Privacy & Cybersecurity Update - November 2017

by Skadden, Arps, Slate, Meagher & Flom LLP

In this month's edition of our Privacy & Cybersecurity Update, we discuss a Washington state court decision allowing a data breach lawsuit to move forward on a negligence claim, a Ninth Circuit ruling regarding releasing information about anonymous Glassdoor posters and the U.K. National Audit Office's report on the WannaCry attack. We also examine the White House's cost-benefit analysis for releasing zero-day vulnerabilities, as well as a working paper released by the SWIFT Institute discussing the cyber threat landscape for financial institutions.

Credit Union’s Data Breach Suit Against Eddie Bauer Moves Forward

Ruling in US v. Glassdoor Distinguishes Ninth Circuit Precedent for Online Privacy Protection

United Kingdom’s National Audit Office Releases Report on Effects of WannaCry Cyberattack

White House Details US Government’s Cost-Benefit Analysis for Releasing Zero-Day Vulnerabilities

Surveillance Court Rules ACLU and Yale Clinic Have Standing to Pursue Release of Section 215 Rulings

District Court Holds That Insurer’s Written Privacy Pledge to Insured is Unenforceable in Data Breach Row

SWIFT Report Highlights Changing Cyber Threat Landscape for Financial Institutions

Credit Union’s Data Breach Suit Against Eddie Bauer Moves Forward

A federal court in Washington state allowed a data breach lawsuit against clothing company Eddie Bauer to proceed, finding that, under Washington law, Eddie Bauer owed a duty to Veridian, a credit union, and, as a result, the company’s failure to implement adequate measures to protect payment card information could constitute negligence.

Background

In August 2016, Eddie Bauer LLC (Eddie Bauer) announced that it had detected malware on cash registers at approximately 350 stores throughout the U.S. and Canada, compromising customer data from January 2, 2016, to July 17, 2016. In a complaint filed in March 2017, Veridian argued that Eddie Bauer’s failure to implement appropriate security controls constituted negligence, and, as a result of such negligence, Veridian and other financial institutions incurred significant costs associated with notifying customers of the breach, reissuing customers’ credit and debit cards, and refunding customers for fraudulent charges. Veridian alleged that if Eddie Bauer had followed sufficient security protocols, the data breach and subsequent costs to financial institutions like Veridian would not have occurred. Eddie Bauer moved to dismiss the lawsuit on the grounds that Veridian failed to allege sufficient facts to support its claims. On November 9, 2017, a federal judge in Washington state allowed the credit union’s class action lawsuit against Eddie Bauer to proceed.1

Recent Ruling

Negligence

The U.S. District Court for the Western District of Washington found that Veridian’s negligence claim against Eddie Bauer could move forward because Eddie Bauer owed Veridian a duty to safeguard its cardholders’ data under Washington state law RCW 19.255.020. Under that law, if a business engaged in payment processing “fails to take reasonable care to guard against unauthorized access to account information … and the failure is found to be the proximate cause of a breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington.”2 The court found that the harm specified in RCW 19.255.020 matches that alleged by Veridian in its negligence claim and, accordingly, that Eddie Bauer owed a duty to Veridian.

Washington Consumer Protection Act

The court also allowed Veridian to proceed with its claim under Washington’s Consumer Protection Act (CPA). Veridian alleged that Eddie Bauer’s failure to adopt reasonable security measures resulted in harm to thousands of customers and payment card issuers. Eddie Bauer argued that Veridian failed to allege unfair or deceptive practices because consumers could have avoided the risk of data theft by paying for items at the affected stores with cash. The court rejected this argument, calling it “disingenuous” given the prevalence of credit and debit card use in commerce. The court agreed with Veridian that customers could not possibly have known that Eddie Bauer’s security measures were allegedly inadequate. Without this knowledge, consumers had little ability to avoid the harms brought about by Eddie Bauer’s allegedly deficient security measures.

Eddie Bauer also unsuccessfully argued that a failure to enact stronger cybersecurity measures could not by itself cause harm to shoppers, but rather could only cause harm when a third party steals customer information. The court stated that Eddie Bauer’s assertion distorts causation under the CPA — an “unfair act” does not need to be the most proximate cause of the alleged injury in order to give rise to liability. In this case, Eddie Bauer’s alleged failure to adopt reasonable security protocols could constitute an “unfair act” within the meaning of the CPA because it knowingly and foreseeably put customers and payment card financial institutions at risk of harm from data theft and fraudulent payment card activity.

