The National Law Forum

The Blog of The National Law Review

Part II: Legal Insights on Ashley Madison Hack

As more names emerge from the dark web data dump of Ashley Madison customers, lawyers around the globe have found a very willing group of would-be plaintiffs. Interestingly, all of these plaintiffs are named “Doe,” which must only be a coincidence, and certainly has nothing to do with the backlash that certain well-known ALM clients have experienced. All kidding aside, the size of the claims against ALM is staggering with one suit alleging more than $500 million in damages. How these plaintiffs will prove their damages is a question for another day, but the fact that ALM — which reported earnings of $115 million in 2014 — may soon face financial ruin must give any spectator pause.

The plaintiffs’ bar is certainly not the lone specter haunting ALM’s corridors these days. Although the company touts its cooperation with government officials in attempting to bring criminal charges against the Impact Team, that cooperation will be punctuated by the all-but-certain FTC enforcement action to come — assuming that the FTC’s data breach enforcement team were not among the 15,000 email addresses registered to a .mil or .gov account.

How will that enforcement action proceed? In many cases, the FTC initiates its investigation with a letter, sometimes called an “Access Letter” or an “Informal Inquiry Letter.” Although there is no enforceable authority behind such a letter, companies typically conclude that cooperation is the best course. For more formal investigations (or when the access letter is ignored), the FTC will issue “Civil Investigative Demands,” which are virtually the same as a subpoena, and are enforceable by court order. After collecting materials, the investigators will – in order from best case scenario to worst – drop the matter altogether, negotiate a consent decree, or begin a formal enforcement action via a complaint.

There is, of course, a lot more to an action than what I’ve listed above, which deserves a series of posts of their own. For today, the pressing question is – what’s going to happen to ALM when the FTC calls? Under the circumstances, it would make sense for ALM to push as hard as it can for a consent order, given that the likelihood of succeeding in litigation against the Commission is vanishingly low – there is little doubt that ALM failed to comply with its own promised standards for protecting customer data. And, in light of recent revelations about what really happened when customers paid to “delete” their Ashley Madison accounts, ALM will want to forestall the threat of a separate, non-data breach related unfair business practices suit any way it can.

Every consent order looks different, but the FTC has made a few requirements staples of its agreements with offending businesses over the last two decades. These include:

  • Establishing and maintaining a comprehensive information security program to protect consumers’ sensitive personal data, including credit card, social security, and bank account numbers.

  • Establishing and reporting on yearly data security protocol updates and continuing education for decision makers and data security personnel.

  • Working to improve the transparency of data, so that consumers can access their PII without excessive burdens.

  • Guaranteeing that all public statements and advertisements about the nature and extent of a company’s privacy and data security protocols are accurate.

ALM will undoubtedly offer to take all of these steps, and more, in negotiations with the Commission. But as I mentioned above, the torrent of lawsuits ALM faces in the next year or so may moot any consent decree with the FTC. If ALM liquidates in the face of ruinous lawsuits and legal bills, the FTC’s demands will be meaningless. ALM, then, is likely an example of a company that would have benefited from a more minor security breach and subsequent FTC imposition of the kind of remedial measures that may have stopped this summer’s catastrophic data breach. An ounce of prevention is worth a pound of cure, they say, and ALM may learn that lesson at the cost of its business.

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP


Legal Insights on the Ashley Madison Hack: Part I

Internet commenters and legal analysts alike are buzzing about the Ashley Madison hack. The website — which billed itself as a networking site for anyone who wanted to discreetly arrange an extramarital affair — has already been named in several class action lawsuits, with claims ranging from breach of contract to negligence. As more names are unearthed (and more personal data divulged), additional lawsuits are sure to follow. For those lucky enough to be watching this spectacle from the sidelines, there are some important questions to ask. In the next few posts, I’ll consider some of these issues.

