Tag Archives: Pittsburgh Technology

Pit IP Tech Blog Named Top 100 IP Blog

by: Robert Wagner, intellectual property attorney at the Pittsburgh law firm of Picadio Sneath Miller & Norton, P.C.

We are pleased to announce that the Pit IP Tech Blog has been named one of the Top 100 IP blogs on the net by Feedspot. We look forward to continuing our coverage of IP and technology news and hope that you will continue to read our blog. Thanks for making us a Top 100 blog!


Pennsylvania Superior Court Rules Employer Owes No Duty to Protect Employee Data

Kelly A. Williams, a shareholder at the Pittsburgh law firm of Picadio Sneath Miller & Norton, P.C.

In an apparent case of first impression, a divided three-judge panel of the Pennsylvania Superior Court recently held that an employer does not owe a legal duty to its employees to protect the employees’ electronically stored personal and financial information.  In Dittman v. UPMC, decided on January 12, 2017 (docket no. 971 WDA 2015), the Superior Court affirmed an opinion of the Court of Common Pleas of Allegheny County, PA (opinion by the Honorable R. Stanton Wettick, Jr.), sustaining defendant University of Pittsburgh Medical Center’s (“UPMC”) preliminary objections to an employee class action suit.  The suit arose from a data breach of the employees’ personal information, which was provided to UPMC as a condition of employment.

The employees sued UPMC for negligence and breach of contract after their names, birth dates, social security numbers, tax information, addresses, salaries and bank information were stolen due to the data breach. Specifically, they alleged that UPMC failed to properly encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network.  All of UPMC’s 62,000 employees and former employees were affected by the breach.  Appellants consisted of two separate but overlapping classes.  One class alleged that the stolen information had already been used to file fraudulent tax returns and steal the tax refunds of certain employees.  The other class consisted of those who had not suffered this harm but alleged that they were at increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.

To determine whether a duty of care exists, the Pennsylvania courts look to five factors, none of which are determinative alone. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012); Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000).  The five factors are:

  1. the relationship between the parties;
  2. the social utility of the actor’s conduct;
  3. the nature of the risk imposed and foreseeability of the harm incurred;
  4. the consequences of imposing a duty upon the actor; and
  5. the overall public interest in the proposed solution.

In Dittman, the court found that the first factor weighed in favor of finding a duty because the employer-employee relationship gives rise to duties on the employer.  The court next weighed the second factor against the third:  the need of employers to collect and store personal information about their employees against the risk of storing information electronically and the foreseeability of data breaches.  The court concluded:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.

Analysis of the fourth factor looks to the consequences of imposing a duty.  In this situation, the court considered that data breaches are widespread and that there is no safe harbor for entities storing confidential information.  It was also the court’s opinion that no judicially created duty of care is needed to incentivize companies to protect confidential employee information because other statutes and safeguards are in place to prevent employers from disclosing confidential information.  Thus, the court concluded that “it [is] unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”

Finally, the fifth factor looks to whether there is a public interest in imposing a duty.  The Superior Court found persuasive the reasoning of the trial court that imposing a duty here would greatly expend judicial resources and would result in judicial activism.  The Superior Court agreed with the trial court that the Pennsylvania legislature has considered the same issues and chose only to impose a duty of notification of a data breach.  “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”

Weighing all five factors, the court held that the factors weighed against imposing a duty.  Judge Stabile filed a concurring opinion, which Judge Olson, the writer for the majority opinion, joined.  Judge Stabile agreed with the ruling but emphasized that the law in this area is quickly changing and that the ruling was based on the facts pled in that particular case.  One of the key facts for Judge Stabile was that the employees had not alleged that UPMC was on notice of any specific security threat.  In a dissenting opinion, Judge Musmanno concluded that allegations that UPMC failed to properly encrypt data, establish adequate firewalls and implement appropriate authentication protocols were sufficient to allege that UPMC knew or should have known that there was a likelihood data would be stolen.  Judge Musmanno also disagreed with the majority’s assumption that employers are sufficiently incentivized to protect employee data without a duty imposed upon them to do so.

The employees filed a motion for reconsideration and reargument on January 26, 2017.  Thus, the Superior Court’s January 2017 opinion may not be the final word on the issue.

Dittman is interesting in the world of data breach lawsuits because it does not address standing.  Many data breach defendants have relied upon the theory that plaintiffs lack standing to bring claims for data breaches where plaintiffs cannot prove actual harm from the breach.  Proof of actual harm can be challenging because evidence regarding the use of the stolen information may be difficult to find.  Here, standing was not discussed by the Superior Court.  In the trial court below, UPMC had argued that the claims against it should be dismissed on the grounds that the employees lacked standing to assert claims on behalf of employees who had not yet been injured.  UPMC also asserted that the employees’ negligence and breach of implied contract claims failed as a matter of law.  After oral argument on these issues, the trial court ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data.  This ultimately proved to be the issue that the trial court and the Superior Court found to be determinative.

The Dittman v. UPMC opinion may be found at:  http://scholar.google.com/scholar_case?case=17833965968674892500&q=dittman+v.+upmc&hl=en&as_sdt=6,39&as_vis=1.

Pittsburgh Court Rules on Data Breach Class Claims – Denying Cause of Action

Posted By Henry M. Sneath, Chair of the Cybersecurity and Data Breach Prevention and Response Team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

A Pittsburgh, Pennsylvania Judge has ruled at the trial court level that there is no private cause of action for the alleged failure of a major hospital network to secure and protect PII and PHI. Denying Class claims, Judge Wettick has ruled that because the legislature has not created such a right, only the Pennsylvania Attorney General has the right to bring a claim in this circumstance. See the Legal Intelligencer article here: http://tinyurl.com/nphostc  We will get more details on this case and pass them along with our analysis.

Cybersecurity (CISA) Bill Moves out of Congressional Committee

Posted By Henry M. Sneath, Chair of the Cybersecurity and Data Breach Response team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

Privacy concerns continue to dog the CISA (formerly CISPA) bill, but it easily passed out of the Senate Intelligence Committee yesterday.  Pundits claim that the bill pits “big government – NSA, Homeland Security et al allegedly aided by Big Tech Companies” against privacy advocates who want less regulation of data and the internet. I’m not sure if it lines up that neatly however. See this short article with a summary of the committee process from Wired.Com.

Here is an advocacy website piece which supports defeat of the bill.

We will continue to monitor the path of the bill to see if it makes it to the Senate Floor for a vote. For the complete text of the bill, view it at this link.


Henry M. Sneath on Google+ or see his PSMN ® bio.

Pittsburgh Business Success Story: “Branding Brand. Com” for Mobile Commerce

By: Henry Sneath, Chair of the Intellectual Property practice at Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

I attended the Pittsburgh Technology Council’s breakfast briefing this morning and heard a great presentation by Jeffrey Hennion, President of Pittsburgh based Branding Brand: http://www.brandingbrand.com/ Founded by 3 CMU students, the company is now an industry leader in Mobile Commerce website and application development. They serve some of the largest retailers and businesses who are now true believers in the power of mobile commerce and mobile wallet apps – shopping from a phone. Costco (See Image below), Dicks Sporting Goods, Sephora, Ralph Lauren and countless more retailers have large percentages of sales now flowing through Branding Brand platforms. Starbucks is currently the leader in mobile commerce sales with its QR code based “mobile wallet”, which allows purchases from a scan of your phone screen.  A next big market for these products is the travel industry. As you ride from the airport to the hotel, you use your phone to check into the hotel, you skip the registration desk, open your room with your phone which has been activated with a mobile key. As Jeff described it – these developments are fascinating, but sometimes a little creepy. The percentage of phone driven ordering, and mobile wallet purchased sales is zooming upward and some companies could face loss of significant market share if they don’t keep up.

[Image: Costco]

Large Patent Verdict in Pittsburgh – Marvell Case

By Henry M. Sneath, Esq. – Chair of the Picadio Sneath Miller & Norton, P.C. Intellectual Property Group. Contact him at hsneath@psmn.com

Last week a Pittsburgh federal court jury found on behalf of local university CMU against hard drive chip maker Marvell (See attached photo) on claims of patent infringement and willfulness. The $1.17 Billion award was huge by any standards and still faces post trial motions which could vacate the verdict or increase it for willfulness, which the jury found. Judge Fischer could grant any number of what will surely be multiple post trial motions, including a motion for mistrial, which Marvell’s counsel made during CMU’s closing argument and which she denied without prejudice to ruling on it after the verdict was announced. In other words, she could still grant a mistrial and vacate the one month trial and verdict. She could also increase the verdict by as much as threefold based on the willfulness finding. The article attached below indicates that no tech verdict this large has ever stood the test on appeal. Here is one of a number of good descriptions of the case, which has been written about extensively over the last week:  http://arstechnica.com/tech-policy/2012/12/jury-slams-marvell-with-mammoth-1-17-billion-patent-verdict/
Here also is an interesting video take on the case.
http://www.bloomberg.com/video/david-martin-on-carnegie-mellon-marvell-patent-case-er1U0P~yQXC616MuXqU_Hw.html

We will continue to follow this important case.

Picking Better Passwords

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

With the news that millions of LinkedIn passwords were compromised last week, we should all reconsider what passwords we are using and whether they are secure enough for our needs. As with most security issues, there is always a balance between having a password that is easy enough for you to remember but too difficult for someone else to guess. This article discusses some strategies and tips for creating and managing stronger passwords.

What Is a Bad Password?

Not all passwords are equal, and there are many that should simply be avoided for most applications. It goes without saying that “password” and “12345” are terrible passwords. A good list of these “bad” passwords can be found here. In general, though, a bad password is one that is:

  • short (less than 8 characters)
  • a single word (in any language) that can be found in a dictionary
  • something that is readily identified with you (e.g., your name or your spouse’s, children’s, or parents’ name; the street you live on or the city you live in, etc.)
  • a variation on your login or username
  • adjacent letters or numbers (e.g., qwerty, 12345, abcde, etc.)

Looking through lists of bad passwords can be very enlightening and can give you some ideas of passwords to avoid.

What Is a Good Password?

Now that we know what types of passwords are not great, what types of passwords are better? A good password likely will have many of the following characteristics:

  • longer than 8 characters (generally, the longer the better)
  • have a mix of upper and lowercase letters, numbers, and symbols
  • be unrelated to any readily identifiable information about you

Again, there is always a balance between ease of use (i.e., something you can remember) and the strength of the password. A long string of random letters, numbers, and symbols is potentially very secure, but is, counterintuitively, not likely to be a good password if you can’t remember it. If you have to write down your password on a piece of paper in order to use it, your password is only as good as the security you have in place to protect that piece of paper.

Thankfully, there are a number of techniques you can use to create stronger passwords that you can remember. One of the most common is to use the first letters of a phrase. For example, if you choose the phrase “To be or not to be, that is the question,” the password would become “Tbontb,titq”. That seemingly random set of letters and symbols would not be susceptible to a dictionary attack (in which the attacker simply tries all the words in the dictionary), but would still be easily remembered. [For the record, this is such a common phrase that it is likely a bad password. Choose a more obscure sentence or phrase to use, instead.] We could make this password stronger by changing some of the letters to numbers. For example, the “o” could become a zero and the “i” could become a one—so, the password would be “Tb0ntb,t1tq”.

Another common technique is to use unrelated words separated by numbers or symbols. The key to this approach is taking advantage of the strength of longer passwords while introducing numbers and symbols to defeat dictionary attacks. For example, you could use “fruit25lawnmower#%”. For added strength, you could capitalize some of the letters and change some to numbers—“fRU1t25LawnM0wer#%”.
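As an added example (not code from the original post), the “bad password” checklist, the “good password” characteristics and the first-letters-of-a-phrase technique above written out in Python; the word list and the personal-information inputs are constructed stand-ins for a real dictionary and for your own details:

```python
import re
from string import ascii_lowercase, digits

# Constructed stand-in for a real dictionary file (assumption, not from the article).
DICTIONARY = {"password", "fruit", "lawnmower", "secret", "welcome", "dragon"}
# Rows of adjacent keys plus the digit and alphabet runs the article warns about.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", digits, ascii_lowercase)
PUNCTUATION = ",.!?;:"


def has_adjacent_run(pw, min_run=4):
    """True if pw contains min_run adjacent keys (qwerty, 12345, abcde), forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            chunk = row[i:i + min_run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def bad_password_reasons(pw, username="", personal=()):
    """Return the article's 'bad password' rules that pw violates, in the article's order."""
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("short")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if any(item and item.lower() in low for item in personal):
        reasons.append("personal info")
    user = username.lower()
    # A "variation" on the login: the login embedded in it, or equal to it once non-letters are stripped.
    if user and (user in low or re.sub(r"[^a-z]", "", low) == user):
        reasons.append("variation on username")
    if has_adjacent_run(pw):
        reasons.append("adjacent keys")
    return reasons


def meets_good_criteria(pw):
    """Longer than 8 characters with upper, lower, digit and symbol classes all present."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) > 8 and all(classes)


def phrase_to_password(phrase, substitutions=None):
    """First letter of each word, keeping trailing punctuation, then optional letter-to-digit swaps."""
    subs = substitutions or {}
    pieces = []
    for word in phrase.split():
        pieces.append(word[0])
        if word[-1] in PUNCTUATION:
            pieces.append(word[-1])
    return "".join(subs.get(c, c) for c in pieces)
```

Running the article's own phrase through `phrase_to_password` gives “Tbontb,titq”, which fails `meets_good_criteria` for lack of a digit; the o/i substitution yields “Tb0ntb,t1tq”, which passes.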

This is an interesting website where you can enter passwords, and it will assess their relative strengths. As always, you should be cautious about entering any passwords you actually use or intend to use. You can, however, enter similar passwords and begin to get a sense of what makes a stronger or weaker password.

More Dos and Don’ts

Now that we have talked about good and bad passwords, there are a few other points you should consider in managing your passwords.

The strength of your password should reflect the importance of that account to you (or your employer). Very important accounts, like your bank account, should be given the strongest password you can reasonably remember that is different from any other passwords you use. You should also consider regularly changing it in case it becomes compromised without your knowledge.

E-mail accounts should be considered important accounts and given stronger passwords. There can be a real danger if someone gains access to your e-mail account. For example, once you know someone’s username, many websites will allow you to reset the password by sending an e-mail to the registered address. If an attacker gains control of your e-mail, he or she can then reset the password to your bank account (or any other account).

Ideally, you should have a different password for every account or website. That way, if one password is compromised, it won’t compromise your others. Unfortunately, it can be difficult to remember which password you used with which account. To help with this problem, you should consider using a password management program that stores all of your passwords in one location (and is often designed to easily enter those passwords into website forms). These programs then use one master password to unlock all of your passwords. They can be very convenient and useful programs because they allow you to keep track of all of your passwords in a secure way. But, you are putting all your eggs in one basket, so the master password you choose should be strong and access to the program limited.

Finally, don’t write your passwords down on post-it notes on your computer monitor or in other easy-to-find places. If your password is too hard to remember, think about creating a different one that you can remember. On the other hand, it can make good sense to keep your passwords written down in a secure location in case you forget them, especially if the account provides no way to reset the password. Ideally, you should keep them in a locked location, though.

Parting Thoughts

Having a good password requires some discipline and can be inconvenient at times. However, it can be far more inconvenient to have your account hacked and your money or information stolen. Taking a little time now to really think about how to create and manage your passwords can save you a lot of hassle in the future.

“Open Innovation” – Pittsburgh May Be The Perfect Place For it

Posted by Henry M. Sneath, a principal, shareholder and IP Group Chair at Picadio Sneath Miller & Norton, P.C. in Pittsburgh, Pennsylvania.

I take no credit for this post. We have been linking to a great site “Pittsblog” authored by Michael Madison, a UPitt Law Professor.  He has published a series of great articles on “Open Innovation” in Pittsburgh and his latest is a good read. Check it out: http://pittsblog.blogspot.com/

Pittsburgh Technology Start-Up Funding

Posted by Henry M. Sneath, a principal, shareholder and IP Group Chair at Picadio Sneath Miller & Norton, P.C. in Pittsburgh, Pa.

The Pittsburgh technology community continues to grow and prosper. Old steel mill slabs are now covered with high-tech facilities and incubators. The Commonwealth of Pennsylvania pumped some new money into the Pittsburgh economy with 3 funding awards approved and administered by the Ben Franklin Technology Partners http://benfranklin.org/ (BFTP), a long-time Pennsylvania authority which places state funding money with deserving partners. Through a competitive process, the following Pittsburgh based awards were approved by BFTP:

  • $100,000 for Idea Foundry for a technology development grant to help entrepreneurs in information technology or related engineering field create a business. With this funding, the nonprofit organization, which offers market analysis, product management, management team development and other services, is expected to spin out five new companies.
  • $450,000 for the Pennsylvania NanoMaterials Commercialization Center for a university research commercialization grant aimed at developing an industry and university network for building the state’s energy sector.
  • $600,000 for the University of Pittsburgh for a university research commercialization grant for an electric power and energy research project aimed at items such as power electronics, renewable energy and smart grid technology.
  • Read more: Pennsylvania hands out $4M in tech commercialization grants | Pittsburgh Business Times

Thanks to the Pittsburgh Business Times for reporting on these awards.