This blog is a service of Alston & Bird's Privacy & Security team and focuses on key data privacy and data security issues.

8-6-7-5-3-0-Class Action: Florida Court Certifies TCPA Class

June 4, 2013 | Posted by David Carpenter, Brian Boone and Dave Venderbush | Topic(s): Data Security, Privacy, Telephone Consumer Protection Act

Manno v. Healthcare Revenue Recovery Group, No. 11-61357 (S.D. Fla.) (Mar. 26, 2013)
Judge Scola. Granting class certification.

Individual consent issues often derail putative TCPA classes. Not this one (at least not yet).

The plaintiff gave his cellphone number to a hospital as part of his admission to the emergency room. Later, when the plaintiff failed to pay for the ER visit, Healthcare Recovery Group (the hospital’s debt collector) called him to try to recover the debt. He sued Healthcare Recovery under the TCPA (and other statutes), contending that the debt collector illegally used an autodialer and pre-recorded message to make the call.

Judge Scola rejected Healthcare Recovery’s argument that consent was an individualized issue. According to the court, discovery had shown that the lion’s share of proposed class members had no contact with Healthcare Recovery before the allegedly illegal calls (and thus had no chance to consent to those calls). 

Written by David Carpenter, Senior Associate, Litigation & Trial Practice, Brian Boone, Senior Associate, Litigation & Trial Practice and Dave Venderbush, Counsel, Products Liability | Alston & Bird LLP

Consent Issues Swamp California Privacy Class

June 4, 2013 | Posted by David Carpenter, Brian Boone and Dave Venderbush | Topic(s): Data Security, Privacy, Invasion of Privacy Act

Quesada v. Banc of America Investment Services, No. 11-cv-01703 (N.D. Cal.) (Feb. 19, 2013)
Judge Rogers. Denying class certification.

A California client of Merrill Lynch (successor-in-interest to Banc of America Investment Services) sued the investment firm alleging that it violated California’s Invasion of Privacy Act by surreptitiously recording her conversations with Merrill employees. She sought to represent a class of other taped customers.

Judge Rogers denied class certification because there was no common evidence of lack of consent to the taping.

Written by David Carpenter, Senior Associate, Litigation & Trial Practice, Brian Boone, Senior Associate, Litigation & Trial Practice and Dave Venderbush, Counsel, Products Liability | Alston & Bird LLP

Consent Issues Doom Privacy Class

June 4, 2013 | Posted by David Carpenter, Brian Boone and Dave Venderbush | Topic(s): Data Security, Privacy, Telephone Consumer Protection Act

Jamison v. First Credit Services, Inc., No. 12 C 4415 (N.D. Ill.) (Mar. 28, 2013)
Judge Kendall. Denying class certification.

A Honda customer sued First Credit Services (Honda’s debt collection firm) under the Telephone Consumer Protection Act alleging that First Credit obtained his cellphone number illegally through “skip-tracing” (a fancy term for investigative research). The plaintiff sought to represent a class of Honda owners who had received similar unsolicited calls from First Credit.

Judge Kendall denied class certification. Recognizing that First Credit couldn’t be liable under the TCPA if a customer had consented to receiving phone calls, the court concluded that individualized issues of consent (or lack thereof) forestalled class certification. 

Written by David Carpenter, Senior Associate, Litigation & Trial Practice, Brian Boone, Senior Associate, Litigation & Trial Practice and Dave Venderbush, Counsel, Products Liability | Alston & Bird LLP

Click Here for Class Action: Illinois Court Gives the Green Light to Huge Internet Privacy Class

June 4, 2013 | Posted by David Carpenter, Brian Boone and Dave Venderbush | Topic(s): Data Security, Privacy, U.S. Chamber of Commerce

Harris v. comScore, Inc., No. 11 C 5807 (N.D. Ill.) (Apr. 2, 2013)
Judge Holderman. Granting class certification in part.

Everybody shops on the Internet these days. comScore developed software that tracks consumers’ online behavior. Consumers download the software in exchange for incentives like free third-party software. Each person who downloads comScore’s software agrees (through an electronic click-wrap agreement) to permit comScore to monitor their Internet behavior.