It seems clear that the Impact Team (the group responsible for breaking into Ashley Madison’s servers) were singularly focused on exposing embarrassing personal information as well as sensitive financial data. What is less clear is why they chose Ashley Madison’s parent company Avid Life Media (“ALM”) as the target. Certainly, the general public’s reaction to the data breach was muted if not downright amused, likely because the “victims” here were about as unsympathetic as they come. Still, the choice of Ashley Madison, and the way the hack was announced, demonstrates an important point about data security: self-described “hacktivists” may target secure information for reasons other than financial gain.

The Impact Team appears to be more motivated by shaming than by any identifiable monetary benefit, although it is entirely possible that money was a factor. Interestingly, the intended damage from the leak was designed to flow in two directions. The first, and most obvious, was to Ashley Madison users, who clearly faced embarrassment and worse if their behavior were made public. The second direction was to ALM itself, for “fraud, deceit, and stupidity.” In particular, the Impact Team referred to ALM’s promises to customers that it would delete their data permanently and keep their private information safe. Obviously, that didn’t happen. ALM made matters far worse for itself when it scrambled to provide a response to the Impact Team’s threat, and made promises of security it could not keep. Now, in addition to a class action lawsuit alleging half a billion dollars in damages, ALM faces the wrath of a recently emboldened FTC.

One takeaway from this situation from a legal perspective is how ALM was targeted. Black hat groups often solicit suggestions for whom to attack, but typically in a secure fashion that would prevent early warning. LulzSec, responsible for the data breach at Sony Pictures in 2011, made a habit of seeking input as to what government entity or business to target, but kept those suggestions, and the contributors, secret. The Impact Team broke from that pattern and announced, before the breach, that they would release private information unless ALM shut down Ashley Madison and its sister site “Established Men.” Other than a similar demand made to Sony Pictures Studios regarding the film The Interview, I can think of no other instances where hackers/hacktivists telegraphed that a cyber attack was coming.

Realizing this, a few questions immediately sprang to mind:

  • What do you do if your company gets a warning from a web group?
  • How many businesses have received such warnings and silently complied, just to avoid loss of sensitive information or damage to their reputation?
  • What happens to officers and directors who receive these warnings and do nothing? Is that a breach of fiduciary duties? Negligence? A civil conspiracy?

Ultimately, all of these questions merge into the two ongoing themes of data security: How do you protect critical information, and what do you do if you can’t?

In my upcoming articles I will get into the particulars of how some companies respond to cyberattacks, but for now, it makes sense to highlight the importance of planning ahead for your business. Even a basic cyber security protocol is better than a haphazard, post hoc response, and there are many resources that provide guidance about best practices. Longer-term planning requires expertise and commitment, but education can begin any time.

I’ll paraphrase Ashley Madison — Life is short: make a plan.

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP


Federal District Court sets aside 30-Year Eagle Take Permit

On August 11, 2015, a United States District Court judge halted a years-long effort by the United States Fish & Wildlife Service (“FWS”) to smooth the federal permitting path for wind energy. Shearwater et al. v. Ashe, No. 14-CV-02830-LHK (N.D. Cal.) (August 11, 2015). Specifically, the judge set aside a rule allowing for activities such as wind energy projects to kill bald eagles and golden eagles for up to 30 years.

FWS’s efforts began back in the current administration’s first year with the first ever authorization for either individual or programmatic take permits of bald or golden eagles under the Bald and Golden Eagle Protection Act (“BGEPA”) of 1940. (Decision at p. 6.) The FWS explained at the time that “the rule limits permit tenure to five years or less because factors may change over a longer period of time such that a take authorized much earlier would later be incompatible with the preservation of the bald eagle or the golden eagle.” (Decision at p. 7, citing 74 Fed. Reg. at 46,856.) As explained in the court’s decision, the FWS downplayed anticipated use of the new permits for wind energy projects, stating that “the wind power facility could obtain a programmatic permit only ‘[i]f [advanced conservation practices] can be developed to significantly reduce the take’ resulting from ‘the operation of turbines.’” (Decision at p. 8, citing 74 Fed. Reg. 46,842) (emphasis supplied).

