests that it might be getting easier for cyberattack plaintiffs to establish standing in a manner sufficient to survive a motion to dismiss. According to the U.S. Court of Appeals for the District of Columbia Circuit, people whose personal information was compromised in a cyberattack have standing to sue so long as they allege that a data breach traceable to the target company’s negligence exposed them to a substantial risk of identity theft, and they reasonably spent money to protect themselves in the wake of the attack. The case is Attias v. CareFirst, Inc., decided on August 1, 2017.

In so holding, the Court of Appeals reversed the district court’s dismissal of the action, admonishing the lower court for giving “the complaint an unduly narrow reading.” Both decisions turned on whether the plaintiffs had alleged that their social security or credit card numbers had been stolen. The lower court concluded that the plaintiffs did not demonstrate a sufficiently substantial risk of harm, and therefore lacked standing, because they had “not suggested, let alone demonstrated how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.”

The Court of Appeals took issue with this approach, because it presumed that the plaintiffs did not allege that this information had been stolen. However, the court noted, the complaint alleged that “PII/PHI/Sensitive Information” had been taken, and included in the definition of that term “patient credit card … and social security numbers.” Further, the complaint alleged that identity thieves could use the information accessed in the attack to “open new financial account[s] [and] incur charges in another person’s name.” At the motion to dismiss stage, this combination of allegations is sufficient to establish a substantial risk of future harm, the court held.

A distinguishing feature of cyberattack cases, the court noted, is that an unauthorized party has already accessed another person’s information. In this circumstance, “it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill,” the court reasoned.

Having found that the plaintiffs had sufficiently alleged an “injury in fact” to establish standing, the Court of Appeals then addressed the second prong in the standing analysis: whether the injury could be fairly traced to the alleged conduct of the defendant. CareFirst argued that this prong was not met, because there was no allegation that the attacker was affiliated with the company. But such a direct connection is not required, the Court of Appeals concluded. Rather, the plaintiffs’ allegation that CareFirst failed to properly secure their data creates enough of a link to the injury to satisfy the “fairly traceable” standard.

Finally, the court made short work of finding that the plaintiffs had satisfied the final requirement for standing – that the harm they suffered was “likely to be redressed by a favorable judicial decision” – by alleging that they had reasonably spent money to protect themselves against the potential for identity theft. This money could be recovered through an award of money damages, thereby meeting the third prong of the standing analysis.

In conclusion, Attias v. CareFirst carries three main takeaways for cyberattack litigants on the question of standing: (1) some courts will take a broad reading of complaint allegations at the motion to dismiss stage, and may infer from the cyberattack itself an intent to harm the victims; (2) the hacker need not be affiliated with the target company for the plaintiffs’ alleged harm to be traced back to that company; and (3) if the plaintiffs reasonably incurred costs to protect themselves from identity theft in the wake of the attack, they will, at least in some jurisdictions, satisfy prong three of the standing analysis.

Posted in Cyberattack, Data Breach, Litigation

Will the New General Data Protection Regulations (“GDPR”) Be a Block in the Chain?

Yes, I know that I ooze wit, but seriously, on 25 May 2018 the new GDPR will come into force, replacing the current data protection regulations (irrespective of Brexit). The principle at the heart of the GDPR is that personal data can only be gathered under strict conditions for legitimate purposes. More importantly, however, among other things it gives people the “right to be forgotten.” With this in mind, how will the GDPR fit in with the blockchain? After all, isn’t the whole purpose of the blockchain to record the ownership of just about anything, by using a fully trustworthy peer-to-peer payment system that provides a neutral, permanent, irrefutable and, more importantly, transparent record of all transactions? How can a data controller erase personal information on the blockchain?

It seems to me that, as organisations are forging ahead to be compliant by 2018, this new wide-ranging and challenging obligation needs a practical and universally agreed solution. Otherwise we are going to embark on an era of satellite litigation over what constitutes “reasonable steps” – against a backdrop of ever-changing advancements in technology.

