Tag Archives: technology

Pittsburgh Court Rules on Data Breach Class Claims – Denying Cause of Action

Posted By Henry M. Sneath, Chair of the Cybersecurity and Data Breach Prevention and Response Team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

A Pittsburgh, Pennsylvania judge has ruled at the trial court level that there is no private cause of action for the alleged failure of a major hospital network to secure and protect PII and PHI. Denying class claims, Judge Wettick ruled that because the legislature has not created such a right, only the Pennsylvania Attorney General may bring a claim in this circumstance. See the Legal Intelligencer article here: http://tinyurl.com/nphostc We will get more details on this case and pass them along with our analysis.


Business Leaders Rank Cyber Risk #2 on List of Main Concerns

Posted By Henry M. Sneath, Chair of the Cybersecurity and Data Breach Prevention and Response Team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

Travelers Indemnity and Insurance released its annual Business Risk Index, a survey of the concerns of business leaders and decision makers. Not surprisingly, for 2015, cyber risk moved up to the number 2 concern on that list, right behind rising healthcare costs. In some industry sectors it is the number 1 concern. The Banking and Financial Services, Professional Services, and Technology sectors each ranked cyber risks as the main driver of sleepless nights. The chart on page 3 of the survey is very instructive as to the different concerns of small, medium and large businesses. Small businesses have less concern about data breach than larger businesses, but perhaps small businesses are overlooking their vulnerability and attractiveness as targets. If they care less, they will likely protect less, and become easy targets for hackers. It should be a huge concern for all businesses in all industries, as no one appears immune. If you store or deal in Personally Identifiable Information (PII) or Personal Health Information (PHI) as part of your business, then you are a valuable target. If you have financial or credit information, or trade secrets to protect, then perhaps your competitors, foreign governments and political hackers want to look inside your data. Many insurers are now offering Cyber Risk Insurance to provide defense and indemnity against these risks. Every business should have a data breach prevention and response team of employees and outside consultants and lawyers to audit the company’s vulnerability and to set the plan for a response when a breach occurs. See the complete Travelers Business Risk Index at: https://www.travelers.com/prepare-prevent/risk-index/business/index.aspx

Target Agrees to Settle Class Claims Over 2013 Data Breach for $10M

Posted By Henry M. Sneath, Chair of the Cybersecurity and Data Breach Prevention and Response Team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C.  hsneath@psmn.com or 412-288-4013

Target Corp. has agreed to settle the 2013 data breach class claims prior to argument on class certification. Lead plaintiff’s counsel admitted the uphill battle he faced to obtain class certification, due primarily to the difficulty in these consumer data breach cases of proving commonality of claims. This settlement, which still needs court approval for its proposed $10M payout, will not settle claims by commercial entities, but only individual consumer claims. Here is a good article with more detail from the National Law Journal. We will continue to follow this settlement and the handling of the commercial claims as this blog increases our focus on Cybersecurity and Data Breach Prevention and Response issues.

See this link to the NLJ for more info: http://tinyurl.com/kxwjrb9

Pittsburgh Technology Council Tech 50 Award Winners Announced

By: Joseph R. Carnicella, intellectual property attorney with Picadio Sneath Miller & Norton, P.C.

On behalf of our firm, I would like to thank The Pittsburgh Technology Council for hosting such a spectacular event last evening.  Also, I would like to congratulate all of the award winners who were recognized by the Council as leaders in technology and innovation within the Pittsburgh area.

The Pittsburgh Technology Council holds an annual Tech 50 awards presentation as a way to honor companies that have demonstrated an ability to grow and succeed as technology-oriented companies in Pittsburgh.  The event last evening provided an excellent opportunity for business leaders to come together and recognize and celebrate all of the creative contributions made by these companies on a local, national and global stage.  The Tech 50 award winners are as follows:

  • Calgon Carbon Corporation – Advanced Manufacturer of the Year
  • Epiphany Solar Water Systems, LLC – Innovator of the Year
  • ERT, formerly invivodata, inc. – Life Sciences Company of the Year
  • TrueFit – New Media Company of the Year
  • Summa Technologies – Solution Provider of the Year
  • Branding Brand – Start-Up of the Year
  • ANSYS, Inc. – Tech Titan of the Year
  • Scott Pearson, Aquion Energy, Inc. – CEO of the Year

Again, congratulations!  We wish you and all of the other Pittsburgh tech companies the best.

Who Will Inherit Your Digital Music–Bruce Willis to Sue Apple?

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

Earlier this week, an interesting story emerged that Bruce Willis was considering suing Apple over whether his children could inherit his iTunes collection after his death. The story turned out to be a hoax, but the questions it raises regarding ownership and rights in this digital age are very interesting.

Decades ago, music, movies, and books were exclusively purchased in a tangible form—records or CDs, videotapes or DVDs, and paperback or hardback books. While these formats are still largely available, more and more people are purchasing this type of content in an intangible digital format through services like Apple’s iTunes and Amazon’s Kindle stores.

In the past, the purchase of a tangible product like a record or book made transferring the product easy. Under the first sale doctrine, one simply could give or sell the record or book to another without any constraints. Thus, inheriting the record or the book did not pose any problems from an intellectual property or legal perspective. (Whether anyone wanted grandma’s or grandpa’s record or book collection is another matter).

When one purchases a song from iTunes or a book for Amazon’s Kindle store, the issue gets more complicated. One is actually purchasing a limited license to listen to the song or read the book on a limited number of devices. No physical, tangible products are purchased. Normally, the license is limited to the purchaser and is arguably valid only during the lifetime of the purchaser (assuming there are no other restrictions, as there sometimes are with video “purchases”). Thus, there is nothing tangible to give to another. Indeed, the licenses often explicitly restrict the giving or selling of the product to another.

Getting back to the situation that Bruce Willis was supposedly concerned about—what would happen to all of the music he purchased after he died? Most of the time, families will likely not be particularly concerned about whether they inherit grandpa’s music collection, but not always. For instance, what if the father or mother dies prematurely, and everything that the family was listening to or watching on a regular basis was purchased through that person’s iTunes account? The shift to a digital medium could have a very real and expensive consequence (in addition to whatever emotional trauma the family has to deal with from the untimely death).

I think a more concerning issue is the potential effect on a family’s photographs and letters, which can be some of the most treasured possessions a family has. With the shift to storing photographs on-line and corresponding through e-mail rather than letters, we are moving some of our most prized possessions and memories from tangible forms that can easily be preserved and given to others to an intangible form that may have unexpected and unanticipated restrictions. For example, if an individual stores all of his or her photographs on-line, what happens when that person dies? Will the account be closed and all the files deleted once the annual payments stop? Even if it is not, who will be allowed to access it, especially if the passwords were never written down or are lost?

We are still in the infancy of the digital age in many respects and questions like these are only beginning to be considered, and many companies’ terms and conditions are simply not designed to deal with circumstances like these. So, what should one do?

Where possible and when the ability to transfer the item to your spouse, children, or others is important, then efforts should be made to make sure the item is in a tangible form or resides on a computer in a way that is accessible regardless of whether you are alive or whether you fail to make an annual payment to a particular cloud service. In the case of pictures, that could mean having them printed out or storing them in a folder on your hard drive (instead of in the cloud). The same is true of e-mails. If there are particularly important e-mails, make sure that they have been saved on your hard drive, instead of leaving them in the cloud, or print them out.

Finally, it is a good practice to leave instructions as to what important on-line accounts you have (e-mail, Facebook, iTunes, cloud storage, banking, etc.) and how to access them so that others can get access to these accounts where appropriate if you are no longer able to. Given the important nature of these accounts, you should only leave this information with people you trust or in a location that is secure (e.g., a bank box).

It will be interesting to see how companies respond to issues like the one that Bruce Willis supposedly raised (even though he didn’t actually). The cloud provides many great conveniences, but as is often true with new technologies and ways of doing things, there are many unexpected issues that emerge. Hopefully, people, companies, and the law will find solutions to preserve those family treasures without too many hassles.

Federal Court Orders Defendants to Add Metadata to Privilege Log

by: Kelly A. Williams, a partner at Picadio Sneath Miller & Norton, P.C.

Parties to litigation are used to providing privilege logs (a list of documents not produced in discovery on the grounds that the documents contain privileged information) with such information as author, recipient, date, description of the document and the privilege being asserted. Now that electronic documents are becoming the “norm,” the courts may begin requiring more information about these documents. One such case is Favors v. Cuomo, a redistricting case filed in the Eastern District of New York. In this case, the court ordered defendants to supplement their privilege log to include “addressee(s), copyee(s), blind copyee(s), date, time, subject line, file name, file format, and a description of any attachments.” Favors v. Cuomo, 11-CV-5632, 2012 U.S. Dist. LEXIS 113076, *116 (E.D.N.Y. Aug. 10, 2012) (U.S. Mag. J. Roanne L. Mann). The rationale for this ruling was that this type of information is easily and readily accessible given the metadata available for electronic documents. Id. However, the court did add that merely listing the subject line, file name or document title would be insufficient, as it would result in “vague, confusing, or conclusory descriptions.” Id. at *117 n.36. Thus, this type of information would have to be revised to provide a sufficient description of the document.

Western Pennsylvania Patent Lawsuit Filings Increase in 2012

by: Henry M. Sneath, a shareholder at Picadio Sneath Miller & Norton, P.C.

The USDC for the Western District of Pennsylvania enacted local patent rules in 2005. The court has also been designated as one of a number of courts in the country that are part of a Pilot Program in which patent filings will be monitored and participating courts will establish certain practices for the administration of patent cases. While patent filings have been rather flat in the Pa. Western District in the last few years, the number has skyrocketed in 2012. There were 11 patent cases filed in 2011, but this year, through July, there have already been 28 filings, or more properly, 11 actual filings and 17 cases transferred from the Eastern District of Texas, or cases which relate to those transferred cases.

These latter 17 cases relate to the same or similar patents held by a company called Maxim Integrated Products, which is suing numerous big-name companies, and which is being sued in declaratory judgment actions by many other big-name companies. Many of its suits were filed, not surprisingly, in Texas Eastern, but were transferred to Pa. Western.

Declaratory judgment actions followed and have been filed here by other companies whom Maxim allegedly threatened with suit. The patent(s) at issue relate to the transfer of “cash” between secure devices (e.g., mobile to mobile). The Summary of the Invention in this ‘510 patent is set forth as:

“The present invention is an apparatus, system and method for communicating a cash equivalent electronically to and from a portable module. The portable module can be used as a cash equivalent when buying products and services in the market place. The present invention comprises a portable module that can communicate to a secure module via a microprocessor based device. The portable module can be carried by a consumer, filled with electronic money at an add-money station, and be debited by a merchant when a product or service is purchased by the consumer. As a result of a purchase, the merchant’s cash drawer will indicate an increase in cash value.”

We will follow these cases and report more in the future.

Picking Better Passwords

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

With the news that millions of LinkedIn passwords were compromised last week, we should all reconsider what passwords we are using and whether they are secure enough for our needs. As with most security issues, there is always a balance between having a password that is easy enough for you to remember but too difficult for someone else to guess. This article discusses some strategies and tips for creating and managing stronger passwords.

What Is a Bad Password?

Not all passwords are equal, and there are many that should simply be avoided for most applications. It goes without saying that “password” and “12345” are terrible passwords. A good list of these “bad” passwords can be found here. In general, though, a bad password is one that is:

  • short (less than 8 characters)
  • a single word (in any language) that can be found in a dictionary
  • something that is readily identified with you (e.g., your name or your spouse’s, children’s, or parents’ name; the street you live on or the city you live in, etc.)
  • a variation on your login or username
  • adjacent letters or numbers (e.g., qwerty, 12345, abcde, etc.)

Looking through lists of bad passwords can be very enlightening and can give you some ideas of passwords to avoid.

What Is a Good Password?

Now that we know what types of passwords are not great, what types of passwords are better? A good password likely will have many of the following characteristics:

  • longer than 8 characters (generally, the longer the better)
  • have a mix of upper and lowercase letters, numbers, and symbols
  • be unrelated to any readily identifiable information about you

Again, there is always a balance between ease of use (i.e., something you can remember) and the strength of the password. A long string of random letters, numbers, and symbols is potentially very secure, but is, counterintuitively, not likely to be a good password if you can’t remember it. If you have to write down your password on a piece of paper in order to use it, your password is only as good as the security you have in place to protect that piece of paper.

Thankfully, there are a number of techniques you can use to create stronger passwords that you can remember. One of the most common is to use the first letters of a phrase. For example, if you choose the phrase “To be or not to be, that is the question,” the password would become “Tbontb,titq”. That seemingly random set of letters and symbols would not be susceptible to a dictionary attack (in which the attacker simply tries all the words in the dictionary), but would still be easily remembered. [For the record, this is such a common phrase, that it is likely a bad password. Choose a more obscure sentence or phrase to use, instead.] We could make this password stronger by changing some of the letters to numbers. For example, the “o” could become a zero and the “i” could become a one—so, the password would be “Tb0ntb,t1tq”.

Another common technique is to use unrelated words separated by numbers or symbols. The key to this approach is combining the strength of a longer password with numbers and symbols that defeat dictionary attacks. For example, you could use “fruit25lawnmower#%”. For added strength, you could capitalize some of the letters and change some to numbers—“fRU1t25LawnM0wer#%”.

This is an interesting website where you can enter passwords, and it will assess their relative strengths. As always, you should be cautious about entering any passwords you actually use or intend to use. You can, however, enter similar passwords and begin to get a sense of what makes a stronger or weaker password.
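As an added illustration (not code from the original post), the following Python script applies the post's bad-password criteria to a candidate password and builds passwords with the first-letter-of-phrase technique, including the o→0 and i→1 substitutions. The word lists are small constructed stand-ins for a real dictionary and a published list of bad passwords.

```python
import re
import string

# Constructed stand-ins: a real check would load a full dictionary file and a
# published list of commonly used (leaked) passwords.
DICTIONARY = {"password", "lawnmower", "fruit", "welcome", "monkey", "dragon", "letmein"}
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "abcde", "letmein"}

# Keyboard rows plus the alphabet and digits, used to spot "adjacent" sequences.
ADJACENT_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]


def is_sequential(pw, run=4):
    """True if pw contains `run` adjacent characters (forward or reversed) from any row."""
    low = pw.lower()
    for row in ADJACENT_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def weaknesses(pw, username="", personal=()):
    """Return the list of the post's bad-password criteria that pw violates.

    `personal` is a tuple of readily identifiable strings (names, street, city).
    """
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("short")
    if low in COMMON_PASSWORDS:
        problems.append("common")
    if low in DICTIONARY:
        problems.append("dictionary word")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal info ({item})")
    if username and (username.lower() in low or low in username.lower()):
        problems.append("variation on username")
    if is_sequential(pw):
        problems.append("adjacent keys/sequence")
    return problems


def char_class_count(pw):
    """Number of character classes present (upper, lower, digit, symbol); 4 is the full mix."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return sum(classes)


def phrase_password(phrase, substitute=False):
    """First-letter-of-phrase technique: keep each word's first letter and all punctuation.

    With substitute=True, lowercase 'o' becomes '0' and 'i' becomes '1', as in the post.
    """
    parts = []
    for tok in re.findall(r"\w+|[^\w\s]", phrase):
        parts.append(tok[0] if tok[0].isalnum() else tok)
    pw = "".join(parts)
    if substitute:
        pw = pw.replace("o", "0").replace("i", "1")
    return pw


if __name__ == "__main__":
    for candidate in ["qwerty", "fruit25lawnmower#%",
                      phrase_password("To be or not to be, that is the question", True)]:
        print(candidate, "->", weaknesses(candidate), "classes:", char_class_count(candidate))
```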

More Dos and Don’ts

Now that we have talked about good and bad passwords, there are a few other points you should consider in managing your passwords.

The strength of your password should reflect the importance of that account to you (or your employer). Very important accounts, like your bank account, should be given the strongest password you can reasonably remember that is different from any other passwords you use. You should also consider regularly changing it in case it becomes compromised without your knowledge.

E-mail accounts should be considered important accounts and given stronger passwords. There can be a real danger if someone gains access to your e-mail account. For example, once you know someone’s username, many websites will allow you to reset the password by sending an e-mail to the registered address. If an attacker gains control of your e-mail, he or she can then reset the password to your bank account (or any other account).

Ideally, you should have a different password for every account or website. That way, if one password is compromised, it won’t compromise your others. Unfortunately, it can be difficult to remember which password you used with which account. To help with this problem, you should consider using a password management program that stores all of your passwords in one location (and is often designed to easily enter those passwords into website forms). These programs then use one master password to unlock all of your passwords. They can be very convenient and useful programs because they allow you to keep track of all of your passwords in a secure way. But, you are putting all your eggs in one basket, so the master password you choose should be strong and access to the program limited.

Finally, don’t write your passwords down on post-it notes on your computer monitor or in other easy-to-find places. If your password is too hard to remember, think about creating a different one that you can remember. On the other hand, it can make good sense to keep your passwords written down in a secure location in case you forget them, especially if the account provides no way to reset the password. Ideally, you should keep them in a locked location, though.

Parting Thoughts

Having a good password requires some discipline and can be inconvenient at times. However, it can be far more inconvenient to have your account hacked and your money or information stolen. Taking a little time now to really think about how to create and manage your passwords can save you a lot of hassle in the future.

Top 10 Smart Phone PINs to Avoid (Updated)

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

iPhones and other smart phones are becoming ubiquitous among legal (and other) professionals. The ability to access your e-mail and documents outside the office is extraordinarily convenient. As attorneys, though, we must temper that convenience with our obligation to preserve our clients’ confidences. Most smart phones offer the ability to password protect the phone, often with a 4-digit PIN or passcode, before you can access the information on the phone. They also often have a feature that will wipe the phone’s data if a certain number of incorrect PINs are entered in a row (with the iPhone that number is 10). But just how secure is your phone?

In this blog post by Daniel Amitay, he looked at the most common 4-digit PINs from over 200,000 users for a program he wrote for the iPhone. Startlingly, the top 10 most common PINs represent 15% of all the PINs people actually use (instead of 0.1% if the PINs were uniformly distributed). While the PINs people use for a program on their phone, as opposed to the phone’s PIN itself, may not be the same, the findings are interesting nonetheless. If they were the same or even a large percentage were, this means that someone who finds (or steals) an iPhone would have around a 1 in 7 chance of unlocking the phone before it is wiped automatically! Smart phone users would be well advised to take a look at the list and consider whether the PINs they have chosen are really as secure as they should be given what information is on (or accessible from) their phones.

For a similar article about computer passwords, check out this NY Times article.

Update: There is another very interesting article on the DataGenetics website that explores this issue in even more detail. It looks at not only 4-digit PINs, but also PINs of up to 10 digits, and identifies some of the more common ones used. It provides even more insight into common PINs to avoid, and it is well worth the read.

Update: What You Need to Know About PDF/A ECF Filings in Federal Court

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

As discussed in an earlier post on this blog, the federal courts will be requiring all electronic filers to move to the PDF/A standard for ECF filings. The Western District of Pennsylvania announced that it is beginning its transition to this format now, and all filings starting on January 1, 2012 must be in the PDF/A standard (link to Court’s PDF announcement).

The PDF/A format should be a longer-lasting file format that will allow attorneys and the public to access these records well into the future. The PDF/A standard requires that the files be self-contained and not refer to or use any information outside of the file itself. So, all the fonts and other information will be embedded inside the file. There are two types of PDF/A formats—the PDF/A-1a and PDF/A-1b formats. The “a” format requires strict tagging of information, while the “b” format is less stringent. As a practical matter, one will likely need the original source file (for example, the original Microsoft Word file) to create a PDF/A-1a file. This will make it more difficult to convert standard PDF files into PDF/A-1a files. On the other hand, because the PDF/A-1b format is more forgiving, it should be possible to convert standard PDF files into this format. It appears that the federal courts will accept either PDF/A format.

There are a variety of websites offering advice and tutorials to help ease the transition to the PDF/A format. The Adobe Acrobat for Legal Professionals website recently posted a tutorial on using the save as feature in Acrobat 9 and X to create or convert files into the PDF/A format. It also hosted a webcast on the topic that can be viewed here.

For additional information:

  • Federal Court FAQ regarding PDF/A change
  • past Adobe Acrobat for Legal Professionals blog posts on this topic 1, 2, 3, 4
  • ISO 19005-1:2005 FAQ describing the standard (downloads FAQ)
  • PDF/A compliance organization FAQ