Shortly after adopting its new 5-year rule, however, there was a significant increase in wind energy projects. Decision at p. 9. In response, the FWS developed its Eagle Conservation Plan Guidance, a voluntary guidance, which introduced advanced conservation practices or ACPs for the wind energy sector, including experimental ACPs (i.e., scientifically unproven). Id.

The wind energy industry, although undoubtedly pleased to have secured a programmatic take permit for the accidental or incidental killing of bald and golden eagles, commented on the 5-year permit program, complaining that a 5-year permit was unworkable: projects were developed for a useful life of twenty to thirty years, and the shorter permit term made financing difficult. Concerned that uncertainty about potential future regulatory changes regarding the killing of eagles was preventing wind energy projects from obtaining permits, FWS proceeded with efforts to move to a 30-year permit “as soon as possible.” Decision at p. 10. The court notes that “[a]t bottom, FWS issued the Proposed 30-Year Rule ‘[b]ecause the industry has indicated that it desires a longer permit.’” Id. (emphasis supplied).

Internal debate ensued at the FWS regarding the proposed 30-year permit rule. Despite concerns and staff opinions that an EIS would be needed to support the rule, FWS Director Dan Ashe instructed his staff not to conduct further NEPA work, stated that an NGO lawsuit was unlikely, and directed them to proceed. Id. at pp. 13-16. The rule was finalized and effective as of January 8, 2014. A lawsuit followed five months later.

The FWS’s efforts to accommodate wind energy development and facilitate additional permitting through its 5-year and 30-year eagle take permits appear to pre-date the recent Clean Power Plan, which notably incentivizes the development of wind and other non-emitting energy sources. The effort, though, certainly is consistent with the Clean Power Plan and this administration’s encouragement of renewable energy sources.

In its August 11th ruling, the court concluded that FWS failed to comply with NEPA, set aside the 30-year rule and remanded the rule for further consideration by FWS. During the remand of the rule, the 5-year permit should still be available as an option for applicants.

© Steptoe & Johnson PLLC. All Rights Reserved.


Uncertain Future of Extended Employment Authorization for STEM Graduates

In 2008, the Department of Homeland Security (DHS) issued an emergency regulation that added 17 months of employment eligibility to recent graduates holding student visas who received a degree in Science, Technology, Engineering and Mathematics (STEM). This 17-month period was in addition to the 12-month period of employment authorization that applies to all recent college graduates holding student immigration status.

Recently, a federal court vacated the 17-month additional employment eligibility period for STEM graduates. Washington Alliance of Technology Workers v. U.S. Department of Homeland Security, U.S. District Court, District of Columbia. The Court upheld DHS’s authority to issue the regulation but vacated the regulation itself because no notice and comment period was provided before the regulation was issued. Furthermore, the Court stayed its decision until February 12, 2016, in order to allow DHS to issue a regulation using the appropriate notice and comment process. The Technology Workers Union, which filed the lawsuit challenging the 17-month addition of employment eligibility, is appealing the case to the D.C. Circuit Court of Appeals.

The President had noted in his November 2014 announcement regarding administrative steps to improve the immigration system that DHS would issue regulations expanding the employment authorization opportunities of recent college graduates. The result in the Washington Alliance case may encourage DHS to timely issue its new regulation using a notice and comment period so as to allow people already enjoying the use of a 17-month STEM graduate employment authorization period to continue working without interruption.

A component of the President’s proposed administrative steps to improve the immigration system referenced an enhanced role for colleges/universities in ensuring a connection between a student’s field of study and the job held by the recent graduate. We do not yet know what that additional role will be, nor do we know whether the Court of Appeals will agree with the lower court with regard to the authority of DHS to allow post-graduation employment authorization or at least the extended STEM authorization. Further, we do not know whether DHS will complete its work in time to avoid a disruptive gap in regulations after February 12, 2016. Given the fact that tens of thousands of people are currently working pursuant to extended employment authorization for STEM graduates, there is great interest in bringing clarity to this issue. If you have an employee working on extended employment authorization for recent graduates, please keep an eye on developments in this area. You may need to perform an I-9 re-verification in February of 2016.


