December 06, 2018

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

New Hampshire Adopts Constitutional Right to Privacy

By Antoine D. Bedard, Penn State Law

On November 6, 2018, New Hampshire passed a constitutional amendment, creating the “right to live free from governmental intrusion in private or personal information,” and making New Hampshire the 11th state to adopt a right to privacy. New Hampshire’s right to privacy won’t apply as broadly as some of the other states’ respective right, because the statute specifically stops governmental intrusion but not private parties. The amendment contains no explicit exception to the right and has vague language like “natural, essential, and inherent,” which may give the New Hampshire courts wide latitude in interpreting and applying the right. There’s concern that the court’s interpretation and application may impact the effectiveness of search warrants as well as situations where the public would have a right to know.

Electronic Contracting

Ohio Court finds Emails Satisfy Statute of Frauds for Real Estate Sale

By John E. Ottaviani, Partridge Snow & Hahn LLP

An Ohio appellate court recently found that a series of email exchanges could satisfy the Ohio statute of frauds with respect to the sale of residential real estate.  The proposed buyer and seller of a high-end residential property conducted negotiations for the sale of the property by email.  After some back and forth, the proposed buyers sent an email that said, in part, “I am good at [price] for a purchase price Based on inception [sic] and customary closing.  We can get a simple contract drafted Monday and have it signed by us Tuesday with the earnest money cashier check to you upon acceptance of the contract by Tuesday.  Please let me know.  Mike[.]”  The next day, one of the sellers responded with “We accept” by email.  The proposed buyer responded “Great, I agree too.”  The following Tuesday, the buyers and sellers met to sign a contract, but a dispute ensued and the sellers never signed the contract.  The trial court granted a summary judgment in favor of the proposed sellers on the buyer’s complaint requesting specific performance.

On appeal, the court found that the email exchange was definite enough to satisfy the Ohio statute of frauds with respect to the sale of land, because the emails constituted a writing that (1) identifies the subject matter, (2) establishes that a contract has been made, and (3) states the essential terms with reasonable certainty.  However, the court remanded the case back to the trial court to determine whether the parties had a present intention to be bound, or whether the parties did not intend to be bound until execution of the more formal contract.

Cyber Security

PA Court Finds Duty to Protect Employee Info

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The Supreme Court of Pennsylvania has held that an employer owes a duty of reasonable care in collecting and storing the personal information that it required its employees to provide as a condition of employment. In Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018), employees filed a class action suit after a data breach exposed the personal information of 62,000 UPMC current and former employees. Some employees suffered actual damages when the stolen data was used to file fraudulent tax returns. The trial and appeals courts had dismissed the employees’ claims.

The Supreme Court found that the employees alleged sufficiently that UPMC engaged in affirmative conduct creating the risk of a data breach by requiring the employees, as a condition of employment, to provide certain personal and financial information, which UPMC collected and stored on an internet-accessible computer system without utilizing adequate security measures. Accordingly, UPMC had a duty to exercise reasonable care in protecting that information from an unreasonable risk of harm. That duty was not affected by the criminal acts of third parties stealing the data and the economic loss doctrine did not bar the employees’ claim because UPMC’s legal duty existed independently of contractual obligations. Accordingly, the Court vacated the lower courts’ orders and remanded.

Ohio Cybersecurity Safe Harbor Law Takes Effect

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

A new Ohio law that provides a limited liability shield for companies that reasonably conform their written cybersecurity program to at least one of 11 industry recognized frameworks took effect on Nov. 2. The Ohio Data Protection Act is the first of its kind to provide a liability shield for claims in data breach litigation.

The Act requires a cybersecurity program to contain administrative, technical, and physical safeguards that protect the security and confidentiality of information, and protect against anticipated threats and unauthorized access and acquisition to information that can be used for identity theft or fraud. Compliance with the statute gives rise to an affirmative defense to tort causes of action under Ohio law based on a failure to use reasonable controls that results in a data breach. The industry recognized frameworks include certain ones developed by the National Institute of Standards and Technology (NIST) and the Center for Internet Security, and those issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.