While the current vendor environment clearly poses significant challenges and risks to businesses entrusting them with their data, use of encryption can, at least in many cases, materially mitigate that risk. The devil, however, is in the details …
On January 25, 2019, the Illinois Supreme Court handed down a key ruling that will make it significantly easier for consumers and workers to sue and recover damages for mere non-compliance with the requirements of the state’s Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA or Act). In its highly anticipated decision in Rosenbach v. Six Flags Entertainment Corp., the state’s high court unanimously held that actual harm is not required to bring an actionable claim under BIPA, and that a violation of BIPA’s technical requirements alone can support a cause of action under the Act. Thus, an individual who merely alleges a technical violation of BIPA is sufficiently “aggrieved” under the Act—with statutory standing to sue for significant statutory damages and injunctive relief—even if that person suffered no actual injury or harm as a result of the violation.
In the past several weeks, we have seen an uptick in crypto-related insolvencies; most recently Giga Watt, a Bitcoin-mining firm, filed for chapter 11 relief in the Eastern District of Washington. Often, the questions arising out of a crypto-related bankruptcy revolve around the value of Bitcoin or other cryptocurrency. However, while cryptocurrency is certainly how blockchain technology was first deployed, it is by no means its only utility. For example, in the organics food industry, retail giants like Walmart have employed blockchain technology to shore up their supply chains. If there is a need to identify precisely from where a SKU of organic lettuce was sourced, blockchain technology now affords Walmart the ability to do so in a matter of seconds instead of days. Thus, while often discussed in connection with Bitcoin, blockchain technology in the bankruptcy context is not exclusively a conversation about a bitcoin’s worth.
If you listen very carefully, the age of information security as we know it ended recently, not with a bang, but with a whimper. While that may be something of an overstatement, a recent event put us on the track to that very end.
Consider the “old way”: Your company decides to engage a vendor to provide services or products in which the vendor will have possession of, hosting of, access to, or other use of your sensitive data, or interaction with your production systems. In those cases, a prudent company would do three things to address information security. First, it would conduct due diligence of the vendor’s security practices, including past security incidents, compliance with recognized security standards, security policy review, etc. Second, it would include specific, strong protections in its contract with the vendor addressing the vendor’s obligations with regard to security, including service level obligations to ensure the availability of critical data. Finally, a prudent company would conduct post-contract-execution audits and inspections to ensure the security requirements in the agreement are being followed.
Cybercrime is an ever-increasing threat from which manufacturers are not immune. Although reliable statistics are not available, one particular type of scheme that seems to be on the rise is vendor payment fraud. In cases of vendor payment fraud, the fraudster poses as an existing supplier and provides the manufacturer with seemingly legitimate instructions changing the account payment information. The exact means by which vendor payment fraud schemes are perpetrated can take many forms. However, the most sophisticated and hardest to detect schemes often involve “hacking” into the vendor’s systems and sending a seemingly legitimate email or other instruction directing the change.