Ickes Holt Represents Local Business in Suit Against Amazon


On July 21, 2017, Ickes Holt filed a federal lawsuit in the Northern District of Ohio against Amazon on behalf of a local mobile electronics manufacturer.  The suit alleges that Amazon, in conjunction with third party manufacturers and retailers, fulfilled customer orders with counterfeit and knock-off merchandise.

The lawsuit alleges a pattern of conduct by Amazon minimizing the value of the plaintiff’s intellectual property and a failure to effectively respond to plaintiff’s complaints.  The lawsuit points out flaws in Amazon’s distribution and retailer structure which allow counterfeiters to easily sell products to customers seeking genuine products.

A summary of the complaint, posted today on Courthouse News Service, can be found here.

While Courthouse News Service sought comment from Amazon, they did not contact Ickes\Holt for comment prior to posting the article.

Keep it Like a Secret

TRADE SECRET

With the passage of the Defend Trade Secrets Act (DTSA), the federal government handed businesses a lethal new weapon to protect trade secrets in federal court. There should be champagne popping in boardrooms everywhere. Why, you ask?

Access to federal courts in and of itself is a major boon for businesses. Any seasoned litigator knows that in federal court, deadlines and dates are set quickly and are firm. Further, federal courts have more judges, more resources, and less cluttered dockets. Accordingly, federal litigation customarily moves at lightning speed compared to state court. Also, anecdotally speaking, the federal judiciary and its staff are the cream of the legal crop. Federal judges aren’t encumbered with running for re-election (as in Ohio); they take the time to understand complex legal issues and have the wherewithal to deal with those issues. Their staff attorneys usually enjoy digging into the meat of legal issues and complex fact patterns. This isn’t to say that state court judges and staffs are substandard. More so, state courts generally lack the resources and time to put together a stellar legal team to review your case. Thus, when dealing with a complicated trade secret case, federal courts will be a welcome arbiter for practitioners and clients alike.

But … there is always a but … if one seeks to enforce trade secret rights in federal court, one must bring her or his “A” game. A federal court will expect a party to be able to prove their case and motion practice is more effective. To provide an example, the “trade secret” had better be a trade secret. At first blush, that seems an obvious statement. However, beneath the obvious is the point I am driving at: if you have a trade secret you better keep it like a secret. Let me explain.

The DTSA adopts the Economic Espionage Act’s (EEA) definition of a trade secret. According to the EEA, a trade secret is defined as follows:

“[A]ll forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.”

But that’s not all. To qualify as a trade secret, the owner must: (1) have “taken reasonable measures” to keep the information secret; and (2) “derive independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.” See 18 U.S.C. § 1839(3).

Reasonable measures? Sounds like another way of saying “gray area.” What are the federal courts likely to do with such gray area? I predict the federal courts will paint it with the many splendored colors of information security. Simply put, federal courts will look to set quantifiable standards for the reasonability of measures to protect trade secrets. I believe the easiest method to judge the reasonability of a plaintiff’s security measures is to view them through the lens of information security. Because many organizations still lack adequate information security, proving the existence of a trade secret in federal court will become increasingly problematic. Although scant at this juncture, federal case law seemingly bears this theory out.

In US v. Shiah, No. SA CR 06-92 DOC (C.D. Cal. Feb. 19, 2008), a case addressing trade secrets under the EEA, the defendant copied 4,700 computer files belonging to his employer, Broadcom, to an external hard drive shortly before leaving to start a new job with a competitor. In Shiah, the district court engaged in a lengthy discussion of the “reasonable measures” requirement. The measures taken by Broadcom to maintain the confidentiality of its secrets included confidentiality agreements signed by its employees that explained the value placed on confidentiality and attempted to indicate which documents were considered confidential. The confidentiality agreement also prohibited employees from taking confidential information with them upon their departure. The court noted Broadcom’s use of IT-managed firewalls, file transfer protocols, intrusion detection software, passwords to access the company’s intranet, a layer of protection between its intranet and the Internet, and selective storage of files. Broadcom further required non-disclosure agreements, tracked sharing through a program called DocSafe, and marked documents as confidential. Finally, Broadcom maintained a high security physical facility. Seems pretty good, huh?