FDA Flunks Mylan’s India Facilities, Finds cGMP Violations

When we open our medicine cabinet, we take for granted that the drugs we find there are safe and properly labeled. Many physicians privately worry, however, about the safety and efficacy of prescription drugs.

About 85% of the prescription drugs sold in the United States are manufactured offshore. Many of those offshore drugs are made by generic companies, foreign contract manufacturing companies and sometimes, offshore facilities owned by the so-called “big pharma” manufacturers themselves. Wherever manufactured, drugs distributed in the United States must meet certain current good manufacturing practices or cGMP standards.

Recently the Food and Drug Administration (FDA) began ramping up inspections of offshore manufacturing facilities and the results are shocking. Although cGMP violations have been found worldwide, experts are particularly worried about drugs made in China and India.

Earlier this month the FDA cited three facilities in Bangalore, India that manufacture drugs for Mylan. Headquartered in the U.K., Mylan is the second largest generic and specialty pharmaceutical company in the world. With approximately 30,000 employees worldwide and revenues of $7.72 billion (USD), Mylan certainly qualifies as big pharma.

The FDA says it inspected three of Mylan’s Indian plants between August of 2014 and February of this year. It found “significant” cGMP violations at all three facilities.

Worse, the FDA says that in all three instances Mylan’s response to the three inspections lacked “sufficient corrective actions.”

cGMP standards are in place throughout the manufacturing process to ensure the potency and quality of the finished pharmaceuticals. The FDA wants to ensure that there are no contaminants in the finished product and that the finished product is neither stronger nor weaker than advertised.

As a result of the inspections, the FDA concluded that the finished drugs from all three plants were likely adulterated. Those findings are certainly bad news for consumers. They are bad for physicians as well: it is hard for doctors to get dosages correct or monitor for side effects if a drug has inconsistent potency or contains contaminants.

In the case of Mylan’s Bangalore, India facilities, the violations were numerous and included:

  • gloves and sterile gowns for use in aseptic environments had holes and tears

  • personal sanitation violations

  • clean room violations

  • discolored injection vials

  • lots with failed assays or contaminants

At least one of the facilities had similar violations dating back to a 2013 inspection.

Overall, the FDA noted, “These items found at three different sites, together with other deficiencies found by our investigators, raise questions about the ability of your current corporate quality system to achieve overall compliance with CGMP. Furthermore, several violations are recurrent and long-standing.”

The FDA declared that continued noncompliance could result in drugs from these facilities being blocked from importation and distribution within the United States.

Mylan has had previous problems with U.S. regulators. In 2000 Mylan paid a $147 million fine to settle charges that the company raised the price of generic lorazepam by 2,600% and generic clorazepate by 3,200%. The FTC had charged that the company raised the price of lorazepam, the generic equivalent of the brand name antianxiety medication Ativan, from $7 per bottle to $190. Although Mylan agreed to the payment of the fine, it denied any wrongdoing.

Only the FDA can punish drug companies for cGMP violations but if there is proof of an adulterated product entering the commerce stream, the federal False Claims Act can come into play. That law allows private individuals to file a lawsuit against a wrongdoer and receive a percentage of whatever is recovered by the government. Last year the Justice Department paid $635 million in whistleblower awards under the False Claims Act.

Whistleblowers in cGMP cases have received tens of millions of dollars. Dinesh Thakur, a former Ranbaxy executive, received $48 million for information about adulterated generic drugs.

To qualify for a whistleblower award, one must possess inside, “original source” information about a cGMP violation resulting in an adulterated drug or an under- or over-potency medication being approved for sale by Medicaid, Medicare or Tricare. (Most drugs are approved.)

While we believe that contaminated drugs are relatively rare, industry sources tell us that potency issues are rampant. That means the drugs in your medicine cabinet may have little or no active ingredients.

Article By Brian Mahany of Mahany Law

© Copyright 2015 Mahany Law
