Law Firm Bears Loss for Business Email Compromise
By William R. Denny, Potter Anderson & Corroon LLP
In O’Neill, Bragg & Staffin, P.C. v. Bank of America Corp., No. 18-2109 (E.D. Pa. Nov. 13, 2018), appeal filed (3d Cir. Dec. 12, 2018), the district court dismissed a lawsuit seeking to recover a law firm’s losses following a business email compromise (BEC). The complaint alleged that a computer hacker had created email correspondence appearing to originate from attorney Gary Bragg’s email address, directed to Alvin Staffin, another attorney in the same firm, requesting that Staffin send a wire for $580,000 on behalf of a client to a Bank of China investment account. Staffin contacted Bank of America by telephone and initiated a wire transfer from the firm’s IOLTA account, which contained money held in trust by the firm for multiple clients. Shortly after the wire transfer was confirmed, Staffin called Bragg, whom he believed had made the transfer request, to discuss the transfer. Upon learning that Bragg had not sent the email and that the firm had been victimized by a computer hacker, Staffin contacted Bank of America to request that the transfer be stopped, but it was too late. The law firm sued Bank of America for breach of contract and violation of various regulations, based on the bank’s failure to stop the fraudulent transaction. However, the court ruled that the contract and regulations were clear that the bank had no obligation to stop the transfer once the payment order was received by the bank. Although the law firm was innocent of wrongdoing, as between it and the bank, it had to bear the loss.
Based on fraud reports submitted by victims around the world, according to the FBI, from October 2013 to May 2018, 41,058 total U.S. victims collectively lost at least $2.9 billion to BEC scams, with global losses exceeding $12.5 billion. These scams are hard to detect, because the emails are often sent from legitimate email accounts, are tailored to each recipient and do not contain any suspicious links. The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Personnel receiving wire transfer requests should be trained to require either an in-person conversation or telephone verification, using only a pre-approved list of telephone numbers for contacts. Never rely on contact information included in the email. Users should be trained always to assume that a wire transfer request is fraudulent until proven otherwise.
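The following is an added example written for this page, not code from the firm, the bank or the court, and it does not describe how the message in the O’Neill, Bragg & Staffin case was actually forged. It shows the two controls the paragraph above describes in working form: a header-level screen for common BEC indicators (lookalike sender domain, mismatched Reply-To, display-name impersonation, failed authentication results, money-movement and "email only" pressure language) and a callback lookup that takes the verification phone number only from a pre-approved list keyed to the person the message claims to be from, never from the message itself. The firm domain, staff list, phone numbers and both sample messages are constructed. Note the caveat from the text: when the request comes from a genuinely compromised mailbox, every header check below passes, so the callback is the control that actually decides.

```python
"""Added example for this page (constructed data; not from the original article)."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions: a hypothetical firm, its staff and their callback numbers.
INTERNAL_DOMAIN = "example-law.test"
INTERNAL_STAFF = {"jane partner": "jpartner@example-law.test"}
# The ONLY source of phone numbers used to verify a money-movement request.
APPROVED_CALLBACK = {"jpartner@example-law.test": "+1-555-0100"}
MONEY_WORDS = re.compile(r"\b(wire|transfer|payment|urgent|trust account)\b")
PRESSURE_PHRASES = ("email only", "do not call", "cannot talk")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted=INTERNAL_DOMAIN, threshold=0.85):
    """True for a domain that is not the trusted one but differs by a character or two."""
    if not domain or domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold


def bec_indicators(raw):
    """Return human-readable findings for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # Replies silently routed to a mailbox the attacker controls.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")

    # Registered near-miss of the firm's own domain (e.g. digit 1 for letter l).
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")

    # A known colleague's display name on an address that is not theirs.
    expected = INTERNAL_STAFF.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {from_addr}")

    # Authentication results recorded by the receiving MTA, if present.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")

    # Money-movement language and pressure to avoid a phone call.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if MONEY_WORDS.search(text):
        findings.append("money-movement language present")
    if any(p in text for p in PRESSURE_PHRASES):
        findings.append("discourages out-of-band verification")
    return findings


def callback_number(raw):
    """Verification number for the person the message CLAIMS to be from, from the
    approved list only; returns None if the claimed sender is not on the list."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, _ = parseaddr(msg.get("From", ""))
    return APPROVED_CALLBACK.get(INTERNAL_STAFF.get(name.strip().lower(), ""))


# Constructed sample messages (not real correspondence).
FORGED = """\
From: Jane Partner <jpartner@examp1e-law.test>
Reply-To: Jane Partner <j.partner.esq@mail.example>
To: Alex Associate <aassociate@example-law.test>
Subject: Urgent wire for client closing today
Authentication-Results: mx.example-law.test; spf=none; dkim=none; dmarc=fail

Alex, please wire the funds from the trust account this morning. I am in
hearings all day, so reply by email only.
"""

LEGIT = """\
From: Jane Partner <jpartner@example-law.test>
To: Alex Associate <aassociate@example-law.test>
Subject: Lunch on Thursday
Authentication-Results: mx.example-law.test; spf=pass; dkim=pass; dmarc=pass

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(label, bec_indicators(raw), "call:", callback_number(raw))
```

Whatever the screen reports, the wire does not go out until someone reaches the claimed requester at the listed number; a clean screen only means the message does not look forged, not that the account is under its owner's control.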
“New” Federal Cybersecurity Agency Created
By Antonia M. Dumas, XPAN Law Group
The U.S. entered December with its first official federal-level cybersecurity agency. Rather than creating a “new” agency, the Cybersecurity and Infrastructure Security Agency Act of 2018 (the “Act”) re-designates the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA).
The Act designates a Director of National Cybersecurity and Infrastructure Security (now Christopher Krebs) who reports directly to the DHS Secretary, as well as a Deputy Director, and a Privacy Director to ensure compliance with federal laws. Under the Act, the Director (as well as CISA as a whole) has a number of responsibilities which require coordination with federal and other government agencies and authorities, in addition to the private sector and other entities. Some of these responsibilities include: leading cybersecurity and critical infrastructure security programs and operations, coordinating with non-federal and federal entities, and carrying out responsibilities concerning chemical facility antiterrorism standards. Further, the Act divides CISA into three distinct divisions to better focus its services and resources: a Cybersecurity Division, an Infrastructure Security Division and an Emergency Communications Division.
Although there is an expectation that the Agency will be able to better protect the U.S. from cybersecurity threats, the Act states that no additional funds are authorized to carry out the Act’s requirements (which may limit CISA’s functionality). For now, it appears that CISA will provide essentially the same services and resources that were provided by the NPPD, but the revamping may encourage small businesses to take advantage of the Cybersecurity Division’s programs and resources.
2018 Online Holiday Shopping Outpaced In-Store Sales
By John E. Ottaviani, Partridge Snow & Hahn LLP
According to Mastercard SpendingPulse, which tracks spending online and in stores, 2018 holiday retail sales hit a six-year high. Total sales topped $850 billion from November 1 through December 24, a 5.1 percent rise over a year ago. Online sales, which made up 13 percent of total retail sales this year, increased more than 19 percent over 2017.
Shoppers spent less at brick-and-mortar department stores this year, which may be in part due to store closings. But sales at websites of department stores rose 10.2 percent according to Mastercard. According to another study by e-commerce intelligence company Edison Trends, the department stores with the largest increases in online sales during the 2018 holiday season were Walmart (an 86% increase over the same period in 2017), Nordstrom (up 40%), Target (up 38%), and Kohl’s and Macy’s (up 7% each). Sears (down 22%) and J.C. Penney (down 10%) were among the stores with the biggest decreases in online sales.
Passive Consent Insufficient to Enforce Arbitration Provision in Application Service Terms
By John E. Ottaviani, Partridge Snow & Hahn LLP
A federal court in Washington recently refused to enforce the arbitration provision in a gambling application developer’s terms of service. In Wilson v. Huuuge, Inc., No. 3:18-cv-05276-RBL (W.D. Wash. Nov. 13, 2018), the user never had to click or check a box indicating “I agree.” Rather, the terms were visible to users only when they downloaded the game, or in the “settings” menu, after travelling through several screens. In addition, there was no notice or language near the “download” button indicating the existence of the terms of service. The court also rejected the developer’s argument that everyone knows that all applications come with terms, stating:
The Court declines to adopt Huuuge’s suggestion. While online users today are savvier than in the past, this does not mean that the rules of contract law no longer apply. If an app developer wishes to bind a user to their copious terms, the onus is on the developer to at least provide reasonable notice and easy access. This is not a difficult thing to do when designing an app, despite Huuuge’s protestations that the Court should devise some special rule for app store purchases. … The fact is, Huuuge chose to make its Terms non-invasive so that users could charge ahead to play their game. Now, they must live with the consequences of that decision.
Ohio Federal Court Says No Harm, No Standing in Data Breach Suit
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
An Ohio federal court recently dismissed a data breach lawsuit for lack of standing because the plaintiff alleged only that his information “might” be improperly accessible. In Williams-Diggins v. Mercy Health, No. 3:16-cv-1938 (N.D. Ohio Dec. 4, 2018), Lindsey Williams-Diggins sued Mercy Health, alleging that the company exposed private, protected patient information to unauthorized persons by using insecure software called the Horizon Patient Folder Webstation portal. Although Williams-Diggins alleged his information could have been accessed by unauthorized persons, he did not allege that it actually was accessed. Because he alleged only “possible future injury,” the court found that Williams-Diggins did not sufficiently allege an injury giving rise to standing under Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016) and other precedent. The court further held that the plaintiff’s claims relying on HIPAA regulations failed because HIPAA does not create a private right of action for an improper disclosure of protected information. Accordingly, the court granted Mercy Health’s motion to dismiss.