At McGuireWoods, we deliver quality work, personalized service and exceptional value. We use technology to provide efficient legal solutions and employ a diverse workforce to bring real-world and innovative perspectives to meeting our clients’ needs. With more than 1,000 lawyers and 21 strategically located offices worldwide, McGuireWoods uses client-focused teams to serve public, private, government and nonprofit clients from many industries, including automotive, energy resources, healthcare, technology and transportation.

Earlier this month, a federal court denied an employer’s motion to dismiss a claim that it violated the Stored Communications Act (SCA) by accessing a former employee’s personal emails, concluding that the plaintiff need not allege the emails were unopened at the time of the alleged unauthorized access. Levin v. ImpactOffice LLC, No. TDC-16-2790 (D. Md. July 10, 2017).

Defendant ImpactOffice LLC (Impact), which supplies office products and services, collected the plaintiff’s company-issued cell phone after she resigned. Id. at *1.  She had previously deleted all emails stored on the phone, including personal emails from her Gmail account. Id. The plaintiff later filed suit in the District of Maryland, seeking a declaratory judgment that the restrictive covenants in her employment agreement are unenforceable and asserting a claim for unauthorized access of her personal emails under the SCA. Id. at *1-2.

According to the complaint, Impact accessed—and forwarded to its own attorney—a number of these personal emails, which were still stored on Google servers, including emails sent and received after the plaintiff resigned and emails between the plaintiff and her attorney. Id. at *1.

The SCA is violated when a person “intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a).  The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” Id. § 2711(1) (incorporating definitions in 18 U.S.C. § 2510).

In its motion to dismiss, Impact asserted that because the plaintiff did not allege that the emails were unopened at the time of its alleged access, she had not sufficiently alleged that the emails were in “electronic storage” under the SCA. Levin, No. TDC-16-2790 (D. Md. July 10, 2017), at *2.

The court first agreed with Impact’s interpretation of “temporary, intermediate storage” under Part (A) of the definition, citing First, Third, Fourth, and Ninth Circuit precedent, observing that Part (A) is “generally understood to cover email messages that are stored on a server before they have been delivered to, or retrieved by, the recipient.” Id. at *3.

However, the court ultimately concluded that, at this stage, the plaintiff need not “specifically allege that the emails at issue were unopened at the time” of Impact’s alleged unauthorized access due in part to the “fact-intensive” nature of the question. Id. at *4. 

The FTC has updated its Children’s Online Privacy Protection Rule (COPPA) Six-Step Compliance Plan for Your Business “to reflect developments in the marketplace” – including the introduction of internet-connected toys and the Internet of Things.

COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose

The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.”  Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack.  Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.

The Report

The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87-page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.

The increased focus on cybersecurity comes in the wake of the recent rise in the number and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy. As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks are likely to increase.

The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:

  • Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
  • Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
  • Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
  • Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

The Report also identified several recommended steps for industry members, including identifying a cybersecurity leadership role for driving more robust cybersecurity policies, processes, and functions with clear engagement from executives.

The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.

OCR Checklist

In the wake of the Report and an unprecedented year of increased cyber-attacks against health care entities (including the recent WannaCry attack and the Petya attack), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic of the steps, which include:

“Big data” in the education context refers to the massive amount of information collected by K-12 schools and higher education institutions on student socio-economics, race and sex, test performance, academic performance, graduation rates, behavior and a myriad of other data points and how they all interact with one another. Collecting and analyzing student data is

Healthcare service provider CoPilot Support Services (“CoPilot”) recently agreed to pay a $130,000 settlement after it waited over a year to notify patients of a data breach, in violation of New York’s breach notification law. The settlement highlights the need for covered entities to ensure compliance with state breach notification laws, which may impose stricter

On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user.  With similar attacks expected, and as we

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, not least in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector.

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of

Last week, President Trump signed an executive order (EO) designed to strengthen national cybersecurity and critical infrastructure. The EO focuses on the modernization of the federal information technology (IT) network and national cybersecurity risk management. While the order does not specifically address private-sector business procedures, companies will likely be forced to adjust operations in response