CURRENT MONTH (November 2018)
Data Privacy
New Hampshire Adopts Constitutional Right to Privacy
By Antoine D. Bedard, Penn State Law
On November 6, 2018, New Hampshire passed a constitutional amendment, creating the “right to live free from governmental intrusion in private or personal information,” and making New Hampshire the 11th state to adopt a right to privacy. New Hampshire’s right to privacy won’t apply as broadly as some of the other states’ respective right, because the statute specifically stops governmental intrusion but not private parties. The amendment contains no explicit exception to the right and has vague language like “natural, essential, and inherent,” which may give the New Hampshire courts wide latitude in interpreting and applying the right. There’s concern that the court’s interpretation and application may impact the effectiveness of search warrants as well as situations where the public would have a right to know.
Electronic Contracting
Ohio Court finds Emails Satisfy Statute of Frauds for Real Estate Sale
By John E. Ottaviani, Partridge Snow & Hahn LLP
An Ohio appellate court recently found that a series of email exchanges could satisfy the Ohio statute of frauds with respect to the sale of residential real estate. The proposed buyer and seller of a high-end residential property conducted negotiations for the sale of the property by email. After some back and forth, the proposed buyers sent an email that said, in part, “I am good at [price] for a purchase price Based on inception [sic] and customary closing. We can get a simple contract drafted Monday and have it signed by us Tuesday with the earnest money cashier check to you upon acceptance of the contract by Tuesday. Please let me know. Mike[.]” The next day, one of the sellers responded with “We accept” by email. The proposed buyer responded “Great, I agree too.” The following Tuesday, the buyers and sellers met to sign a contract, but a dispute ensued and the sellers never signed the contract. The trial court granted a summary judgment in favor of the proposed sellers on the buyer’s complaint requesting specific performance.
On appeal, the court found that the email exchange was definite enough to satisfy the Ohio statute of frauds with respect to the sale of land, because the emails constituted a writing that (1) identifies the subject matter, (2) establishes that a contract has been made, and (3) states the essential terms with reasonable certainty. However, the court remanded the case back to the trial court to determine whether the parties had a present intention to be bound, or whether the parties did not intend to be bound until execution of the more formal contract.
Cyber Security
PA Court Finds Duty to Protect Employee Info
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The Supreme Court of Pennsylvania has held that an employer owes a duty of reasonable care in collecting and storing the personal information that it required its employees to provide as a condition of employment. In Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018), employees filed a class action suit after a data breach exposed the personal information of 62,000 UPMC current and former employees. Some employees suffered actual damages when the stolen data was used to file fraudulent tax returns. The trial and appeals courts had dismissed the employees’ claims.
The Supreme Court found that the employees alleged sufficiently that UPMC engaged in affirmative conduct creating the risk of a data breach by requiring the employees, as a condition of employment, to provide certain personal and financial information, which UPMC collected and stored on an internet-accessible computer system without utilizing adequate security measures. Accordingly, UPMC had a duty to exercise reasonable care in protecting that information from an unreasonable risk of harm. That duty was not affected by the criminal acts of third parties stealing the data and the economic loss doctrine did not bar the employees’ claim because UPMC’s legal duty existed independently of contractual obligations. Accordingly, the Court vacated the lower courts’ orders and remanded.
Ohio Cybersecurity Safe Harbor Law Takes Effect
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
A new Ohio law that provides a limited liability shield for companies that reasonably conform their written cybersecurity program to at least one of 11 industry recognized frameworks took effect on Nov. 2. The Ohio Data Protection Act is the first of its kind to provide a liability shield for claims in data breach litigation.
The Act requires a cybersecurity program to contain administrative, technical, and physical safeguards that protect the security and confidentiality of information, and protect against anticipated threats and unauthorized access and acquisition to information that can be used for identity theft or fraud. Compliance with the statute gives rise to an affirmative defense to tort causes of action under Ohio law based on a failure to use reasonable controls that results in a data breach. The industry recognized frameworks include certain ones developed by the National Institute of Standards and Technology (NIST) and the Center for Internet Security, and those issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
