“Sniffing” Does Not Violate Wiretap Act

Sniffing Technology Outpaces Legislation

The US District Court for the Northern District of Illinois (Judge Holderman) recently ruled that the interception of unencrypted, publicly available WiFi networks does not violate provisions of the federal Wiretap Act. In a decision involving admissibility of evidence, the court found that a party’s “intercept” fell within an exception to the Wiretap Act – allowing a person “to intercept or access an electronic communication made through an electronic communication system that is configured so that electronic communication is readily accessible to the general public.”

The issue arose in a patent infringement case. Innovatio IP Ventures sued commercial users of wireless internet technology, such as hotels and coffee shops, for infringing its patents by making the technology available to their customers, as well as by using the technology to manage internal processes. As discovery proceeded in the case, Innovatio used commercially available WiFi network analyzers to collect information about the Wireless Network Users’ (hotels, restaurants, etc.) allegedly infringing networks. The process, known as “sniffing,” requires Innovatio’s technicians to enter the Users’ premises during business hours with a laptop and a packet capture adapter. The adapter can intercept data packets traveling wirelessly between the WiFi router provided by the Users and any devices that may be communicating with it.

Innovatio sought a ruling on the admissibility of the information it gained in the sniffing process. The court asked the parties to address the Wiretap Act issues. Rejecting both parties’ technical arguments (and experts), the court focused on an exception to the Act. The Court distinguished this case from a ruling in the Google Street View litigation, stating that the earlier ruling relied on accepting the premise that communications could only be intercepted using sophisticated technology. Basically, the court concluded that the technology continues to evolve faster than court rulings and legislation. The court noted that the public may still have some lack of awareness regarding the privacy of communications in a coffee shop setting, but that lack of awareness does not mean that parties utilizing technology to capture the communications are in violation of the Wiretap Act.

See, In Re Innovatio IP Ventures, LLC Patent Litigation, N.D.Ill., No. 1:11-cv-09308, Aug. 22, 2012

Mobile Device Privacy – Federal Legislation

The Mobile Device Privacy Act, introduced Wednesday by Representative Ed Markey, would also require mobile phone makers, network operators and app developers to get permission from customers before monitoring their mobile devices.

See update at:

http://www.pcworld.com/businesscenter/article/262244/


The app industry is pushing back, saying it can develop protective systems without the need for legislation.

Appellate Court Finds Coverage for Data Breach under Crime Policy

According to the Privacy Rights Clearinghouse, in 2005, DSW Shoe Warehouse suffered a data breach affecting over 1.4 million customers across 25 states. Between February 1 and February 14, 2005, hackers gained unauthorized access to the DSW main computer system and then downloaded credit card and checking account information pertaining to customers. (The DSW incident was part of the same scheme that targeted TJX, Barnes & Noble, Target, Sports Authority and Boston Market; see The Great Cyberheist, by James Verini, New York Times Magazine, Nov. 10, 2010. Using a technique known as “war driving,” hackers sat in vehicles outside stores with laptops and high-power radio antennae to gain access to networks.) DSW was first alerted to the problem in March of 2005. In the wake of the breach, DSW incurred expenses relating to customer communications, public relations fees, customer claims/litigation and attorneys’ fees in connection with the investigations by seven state AGs and the FTC. DSW claimed losses of $4 million, including costs associated with chargebacks, card reissuance, account monitoring and fines imposed by VISA/MasterCard.

DSW submitted Proofs of Loss to its insurer, National Union, starting in September 2005 (following initial notification of the matter in April 2005). DSW claimed a total of $6.8 million for the losses plus interest. At the time, DSW did not have specific data breach coverage for the incident; however, it submitted the claim under a computer fraud rider to a “Blanket Crime Policy.” (As of 2005, AIG and other insurers provided coverages for network security/privacy liabilities as well as coverages for network incidents and interruptions; at the time, some policies did not specifically address fines/penalties associated with a breach, but most now do.)

National Union denied coverage for the loss under the crime policy, stating that the claims arose from “third party theft of proprietary confidential customer credit card information.”  The crime policy included an endorsement for “Computer & Funds Transfer Fraud Coverage,” where the insurer agreed to pay for “Loss which the Insured shall sustain resulting directly from… theft of any Insured property by Computer Fraud…”  (Italics added).

The district court granted summary judgment for DSW based upon the policy language, and National Union appealed. The appellate court disagreed with the insurer’s denial analysis and found coverage for DSW, stating that the phrase “resulting directly from” does not unambiguously limit coverage to a loss resulting “solely” or “immediately” from the theft itself (see, Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., — F.3d — (2012)) [emphasis added].

National Union argued that the commercial crime policy was a fidelity bond and provided only first-party coverage. The district court found that the policy covered more than fidelity coverage. National Union also argued that the “resulting directly from” language required that the theft of property by computer fraud be the “sole” and “immediate” cause of the insured’s loss. National Union urged that this language refers to the insured’s own loss, say from employee misconduct, and not the insured’s vicarious liability to third parties.

While the Sixth Circuit acknowledged that other decisions reason that the “resulting directly from” language suggests a stricter causation standard than proximate cause, the court went on to find that the Ohio Supreme Court would apply a proximate cause standard to determine whether the loss was covered. The appellate court decided that the “resulting directly from” language was ambiguous. Further, the court did not find any exclusion to apply. The court found that the exclusion for “loss of … confidential information of any kind” did not reach the hacked customer data, as the customer information was not DSW’s confidential information but was obtained from customers in order to receive payment.

Given the trend in available coverages following this and other notable incidents from 2005 to 2007 (ChoicePoint, TJX), it does not appear likely that many courts will be looking to crime policies or fidelity policies for coverage of these types of losses. It would not be unexpected, however, that where a policy has language about “computer fraud” or “computer systems,” courts will continue to pay careful attention to the language, in particular if there are significant losses following breach incidents. And, as noted by this court, not all crime policies contain similar “resulting directly from” language or even provisions that address “computer fraud.” In that regard, the decision may have a limited shelf-life.


Update from HHS on Stage 2 of HITECH Act’s EHR program

The meaningful use rule spells out requirements for how hospitals and physicians must use electronic health records to qualify for a second round of incentives, beginning in 2014. Participants were required to conduct a risk assessment in Stage 1, and Stage 2 now requires that the EHR technology be designed to encrypt, by default, the electronic health information stored locally on end-user devices.

http://www.govinfosecurity.com/hitech-stage-2-rules-unveiled-a-5060