The “business compromise email” is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that it had been the victim of a crime.

A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making. See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017). In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction. More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction. Continue Reading Court Holds Crime Policy Covers Business Compromise Email Loss

The Internet of Things (“IoT”) can be thought of as a group of different devices that can communicate with each other, perhaps over a network such as the internet. We have written extensively about many of the privacy challenges that IoT devices can create. Recently, the Federal Trade Commission (“FTC”) made clear that its Children’s Online Privacy Protection Rule (the “COPPA Rule”) would continue to be applicable to new business models, including “the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”

To assist companies in complying with their COPPA obligations, the FTC has released an updated Six Step Compliance Plan. These steps are:

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.

Step 2: Post a Privacy Policy that Complies with COPPA.

Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.

Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.

Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.

Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.

Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

Notably, per Step 1, the FTC has made it clear that COPPA defines “Website or Online Service” broadly, to include “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, connected toys or other Internet of Things devices.” A key takeaway for companies everywhere is that, if your service collects personal information from kids under 13, it is unlikely that the FTC will be swayed by an argument that your service is not subject to the COPPA Rule. Instead, entities would be wise to either limit their data collection activities such that personal information is not collected, or take the time to understand and comply with their COPPA obligations from the outset.

If your IoT device or app does collect personal information from kids under 13, “verifiable parental consent” is the most important compliance concept, and also tricky to implement. There are exceptions to this “verifiable parental consent” requirement in the COPPA Rule, but those exceptions are limited and reliance on any exception should only be done with careful consideration of your collection practices and the COPPA Rule.

Similarly, the FBI has warned consumers that Internet-connected toys present privacy concerns for children. Companies may wish to pay particular attention to the recommendations that the FBI has for consumers, as many of them involve the consumer researching whether the company has used basic measures to protect the privacy of children that use these toys, including using authentication and encryption as well as providing for security patches at the device level. Companies may wish to consider whether these suggestions could form part of the basis for a reasonable standard of care, and whether, given their IoT devices’ “use case,” a failure to support one or more of these measures could subject them to additional liability.

If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz Levin.


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech

In a decision sure to have wide-ranging implications for cross-border discovery and governing privacy regimes, the Supreme Court recently held in Water Splash, Inc. v. Menon, that the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil and Commercial Matters (the “Hague Service Convention” or the “Convention”) does not prohibit service by mail. While the Court stated explicitly that its holding does not affirmatively authorize service by mail, the Court concluded that the Convention does not prevent service by mail if: (1) the receiving country has not objected to service by mail; and (2) service by mail is authorized under otherwise-applicable law.

For any corporate entity with global operations or employees and consumers abroad, take a close look at the terms of the Convention, the applicable service laws of the countries in which you maintain operations, and, as always, be mindful of where you might need to look for documents or other things that might be implicated in relation to a complaint served or received abroad. At the very least, pop Bob Dylan into Pandora and enjoy this warm summer day.

Continue Reading Knock, Knock, Knocking on Menon’s Door

Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Recently, Oregon’s Governor Kate Brown signed H.B. 2090 into law after near unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies. Continue Reading Oregon Ramps up State Consumer Protections in an Era of Deregulation

Despite some courts’ evident confusion about the impact of payment card theft on consumer cardholders, other courts are getting it right. Just this week, a judge in the Northern District of Illinois issued an order dismissing the second amended complaint filed by consumer cardholders in In re Barnes & Noble Pin Pad Litig. (N.D. Ill.). This order marked the third time that the court had dismissed the consumer cardholder claims due to lack of injury. Here, as in every theft of credit or debit card data, the fact that consumers are held harmless for fraudulent charges on their cards means that such losses – which are borne by the issuing banks – do not result in injury to consumers sufficient to confer statutory or constitutional standing. This leaves plaintiffs, like those in Barnes & Noble, to argue that they sustained actionable injury because of inconvenience (cards are replaced, accounts are temporarily frozen) or apprehension of potential future harm (future adverse credit impact). The court in Barnes & Noble held the former to be insufficiently significant to allow claims under statutes requiring proof of loss, while the latter was deemed too speculative to permit standing. Even though plaintiffs could show that they purchased credit monitoring services after the breach, the court held that money spent on attempts to mitigate future fraud is not an injury that may be redressed under state unfair competition law.

Having dismissed three separate attempts to plead an actionable claim, the court dismissed the second amended complaint in Barnes & Noble with prejudice. With this ruling, the court has provided additional support for defendants resisting consumer claims arising from theft of payment card data.

Recently the United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) and a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC), encouraged users and administrators to review a recent article from the Federal Bureau of Investigation (FBI) regarding Building a Digital Defense with an Email Fortress.

As we have discussed in many posts before, phishing — the fraudulent practice of sending emails purporting to be from a reputable entity to induce an individual to reveal privileged information such as a password — remains a major security threat. Within the article, the FBI provides several helpful actions that businesses can take to reduce their risk of being phished, including reporting and deleting suspicious e-mails, and making sure that countermeasures such as firewalls, antivirus software, and spam filters are robust and up-to-date.

We encourage each of our readers to review the FBI’s guidance and consider whether their organization could benefit from any of the methods of protection provided.

Companies with any questions regarding any of these issues should not hesitate to contact the team at Mintz Levin.

It seems as though we have been writing about this case for a lifetime. Target Corporation’s data breach saga came one step closer to a conclusion this week. On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach. Alabama, Wisconsin, and Wyoming were not part of the settlement. Continue Reading Target Reaches $18.5 Million Dollar Settlement in Data Breach with States


The latest edition of the Mintz TCPA Digest has been published and you can read it hot off the presses, here.

This month’s issue features updates on the latest regulatory activities and an article on a potential ruling that could have major implications for pending and future TCPA cases.

Mintz Levin’s TCPA and Consumer Calling Practice team should be on your speed dial.


You’ve had your apple a day, but you can’t keep the subpoenas away…  

And, if your organization is facing a request seeking records or other materials that may contain patient health information (“PHI”), it bears repeating that while HIPAA provides a number of methods through which covered entities that hold records containing PHI may produce such records, these guidelines are closely enforced by courts. Read on for your spring check-up. Continue Reading HIPAA Spring Check-up: Your Obligations to Safeguard Third-Party Patient Health Information in medical records produced in litigation