Category Archives: Federal Law

Federal legal issues

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002” or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years, with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorist attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple of very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security. In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)). Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm,” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10-page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of Safety Act, right?

Actually, according to the Approved Awards Search site, only around a dozen companies have earned awards for cybersecurity-related technologies. In a world where over 300 vendors exhibited at the most recent BlackHat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.


Website accessibility under Title III

When I was in law school, our assignment for mock trial in Legal Research and Writing was a debate regarding whether websites were “places of public accommodation” under Title III of the Americans with Disabilities Act.

This was a fairly novel idea at the time. Title III requires that places of public accommodation, like grocery stores, must make their premises accessible to disabled shoppers. As with any law school mock trial assignment, we had to argue both sides with equal fervor.

Over the last several years this debate has continued in real courtrooms across the country. This month another court stepped into the fray. In Juan Carlos Gil v. Winn-Dixie Stores, Inc., the judge ruled that the Winn-Dixie grocery store must make its website accessible to the disabled. Gil, the plaintiff, is legally blind, and the Winn-Dixie website was incompatible with the screen readers he used to browse the web.

The Judge in this case did not specifically address whether a website is a place of public accommodation, but stated:

The Court need not decide whether Winn-Dixie’s website is a public accommodation in and of itself, because the factual findings demonstrate that the website is heavily integrated with Winn-Dixie’s physical store locations and operates as a gateway to the physical store locations.

This integration with the physical Winn-Dixie stores is more than just an advertising platform:

The services offered on Winn-Dixie’s website, such as the online pharmacy management system, the ability to access digital coupons that link automatically to a customer’s rewards card, and the ability to find store locations, are undoubtedly services, privileges, advantages, and accommodations offered by Winn-Dixie’s physical store locations.

Thus, the judge found that Winn-Dixie had violated ADA Title III and issued an injunction which requires, among other provisions, that Winn-Dixie’s

“website must be accessible by individuals with disabilities who use computers, laptops, tablets, and smart phones”

If you would like to test how your webpage renders in a screen reader, there is a Chrome extension called ChromeVox that will let you browse the web using a screen reader. Anyone who doesn’t understand why this is important should install this extension and browse the web for half an hour with their eyes closed. The experience should be quite enlightening.

Attorney – Client in the cloud

Over the past few months I’ve been asked several times about the status of attorney-client privilege when attorneys use cloud technology. It is an interesting question, and there are a couple of concepts that need to be explained about A-C. So buckle up, this is a long one.

First (and very broadly speaking), A-C is lost when the communication is disclosed to a third party, intentionally or inadvertently. So an attorney and client discussing a case in a busy coffee shop could potentially lose A-C, since a third party could overhear the communications. I know the attorneys reading this post will likely come out of their chairs with exceptions, but I’m trying to paint a high-level picture.

This loss of A-C does not mean that attorneys have to hide everything in locked safes buried in concrete. The comments on the Model Rules of Professional Conduct state:

“…unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.” (emphasis added)

So, this brings us to Harleysville Insurance Company v. Holding Funeral Home, No. 1:15cv00057, memorandum op. (W.D. Va. Feb. 9, 2017). In Harleysville, an investigator for the parent company of Harleysville uploaded surveillance video of the underlying event to a file sharing site. He then emailed a link to the video to another party. The same investigator later placed the case file in the same share.

The share was not password protected or otherwise protected. In fact, anyone with the link, or anyone who found the share, could see the information. Remember the language of the model rule above? The Virginia court echoed this language in its opinion, stating that inadvertent disclosure can be caused “by failing to implement sufficient precautions to maintain its confidentiality.” (emphasis added) The court continued: “With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure.” (emphasis added)

The court concluded that A-C had been waived by posting the information to a publicly available website.

As I’ve counseled clients in the past, whether A-C will survive in the world of cloud usage depends on the steps taken to prevent disclosure. Encryption, access control, and logging are your friends.

Breach notification laws: Better privacy or the 10th circle?

Today (April 19th) New Mexico became the 48th state to enact a data breach notification law. Only Alabama and South Dakota do not have a notification law on the books.

On the one hand, this is good news for the privacy of New Mexicans. They are now ensured notice of a breach of their personally identifying information, and they will have the opportunity to mitigate the damage resulting from such a personal exposure.

For security and privacy folks, though, there is a different perspective. We now have 48 distinct regulations to track. If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations. As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • Texas and Oklahoma consider a driver’s license an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRA) if more than 1,000 records are breached. CRA reporting is required in Texas if more than 10,000 records are breached. Oklahoma does not require CRA reporting at all.
  • Oklahoma allows for electronic communications if the cost of written communication exceeds $50,000; in Texas and Colorado it is only allowable if the cost exceeds $250,000.

Add the other 45 states to the mix and the mapping becomes complex. I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes it more difficult for everyone. This is the type of conflict that is ripe for a federal rule to unify requirements. Unfortunately, the attempts to do so over the past few years have failed to garner much attention.

BTW: For the curious, there are at least 89 different countries with breach or privacy laws. A breach at a multi-national corporation can be very complex.