Despite Broadcom’s security measures, the court found them “barely sufficient” to qualify as reasonable under the EEA. The court opined that Broadcom should have provided education, training or guidance to employees regarding the information it considered confidential. The court stated that the training should have been “regular” and included methods for ensuring information remained protected. The court also noted that if Broadcom had a “comprehensive system in place designating which documents were and were not confidential”, it would have been easier for employees to identify confidential information. Regarding the confidentiality agreement signed by Shiah, the court stated that it was overly broad in designating nearly all information as confidential, making it difficult for employees to understand what information was actually confidential.

The court also criticized Broadcom’s off-boarding process with Shiah. The court indicated that Broadcom was overly concerned about “sending a message” as opposed to actually protecting its information. The court indicated that Broadcom should have had Shiah’s supervisor present to thoroughly explain the terms of the confidentiality agreement, identify the information the company determined to be particularly sensitive, and inquire as to what information he was taking with him. The court also stated that Broadcom should have taken steps to inspect Shiah’s computer to determine what information Shiah had accessed and when. The court indicated that had Broadcom simply inspected Shiah’s computer, it would have learned that Shiah copied thousands of files and would have been able to investigate immediately.

Lastly, what I find most interesting about the Shiah case is the court’s dicta regarding “reasonable measures”. The court presciently stated:

“The Court is also basing its determination on what would have been considered reasonable at the time, in 2003; the Court notes that the reasonableness standard will become more and more stringent as time passes. Over time, there will and have been improvements in technology, information, and knowledge pertaining to data secrecy[.]”

The controversy in Shiah happened 13 years ago. In terms of information technology, 13 years is an eternity. The threats to information are more formidable and pervasive than ever. Furthermore, with the development of various forums on the “Deep Web” and the rise of cryptocurrency, it has never been easier to sell information such as trade secrets to willing buyers and to do so anonymously. A comprehensive information security regime that emphasizes trade secret management will be the best prescription for protection in this new age of federal trade secret litigation.

Read Menzies Aviation v. Wilcox, 978 F.Supp.2d 983 (D.Minn. 2013) for a more recent take on federal trade secret litigation as it relates to the consideration of “reasonable measures”. In Wilcox, the U.S. District Court of Minnesota held that the trade secret owner failed to employ reasonable measures when the employer was aware that the subject employee used personal email and a personal computer for work matters, and that much of the confidential information was shared with another third-party vendor.

Does the employer in Wilcox sound like your organization? Do you allow employees to access their personal email or use a work computer for personal matters? Conversely, do you allow employees to use personal computers or devices (phones or tablets) for work matters? Does your organization even meet the security standard set by Broadcom, which was ultimately determined to be insufficient? If your answers are yes, it seems that you may be unwittingly undermining your own ability to enforce your trade secrets rights in federal court.

ICKES \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.

Clapper Claptrap…Data Breach Class Actions are Alive and Kicking


While attending the recent ABA Internet of Things Institute, I heard something troubling from a particular panelist, a data breach class action defense attorney. This attorney, from a monolithic law firm, proclaimed that data breach class-actions were, essentially, on life support as a result of the U.S. Supreme Court’s (“SCOTUS”) decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). I was a bit astonished by the certainty of the panelist’s position. I would respectfully, and vigorously, disagree. Data breach class-actions are alive and well. Moreover, based on the latest case law and the uptick in security incidents every year, I posit that data breach class-actions are coming to a courthouse near you.

Clapper involved a lawsuit in which a group of attorneys and human rights, labor, legal, and media organizations alleged that the Federal Government had intercepted their private communications in conjunction with counterterrorism surveillance. SCOTUS correctly held that the alleged injury was too speculative to support legal standing to challenge the Foreign Intelligence Surveillance Act (“FISA”), because the plaintiffs possessed no actual evidence that their private communications were actually intercepted.

A handful of federal district courts around the country have applied Clapper to data breach class actions. These courts dismissed several of the cases, holding that in the absence of identity theft or other manifestation of damage, the plaintiff did not have standing. These cases have created a false sense of “security” amongst security front-liners, including, apparently, some defense attorneys.