Key Takeaways

While the final outcome of the case remains to be seen, this recent ruling is interesting because of its reliance on negligence as a theory of liability between two sophisticated parties. Financial institutions and retailers alike should be aware that statutes like Washington state’s may be leveraged to support negligence claims in the event of a data breach affecting payment card information.

Ruling in US v. Glassdoor Distinguishes Ninth Circuit Precedent for Online Privacy Protection

The U.S. Court of Appeals for the Ninth Circuit rejected Glassdoor’s attempt to quash a subpoena seeking the identity of users of the site who had posted anonymous reviews of their employer.

Background

In connection with an ongoing federal grand jury investigation of a government contractor that administered VA health care programs, an Arizona federal grand jury had served Glassdoor — an online platform that allows employees to post anonymous reviews about their employers, including information relating to salaries, workplace environment and interview practices — with a subpoena for its users’ information related to reviews of the contractor they had posted to the site. Although Glassdoor reviews are anonymous, users must provide their email address to register on glassdoor.com. In addition, Glassdoor’s privacy policy warns users that, if required by law, the company will “disclose data if [they] believe in good faith that such disclosure is necessary … to comply with relevant laws or to respond to subpoenas or warrants or legal process served on [them].”

The subpoena initially required Glassdoor to produce every review for the contractor, along with identifying information about the reviews’ authors, such as email addresses, billing information, credit card information and other information stored on Glassdoor’s platform. The company objected, citing First Amendment concerns.

When Glassdoor refused to supply the requested user-identifying information, the government limited the scope of its request, proposing instead that Glassdoor provide the user information for only eight reviews, based on the government’s belief that such users were witnesses to their employer’s unlawful conduct. Glassdoor again refused and filed a motion to quash the subpoena. The district court, after applying the good-faith test established by the U.S. Supreme Court in Branzburg v. Hayes, 408 U.S. 665 (1972), denied Glassdoor’s motion and ordered the company to respond to the subpoena.

Ninth Circuit Ruling Upholds District Court Judgment

On appeal to the Ninth Circuit, Glassdoor argued that the subpoena violated its users’ First Amendment rights, specifically their right to associational privacy and anonymous speech. The Ninth Circuit rejected these arguments, finding that because Glassdoor users are strangers to each other and are not joined in a common endeavor, they do not have a right to associational privacy. The Ninth Circuit further noted that the right to anonymous speech is limited and that the government’s interest in investigating fraudulent activity outweighed the right to anonymous speech under these circumstances.

Although Glassdoor argued that the Ninth Circuit should apply the compelling-interest test established by the Ninth Circuit’s ruling in Bursey v. United States, 466 F.2d 1059 (9th Cir. 1972), the court instead relied on Branzburg, thereby upholding the district court’s ruling. Applying the Branzburg good-faith test, the court held that “absent a colorable allegation of bad faith on the part of the government, and without a credible argument that there is a tenuous relationship between the information Glassdoor holds and the focus of the investigation … Glassdoor’s motion to quash is unavailing.”3

Key Takeaways

The Glassdoor decision has significant implications for online, user-based platforms that provide their users with a veil of anonymity. Some fear that the decision may have a chilling effect on online speech, given that many users of online platforms are strangers to each other and, under this Ninth Circuit ruling, not entitled to the protections of associational privacy under the First Amendment.

United Kingdom’s National Audit Office Releases Report on Effects of WannaCry Cyberattack

Five months after the broad-based WannaCry ransomware attack, the U.K.’s National Audit Office released a postmortem report on the effects of WannaCry on England’s National Health Service. The October 2017 report revealed that the debilitating effects of the attack could have been mitigated through the adoption of basic cybersecurity measures.

On May 12, 2017, a global ransomware attack known as WannaCry simultaneously paralyzed more than 200,000 computers in more than 150 countries. Once a computer was infected, the attack’s malware encrypted the data on the computer and demanded that users pay $300 in order to regain access. The affected systems included those operated by more than a third of the United Kingdom’s National Health Service (NHS) trusts, the regional bodies that run the NHS. As a result of the attack, more than 6,900 NHS appointments were cancelled, though NHS has stated that it believes no patient data was compromised or stolen.