New York Takes Increased Regulatory Interest in Cybersecurity Practices at Insurance Companies

June 3, 2013 | Posted by Louis Dennig | Topic(s): Cybersecurity, Financial Privacy, Cybercrime

On Tuesday, May 28, at the direction of New York Governor Andrew Cuomo, the New York State Department of Financial Services (“DFS”) requested that the State’s largest insurance companies provide DFS with information regarding their cybersecurity practices. Among other requests, DFS is seeking information on what cybersecurity safeguards those insurance companies have in place, whether they have been the target of a cyber-attack within the past three years and the amount of resources the insurance companies dedicate to cybersecurity. The requests came in the form of “308 Letters,” which create a legal obligation for the recipient insurance companies to provide a response. DFS sent similar requests to the largest banks operating in the State earlier this year. The Governor stressed that while the State is “intensely focused on making sure that banks have the protections in place they need . . . we always have to keep at least one eye on the lookout for the next big threat.” The Superintendent of DFS and co-chair of Governor Cuomo’s Cyber Security Advisory Board opined that “cybersecurity at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot. We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.” The 31 insurance companies receiving the letters include Aetna, AIG, Humana, Liberty Mutual, MetLife, Travelers and United Health Group.

The full text of a related Press Release issued from Governor Cuomo’s Office may be read at: http://www.dfs.ny.gov/about/press2013/pr1305281.htm

To read the full text of a related advisory, please click on Cyber Alert - New York State Inquires into Insurance Company Cybersecurity Practices: A Signal of Increased Proactive Regulator Interest in Data Security?

Written by Louis Dennig, Associate, Litigation & Trial Practice Group | Alston & Bird LLP

Kim Peretti Quoted in The Wall Street Journal

June 2, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

On June 2, 2013, Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team, was quoted in The Wall Street Journal article “Support Grows to let Cybertheft Victims ‘Hack Back.’”

A version of this article appeared June 3, 2013, on page B6 in the U.S. Edition of The Wall Street Journal, with the headline, “Cybertheft Victims Itchy to Retaliate.”

Written by Security Incident Management & Response Team | Alston & Bird LLP

Peretti and DePalo's "Evolving DDOS Attacks Provide the Driver for Financial Institutions to Enhance Response Capabilities" Published in The Banking Law Journal

May 30, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Data Breach, Cybercrime

Kim Peretti, co-lead of the Security Incident Management & Response Team, and Maki DePalo, Associate, recently published “Evolving DDOS Attacks Provide the Driver for Financial Institutions to Enhance Response Capabilities,” in the most recent May issue of The Banking Law Journal.

“In the wake of an unprecedented variant of a traditional cybercrime attack, financial institutions of all sizes should take the opportunity to review, reexamine, improve and expand their incident response capabilities,” Peretti said.

VIEW: The Banking Law Journal article “Evolving DDOS Attacks Provide the Driver for Financial Institutions to Enhance Response Capabilities.”

Written by Kimberly Peretti, Partner, Security Incident Management & Response Team and Maki DePalo, Associate, Privacy & Data Security | Alston & Bird LLP

IP Commission Report Recommends U.S. Consider Limited “Hack-Back” Legislation

May 28, 2013 | Posted by Louis Dennig | Topic(s): Legislation, Cybercrime

On Wednesday, May 22, 2013 the Commission on the Theft of American Intellectual Property released a report making several policy, legislative and legal recommendations with the aim of reducing the “scale and scope of IP theft.” The Commission noted that to reduce such theft the United States must change the “incentive structure for IP thieves” by altering the “conditions that encourage foreign companies to steal American intellectual property.”

ABA’s Privacy and Information Security Committee Update – Led by Alston & Bird

May 14, 2013 | Posted by Privacy & Data Security Team | Topic(s): Health Privacy, Data Breach, Cybercrime

Alston & Bird's Privacy & Data Security Team led the May 14, 2013, monthly update conference call of the ABA Antitrust Section’s Privacy and Information Security Committee. Kim Peretti, Paul Martino, Bruce Sarkisian and David Keating were featured panelists during the call.