Not. So. Fast. In back-to-back decisions, the Seventh Circuit turned the tables on SCOTUS and changed the fortunes of data breach litigants. First, in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), the high-end department store Neiman Marcus experienced a data breach that potentially exposed payment-card data of all customers who paid with cards during the previous year. The plaintiff class consisted of customers who had shopped at Neiman Marcus during the time the information was exposed to the invader.

In Remijas, the court stated “there is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken.’” The court concluded that the plaintiffs’ injuries were concrete and particularized enough to support Article III standing. The court identified two future injuries that were sufficiently imminent: (1) the increased risk of fraudulent credit or debit card charges; and (2) the increased risk of identity theft. The court further opined that such risks were not mere “allegations of possible future injury,” but instead were the type of “certainly impending” future harm that SCOTUS requires to establish standing.

Two weeks ago, the Seventh Circuit doubled down on its Remijas holding in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. 2016), a case involving data breaches at 33 P.F. Chang’s restaurant locations. In Lewert, the Seventh Circuit impliedly relaxed the standing requirements for data breach cases even further. P.F. Chang’s attempted to distinguish the case from Remijas by arguing that the Lewert plaintiffs had dined at a Northbrook, Illinois, restaurant that was not among the 33 locations subject to the breach.

The Seventh Circuit rejected P.F. Chang’s argument and concluded that a lawsuit could compensate for the costs of purchasing credit-monitoring services, lost points on a debit card, or unreimbursed fraudulent charges (though the panel raised doubts about whether the costs of plaintiffs’ meals or the right to their identities constituted injuries). Citing Remijas, the court held that the plaintiffs were at risk for future fraudulent charges given that the breach had already occurred.

“They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen,” wrote Chief Judge Diane Wood. “These alleged injuries are concrete enough to support a lawsuit.”

So, in my opinion, Clapper does not constitute the death knell of data breach class action lawsuits.[i] In fact, Clapper is well reasoned, and ultimately, correctly decided. The Clapper Court held that plaintiffs’ injuries were too speculative because there was no evidence that a breach or disclosure (i.e. intercepted communications) had even occurred. This holding comports perfectly with traditional notions of subject matter jurisdiction and Article III standing. Conversely, in Remijas and Lewert, plaintiffs established that a breach or disclosure had actually occurred. Therefore, the court reasoned, plaintiffs had a substantive and concrete injury in the potential financial consequences of the breach.

Effectively, the Seventh Circuit has established that the mere occurrence of a data breach or disclosure constitutes actionable injury, regardless of whether identities are stolen or fraudulent charges are incurred. For once, it seems that the courts are actually in lockstep with the practical realities of law (albeit a little late to the party). The breach IS the injury. The breach is a bell that cannot be un-rung. In a climate where government officials have conceded to an inability to protect information, data collectors must be held accountable at the first instance where malefactors obtain personal information. We, as a government, society, and legal profession, cannot allow these entities to breathe a sigh of relief and go on their merry way just because a hacker does not use the stolen information. To do so allows a free pass and misses a chance to teach accountability and make information security a top priority.

[i] This article does not address the potential for state court actions in negligence and intentional tort. State court actions will be addressed in a future article.

Internet of Things Institute: Day One Takeaways


Day 1 of the ABA Internet of Things Institute:  So, come to find out, the Internet of Things (“IoT”) is not the precursor to SkyNet or a rampant abuse of power by Big Brother.  It is fascinating, and yes, slightly frightening.  The simple fact is, the IoT is just like any other rapid advance in technology – it is power that can be used for good or ill.  It provides safer cars, more productive businesses, and cleaner, more efficient energy grids.  It also provides more pervasive avenues for malefactors to hack into our daily lives.  But the bottom line is, the IoT is not going away, so it is imperative to understand it and implement sound security practices.

