Employee Retaining Stored Patient List on Personal Laptop Triggers Data Breach Obligation

An employee of East Bay Perinatal Medical Associates (EBPMA) in Oakland, CA, retained on his personal laptop a patient list that he had prepared as part of his job. The list did not contain PHI, but it did contain PII. The Berkeley Police discovered the list during an unrelated investigation and notified EBPMA that it was on the computer. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for EBPMA.

Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that EBPMA had to send out!

Notification

Employee Viewing Information Without Authorization Triggers Data Breach Notification Obligation for Credit Union

An employee of Golden State Credit Union viewed member account information, containing Personally Identifiable Information (PII), without having the requisite authority to view such accounts. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for the Credit Union, which offered credit monitoring services to those affected.

Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that Golden State had to send out!

Golden State Credit Union Breach Notification Template

Rocky Dhir & Shawn Tuma - Cybersecurity at State Bar of Texas - Texas Bar TV

Rocky Dhir Interviews Shawn Tuma About Cybersecurity for Lawyers at State Bar of Texas 2015 Annual Meeting

I had the wonderful opportunity to visit with and get to know Rocky Dhir (@rockydhir) at the State Bar of Texas 2015 Annual Meeting in San Antonio. Rocky is the Founder and CEO of Atlas Legal Research, LP (@atlaslegal), “the world’s leading legal outsourcing company.”

Rocky and I did a brief interview where we talked about a lot of things — but also cybersecurity and, more specifically, cybersecurity for law firms. Rocky is a pro at this and he does them all of the time for the State Bar of Texas’ Texas Bar TV channel — and it really showed, but I had a great time doing it and, in the end, that’s what matters, right?

Thanks Rocky!

The CFAA Requires Access of a Computer — Not Just Access to Information

To have a valid CFAA claim, there must be an access to a computer.

The Computer Fraud and Abuse Act is often referred to as an “access crime” because the act that is prohibited is accessing a computer. Misusing information that someone else obtained from a computer is not accessing a computer. Doing so may be wrong for other reasons, but it is not a CFAA violation because it does not entail accessing a computer.

The court in New Show Studios LLC v. Needle, 2014 WL 2988271 (C.D. Cal. June 30, 2014) addressed this issue where a former employee continued to use his former employer’s information after his employment terminated by having people who still worked for the company access information and supply it to him. The court dismissed the CFAA claim because the plaintiff did not plead any access to a computer:

To prevail on a CFAA claim, plaintiffs must establish, among other things, that defendants “intentionally accessed a computer.” LVRC Holdings LLC, 581 F.3d at 1132. But the FAC is devoid of any allegation that the defendants accessed any computer. Instead, the FAC only alleges that Needle “gained access to confidential and sensitive information.” FAC ¶ 37. Accessing plaintiffs’ information, however, is not the same thing as accessing plaintiffs’ computer systems, even if that information was at some point stored on those computers. The Ninth Circuit has specifically cautioned against reading the CFAA as an “expansive misappropriation statute.” Nosal, 676 F.3d at 857; see also id. at 863 (explaining that the “general purpose” of the CFAA “is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets”). If plaintiffs wish to assert a claim under the CFAA, they must plainly allege that defendants accessed their computer systems, and explain the basis for those allegations.

Using Single Individual Password to Access News Site to Share Info With Others is Not CFAA Interruption of Service

A person’s use of his single, individual-use password to log in to a news site and obtain content that he then shared with over 100 other people did not cause any impairment to the integrity or availability of data, or any loss due to interruption of service, as required to bring a civil claim under the Computer Fraud and Abuse Act.

Capitol Audio Access, Inc. v. Umemoto, 980 F. Supp.2d 1154 (E.D. Cal. 2013).

Employers Receive Friendly Computer-Fraud-And-Abuse-Act Ruling From Louisiana Court

The U.S. Eastern District of Louisiana recently sided with employers in the ongoing judicial debate over interpreting the Computer Fraud and Abuse Act (“CFAA”). See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 (E.D. La.). Associated Pump sued its former employee Kevin Dupre for violating the CFAA during his alleged scheme to steal Associated Pump’s trade secrets. The complaint sets forth a now familiar scenario: shortly before resigning, Dupre used his work computer to violate a confidentiality agreement and known company policies by improperly accessing and obtaining Associated Pump’s confidential information to use while employed by Associated Pump’s competitor. These allegations, the Court held, state a viable CFAA claim.

via Employers Receive Friendly Computer-Fraud-And-Abuse-Act Ruling From Louisiana Court | Silicon Bayou News.