VIEW: ABA Privacy and Data Security Update presentation slides. (PDF)

Written by the Privacy & Data Security Team | Alston & Bird LLP

SEC Chair Asks Staff to Review Cybersecurity Disclosure Practices at Urging of Senator Rockefeller

May 13, 2013 | Posted by Bruce Sarkisian | Topic(s): Cybersecurity, Senate, Regulation

In a letter responding to a request by Senator Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee, Chairman Mary Jo White of the U.S. Securities and Exchange Commission (SEC) stated that she has asked her staff for a briefing on the efficacy of the SEC’s 2011 staff guidance on Cybersecurity disclosures, overall compliance with the guidance and any recommendations regarding further guidance in the area of cybersecurity. The 2011 staff guidance urges public companies to disclose in their SEC filings descriptions of specific cybersecurity threats faced by the companies and the steps they are taking to mitigate them.

Sen. Rockefeller had written to White on April 9 to ask the just-confirmed SEC Chair to “elevate” the 2011 guidance and issue it at the Commission level as well. In his letter, Rockefeller posited that the staff guidance had had a positive impact on information available to investors, but “the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices.”

Written by Bruce Sarkisian, Associate, Technology, Privacy & IP Transactions | Alston & Bird LLP

WATCH: Kim Peretti Interviewed by BankInfoSecurity.com on $45 Million Heist

May 10, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was interviewed by BankInfoSecurity.com, where she discussed the cyber heist scheme that involved $45 million withdrawn from ATMs worldwide.

Peretti offered insights, lessons learned from global cash-out schemes and security tips for targeted organizations.

Visit BankInfoSecurity.com to watch the video of Peretti’s interview.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti Quoted in The New York Times

May 9, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was quoted in The New York Times article, “In Hours, Thieves Took $45 Million in A.T.M. Scheme.”

Ms. Peretti said the significance in this data breach is that they are manipulating the financial system to be able to change these balance limits and withdrawal limits. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.” 

View the complete article: "In Hours, Thieves Took $45 Million in A.T.M. Scheme"

Written by Security Incident Management & Response Team | Alston & Bird LLP

ALI-CLE Program, “The Top Five Data Security Threats in 2013: Knowing and Understanding the Legal Risks”

April 30, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

On May 17, 2013, Kim Peretti will serve as planning chair and Todd McClelland will be a featured speaker in the program entitled “The Top Five Data Security Threats in 2013: Knowing and Understanding the Legal Risks,” by ALI-CLE. Data security remains the elephant in the room for many corporate legal departments, law firms and outside counsel. Everyone knows data security concern is warranted, but many still do not entirely comprehend the risks, what resources are needed to protect against them, or how to handle liabilities resulting from breaches. Moreover, even if you appreciate the legal aspects of your data security needs, you may struggle to keep your policies and procedures current because of rapid changes in technology.

The following topics will be discussed during the program.

  • National cyber security concerns
  • Evolving cyber threat landscape
  • Mobile devices in the workplace (BYOD)
  • Data security in the cloud
  • Employee training and awareness

To register, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP

FERC Seeks To Mandate Electric Utilities Implement Specific Cybersecurity Protections

In the newly proposed version of the Critical Infrastructure Protection (“CIP”) Reliability Standards, the Federal Energy Regulatory Commission (“FERC”) is seeking, for the first time, to create mandatory cybersecurity protections for the bulk electric system (“BES”), which includes electric utilities. The new standards would classify each BES Cyber System as Low, Medium or High Impact based on how severely a cyber attack on a given system would affect the national power grid. For each classification tier, the new CIP standards would require varying but specific levels of cybersecurity protection. It is important to note that any system considered a BES Cyber System will at a minimum be classified as Low Impact. BES Cyber Systems are defined as groupings of BES Cyber Assets, which in turn are defined as “Asset[s] that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which . . . would affect the reliable operation of the Bulk Electric System.” The new rule was proposed by the North American Electric Reliability Corporation (“NERC”) and would constitute CIP version 5 standards. CIP version 3 standards are currently in effect, and the proposed rule would essentially leapfrog the CIP version 4 standards that were set to become mandatory in April, 2014. CIP version 4 standards would not have reached those Cyber Systems that will be classified as Low Impact under the new CIP standards.

