Cyber Risks – The Cybersecurity Lawyer

Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part Two

By: Marque N. Staneluis, Esq.

This is the second installment in this series that addresses the ADA website complaints that have a significant cybersecurity and cybercrime dimension. In this installment we look at a case through the lens of the Robles claim. You can find the first part here.

If you are up to speed on part one, then proceed and look at a case that is an extreme illustration, but one that was filed in the U.S. District Court, Southern District of New York and requires the business and therefore website owner to expend time and money to address.

Primitivo Robles v. The Other Side Dispensary, LLC

The nascent legal cannabis industry in New York and New Jersey has faced a number of challenges, from a slower-than-expected roll-out of dispensaries to a plethora of unlicensed dispensaries, which created unfair competition as well as confusion. Now they face a new problem, ADA Title III lawsuits against their internet presence, i.e. their website. One such example is Primitivo Robles v. The Other Side Dispensary, LLC.

A plaintiff, Primitivo Robles, who is a citizen of Bronx Country in New York, and his representation Joseph & Norisberg, LLC, have filed, at the time of this writing, twenty separate class action lawsuits against cannabis dispensaries claiming that he, and others like him, have been “denied the full use and enjoyment of the facilities, goods and services offered to the general public, on Defendant’s Website in Bronx County.” These claims have been filed in the Federal Court of the Southern District of New York seeking both injunctive relief and compensation for “himself and all others similarly situated, seeks to certify a nationwide class.” Of the businesses targeted, four are based and sell cannabis in New Jersey.

This case exemplifies the abuse of ADA litigation. Filed on October 11, 2024 (24-cv-7729), the complaint alleges that the defendant’s website is inaccessible to individuals with visual impairments, violating Title III of the ADA. However, closer scrutiny reveals serious legal deficiencies:

The Claims

On behalf of Mr. Robles, Joseph & Norinsberg, LLC have filed 20 nearly identical claims, with only slight variations for the defendant’s name and website, a few of the product names, the date of first access, and the particular accessibility audit tool used to validate the website. The claim that jumped out at me was the one filed on Friday, October 10, 2024, 1:24-cv-07729-VSB, Robles v. The Other Side Dispensary, LLC.

As is standard in an ADA Title III claim, there is an assertion of subject-matter jurisdiction, venue, and personal jurisdiction over the Defendant. It asserts that venue is proper since “Defendant conducts and continues to conduct a substantial and significant amount of business in [the] District via the Internet and a substantiation portion of the conduct complained [of] …because Plaintiff attempted to utilizes, on a number of occasion, the subject Website within this judicial District.” For personal jurisdiction, it claims the SDNY is proper since “Defendant purposefully targets and otherwise solicits business from New York State residents through its website.

It states the Nature of the Action and then addresses Standing. During the argument for standing the claim asserts that Mr. Robles suffers from Retinitis Pigmentosa that resulted in his loss of vision. His blindness was diagnosed legally blind on March 10, 2024. Because he was worried about the dangers of dependency on his prescription medication, he discovered that a particular strain of marijuana provided particular pain relief. According to the claim, the “specific strains of marijuana (and related products) could also provide significant pain relief and is 100% legal and can be shipped anywhere in the United States, including New York.” and that “Plaintiff intends to utilize the services of Defendant and their Website, www.tosdispensary.com, because he has in the past utilized similar websites that took advantage of his physical condition by failing to send the ordered products…”

