November 02, 2018

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut


Dish Network Settles Streaming Dispute With Injunction and Damages

By Sara Beth A.R. Kohut

Dish Network LLC and NagraStar LLC filed an agreed motion for final judgment and permanent injunction with certain defendants to end their SetTV streaming service that allegedly retransmitted Dish’s programming without authority. Dish Network LLC v. Johnson, No. 8:18-cv-1332-T-33AAS (M.D. Fla. Oct. 24, 2018).  The fourth largest pay-television provider in the U.S. sued SET Broadcast LLC and persons associated with it in May 2018 for violating the Federal Communications Act by taking content from Dish’s satellite broadcasts and redistributing it through their streaming service. The defendants operated their streaming service for approximately 16 months, obtaining about 261,000 subscribers. The U.S. District Court for the Middle District of Florida had previously granted temporary and preliminary injunctive relief to Dish. The agreed motion for final judgment included a permanent injunction against the defendants, plus statutory damages of $90,199,000.


FTC Offers Small Business Cybersecurity Guidance

By Sara Beth A.R. Kohut

The U.S. Federal Trade Commission’s Bureau of Consumer Protection recently issued a notice of cybersecurity resources available on its website for small businesses. The information is set forth in 12 “need-to-know” topics, which will also be addressed in the FTC’s weekly Business Blogs. The initial posting covered Cybersecurity Basics, offering tips to incorporate security in the usual course of business. The basic stages include securing wireless networks, multi-factor authentication, data-breach planning, and staff training. Other topics will include physical security, ransomware, vendor managements, and cyber insurance. The FTC’s materials also being promoted by the Small Business Administration, National Institute of Standards and Technology, and the Department of Homeland Security.

Data Privacy

NJ and Aetna Reach Settlement Over HIPAA, State Law Violations

By Lawrence Thomas, Drexel University Thomas R. Kline School of Law

The State of New Jersey and Aetna, Inc. have reached a settlement agreement after Aetna improperly disclosed Protected Health Information (PHI) in violation of HIPAA and state laws, such as the New Jersey AIDS Assistance Act. Aetna allegedly compromised the information of thousands of Americans and hundreds of New Jersey residents on two occasions in 2017 when it mailed revealing information about patients’ HIV/AIDS status and atrial fibrillation (AFib) diagnoses. Aetna mailed information in envelopes containing large transparent glassine windows that revealed the addressees’ names and information such as “HIV Medications” and “IMPACT-AFIB”—disclosing diagnoses or causing interpretations of diagnoses. Under the settlement, Aetna must implement new policies and procedures to safeguard PHI and Personally Identifiable Information (PII), as well as modify its procedures for printing and mailing PHI/PII. Aetna must further appoint an independent consultant to monitor and report on procedures for member privacy, confidential information, and PHI/PII. New Jersey and Aetna have agreed on a settlement payment of $365,211.59, and Aetna will be subject to monitoring by the New Jersey Division of Consumer Affairs for at least two years.

ABA Issues Ethics Opinion on Lawyer Data Breaches

By Irene Mo

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility released Formal Opinion 483, “Lawyers’ Obligation After an Electronic Data Breach or Cyberattack,” on October 17. Specifically, the Opinion focuses on a breach involving client information. To avoid a data breach, an attorney must: 1) stay updated on the risks and benefits of incorporating technology into the delivery of legal services (Model Rule 1.1); 2) reasonably safeguard client information from unauthorized access or disclosure (MR 1.6(c)); and 3) ensure compliance from other attorneys, staff, and third-party vendors with cybersecurity policies (MR 5.1 and 5.3). If a data breach does occur, an attorney must notify current (MR 1.4) and former (MR 1.9(c)) clients of the breach, regardless of what cybersecurity safeguards were in place, and keep clients updated on the attorney’s response and mitigation plan. The Committee notes that in addition to an attorney’s compliance with Formal Opinion 483, the attorney should also analyze compliance under state and federal laws.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.