Some takeaways from Day 1: 

  • The IoT is a broad term for a world where everyday objects are connected, have software and are networked.
  • Computer scientists predicted the IoT in the 1980’s.
  • The most commonly known examples of the IoT are consumer goods like thermostats and light bulbs with sensors to monitor how many people are in a room at a given time and software to interpret that data to more efficiently allocate energy consumption.
  • Consumer products are just the beginning:  more necessary and beneficial uses include smart energy grids, smart water solutions, smart cities and infrastructure, autonomous cars, agricultural improvements, and medical products like medicine pumps, defibrillators, and monitoring devices for the aged (which will double in population by 2050).
  • We need to understand that connected devices are nothing more than computers, and computers can be programmed to do whatever you want.  So yes, that smart refrigerator can be hacked to send out malicious emails.
  • Because of this threat, we need to rely on sound engineering principles and strong encryption when developing IoT devices.
  • Manufacturers of IoT devices need to remember that they are actually developing software and not just cool gadgets.
  • Consumer protection must always be at the forefront of development.
  • Computer scientists were able to convert first generation electronic voting machines into Pac-Man games.
  • Industry cannot rely on Congress to legislate IoT security.  We have to rely on Industry sector regulation and consumer protection laws.
  • You cannot regulate what you can’t define.  According to one U.S. Senator, the IoT is moving too fast, it’s too big, and it changes every day.
  • The IoT is currently a $2 Trillion economy and will grow to $11 Trillion by 2025.
  • Don’t fear autonomous cars – 95% of auto accidents are due to driver error.  Autonomous vehicles will make roads safer, including not only individual vehicles, but the trucking industry as well.
  • The IoT is expected to create a 10-25% savings in energy consumption and manufacturing processes for industry.  Business will have to implement IoT devices to remain competitive.
  • The IoT is the 4th industrial revolution and will fundamentally change organizational behavior, as well as perceptions of privacy, security, ownership and interpersonal relationships.
  • Good with the Bad:  the IoT will also unquestionably create difficult societal, business, and ethical problems, such as job loss or restructuring, privacy and security issues, cyber-terrorism threats, cross-border data flow issues, data ownership issues, and dangerous digital divides (access, literacy, and acceptance of IoT).
  • Abuses and abusers will evolve.  Bad actors will remain bad actors.  The IoT will not change human behavior, but will give bad actors new tools to be bad actors.
  • There will be an estimated 30 billion IoT devices by 2030.
  • The raw cost of utilizing encryption is approximately 2 cents per device.
  • HIPAA and HITECH require healthcare providers to encrypt patient personal health information.
  • Cloud computing raises significant legal and ethical issues for every organization that uses the Internet.
  • The key to safely navigating the IoT and protecting your organizational information and the information of those you serve is security by design and front end engineering.
  • Cyber liability insurance is a good idea, but not the cure – coverage is not always sufficient, insurance companies may seek to deny coverage, and insurance does not fix the problems caused by a breach or recover the information lost.
  • The value in the IoT is the aggregation of data that by itself is useless.
  • Privacy concern and policy discussions must be viewed in context with the beneficial uses of the IoT.
  • 42% of consumers believe that privacy concerns outweigh the benefits of the IoT because the focus is on the consumer products, not the societal benefits.
  • IoT devices are increasingly becoming threat vectors.
  • IoT devices and software that utilize the collected data could be protectable intellectual property even though the data itself is not.

One thing is certain.  The IoT presents the greatest potential for human connectedness and technological advances in history while simultaneously presenting the greatest potential for security and privacy abuses.  The idea of a global community where information flows freely for the betterment of humanity is an exciting one.  However, we must temper that laudable goal with the stark reality that the same technology that frees us can also be used by bad actors to compromise that freedom.

In the immortal words of Peter Parker’s Uncle Ben:  with great power comes great responsibility.  Attorneys and other professionals specializing in information security and privacy must be at the forefront of the IoT.  So too must others (traditional attorneys, healthcare providers, financial services professionals, business owners, and governmental leaders) understand the benefits and threats posed by the IoT and seek advice from people best equipped to shepherd them through this new age.