The solution may not rest with the lawyers alone (boo) – but a combination of legal drafting and a Blockchain platform which allows transactions/smart contracts to be created off-chain in stake channels, which protects people’s privacy.

We are in a strange new world. Who would have ever envisaged 20 years ago that lawyers (who are renowned technophobes – hence the reason why they became lawyers) and computer scientists (who love having to consider every analytical possibility when designing code) would become ideal business partners …

Posted in Data Security, Privacy, Regulations

Coca-Cola Dodges Privacy Class Action

Coca-Cola won big last month when it secured summary judgment in a privacy class action brought by a former bottling plant employee concerning compromised personal information. Hon. Joseph Leeson of the Eastern District of Pennsylvania found that Coca-Cola was not under any contractual obligation to protect its employees’ personal information.

The issues arose when an ill-motived former IT employee disposed of old Coca-Cola laptops that were still storing employee information, including addresses, phone numbers and SSNs. The proposed class action was brought on behalf of the 74,000 employees whose information was compromised.

The court rejected plaintiff’s arguments that a handful of company policies, when woven together, impose a contractual duty on Coca-Cola to safeguard information for the benefit of employees. Coca-Cola argued that its detailed security policies create obligations to safeguard Company information to support business operations, but not to shield employees personally. The judge agreed, ruling the relevant policy provisions serve to protect the company, not the employees.

Cited provisions came from the Code of Conduct, the Protection Policy and the Acceptable Use Policy, and read, in part: “Computer hardware, software, and data must be safeguarded from damage, theft, fraudulent manipulation, and unauthorized access to and disclosure of Company information.” Another provision stated that “[w]e all have an obligation to safeguard Company assets including exercising care in using Company equipment, vehicles, and bringing to the attention of high management any waste, misuse, destruction, or theft of Company property or illegal activity.”

It is also noteworthy that, despite not being contractually obligated to protect employee information, Coca-Cola was responsible and proactive in response to the incident. Coca-Cola informed employees of the lost laptops and provided one year of free credit monitoring and fraud restoration services. Ironically, plaintiff claimed that Coca-Cola should compensate him for wages lost because of the time required to submit the necessary information to obtain the protection services. The court explicitly rejected this as well.

The case is Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, in the U.S. District Court for the Eastern District of Pennsylvania.

Posted in Data Breach, Data Security, Litigation, Privacy

Win for Insurance Industry in Computer Fraud Coverage Ruling

Computers are involved at some point in almost every business transaction—that is the reality of life in the digital age. The implications of that fact are still being worked out with respect to the interpretation of insurance contract computer fraud provisions. This month, a judge in the Northern District of Georgia issued a narrow reading, handing the insurance company an important victory.

InComm is a debit card processing company that allows consumers to purchase credits, referred to as “chits,” which can be loaded onto a debit card. From November 2013 through May 2014, a system vulnerability allowed consumers to redeem a single chit multiple times, thereby receiving more than the value they had purchased. In total, InComm processed more than 25,000 unauthorized redemptions, mistakenly transmitting more than $11 million to various debit card issuers.

Once InComm discovered the losses, it sought coverage from its insurer, Great American Insurance Company (“GAIC”). Citing the policy’s computer fraud provision, GAIC denied coverage, and InComm responded by filing suit for breach of contract and bad faith and seeking a declaration of coverage.

The relevant computer fraud provision stated: “[GAIC] will pay for loss of, and loss from damage to, money, securities, and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”

In the case of InComm, the company’s redemption program allowed cardholders to conduct debit card activity by dialing in by phone and using either voice or touchtone commands to claim chits. Therefore, the unauthorized transactions at issue (conducted by sophisticated identity theft perpetrators) were accomplished using a phone, not a computer.

In granting summary judgment to GAIC, the court found that the computer fraud provision did not apply because the actual fraud was committed using a phone. The court explained that simply because “a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss.” Finding to the contrary would “unreasonably expand the scope” of the computer fraud provision, which was intended to limit coverage to computer fraud. Finally, the judge concluded, to accept “lawyerly arguments” that coverage should be expanded to include losses “involving a computer engaged at any point in the causal chain” would “strain the ordinary understanding of computer fraud.”