A U.K. National Audit Office (NAO) report was commissioned to investigate the effects of the attack, with the final report being released on October 27, 2017. NAO’s key findings included:

  • NHS had been warned about cyber risks but had not taken action. NHS trusts did not heed warnings from the U.K. Department of Health to update software and patch their systems. The trusts relied on outdated and sometimes unsupported software and failed to properly manage computer firewalls.
  • Department of Health leadership did not sufficiently emphasize cybersecurity management or allocate sufficient resources. The Department of Health lacked both the ability to assess and the enforcement capacity to ensure compliance with its cybersecurity guidance. Moreover, responsibility for cybersecurity preparedness was deeply devolved throughout the organization. The NAO report also found evidence of insufficient funding for cybersecurity measures.
  • The Department of Health’s critical incident response plan was not properly implemented. Although the Department of Health had developed a cybersecurity incident response plan that included the roles and responsibilities of national and local organizations in responding to an attack, this plan had never been tested at a local level. As a result, there were no clear guidelines on who should lead the response and who should be contacted to report the cybersecurity incident. This, coupled with the shutdown of NHS computer systems, led to a breakdown in communications during the WannaCry attack.
  • NHS had a lack of understanding of the nature of cybersecurity risks. In general, NHS trusts did not identify cybersecurity as a risk to patient outcomes and tended to overestimate their preparedness in the event of a cybersecurity event.

NAO concluded that the effects of the WannaCry ransomware attack on NHS were indicative of cybersecurity-related failures throughout the system. At a local level, trusts did not implement basic security measures that could have protected their computer systems from the attack. Additionally, at the management level, there was insufficient oversight and ability to monitor and enforce compliance.

NHS is now working on improving its cybersecurity protective measures through a series of steps:

  • developing a more complete response plan;
  • implementing a more robust system for reviewing and applying patches and antivirus updates;
  • establishing a path for essential communications in emergency situations; and
  • ensuring that all levels of the organization appreciate the scope of potential cybersecurity risks.

Key Takeaways

For all organizations, the WannaCry ransomware attack should serve as a reminder of the need to develop, monitor and enforce compliance with cybersecurity policies; ensure accountability for cybersecurity matters across all organizational levels, including management; and develop and test a critical incident response system — to include situations in which the attack itself makes normal means of communication and coordination difficult. These foundational steps are critical to ensure that an organization establishes basic cybersecurity best practices such as regularly installing software updates and properly maintaining system firewalls. These best practices may seem routine, but as the NAO report reminds readers, no organization should assume such steps are being taken, and they may prove vital to reducing an organization's cyber vulnerabilities.

White House Details US Government’s Cost-Benefit Analysis for Releasing Zero-Day Vulnerabilities

The White House released a description of the process by which the U.S. government conducts a cost-benefit analysis in determining whether to release descriptions of previously unknown vulnerabilities in information systems and technologies used by commercial entities so that they may be patched, or withhold the information for use by law enforcement for national security purposes.

On November 15, 2017, the White House released the Vulnerabilities Equities Process (VEP) Charter, which describes the U.S. government’s process for determining whether and how to release newly discovered vulnerabilities that are not publicly known in information systems and technologies (i.e., zero-day vulnerabilities).4 The newly released document provides much greater transparency into a previously opaque process, lists the participating government agencies and describes the equities considered by the agencies. The release comes after the reported leak earlier this year of National Security Agency hacking tools that used these types of vulnerabilities, which resulted in the WannaCry ransomware attack.5

The VEP’s stated focus is to prioritize the disclosure of zero-day vulnerabilities in order to protect critical infrastructure, information systems and the U.S. economy unless there is a “demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.” The VEP accomplishes this cost-benefit analysis through consideration of four equities, as they apply to the present and near-term future:

  • defensive equities: the scope of the threat of exploitation, the potential impact of the vulnerability if exploited, and the availability and effectiveness of means of mitigating the vulnerability;
  • intelligence, law enforcement and operational equities: the operational impact, value and effectiveness of the exploitation of the vulnerability as applied in intelligence activities, evidence collection and cyber operations;
  • commercial equities: the risks posed to government relationships with industry if pre-existing government knowledge of the vulnerability is later revealed; and
  • international partnership equities: the risks posed to U.S.-international relations if pre-existing government knowledge of the vulnerability is later revealed.