Hungry, Hungry HIPAA


One recent case that didn’t get much attention, but should have, clarifies Ohio health care providers’ potential exposure for the unauthorized disclosure of patient health information (“PHI”).  On August 14, 2015, the Second District Court of Appeals decided Sheldon v. Kettering Health Network.[i]  In Sheldon, the Second District addressed patients’ rights related to the unauthorized disclosure of PHI.  Although the plaintiff was ultimately unsuccessful, the court affirmatively held that the Health Information Portability and Accountability Act (“HIPAA”) does not prevent a patient from asserting a common law tort claim for unauthorized disclosure of medical information.  On February 10, 2016, the Ohio Supreme Court declined to review the correctness of the Second District’s decision.  At that point, Sheldon effectively removed more than fifteen (15) years of gray area on the matter.[ii]

Prior to Sheldon, the Ohio Supreme Court decided Biddle v. Warren Gen. Hosp.[iii]  In Biddle, the Court held that, in Ohio, a physician can be held liable under Ohio common law for unauthorized disclosures of medical information.  The cause of the “gray area” was that the Supreme Court decided Biddle before HIPAA’s privacy-rule regulations were published on December 28, 2000 and before its security-rule regulations took effect on April 21, 2003.[iv]   The Sheldon case provides considerable clarity on exactly how HIPAA and the HITECH Act coexist with Ohio common law tort claims.

One point verified by Sheldon is that, according to Ohio law,  HIPAA does not allow a private cause of action.[v]  However, the Second District then concluded that HIPAA does not preempt an Ohio state law claim for the independent tort recognized by the Ohio Supreme Court in Biddle:

“[T]he unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.”

The Second District went on to refer to such actions as “Biddle claims.”  The Second District went a step further in addressing how the standards delineated in the HIPAA regulations interact with Biddle claims.

The Second District held that violation of HIPAA does not provide for negligence per se claims.  The Court reasoned that to allow such a claim would essentially override HIPAA’s explicit prohibition of private causes of action.[vi]   However, buried in the Sheldon decision is one sentence that should send a shiver down the spines of physicians and the attorneys who represent them:

“[T]he violation of an administrative rule does not constitute negligence per se; however such a violation may be admissible as evidence of negligence.”[vii]

Essentially, HIPAA may not allow for a private cause of action, but according to Sheldon, a health care provider’s HIPAA dirty laundry can still be heard by a jury in conjunction with a Biddle claim.

More troubling is that recent Federal case law, although only persuasive authority for Ohio state claims, will make it much easier to get these types of cases to a jury.

In July 2015, the Federal Seventh Circuit Court of Appeals decided Remijas v. Neiman Marcus Group, LLC,[viii] a case involving a massive data breach.  The Seventh Circuit overruled the trial court’s ruling in holding that “injuries [of customers] associated with resolving fraudulent charges and protecting oneself against future identity theft do” provide sufficient standing to maintain a cause of action for those affected by a data breach.[ix]  Thus, in situations where a data breach has occurred, but no actual identity theft has occurred, Remijas establishes the framework for plaintiffs’ lawyers to overcome the heretofore solid defense of lack of standing due to intangible and speculative damages.  Although no Ohio court has applied the reasoning of Remijas, there is now a viable legal argument to be made in Ohio state law negligence claims.

With the spate of data breaches in the health care industry occurring around the country (including several in the state of Ohio), HIPAA covered entities must take action to ensure that information security processes and procedures are in place. Not only because of the impending threat of litigation or the fact that the Department of Health and Human Services has announced that 200 new HIPAA audits are in the pipeline for 2016.[x]  It is simply the right thing to do.  Perhaps the Hippocratic oath, in our digital age, should extend to patients’ identity as well as their health and wellness.


[i] Sheldon v. Kettering Health Network, 40 N.E.3d 661 (App. 2d Dist. 2015)

[iii] Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 401, 1999-Ohio-115, 715 N.E.2d 518 (1999)

[iv] Sheldon at 671

[v] Id. at 670, citing Henry v. Ohio Victims of Crime Comp. Program, S.D. Ohio No. 2:07-cv-0052, 2007 WL 682427 (Feb. 28, 2007)

[vi] Id. at 674

[vii] Id., citing Chambers v. St. Mary’s School, 82 Ohio St.3d 563, 1998-Ohio-184, 697 N.E.2d 198 (1998)

[viii] Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)

[ix] Id.

[x] Raths, David, OCR’s Samuels Describes Launch of Phase 2 of HIPAA Audit Program, Healthcare Informatics, March 19, 2016