The case is InComm Holdings Inc. v. Great American Insurance Co., No. 1:15-cv-2671 (N.D. Ga. Mar. 16, 2017).

Posted in Legislation, Litigation

Fourth Circuit To Plaintiffs: “Could” Isn’t Enough For Standing

A split continued to develop in the federal courts last month as the Fourth Circuit denied Article III standing to the plaintiffs in a data breach case whose alleged injuries were limited to the increased risk of future identity theft and the cost of measures to protect against it. The Fourth Circuit joins the First and Third Circuits in rejecting this theory as grounds for standing, finding it too great of a stretch. In contrast, the Sixth, Seventh and Ninth Circuits have all recognized in certain circumstances that, at the pleading stage, plaintiffs can establish an injury-in-fact based on possible future injury.

In the Fourth Circuit case, Beck v. McDonald, No. 15-1395 (4th Cir. Feb. 6, 2017), veterans in two consolidated cases alleged that the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC), had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA) after a laptop containing their unencrypted personal information, such as names, birthdates, and the last four digits of their social security numbers was stolen; and, in another case, four boxes of pathology reports containing confidential patient information went missing. The plaintiffs sought declaratory relief and monetary damages under the Privacy Act, and broad injunctive relief under the APA, potentially placing the entire VA’s privacy program under judicial oversight.

Upholding the district court’s dismissal for lack of subject-matter jurisdiction, the Fourth Circuit found the plaintiffs’ grounds for standing did not satisfy the Supreme Court’s Article III standard that qualifies the threat of injury as an injury-in-fact: harm that is particular, concrete and imminent. The court found the increased risk of future identity theft to be speculative because, unlike the Sixth, Seventh and Ninth Circuit cases cited by plaintiffs, there was no evidence that any of the personal information had actually been accessed or misused. In those cases, the breaches at issue had been carried out by malicious hackers who intended to use the information they had culled for fraudulent purposes. In the absence of such facts, the Fourth Circuit reasoned, it would have to “engage with the same attenuated chain of possibilities” rejected by the Supreme Court in Clapper v. Amnesty International. It would have to assume not only that the thieves targeted the stolen items for a pernicious purpose, but that they chose, from thousands of people, to use the personal information of the named plaintiffs to steal their identities.

In an attempt to establish that they faced a substantial risk of future harm, the plaintiffs argued that 33% of health-related data breaches result in identity theft. The court was not swayed, reasoning that, even if the figure were true, it would mean that over 66% of those affected would suffer no harm. The plaintiffs even took a stab at irony, deriding the VA’s offer to provide free credit monitoring services to affected individuals as a tacit admission that the plaintiffs faced a substantial risk of future harm. The court rejected this argument as well, though it acknowledged that other circuits have shown some tolerance on the issue. In response to the plaintiffs’ allegations that they had suffered an injury-in-fact because of expenses they have incurred or will incur in the future to shield themselves against identity theft, the court characterized these mitigation efforts, as in Clapper, as “self-imposed harms” because, again, there was no evidence that the threat of harm went beyond speculation. Finally, the court found that the allegations of “substantial harm,” “embarrassment,” “inconvenience” and “unfairness” under the Privacy Act and APA would not relieve the plaintiffs of the burden to prove Article III standing. Both statutes were interpreted as requiring evidence of actual harm.

One final note: the Fourth Circuit leaned on the procedural posture of Beck in making its decision. Since the plaintiffs’ standing was challenged not during the pleadings, but on summary judgment, which occurs after the discovery of evidence phase in litigation, the court held them to a higher threshold, demanding that allegations must be backed by specific facts to meet the burden of Article III standing.

