Tuesday, March 18, 2008

Supermarket Chain Falls Victim to Security Breach

By Dino Tsibouris & Mehmet Munur

On Monday, March 17, 2008, Hannaford, an East Coast supermarket chain, announced that it fell victim to a security breach. The security breach has so far resulted in 1,800 actual cases of fraud.

Hannaford announced that the breach affected 4.2 million unique account numbers during the card authorization process. Hannaford first noticed the breach on February 27 and contained it on March 10. Hannaford, VISA, MasterCard, and the U.S. Secret Service have not released much information regarding the security breach due to the ongoing nature of the investigation. However, no personal data such as names, addresses, or telephone numbers were revealed during the breach.

It is possible that hackers breached Hannaford’s security in a manner similar to how hackers breached TJ Maxx’s security in 2006. TJ Maxx employed an outdated and easy-to-break encryption scheme called WEP to secure its wireless networks. Hackers breached a TJ Maxx store’s wireless network near St. Paul, MN using a laptop and a directional antenna. They then used this data to compromise TJ Maxx’s central customer database at its Framingham, MA headquarters. The hackers obtained many millions of credit card numbers and some personally identifying information such as driver’s license numbers and social security numbers.

Hannaford’s security breach pales in comparison to the security breach at TJ Maxx, which may have affected 100 million customers. TJ Maxx has settled with VISA and the card issuing banks over its security breach for $82 million. TJ Maxx has set aside a reserve fund of $107 million for payments and legal expenses. Though the FTC has been investigating TJ Maxx, it has not yet announced a settlement. The FTC may levy fines against TJ Maxx since that breach was the largest security breach to date.

While the FTC has settled only 17 cases to date relating to data security practices by companies handling personal information, it has settled 2 so far in 2008. It appears that the FTC will settle more cases related to security breaches this year.


Monday, March 17, 2008

Settlement of Lawsuit over Email Upheld

By: Dino Tsibouris & Mehmet Munur

A Massachusetts court of appeals recently held that Amazon was bound to a settlement that was conducted over email to dismiss a case against it and noted that the email exchange created “a present agreement awaiting a later document.”

The litigation that led to the email settlement arose from Amazon’s investment in Basis Technology, a software company focusing on “extracting meaningful intelligence from multilingual text.” In September 1999, Amazon entered a technical services agreement with Basis to help Amazon create an electronic commerce system in Japan. In December 1999, Amazon purchased 1.6 million shares of preferred stock in Basis with a common stock conversion provision with a ratio of one-to-one and anti-dilution rights. In April 2001, Amazon agreed to a recapitalization that increased its conversion rights to two-to-one (one share of preferred stock to two shares of common stock). In March 2004, the Basis Board of Directors distributed a memorandum acknowledging the issuance of almost half a million shares of preferred stock to In-Q-Tel, the venture capital arm of the Central Intelligence Agency. Amazon received notice of this issuance but did not consent.

In the meantime, in May 2003, Basis had commenced a lawsuit against Amazon for breach of fiduciary duty. In March 2005, counsel for Basis and Amazon reached a preliminary settlement through email. Basis counsel sent an email memorializing the discussions of that evening with 6 provisions that showed general agreement on the main points but omitting most of the details that would be drafted later. One of the provisions required Amazon to convert its preferred stock to common stock under the 1999 share purchase agreement. Basis counsel also asked to be contacted the next morning, before the two parties reported the settlement to the judge, in the event the Amazon counsel disagreed. The next morning, counsel for Amazon replied to the email with one word, “correct.” The trial judge ended the trial and entered an order for a settlement between the parties, pending the detailed provisions.

Several days later, Amazon and Basis reached a deadlock over the conversion ratio. Basis argued that the conversion rate should be two-to-one. Amazon argued that the anti-dilution provisions should result in a ratio of more than 2.1-to-one due to the issuance of shares of preferred stock to In-Q-Tel. Amazon concluded that this difference would result in a loss of a quarter of a million dollars and a reduction in ownership stake from 10% to 8.5%. When the parties could not resolve this dispute, after extensive hearings and examinations, the court entered a judgment enforcing the settlement agreement the parties had reached during their email exchange in March 2005.

On appeal, Amazon argued that the emails did not create an unambiguous agreement between the parties and that Amazon did not intend to be bound. After reviewing the emails, the appeals court ruled that the parties had reached a settlement on the essential business terms when Amazon counsel “concisely responded, ‘correct.’” The court, citing a 1987 decision, stated that “the parties have agreed upon all material terms, [therefore] it may be inferred that the purpose of a final document which the parties agree to execute is to serve as a polished memorandum of an already binding contract.” Therefore, solely agreeing to the essential terms of a contract over email does not change the principles of contract formation.

The decision of both the trial court and the appeals court is not surprising for two reasons. First, Amazon executives appear to have wanted to get out of an unfavorable settlement by Amazon counsel after it was already made. Second, an email that manifests the intention to be bound by a sufficiently definite agreement should be treated no differently than a similar writing in a different medium.

This case compares well with CSX Transp., Inc. v. Recovery Express, Inc., 415 F. Supp. 2d 6 (D. Mass. 2006). There, CSX received an email from a person expressing interest in purchasing railcars as scrap. Relying only on the domain name on the email address, and without checking to make sure that the person worked for that corporation, CSX sold the railcars to the email sender. When the check written by the purchaser bounced, CSX sued the company holding the domain name of the email address—Recovery Express. The court concluded that the use of the email address by the railcar purchaser did not create apparent authority to act as Recovery Express’ agent. Though the CSX employee conducting business over email was not an attorney, it appears that he fell into the same trap that Amazon counsel did when he conducted a settlement over email.

The case is Basis Tech. Corp. v. Amazon.com Inc., No. 06-1048 (Mass. App. Ct., Jan. 7, 2008).


Tsibouris Law Blog Featured in Columbus Business First

Tsibouris & Associates Law Blog was recently featured in a Columbus Business First article on Columbus law firm blogs. The article discusses the burgeoning law firm blog scene in Columbus, Ohio. To read more, please click here.