Eric Shimp Published in BEERG Global Labor Newsletter

April 23, 2013 | Posted by Liz Byrne | Topic(s): Data Security, Privacy

Eric Shimp, a Policy Advisor at Alston & Bird, recently published “Data Protection: Data privacy in the Transatlantic Trade agreement? US-EU ponder the way forward” in the most recent version of the BEERG Global Labor Newsletter.

As the US approaches the launch of negotiations toward a free trade agreement with the European Union, data privacy is emerging as a divisive issue. Disagreements over policy, between the US government and industry, and even among various EU member governments and Brussels, promise a rocky negotiation ahead. To view a full version of the article, please click here.

Written by Privacy & Data Security Team | Alston & Bird LLP

HIPAA, Mental Health, and the National Instant Criminal Background Check System

In the aftermath of such incidents as the shootings at Virginia Tech and Newtown, HHS published guidance to remind covered entities that health care providers may, consistent with the HIPAA Privacy Rule, disclose protected health information (PHI), including from mental health records, to warn that persons may be at risk of harm because of a patient, when the provider believes that such warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.

Today, HHS seeks information on whether the Privacy Rule inhibits State covered entities from reporting mental health bars to gun ownership/possession to the National Instant Criminal Background Check System (NICS), in its advance notice of proposed rulemaking, “HIPAA Privacy and the National Instant Criminal Background Check System.”

Cyber Alert: Breach Investigations, Part 2 – Understanding the Role of the PFI in Payment Card Breaches - Law360 Article by Kim Peretti

This article is the second in a four-part series describing some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In Part 1, entitled Right-Sizing the Data Breach Investigation and published with Law360 on March 26, 2013, we provided an overview of the evolving advanced cyber threat landscape and the three common breach response scenarios (internal investigations to fix technical problems, investigation to assess payment card exposure, and investigations to determine compliance with state data breach notification statutes). This Part II takes a closer look at responses involving payment card breaches—both because of their unique nature and their potentially grave implications.

Please click the following link for a full version of Understanding the Role of the PFI in Payment Card Breaches.

Written by Jim Harvey, Partner, Privacy & Data Security | Alston & Bird LLP

Alston & Bird’s Kim Peretti Quoted in Wall Street Journal Article

April 22, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s security-incident and management-response team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was quoted in the Wall Street Journal article, “U.S. Eyes Pushback On China.” U.S. officials view that strategy [indictment] as a way to establish a deterrent. China likely wouldn't turn over its citizens to the U.S. for prosecution, but U.S. authorities could ensure suspects would be unable to travel freely for fear of being turned over by a foreign government to U.S. law enforcement.

"It would be very significant, because it would be a first of its kind," said Kimberly Peretti, a former Justice Department prosecutor who handled cybercrime cases during eight years at the department until 2010. Indictments create leverage in diplomatic negotiations, because it is more difficult for the government to deny the problem when there is a specific legal action against an individual, she said.

Written by Security Incident Management & Response Team | Alston & Bird LLP

House Passes Updated CISPA Cybersecurity Legislation With Broader Bipartisan Support After Privacy Amendments Adopted

April 18, 2013 | Posted by Jeff Sural and Paul Martino | Topic(s): US Congress, Legislation, Marketing, Data Security, Cybersecurity, Privacy, House of Representatives

Today the House voted 288-127 to pass the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624. The bill passed by a wider margin than last Congress, with 92 Democrats voting in favor of H.R. 624. Several amendments regarding privacy concerns were adopted. Ranking Member Dutch Ruppersberger (D-MD) stated after the vote “CISPA recognizes that you can’t have true security without privacy, and you can’t have privacy without security. This bill effectively works to protect both.”

House Intelligence Committee Approves Bipartisan Cybersecurity Legislation with Privacy and Civil Liberties Amendments

Yesterday afternoon the House Permanent Select Committee on Intelligence marked up H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced in February. The bill passed the Committee by a vote of 18-2 after the approval of six amendments.

Ranking Member Dutch Ruppersberger (D-MD) praised the “collaborative effort” on improving privacy and civil liberties, while Chairman Mike Rogers (R-MI) noted the amended bill will help American businesses protect their networks from “cyber looters” while improving the cybersecurity marketplace, and without imposing unfunded mandates or additional federal regulation on the private sector.

Written by Jeff Sural, Counsel, Legislative & Public Policy, Privacy & Data Security | Alston & Bird LLP