Posted in Data Breach, Litigation

Plaintiffs in Horizon Breach Win Key Article III Ruling at 3rd Circuit

Recently, the Third Circuit Court of Appeals overturned a United States District Court for the District of New Jersey dismissal of a class action filed in the aftermath of a data breach at Horizon Healthcare Services Inc. (“Horizon”). The appellate decision in In Re: Horizon Healthcare Services Inc. Data Breach Litigation may expand the conditions under which a plaintiff can file suit against a company for loss of digitalized personal information. According to the Third Circuit, it appears that violations of federal privacy law are considered de facto injuries, providing plaintiffs with standing regardless of whether they suffer an economic loss.

In November 2013, two laptops containing the unencrypted information of 839,000 Horizon customers were stolen from the company’s New Jersey headquarters. A class of Horizon members quickly filed a class action lawsuit that included claims of willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), among other state-based claims.

At the core of the plaintiffs’ claim was the assertion that Horizon is a consumer reporting agency that had violated the FCRA by allowing their private information to fall into the hands of thieves and failing to adopt procedures that would keep sensitive information confidential. The plaintiffs sought statutory, actual and punitive damages, and an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner. The plaintiffs claimed that the violation of their statutory right to have their information secured against unauthorized disclosure is in and of itself an injury.

Posted in Data Breach

Protect Against Cyber Attacks: A New Guide to Help Small Businesses

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are beginning to target smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals. It provides a simple and actionable framework to help minimize security risks.

The NIST guide is divided into five basic categories (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  2. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack to identify any system vulnerabilities.

  3. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  4. Detect

While some security events are easily detectable, many are not. Businesses should consider implementing anti-virus software that is designed to detect intrusions. Additionally, it may be worthwhile to use a program that keeps a log of daily activity that occurs on the network. These logs may show trends that indicate an intrusion has occurred. An outside consultant can be a valuable tool in interpreting these trends as there may be a more serious problem that is not readily apparent.

  5. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. Appoint a person who will implement the plan, and include the contact information of all internal personnel who should be notified, as well as directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  6. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. If possible, restore backed up data or implement a backup procedure for business data. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.

Posted in Cyberattack, Data Breach, Data Security, Privacy, Standards

Commission on Enhancing Cybersecurity Report Calls for Greater Investment

On Friday, December 2nd, the President’s Commission on Enhancing Cybersecurity (“Commission”) released its long-awaited Report on Securing and Growing the Digital Economy. The nonpartisan Commission was created in April by President Obama with the objective of examining U.S. cybersecurity policy and determining “actionable recommendations” to secure the increasingly interdependent cyber infrastructure. Given the increasing number of intrusions, disruptions, manipulations and thefts due to cyber vulnerabilities, the report is apt in its expression that technological advancement is outpacing U.S. cybersecurity practices and policies. President-elect Trump had pledged to adopt several cybersecurity policies, one being a commission very much like the Commission on Enhancing Cybersecurity. Thus this report should be welcomed by President-elect Trump as a formative step in his cybersecurity reform.

The report offers 16 recommendations and 53 “associated actions.” The recommendations are broken down into six major categories, including protecting and securing information infrastructure; building cybersecurity workforce capabilities; and ensuring an open, fair and secure global digital economy. Amongst the recommendations, two are notable for different reasons: the creation and appointment of an Ambassador for Cybersecurity, “to lead U.S. engagement with the international community on cybersecurity strategies, standards and practices;” and a larger focus on training and hiring cybersecurity professionals. The recommendation for a cyber ambassador is a major acknowledgment that cyber issues know no boundaries and that the interconnected nature of the global economy presents a serious and international threat to trade and businesses. Meanwhile, the Commission placed a premium on introducing new incentives and investments in innovation to attract new cybersecurity professionals, signifying its intention to increase U.S. capabilities. In specific numbers, the report recommended creating a national cybersecurity workforce program with the aim of training 100,000 new cybersecurity professionals by 2020.

These major recommendations are not specifically what the President-elect called for during the campaign, but the general tone regarding the importance of stepping up the United States’ cyber capabilities is reflective of his proposals. Both the report and Trump have been clear that the U.S. is not reaching its greatest cyber potential and needs to if it seeks to maintain its position as a global leader. This report provides a comprehensive plan for increasing U.S. focus and capabilities on cybersecurity.

Overall the report calls for investment in cybersecurity mechanisms, greater attention to the foibles that plague current U.S. cybersecurity policy, and strengthening of public–private sector dialogues involving cybersecurity. The Commission, although an Obama administration installation, is geared towards gaining the attention of President-elect Trump. However, until his intentions are made clear, the report will remain simply recommendations.

Posted in Standards

NIST Releases Comprehensive Cyber Security Guidelines for the Internet of Things

As the Internet of Things continues to grow and expand, it has become increasingly evident that guidance on security measures and protections is a necessity. Recently, the National Institute of Standards and Technology (NIST) released a lengthy set of IoT guidelines, known as NIST Special Publication 800-160. NIST unveiled the nearly 260-page publication at the Splunk GovSummit 2016 conference. The announcement came on the heels of the Dyn attack in late October, which further highlighted the immediate need for standards and guidance.

The strictly voluntary guidelines work to address questions and concerns about protections for devices connected to the internet. It is estimated that there are currently approximately 7 billion things connected to the Internet, but experts expect that number to triple by 2020. NIST described IoT as a “powerful and complex” system which is “inexorably linked to [our] economic and national security interests.”

Given the enormous nature of this ever-growing sector of the digital world, it must be at the forefront of cyber-security discussions. IoT not only must be actually secure, but users must have a sense of trustworthiness in the security and protections. One drafter said that users must have the same confidence in the security of IoT as they do in the safety of a bridge they cross or an airplane they board. However, not only do policies and protections need to build up users’ confidence, but they need to simultaneously degrade the confidence that cyber-criminals have in their own abilities and operations.

NIST expressly stated in Special Publication 800-160 that its objective is to “address security issues” and “to use established engineering processes to ensure that needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner.”

As is the case behind most cyber-security policies, NIST is striving to limit the damage of inevitable, successful breaches. It recognizes that preventing breaches or attacks is not a realistic goal. Therefore, the drafters focused on emphasizing that necessary protections must be incorporated at the design stage and built into devices rather than being an afterthought, analogous to an airbag being built into the dashboard of a car. The protections also must be capable of keeping the device secure throughout its life-cycle.

Although the guidelines are voluntary, they should spawn valuable conversation and discussion. In order for the guidelines to have the desired effect, industry, government, and academia must all join forces to promote their benefits and vouch for their necessity.

Lawyers can use the guidelines to facilitate conversations with clients about cybersecurity measures. The guidelines can be presented to boards of directors and executives and positioned as a detailed overview of what must be done to implement security measures. Because the guidelines are government-backed and have been approved by the federal government, they can also be a tool used to get the support, including the financial support, necessary to implement security measures. They can also be used as a reference point when evaluating cyber insurance policies, as underwriters can refer to them during the underwriting process.

Lawyers should also caution clients that there will likely be regulators and litigants who point to the guidelines when attempting to impose liability on device manufacturers following a breach. Failure to follow the standards, it will be argued, is evidence of negligence or lackadaisical security. Whether the guidelines will create a standard of care remains to be seen, but they should certainly become part of the conversation as the IoT – with all of its inherent risks – continues to expand.

For a copy of the guidelines, follow this link: NIST Guidelines

Posted in Standards

Commercial Trucking Goes Green for Safer Streets

A new federal mandate requires most commercial truck drivers to “go green” by trading in their old paper logs for electronic logging devices (ELDs) by December 18, 2017. Thought to affect roughly 3.5 million truck drivers, the new mandate is intended to increase driver compliance with federal drive-time regulations and decrease burdensome paperwork.