The claim then makes a very interesting assertion about how Mr. Robles has had to shop from “numerous providers, many of which operate in the legal gray area, operating without regard for the law or well-being of their customers.” A few paragraphs later he indicates he accessed the website and felt the “user reviews and rating on the website further added to their credibility, offering real-world experiences of other customers.” As the Standing assertion continues, there is an itemized list of issues that the auditing tool revealed. This includes “Broken Links,” “Empty Aria Elements Absent Accessible Names,” “Links without Accessible Names,” “Empty Buttons,” “Redundant Alternative text,” and “Skipped Heading Levels.” The claim continues explaining how WCAG 2.1 Guidelines would provide equal access and that the Defendant is engaging “in acts of intentional discrimination.” The claim provides the appropriate language for why the federal court has subject matter jurisdiction over a federal case; it also has the appropriate language to explain how the court also has supplemental jurisdiction under the New York State Human Rights Law, New York City Human Rights Law, and New York City Civil Rights Law; it also provides the appropriate argument for why venue is proper. The claim then argues that “Defendant purposefully targets and otherwise solicits business from New York State residents through its highly interactive Website,” as well as “Plaintiff has been denied the full use and enjoyment of the facilities, goods and services offered to the general public, on Defendant’s Website in Bronx County” as justification for why this court has personal jurisdiction over the defendant.

When you compare the language between this claim and the 20 other submitted by Mr. Robles and his counsel, there is a striking similarity. The Defendant names, products, and method used to verify, and a few other elements, all of which are bolded, are changed but everything else remains the same.

Jurisdiction

Personal Jurisdiction is the court’s authority to adjudicate the rights and liability of the defendant. According to interpretations of the U.S. Constitution it requires that the defendant has certain minimum contacts with the forum in which the court sits. Minimum contacts are a nonresident civil defendant’s connections with the forum state (i.e., the state where the lawsuit is brought) that are sufficient for the forum state to assert personal jurisdiction over that defendant. Lack of minimum contacts violates the nonresident defendant’s constitutional right to due process and “offends traditional notions of fair play and substantial justice” (International Shoe Co. v. Washington, 326 U.S. 310 (1945)). Defendants’ minimum contacts can take the form of general jurisdiction or specific jurisdiction. Some examples of minimum contacts include conducting business within the state, incorporating in the state, and visiting the state. The courts will even find that a business has contact if the defendant must make an effort to market in the forum state or otherwise purposefully avail himself of the resources of that state. In New York state, the courts have ruled that the contacts must be the defendant’s own choice and not ‘random, isolated, or fortuitous’ In order for the Federal Court in the Southern District of New York, which would then not only allow it to adjudicate the federal ADA claims, but it would also have supplemental jurisdiction for the city and state specific claims. It is a ruling under these claims that would result in significant monetary damages.

Mr. Robles filed the claim on behalf of him and others seeking to certify a New York City Subclass of legally blind individuals who have attempted to access The Other Side Dispensary’s website and are denied equal enjoyment of goods and services from Defendant’s website. The claim asserts that this dispensary purposefully targets and otherwise solicits business from New York State residents through its highly interactive Website, www.tosdispensary.com. So, the jurisdictional argument is made because a cannabis dispensary, which operates legally in New Jersey under New Jersey’s CREAMMA law, which permits it to only sell cannabis products to people who visit its store in New Jersey, has contacts in New York.

This is a farcical argument. Despite his claims that “specific strains of marijuana (and related products) … is 100% legal and can be shipped anywhere in the United States, including New York,” even a first year associate would be aware that this would constitute a deferral crime. The Other Side Dispensary does not reside in New York state nor will it engage in a federal crime by shipping cannabis products across state lines to Mr. Robles in the Bronx. The argument may be made that Mr. Robles was planning on visiting the dispensary and engaging in adult-use in New Jersey, but this does not mean that the dispensary itself had significant contacts in New York. There is no advertising on billboards, radio, or television. In fact, by his own claim, Mr. Robles found the website as “a result of a recommendation by a close friend.” This defendant, and the three others defendant;s that Mr. Robles has filed claims against, that operate solely in New Jersey, cannot and should not be subject to or have to defend in the Second Circuit or against New York specific laws.

Standing

Standing, or locus standi, is the capacity of a party to bring a lawsuit in court. To have standing, a party must demonstrate a sufficient connection to and harm from the law or action being challenged. At the federal level, legal actions cannot be brought simply because an individual or group is displeased with a government action or law. In Lujan v. Defenders of Wildlife (90-1424), 504 U.S. 555 (1992), the Supreme Court created a three-part test to determine whether a party has standing to sue:

Injury in Fact: The plaintiff must have suffered an “injury in fact,” meaning that the injury is of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent.
Causal Connection: There must be a causal connection between the injury and the conduct brought before the court.
Redressability: It must be likely, rather than speculative, that a favorable decision by the court will redress the injury.

More recently, the Supreme Court’s decision in TransUnion LLC v. Ramirez (2021) noted that the injury-in-fact prong of Article III could be reduced to “no concrete harm, no standing.” Of note, the Transunion court also noted that “Article III grants federal courts the power to redress harms that defendants cause plaintiffs, not a freewheeling power to hold defendants accountable for legal infractions.”

Mr. Robles attempted to access the The Other Side Dispensary’s website on October 4, 2024 and October 5, 2024 He was looking for a “specific strains of marijuana” that could be “shipped” to him. No where in his claim is there any indication that he was planning on traveling to another state to both purchase and consume this cannabis. As stated earlier, The Other Side Dispensary will allow customers to reserve products and schedule a time to pay for it with cash or debit cards and pick it up; it is not, however, prepared to violate federal drug-trafficking laws.

In addition, since the most recent ruling in New York Federal court requires there be a nexus to a place of public accommodation and not just a website. Although Mr. Robles was persuaded by “the real-world experiences of other customers,” that would have been very hard to do considering that The Other Side Dispensary had not even opened its doors. When he claimed to visit the website as well as when he filed his claim on October 10, 2024, the website at the time clearly indicated on the front page that opening would be on October 14, 2024. Mr. Robles did not suffer any harm and therefore has no standing. First, nothing in his claim indicates that he was planning on traveling to New Jersey and remaining there. What he was apparently willing to do, and admitted to doing, was participating in the illegal interstate trafficking of a Schedule I drug. Therefore, he suffered no harm to be redressed. Secondly, since The Other Side Dispensary was not even operational at the time the suit was filed, it cannot be a place of public accommodation, and, therefore, ADA Title III does not apply.

Interesting, isn’t it? These are not just nit-picks at minor procedural points, these are grievous errors that call into question the validity of the entire claim. I have one more, very interesting question to pose and some recommendations in the next, and last section coming soon. Stay Tuned!

Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part One

By: Marque N. Staneluis, Esq.

Introduction

In recent years, a surge of Americans with Disabilities Act of 1990 (“ADA”) Title III website accessibility complaints has flooded the federal court system. While the ADA is a critical tool for ensuring equitable access, many of these cases lack genuine merit. Instead, they exploit legal ambiguities, overwhelming small businesses, as well as the federal courts, with predatory lawsuits. A prime example of this is Primitivo Robles v. The Other Side Dispensary, LLC, a case emblematic of the broader issue of invalid ADA website complaints. This paper explores this case to highlight how these lawsuits pose a threat not only to legitimate accessibility advocacy but also to emerging industries like cannabis in New York and New Jersey. Further, it argues that ADA website complaints have a significant cybersecurity and cybercrime dimension. This paper is broken down into three sections which (a) explains what and how a website should be accessible and what does it mean not to be, (b) looks at a case through the lens of the Robles claim, and finally (c) concludes with one of several recommendations to resolve the cybersecurity loophole.

ADA Title III

The ADA was enacted to prohibit discrimination against individuals based on their disabilities. The ADA defines disability as “a physical or mental impairment that substantially limits one or more major life activities.” Some of those major life activities are seeing, hearing, speaking, learning, communicating, and walking. While enacting this legislation, Congress declared that “physical or mental disabilities in no way diminish a person’s right to fully participate in all aspects of society, yet many people with physical or mental disabilities have been precluded from doing so because of discrimination.” In the physical world this is bathroom stalls that are not wheelchair accessible or a lack of handicap parking. In the virtual world, From the ratification of the ADA until 2017, Title III offenses were limited to physical structures and to the limited list of private entities whose operations affect commerce that are classified by one of its twelve definitions. Each definition encompasses a number of business types that provide similar services, such as “(B) a restaurant, bar, or other establishment serving food or drink;” “(E) a bakery, grocery store, clothing store, hardware store, shopping center, or other sales or rental establishment;” or even “(F) a laundromat, dry-cleaner, bank, barber shop, beauty shop, travel service, shoe repair service, funeral parlor, gas station, office of an accountant or lawyer, pharmacy, insurance office, professional office of a healthcare provider, hospital, or other service establishment.” Examples of (B) would be Five Guys, Hooters, Domino’s Pizza, or a local diner. Examples of (E) would be a Winn-Dixie, Hobby Lobby, or local flower shop. Examples of (F) Winn-Dixie’s Pharmacy, Metropolitan Life Insurance, or any lawyer’s office. To state a claim for relief under Title III of the ADA, a plaintiff “must allege (1) that [he] is disabled within the meaning of the ADA; (2) that defendants own, lease, or operate a place of public accommodation; and (3) that defendants discriminated against [him] by denying [him] a full and equal opportunity to enjoy the services defendants provide.”

Appellate courts are split as to whether the provisions of the ADA, mainly those involving places of public accommodation under Title III, apply to online technology such as websites. The Third, Sixth, Ninth, and Eleventh Circuits follow the approach that Title III applies to the services of a place of public accommodation and not limited to services only in the place of accommodation. In other words, Title III applies if there is sufficient nexus between the website and the physical location. However, if the physical location is not a place of public accommodation, then neither need be its website. This is in contrast to the First and Seventh Circuit which broadly applies the ADA and does not limit its interpretation to a physical structure. The United States District Court, Southern District of New York, has started leaning toward following the First Circuit, but in the September, 2024 decision handed down by Laura Taylor Swain, Chief United States District Judge, in Meija v. HIgh Brew Coffee, Inc, this trend has been restrained. In her decision, Judge Swain stated the “Second Circuit has not squarely addressed the question of whether a website, absent a connection to a physical location, constitutes a place of public accommodation.” She then ruled “the Court finds that a stand-alone website is not a place of public accommodation under Title III of the ADA. Plaintiff thus fails to state a claim on which relief may be granted under the ADA. Because Plaintiff fails to state a claim under the ADA, Count III’s request for declaratory relief is also dismissed.” This is the latest precedent in New York federal courts, and although not controlling is strongly influential in what circumstances must a website be considered a place of public accommodation in New York.

ADA website litigation has evolved into a form of legal and financial exploitation that parallels cybercrime. These cases are frequently initiated by high-volume plaintiffs or law firms relying on automated tools to identify “violations.” This strategy mirrors the methodology of cybercriminals, who deploy bots to find vulnerabilities in software or systems.

Just as cybercriminals exploit software loopholes, opportunistic litigants exploit the lack of detailed federal regulations on website accessibility standards under the ADA. ADA Title III website accessibility claims have grown exponentially with over 4,000/year since 2021, and New York eclipsing all other states. In September 2024, there were 342 Lawsuits filed, with 65% of them filed in New York. More importantly, these claims are filed by a handful of plaintiffs and firms. A small group of plaintiffs is responsible for a significant portion of lawsuits filed under the Americans with Disabilities Act (ADA), 31 Plaintiff Firms File 50% of ADA Website Accessibility Lawsuits. Many ADA lawsuits are resolved through settlements because defending these cases can cost small businesses tens of thousands of dollars. This “settle or go bankrupt” dynamic is akin to ransomware attacks. Emerging markets, such as the cannabis industry in NY and NJ, are disproportionately affected due to their limited resources and regulatory challenges. These businesses already navigate complex state and federal laws, making them prime targets for predatory litigation. Even with settlements under $25,000, that would still mean that these cases will cost approximately $100 million. Although small compared to the $42 billion from ransomware attacks in the United States, it is yet another potential cyber attack vector that businesses and their IT staff has to worry about.

As I outlined in my 2021 paper “The ADA and website accessibility: a technical problem without a technical understanding,” website accessibility cases are rarely decided on the merits of the claim. The courts have consistently taken the position as was indicated in the Winn-Dixie 2017 court, stating that “[r]emediation measures in conformity with the WCAG 2.0 Guidelines will provide Gil and other visually impaired consumers the ability to access Winn-Dixie’s website and permit full and equal enjoyment of the services, facilities, privileges, advantages, and accommodations provided through Winn-Dixie’s website.”

WCAG

Web Content Accessibility Guidelines (“WCAG”) 2 is developed through the World Wide Web Consortium (“W3C”) in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. The guidelines are a set of internationally recognized standards developed through the Web Accessibility Initiative (“WAI”). WCAG provides guidelines for making web content more accessible to people with disabilities, including those with visual, auditory, cognitive, and motor impairments. WCAG is often referenced in legal frameworks, including: (a)

Americans with Disabilities Act (“ADA”) in the U.S. (as applied to websites via case law), (b) Section 508 of the Rehabilitation Act (this applies to U.S. federal agencies and contractors), (c) European Accessibility Act (EAA) and EN 301 549 (European Union), and (d) other national and regional accessibility laws worldwide.

Key aspects of WCAG focus on being (a) perceivable, (b) operable, (c) understandable, and (d) robust.

Perceivable – Content must be presented in a way that users can perceive, including alternatives for non-text content (e.g., captions for videos, text descriptions for images).
Operable – Users must be able to interact with and navigate the content, ensuring functionality via a keyboard and providing sufficient time for interactions.
Understandable – Information and user interface components must be clear and predictable.
Robust – Content must be accessible across various technologies, including assistive devices.

Despite these guidelines, there is no set standard for how compatible a website has to be in order to be ADA compliant. What appears in complaints are elements or attributes that are missing or incomplete. In some cases, the lack of these elements or attributes are very detrimental to a disabled person’s use of a site because their screen readers cannot extract conveyable information without these values. An example of this is a picture (“image” in HTML) that does not contain the title attribute. This attribute contains the text description of the picture that appears when a visual user mouses over the image, it is lao what screen readers use to describe the picture in audio. However, there are also many references to elements or attributes missing that may or may not create issues for the screen readers. One such HTML construct is the ARIA attributes. Accessible Rich Internet Applications (ARIA) is a set of roles and attributes that define ways to make web content and web applications (especially those developed with JavaScript) more accessible to people with disabilities. Based on this definition, it should be obvious that it should be used without fail, and many website accessibility evaluation services like Google Lighthouse and WAVE will report on these when missing. Ironically, the first rule of ARIA use is “If you can use a native HTML element or attribute with the semantics and behavior you require already built in, instead of re-purposing an element and adding an ARIA role, state or property to make it accessible, then do so.”

These claims do contain accessibility evaluation reports that reflect the count of missing parts in order to support the claim that the site is not accessible to their plaintiff on the day in question. This is a step forward in making the claims more substantive, but it does not actually prove the site was not accessible as the plaintiff claims. The real world equivalent would be similar to indicating that NOT ALL of the parking spots are handicap accessible. In the real world, with the rare exception of less than 10 spots, the number of accessible spots does not exceed 10%. So to indicate that certain elements and attributes are not present is equivalent to pointing out the non-accessible spots with no regard to the number or nearness of the accessible ones.

Come back soon to read Part Two

The Virus and Ransomware

In the middle of the pandemic, things we used to take for granted feel frightening. A trip to the grocery store, taken only when truly necessary, seems like stepping onto the set of a post-apocalyptic movie, as shoppers eye each other suspiciously from behind face masks while picking over thinly-stocked shelves. Cyber criminals, unfortunately, know how to prey on these fears. From early in the COVID-19 crisis, cybersecurity experts have warned about a rise of social engineering attacks, such as phishing emails, spoofed websites impersonating public health authorities such as the World Health Organization and the U.S. Centers for Disease Control, and fake coronavirus mobile apps.

Some of these social engineering campaigns have been linked to ransomware attacks on health care facilities, financial services providers, and other essential businesses. A study done by Carbon Black, for example, showed a 148% increase in ransomware attacks between February and March 2020. Another study released by Checkpoint Research on April 16, 2020, found that ransomware attackers are increasingly engaging in “double extortion.” This kind of attack begins as a typical ransomware incident: the attacker encrypts the victim’s data and demands a ransom to decrypt it. It also adds a second stage: the attacker makes a copy of sensitive data and then, after receiving the decryption ransom, demands a second payment to prevent public disclosure of the stolen data.

Although the COVID-19 crisis creates fear, it also prompts generosity and altruism – ranging from the heroism of front-line health care workers to everyday acts of kindness like checking in virtually on friends and neighbors. At the start of the crisis, leading ransomware groups such as DoppelPayemer and Maze seemed to join this wave of altruism by promising to avoid attacks on health care facilities. These groups try to position themselves as modern-day cyber Robin Hoods, stealing from wealthy banks and other for-profit companies while avoiding entities such as healthcare facilities that serve the poor.

Almost immediately after this promise, however, Maze hit Hammersmith Medicines Research, a British company that may serve as a COVID-19 vaccine test center. The truth is that these are ruthless organized crime operations that will not hesitate to take advantage of this crisis.

Now more than ever, even as we practice social distancing to flatten the curve of the coronavirus infection, we need to practice good cyber hygiene to flatten the curve of cyber attacks. It’s a good time to remind employees working from home of some basic principles:

Be wary of texts or emails that seem unusually alarmist or urgent, particularly if they purport to originate from high-level government or corporate sources.
Avoid apps and websites that claim to offer some inside information or cures beyond what is being reported by official government sources and reputable news outlets.
If presented with a request for information that seems suspicious, use recognized channels, including a phone call to the supposed source, to confirm whether the request is authentic.
Notify the appropriate persons in your organization of contacts that appear to be social engineering scams.

Cybersecurity and Corporate Social Responsibility

My article Cybersecurity, Encryption, and Corporate Social Responsibility has been published in the current edition of the Georgetown Journal of International Affairs. I argue in this paper that “[c]ompanies such as Apple should recognize that they have a social responsibility to work with governments on security issues, and such a corporate social responsibility norm should become part of international CSR principles.”

Bot Code, Norms, and Law

There’s a good post on Dark Reading by Ido Safruti about norms and etiquette for bot code. According to Imperva’s most recent bot traffic report, bots comprise the majority of Internet traffic. May bots are intentionally disruptive or misleading — for example, bots that create comment link spam on blogs. Others are useful — for example, they, allow a search engine to index web pages. Even useful bots can be disruptive, such as by using up site capacity, and the robots.txt standard has been developed so that site owners can limit or exclude bot traffic.

Safruti provides the following guidelines for ethical bot code:

1. Declare who you are;
2. Provide a method to accurately identify your bot;
3. Follow robots.txt;
4. Don’t be too aggressive.

These are sound guidelines, but my lawyer Spidey sense wonders how they might translate into legal norms, or whether they should become legal norms. The most immediate way in which guidelines like this can become part of legal norms is through a contractual terms of use. I’m not sure a terms of use would be enforceable either as a legal or practical matter against unwanted bots, not least because the measure of contractual damages would be unclear. There’s an interesting 2001 case in the First Circuit finding a Computer Fraud and Abuse Act violation for bot use, but the facts are quirky and it seems to me perhaps wrongly decided. Perhaps guidelines like Safruti’s provide a standard of care for a tort claim if an unwanted bot causes a business interruption, though in states where the economic loss doctrine applies this would produce an difficult question about whether slowing a website is a kind of compensable property damage. Guidelines like this could also be incorporated into a regulatory regime, which the Internet community as a whole might not find palatable.

Tabletop for NJSBA Second Annual Cybersecurity Conference

Here is a tabletop exercise I drafted that we’ll be running at the Second Annual NJSBA Cybersecurity Conference.

Acme Corp. manufactures and sells industrial control systems (ICS). ICS devices integrate computer chips, hardware and software and can be programmed to monitor, regulate and control various components of commercial manufacturing, assembly and packaging plants. For example, the following video shows an Acme ICS serving as the controller for water bottling plant:

ACME’s ICS devices are network enabled and come bundled with a software suite that allows users to monitor and control the devices through a web interface.

Acme also provides installation and maintenance services for its ICS equipment. Each ICS device must be configured for the systems it will control, which involves the creation of custom computer code. The computer code, and sometimes the hardware, must periodically be updated if the underlying system configuration changes or if Acme develops performance enhancements, bug fixes, or security patches. In a larger installation, Acme’s fees for installation and maintenance can exceed the costs of the initial hardware purchase, and the total contract price can exceed ten million dollars.

Acme maintains detailed information about each of its installations, including specific configuration information, networking details, and backup copies of computer code. This information is stored in numerous documents in a variety of formats, including, for example, Word documents, Excel spreadsheets, Powerpoints, e-mails, and plain text files, on systems used by various Acme business units. Files may reside on individual computer hard drives, internal company file servers, portable media (such as thumb drives), company-owned and personal laptops, smartphones and tablets, and commercial cloud-based storage such as Google Drive and Dropbox.

ISSUE 1: A number of management-level Acme employees recently received emails purporting to have been sent by Sol Fish, Vice President for Client Relations at Acme. The emails instruct the recipients to log into a newly-established sales database through a hyperlink in the email using their existing Acme network log-in credentials. Fish did not send these emails, however, nor has Acme created any new sales database. Meanwhile, Fish has received an email from Carl Kent, a business reporter for the Broad Street Journal, inquiring about the fact that the full technical specifications for an ICS installation at the Port Newark were posted this morning on a number of business and government blogs. In fact, Acme won a contract to improve the automation of shipping cranes and other devices at the Port. The contract was controversial because of unsubstantiated allegations of bid rigging, cost overruns, and other political complaints. The full technical specifications are confidential for security concerns among other reasons. An obvious inference is that the spearphising attack may have allowed someone to obtain and post the confidential specifications.

ISSUE 2: In addition, Fish has received an angry call from Bill Brazos, the CEO of Consolidated Fulfillment Centers, Inc. Consolidated owns and operates large warehouse and fulfillment centers for major online retail companies. Brazos claims that an Acme ICS system installed at a Consolidated facility in Edison, NJ contained a vulnerability that allowed hackers to obtain information concerning consumers to whom products were being distributed through the Consolidated facility. Brazos says “millions” of customer accounts may have been compromised.

WannaCry Ransomware and Legal Fault

The WannaCry Ransomware attack has spread throughout the world over the past week. Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack. There is blame to go around, but if we were to assess comparative fault the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:

First, the obvious reason: the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014. However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.

Second, the less obvious reason: the attack exploited Port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like. A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports. Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.

Presentation on Cybersecurity and the Economic Loss Doctrine

Here are the slides for my presentation on cybersecurity and the economic loss doctrine at the NJICLE 2016 Cybersecurity Conference.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xTlpKWTJ2OGNzQVE/preview?usp=drivesdk” title=”eclossdatabreachicle.pptx” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_10_powerpoint_list.png” width=”100%” height=”400″ style=”embed”]

Presentation on Law Firms and Cybersecurity

Here are the slides for my presentation on law firms and cybersecurity at the NJICLE 2016 Cybersecurity Conference.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xdXF2aTlDeWhmMlk/preview?usp=drivesdk” title=”iclecyber.pptx” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_10_powerpoint_list.png” width=”100%” height=”400″ style=”embed”]

LabMD Enforcement Stayed

The FTC’s enforcement action against LabMD has been stayed in an unusual grant of emergent relief by the Eleventh Circuit. The FTC’s Opinion in LabMD essentially established a negligence balancing test for cybersecurity compliance. A negligence balancing test requires a rough evaluation of the burden of avoiding a risk (B) compared to the probability of loss (P) and extent of loss (L): B >< PL. Such a test is incredibly difficult to apply in the cybersecurity context because the probability of loss is close to 1, the potential loss is enormous, and the burden of taking adequate precautions to prevent loss is also potentially enormous.

A big part of the problem in applying this calculus is the definition of “loss” or “harm.” In LabMD, the FTC found that the mere unauthorized disclosure of a file containing personal information is a harm and that reputational or emotional harm to affected consumers, apart from any showing of financial loss, is a kind of substantial injury that must be considered. In the tort context, recovery for emotional harm without related personal injury or property damage is difficult and controversial, and is usually handled under theories of intentional or negligent infliction of emotional distress. Recovery for reputational damage is perhaps even more difficult and controversial, because such claims usually arise under the law of defamation, which involves first amendment concerns, or a cause of action such as “public disclosure of private facts,” which requires an act of “publication” by the defendant.

The relevant section of the FTC Act in evaluating the LabMD standard is section 45(n):

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

The Eleventh Circuit found that the FTC Act likely does not provide remedies for intangible harms and that the phrase “likely to cause” in section 45(n) means something more than a low probability of occurrence. Opinion, at 9-10. The Eleventh Circuit’s Opinion is a bit unclear on this point, but I think the court is getting at the heart of how a negligence balancing test is applied. The “P” in B >< PL will be something between 0 and 1. As long as it is above 0, there could be a duty of care depending on the values of B and L. The Eleventh Circuit seems to think “P” has to pass a certain threshold before the FTC’s statutory authority is triggered. Opinion, at 10 (stating “we do not read the word ‘likely’ [in section 45(n)] to include something that has a low likelihood.”).

I’m sympathetic to the Eleventh Circuit’s concerns about whether the FTC should be in the business of creating a new negligence standard for cybersecurity enforcement. Focusing on the “P,” however, is not the best approach because the probability of some loss from cybersecurity incidents for any business today is 1 or close to 1. As we often say in the cybersecurity business, if not if you’ll get hacked, it’s when. A more important statutory question, it seems to me, is whether mere “reputational” or “emotional” privacy harms are the kind of “substantial injury to consumers” Congress originally tasked the FTC with redressing.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xaW02MFdjWWRGdWs/preview?usp=drivesdk” title=”LabMD_ FTC 11th Cir stay Order.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

The FTC, Ransomware, and You

“Ransomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid. Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies an encryption key. An FBI Alert issued last week stated that ransomware infections are at an “all-time high.” According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day. Id. Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs. The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can comprise an FTC Act violation. This means companies now face two kinds of liabilities from ransomware: business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance. Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission. Legal challenges to the FTC’s authority over cybersecurity so far have failed. In FTC v. Wyndham Worldwide, 799 F.3d 236 (3rd Cir. 2015), for example, the Third Circuit held the FTC’s statutory mandate under the Federal Trade Commission Act, 16 U.S.C. § 45(a), to prevent “unfair methods of competition in commerce” encompasses cybersecurity policies and requirements relating to a company’s customer data. And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues. See In the Matter of LabMD, Docket No. 9257, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware. Under Section 5(2) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)). In LabMD, the Commission stated that “’[t]he touchstone of the Commission’s approach to data security is reasonableness.’” Id. at 11 (quoting Commission Statement Marking the FT’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)). While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions. Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947): B >< PL.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous. This means just about any kind of precaution could be considered reasonable. Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.” In the Matter of LabMD, at 11. “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network. See SANS Institute InfoSec Reading Room, Penetration Testing: Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care. According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.” Id. at 3-4. The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.” Id. at 3. The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware. See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel. And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident. In this regard, the following DOJ recommendations for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism. However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks. In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data. Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances. Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.

Growing Cyberattack Surface

Here is a nifty graphic from the McAfee Labs 2016 Threat Predictions Report.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xM3pzUG9samdxVmc/preview?usp=drivesdk” title=”mcafee.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]