In balancing the above equities, the result of a VEP review is not limited to complete disclosure or retention. The process allows the government to take a range of options in tailoring the response to the identified equities, such as disseminating mitigation information without disclosing the vulnerability, limiting U.S. government use of the vulnerability, informing U.S. and allied government entities of the vulnerability at a classified level and/or indirectly informing an affected vendor of the vulnerability.

The National Security Council staff coordinates the VEP, but the Equities Review Board (ERB), which is responsible for deliberating on the above equities, includes a wide range of member agencies — from law enforcement, military and intelligence agencies to agencies with broad equities like the Departments of State and Commerce. Disputes between agencies over the preferred use of a vulnerability are resolved through the National Security Council and Homeland Security Council processes.

In keeping with its stated focus on disclosure, the VEP requires that any vulnerability the ERB decides not to disclose be reassessed annually until it is either disseminated, publicly known or otherwise mitigated. While the VEP improves the transparency of the vulnerability review process and encourages disclosure, it still allows the government to exclude from review vulnerabilities that fall within certain specified categories, such as those used in sensitive operations. The details of these categories, including the number of categories and their breadth, are classified and have not been included in the release of the VEP.

Key Takeaways

The increased transparency and focus on disclosure of zero-day vulnerabilities should be considered a welcome development for information technology vendors and service providers. The updated process and focus on disclosure provide an opportunity for those vendors and service providers to engage with selected government partners to discuss potential vulnerabilities in their products and services, and develop relationships that may help them avoid the risk of future exploitation. Given the increased pressure on the government to maintain its leadership in cyber exploitation, establishing relationships with key participants in the VEP process may become a necessity for vendors and service providers hoping to ensure that the U.S. government recognizes the scope of potential defensive and commercial equities associated with a given set of products or services.

As with the previously mentioned NAO report, the VEP Charter also should serve as an important reminder to all organizations that routine and consistent patching of systems is a vital aspect of cybersecurity. The disclosure of security vulnerabilities through the VEP process or otherwise is only the first step to improved cybersecurity. As noted above, many organizations suffered far greater effects from the WannaCry malware because they had not fully adopted available security patches.

Surveillance Court Rules ACLU and Yale Clinic Have Standing to Pursue Release of Section 215 Rulings

In its first public en banc ruling, a United States surveillance court ruled that parties could have access to surveillance court judicial opinions related to programs permitting the bulk collection of communications information.

On November 9, 2017, the Foreign Intelligence Surveillance Court (FISC) ruled the American Civil Liberties Union (ACLU) and Yale Law School’s Media Freedom and Information Access Clinic (MFIA Clinic) have standing to proceed with their suit to compel the release of FISC opinions evaluating the meaning, scope and constitutionality of Section 215 of the USA Patriot Act, 50 U.S.C. § 1861. FISC’s prior approval of the surveillance requests under Section 215 led to the bulk collection of American citizens’ telephonic metadata from telecommunications companies for use in counterterrorism efforts.

The ACLU and MFIA Clinic filed a motion to release the legal reasoning for the approval of the Section 215 requests in 2013 shortly after two newspapers published classified information about U.S. government surveillance programs. Within a day of publication, the director of national intelligence declassified other details of the bulk data collection program and acknowledged the FISC had authorized the actions under Section 215. After the declassification reviews, the parties sought access to the redacted material. U.S. District Judge Rosemary M. Collyer ruled in January that citizens do not have a First Amendment right to read the FISC’s full court decisions pertaining to the National Security Agency’s bulk data collection program.

In vacating Judge Collyer’s decision and remanding the case to her chambers to rule on the merits, the majority found the four judicial opinions sought by the parties should be considered “legal proceedings” to which the parties could claim access under the First Amendment. With a 6-5 majority, this case marked the first en banc ruling where all 11 FISC member judges participated in the decision. The majority opinion, written by U.S. District Judge James E. Boasberg, cited Richmond Newspapers, Inc. v. Virginia, 448 U.S. 555 (1980), which recognizes the right of access to court proceedings and documents. Judge Boasberg noted the parties’ claim here “survives because the injury is a lack of access to the proceedings of a court” rather than an executive branch function in foreign affairs. Writing for the dissent, Judge Collyer defined the parties’ request not as “access to judicial proceedings” but rather a “‘right’ of access to the information classified by the Executive Branch,” upsetting the separation of power between the judiciary and executive branches.

