Outsourcing Global News

Archive for Legal Developments

Help Clients Insure Against Cyberattacks

This article was originally published in the July 22, 2013 issue of Texas Lawyer.

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commission’s Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 – Cybersecurity.

Texas law also imposes some key legal requirements on businesses. Texas Business & Commerce Code Chapter 521 imposes duties on companies to protect sensitive personal information collected or maintained in a company’s regular course of business and to notify affected individuals if the security of a computerized system containing that data is breached.

A look at cyberattackers also provides important perspective. Wrongdoers can target a company’s trade secrets or product-development pipeline for competitive, nationalistic or societal reasons. In addition, certain industries with a strong presence in Texas, such as energy, petrochemicals, transportation and technology, face particularly frequent attacks due to their unique characteristics and vulnerabilities.

When prevention efforts are insufficient, a data security breach often imposes first-party losses in the form of response costs and impacts on the company’s revenue stream. These can include expenses for detecting, investigating and eliminating the intrusion, notifying those affected by it, managing the company’s reputation and dealing with revenue impacts from damaged customer relationships. Third-party claims also can result, in the form of lawsuits and regulatory actions.

Because these issues touch on so many aspects of a company’s business, from negotiating vendor agreements to compliance to litigation, lawyers have many opportunities to help clients address these risks. Insurance coverage provides one such opportunity.

A company’s traditional insurance policies may offer at least some protection. In Retail Ventures Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA (2012), the 6th U.S. Circuit Court of Appeals held that a “computer fraud” endorsement to a crime insurance policy covered more than $5 million in losses arising out of the illicit access to customer accounts stored in a retailer’s database. These losses included expenses for customer communications, public relations, customer claims, and investigations by multiple states and the Federal Trade Commission, as well as chargebacks, card reissuance costs, account monitoring and fines imposed by the credit card issuers.

The insurance industry’s offerings for specific cybersecurity policies also have grown rapidly in response to this threat. Just going through the process of applying for cyberinsurance can improve a company’s risk awareness. Large insurance brokers often use illuminating self-assessment questionnaires that pose dozens of queries on topics such as background checks, employee and contractor training, network security protocols, prior incidents and crisis-management procedures.

Attorneys will need to guide clients through varying policy options. Current cyberinsurance offerings lack the standardization that develops after court challenges refine policy language and the marketplace comes to accept that language.

Given the lack of industry-wide agreement on policy language, an “off the shelf” policy may be ill-suited to a particular business. Because the market is still developing, lawyers can have a greater impact in negotiating more favorable terms for a specific client’s unique needs. The policy should cover both first-party and third-party losses, as a cyberattack often triggers both.


Posted in: Author Morgan, Vince, Legal Developments, Privacy & Security


Are Your IT Costs Increasing Next Month? New Massachusetts Sales and Use Tax on Computer and Software Services becomes Effective July 31, 2013

On July 24th, 2013 the Massachusetts legislature passed An Act Relative to Transportation Finance (“the Act”), which, among other things, makes “computer system design services and the modification, integration, enhancement, installation or configurati…


Posted in: Author Williamson, Sean, Hot Topics in Outsourcing, Legal Developments


Payments Industry Update: European Commission announces regulation of Interchange Fees and a ban on Surcharges

Today the European Commission unveiled its legislative package to adapt the EU payments market to the opportunities of the single market and to support EU economic growth. The package includes a proposal for a cap on multilateral interchange fees (MIFs) for card-based payment transactions. MIFs are set by credit-card companies and collected by banks each time a consumer makes a purchase on a card. Fees across Europe vary widely, from less than 0.2% in the Netherlands to more than 1.5% in Poland. In addition, surcharges on consumer debit and credit cards will be banned by the new Payment Services Directive (PSD2). Surcharges are the extra charge imposed by some merchants for payments by card and, according to the Commission, are common notably for purchases of airline tickets online. In 95% of cases, merchants will no longer be allowed to surcharge consumers for using payment cards, whether for domestic or cross-border payments. This measure alone is set to save consumers 730m euro each year. So-called ‘three-party schemes’ such as American Express and Diners, as well as commercial cards issued to businesses, which together account for the remaining 5%, are not covered by the surcharging prohibition. Retailers will be able to surcharge for these cards or refuse to accept them.

Introducing the legislative package, Michel Barnier, Internal Market and Services Commissioner, said “…the proposed changes to interchange fees will remove an important barrier between national payment markets and finally put an end to the unjustified high level of these fees.” Vice President Joaquín Almunia added “…interchange fees paid by retailers end up on consumers’ bills. Not only are consumers generally unaware of this, they are even encouraged through reward systems to use the cards that provide their banks with the highest revenues… the regulation capping interchange fees will prevent excessive levels of these fees across the board.”

MIFs have long been under regulatory scrutiny, with laws adopted in the United States, Australia and other countries, and several EC decisions under EU competition laws including the 2007 MasterCard case. Although interchange fees are included in a merchant’s cost of receiving card payments, regulators are concerned that they are ultimately passed through to consumers through higher prices amounting to tens of billions of euros each year. With Visa and MasterCard’s market share estimated at 96.8% in value, and with interchange fees already banned in countries such as Denmark and the United States, the Commission believes that regulation is required. This is despite the MasterCard case, the proceedings against Visa Europe (which led to undertakings for consumer debit cards in 2010 and consumer credit cards in 2013) and a rash of other national competition proceedings.


Posted in: Author Wright, Tim, Legal Developments