Commercial truck drivers are legally required to take a lengthy break after 11 hours of consecutive driving, but drivers have admitted to driving longer hours and falsifying their logs. The ELD mandate is expected to improve compliance with the federally required hours of service because the logs will be electronically linked to vehicle engines. Reports have shown that on average each year, there are 1,800 crashes (resulting in 60 injuries and 25 deaths) from driving while tired, and the hope is that new ELD requirements will decrease the number of fatigue-related accidents.

When the engine is on, the ELD records the date, time and location of the truck within a one-mile radius. It also records the drivers’ identification and motor carrier information. It does not record continuously, but automatically logs this information once per hour. The ELD is also intended to document when a driver changes status from “driving,” “on duty but not driving,” “moving to the sleeper berth,” and “off duty.” The driver is responsible for inputting the status information, since an entirely automatic option was considered too invasive. Recorded ELD data is stored and subject to access by authorized safety vehicles during inspections or audits.

Driver monitoring, of course, is nothing new. Truckers are already required to manually log most of this information and make it available upon request. Nonetheless, the ELD mandate was not warmly received by many in the commercial trucking community. A contentious relationship has existed between the commercial trucking industry and the Department of Transportation (DOT) since 1995, when Congress directed the DOT to revise the hours of service requirements. From 1995 to 2012, the DOT proposed many rules changes, all of which were challenged and struck down—three times in federal court, once in the Seventh Circuit.

In 2012, Congress stepped in again and passed the Motor Vehicle Enhancement Act, explicitly directing the DOT to come up with an ELD rule. In December 2015, when the new ELD rule was first released, it was promptly challenged by two professional truck drivers and the Owner-Operator Independent Drivers Association (OOIDA). This time, however, on October 31, 2016, the Seventh Circuit upheld the ELD mandate.

Petitioners argued the ELD mandate should be struck down for numerous reasons, including their contention that it constitutes an unreasonable search and/or seizure and thereby violates the Fourth Amendment. The Seventh Circuit responded to the Fourth Amendment challenge by noting that it “need not resolve whether the ELD mandate constitutes a search or seizure. Even if it did, it would be reasonable under the Fourth Amendment exception for pervasively regulated industries.”

The Court used a three-part analysis to conclude that the commercial trucking industry is pervasively regulated: (1) the history of the regulation in commercial trucking; (2) the comprehensiveness of commercial trucking regulations; and (3) the inherent dangers in the commercial trucking industry.

To each of these points, respectively, the Court noted that the industry has been government regulated since 1935. It said that commercial trucking regulations are comprehensive and extensive, governing everything from driver qualifications to vehicle inspections. And, lastly, the Court cited its own opinion from 2007 upholding random drug testing for truck drivers to show that commercial trucking is an inherently dangerous activity. In 2007, it stated that trucking is “fraught with such risks of injury to others that even a momentary lapse of attention could have disastrous consequences.”

The Seventh Circuit also established that the ELD mandate is a reasonable way to regulate the commercial trucking industry. It found that the government has a substantial interest in the commercial trucking industry and that ELDs are a necessary advance because paper logs are subject to falsification, forgery, and human error—not to mention motor carrier pressure on drivers to drive for longer hours than legally allowed. It also considered the ELD mandate a constitutionally adequate substitute for a warrant largely because it is not any different than the current search of paper logs.

In response to the petitioners’ other arguments, the Seventh Circuit ruled that (1) ELDs do not need to be entirely automatic because, if they were, they would be “breathtakingly invasive;” (2) the ELD mandate sufficiently protects drivers from ELD-related harassment by motor carriers; (3) no cost-benefit analysis was necessary for implementing the ELD mandate because it was done at Congress’s direction; and (4) ELD information will be kept sufficiently confidential as per the statutory requirement.

The OOIDA has not said whether it will appeal the Seventh Circuit’s decision, but the organization has made clear its disappointment with the ruling. Its displeasure notwithstanding, it appears that the commercial trucking industry will be going green. The hope is that ELDs will collect information more efficiently and accurately, while creating safer roads, but without introducing new or unforeseen privacy concerns for drivers.

Posted in Privacy, Regulations
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.