Key Takeaways

Private entities regularly receive requests from federal agencies for access to stored information or other tangible items under Section 215, but in most cases they receive only very limited guidance regarding the scope of their required disclosures. By establishing the potential viability of a claim to access FISC proceedings, this case eventually could lead to the release of additional judicial guidance on the scope of Section 215 and accordingly provide additional counsel to companies with related compliance concerns. Although this decision does not provide for the public release of FISC opinions — rather, it merely provides that parties have standing to pursue such a claim — it at least offers a potential judicial path given that the court allowed the claim to go forward.

District Court Holds That Insurer’s Written Privacy Pledge to Insured is Unenforceable in Data Breach Row

In a victory for insurers, a federal court recently determined that a privacy pledge included with an insurance policy is not considered part of the policy and therefore was not enforceable against the insurer in a data breach dispute with its insured stemming from the insurer’s alleged failure to adequately safeguard the insured’s personal information.

On November 8, 2017, the U.S. District Court for the Northern District of Illinois granted summary judgment in favor of Combined Insurance Company of America (Combined), the health insurer of department store chain Dillard’s, in a data breach dispute with a Dillard’s employee. The court concluded that a privacy pledge included with the employee’s insurance policy did not form part of the contract and therefore was not enforceable against Combined.6

The Data Breach Lawsuit

In May 2014, plaintiff Ann Dolmage commenced a putative class action against Combined on behalf of herself and similarly situated individuals in the Northern District of Illinois after it was discovered that Enrolltek, a third-party vendor hired by Combined, failed to adequately secure its website and, as a result, the personally identifiable information (PII) of Dolmage and thousands of other insured Dillard’s employees was publicly accessible on the internet for over a year. The lawsuit alleged that Combined breached the privacy pledge included with Dolmage’s policy by failing to ensure that Enrolltek securely maintained her PII. The privacy pledge, which was included in all Dillard’s employee enrollment packages, stated that Combined would protect her PII, including to the extent it is shared with third parties.

In August 2017, Combined moved for summary judgment on Dolmage’s breach of contract claim on the basis that, in Combined’s view, the privacy pledge was not part of Dolmage’s policy. Dolmage opposed the motion, arguing — in reliance on a definitional provision in the policy stating that “policy means this policy with any attached application(s), and any riders and endorsements” — that the Privacy Pledge is part of her policy because it is a rider or endorsement that was incorporated by reference into the policy.

The Court’s Ruling on the Enforceability of the Privacy Pledge

The court sided with Combined, holding that “the Privacy Pledge is not a rider or endorsement that was incorporated by reference into the policy, and thus the Privacy Pledge did not create a legally enforceable promise.” The court relied on an expert opinion proffered by Combined, which identified various “hallmarks” of an insurance policy rider or endorsement: being clearly marked as a rider or endorsement, being signed by an official of the insurance company and expressly referencing the policy in question. “The Privacy Pledge does not bear any of these hallmarks,” the court observed. The court also pointed to the fact that the enrollment materials included an “accelerated payment rider” to the policy, which, in sharp contrast to the privacy pledge, was clearly labeled as a policy rider, signed by Combined executives and expressly stated that the rider was part of the policy.

The court rejected Dolmage’s argument that the privacy pledge formed part of the policy simply because it was included in the same package as the policy. Accepting Dolmage’s position, the court reasoned, would mean that all enrollment documents (including blank forms and informational brochures) provided with the policy — documents that do not bear any indicia of true riders or endorsements — would automatically form part of the policy, which clearly was not intended. Accordingly, the court granted summary judgment in favor of Combined.

Key Takeaways

It is unclear whether other courts, if and when they are faced with privacy pledges included in or with insurance policies, will reach conclusions similar to those reached in Dolmage v. Combined Insurance. As the court’s decision illustrates, the issue likely will turn on the language of the policy and the privacy pledge at issue, as well as the manner in which the pledge is presented to the insured. A finding of enforceability by other courts could have meaningful implications for future data breach disputes, as privacy pledges are becoming more common in enrollment packages in which PII is collected.

SWIFT Report Highlights Changing Cyber Threat Landscape for Financial Institutions

In October 2017, the SWIFT Institute published a working paper, “Forces Shaping the Cyber Threat Landscape for Financial Institutions”7 (the paper), that examines the evolving tactics and tools used in cybercrime against financial institutions and outlines several recommendations for financial institutions to combat cyber threats more effectively.

New Tools and Tactics for Cybercrime

The paper notes that advances in technology, new developments in fraud detection and prevention, and changing incentives for attackers have resulted in attackers using new tools and tactics in cybercrimes against financial institutions.

With respect to consumer fraud, the paper explains that the advent of multi-factor authentication and chip cards has forced fraudsters to seek different approaches, including, for example, large-scale attacks on point-of-sale systems. Business email compromise tactics (e.g., where fraudsters send fake emails to employees pretending to be their manager and directing them to make cash transfers from the companies’ accounts) also have increased dramatically. The increase in mobile banking has provided another avenue for cybercrime attacks, and studies have shown that mobile malware attacks and mobile banking Trojans have increased exponentially over the last few years. Furthermore, as internet and mobile banking expand to emerging markets, one byproduct is that the geography of cybercrime also is expanding, as billions of new internet users (often with little cybersecurity awareness or access to security products) have become easy targets for cyberattacks.

In addition to consumer fraud, cybercriminals are also increasing efforts to carry out targeted attacks against bank networks. The paper explains that these attackers have become much more sophisticated in recent years, with nation-state hacking groups increasingly becoming involved in cybercrimes against financial institutions. Furthermore, capabilities that once were available only to nation-states have become increasingly available to criminal organizations, with hacking tools stolen from intelligence agencies and other sources becoming widely available via open-source malware libraries. As fraudsters have become more sophisticated, law enforcement is struggling to keep up with changes in technology and the broad adoption of encryption.

With respect to the specific tools and tactics used to target bank networks, the paper notes that manipulating insiders remains the most common way that banks become compromised, explaining that as phishing attacks become less effective due to successful “don't click the link” campaigns, attackers have turned to social engineering to convince unwitting victims, such as bank employees, to provide hackers with access to their computers. Watering hole attacks (i.e., attacks where the attacker compromises a website that the attacker knows their target will visit and then uses that site to infect the target’s system with malware) also have increased in frequency and sophistication, as have distributed denial-of-service attacks from internet-of-things botnets and ransomware activity. Additionally, the paper explains that the same machine learning approach used to detect patterns for cybersecurity defense can be used by attackers to select targets, and it is only a matter of time before machine learning is incorporated into the cyberattacks themselves. Another trend that the paper highlights is the selective targeting of less sophisticated financial institutions by criminals to gain access to more well-defended networks, noting that financial institutions in Asia are particularly vulnerable to attack and are less likely to have invested significantly in cyber defenses.

Key Takeaways

The paper makes the important point that each financial institution must consider cybersecurity within the larger context of the global network of financial institutions and makes the following suggestions for financial institutions to combat the cybercrime tactics summarized above:

  • strengthen global financial institution networks by ensuring that small and medium financial institutions in emerging markets build cyber awareness and security capacities to prevent exploitation of these banks by cyber attackers; and
  • support efforts to secure the broader ecosystem. In order to defend against internet and mobile banking threats, banks should strengthen authentication and monitoring for devices that connect to their systems, help build law enforcement capacity to combat cybercrime and improve education efforts regarding cybercrime.

______________________

1 For the full order on Eddie Bauer’s motion to dismiss, see here.

2 For the full text of RCW, see here.

3 In Re Grand Jury Subpoena, No. 17-16221 (9th Cir. filed Nov. 8, 2017). A copy of the decision may be found here.

4 The VEP Charter is available here.

5 Skadden’s update on the SEC’s cybersecurity risk alert on WannaCry is available here.

6 Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2017 WL 5178792 (N.D. Ill. Nov. 8, 2017). A copy of the decision can be found here.

7 A copy of the paper can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising
