New York’s Department of Financial Services (“NYDFS”) recently proposed cybersecurity regulations intended to protect consumers and financial institutions from the ongoing threat of cyber-attacks. NYDFS’s proposed “Cybersecurity Requirements for Financial Services Companies” would regulate all financial services companies, including banks, insurance companies, and any other entity subject to New York’s financial services laws. The Proposed Regulation defines a “Covered Entity” as “any [p]erson operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” The goal is to secure “Nonpublic Information” from misuse, disruption and unauthorized access. “Nonpublic Information” is broadly defined to include “all electronic information that is not Publicly Available,” and covers personal information and intellectual property, as well as several categories of information that a Covered Entity receives from or about its consumers.

The Proposed Regulation addresses five key areas: establishment of a cybersecurity program; adoption of a cybersecurity policy; the role of the chief information security officer; oversight of third-party service providers; and additional items relating to security practices and other matters.

First, Covered Entities must establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of their information systems. The program must perform certain core cybersecurity functions, including: identification of cybersecurity risks and detection of cybersecurity events (i.e., an act or attempt to gain unauthorized access to or use of an information system); implementation of policies and procedures to protect against cybersecurity events; response to cybersecurity events to mitigate their negative effects; and recovery from cybersecurity events and restoration of normal operations.

Second, the written cybersecurity policy mandated by the Proposed Regulation imposes more stringent requirements on a regulated financial institution. The Covered Entity’s cybersecurity policy must address multiple areas, such as customer data privacy, vendor and third-party service providers, and incident response. Moreover, the cybersecurity policy must be reviewed by the financial institution’s board of directors and approved by a “Senior Officer” at least once a year.

Third, the Proposed Regulation requires each Covered Entity to designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. That person will also be responsible for reporting on the cybersecurity program to the board of directors at least bi-annually.

Fourth, the Proposed Regulation sets forth policies and practices that Covered Entities must implement with respect to third-party service providers, in order to ensure the security of information systems accessible to them. These policies and practices must include identification and risk assessment of third parties, minimum cybersecurity practices that third parties must meet, due diligence processes used to evaluate the cybersecurity practices of third parties, and an annual assessment of third parties.

Finally, among the additional items, the Proposed Regulation requires Covered Entities to encrypt Nonpublic Information in transit by January 2018 and Nonpublic Information at rest by January 2022. Beginning January 15, 2018, Covered Entities must also have the chair of the board sign and submit to the Superintendent of Financial Services a certification stating that the Covered Entity is in full compliance with the Proposed Regulation. The Proposed Regulation further provides that it “will be enforced pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.” Those laws include provisions of the New York Banking Law, Insurance Law and Financial Services Law that impose civil and even criminal penalties for false disclosures made with an intent to deceive a regulator. This raises the possibility that the individuals who sign the compliance certification may be exposed to personal liability if the Covered Entity is later found not to have complied with the Proposed Regulation.

For now, the Proposed Regulation is subject to a 45-day notice and comment period that began on September 28, 2016, and is slated to take effect January 1, 2017. While the new regulation applies only to financial institutions regulated in New York, it will have an outsized impact given the state’s central role in the financial sector. With the effective date of January 1, 2017 just around the corner, Covered Entities should begin assessing their cybersecurity risks, developing their cybersecurity programs and documenting their compliance efforts. The use of legal counsel familiar with data security and privacy issues is always recommended.
The Federal Trade Commission recently vacated the decision of its Chief Administrative Law Judge and, on July 29, 2016, entered a final order against LabMD, potentially expanding previous interpretations of what constitutes “unfair or deceptive practices” under Section 5 of the FTC Act. Although the FTC’s exercise of authority over cyber and data security issues is nothing new, cases brought by the FTC against private companies regarding data security typically settle without extensive litigation. The LabMD matter was notable because it proceeded to trial and, until now, successfully challenged the FTC’s authority.

The LabMD matter arises from two alleged “security incidents,” in 2008 and 2012, in which personal identification and billing information of over 9,000 cancer patients was first discovered on a peer-to-peer file sharing network, and later in documents seized from third parties during an identity theft investigation. The FTC filed a complaint in August 2013 alleging that LabMD failed to employ “reasonable and appropriate” data security practices as required by Section 5. After LabMD refused to settle, the case proceeded to trial, and in November 2015 Chief ALJ D. Michael Chappell dismissed the FTC’s complaint. In his decision, Chief ALJ Chappell focused on the causation issue and found that the FTC did not establish that LabMD’s data security practices had “caused, or is likely to cause, a substantial injury to consumers,” as required by Section 5. During its case, the FTC did not present any evidence that the exposed information had ever been seen or used by anyone other than Tiversa, the data security firm that notified LabMD of its exposure. The Chief ALJ noted that a mere possibility of harm does not equate to a likelihood of harm. He also found that purely subjective or emotional harm, such as embarrassment suffered by patients, is insufficient to constitute “substantial injury.”

On appeal, the full Commission issued a unanimous opinion, written by Chairwoman Edith Ramirez, reversing Chief ALJ Chappell’s decision. The Commission first spent significant energy establishing the record on an issue the ALJ had not addressed at all: LabMD’s purported failures regarding its data security practices. The Commission set forth a substantial record and found that LabMD failed to protect its computer network or employ adequate risk assessment tools, failed to provide data security training to its employees, and failed to adequately restrict and monitor the computer practices of its network users, and consequently concluded that LabMD’s data security practices were unfair practices in violation of Section 5(n).

As to causation, the Commission reversed and found that the disclosure of sensitive medical information alone, even in the absence of economic or physical harm, satisfies the “substantial injury” requirement of Section 5. By exposing sensitive identification and financial information to the public, the Commission reasoned, LabMD created circumstances in which the information “could have been found.” The Commission concluded that exposure of the information is, in and of itself, a substantial injury. In doing so, has the FTC effectively elevated evidence of what could possibly occur over evidence of what has occurred? An immediate criticism of this new interpretation is that it appears to grant the FTC broad authority to treat security practices it considers potentially harmful to consumers as presumptive violations of Section 5. LabMD has sixty days to appeal the FTC’s decision to the U.S. Court of Appeals.
In May of this year, the United States District Court for the Northern District of Georgia ruled largely in favor of the class action plaintiffs and against The Home Depot, Inc., denying a motion to dismiss at the pleading stage in multi-district litigation arising from one of the largest retail data breaches in history.

Beginning in April 2014, hackers obtained access to Home Depot’s computer systems through a firewall flaw. The hackers installed malware on the point-of-sale systems at 7,500 self-checkout lanes in order to siphon off information from payment cards used at those stations. The malware remained on the checkout terminals until around September 7, 2014. The hackers then offered the credit and debit card information of 56 million Home Depot customers for sale on a black-market website, and the thieves thereafter made a large number of fraudulent transactions with that information.

In its opinion denying the retailer’s motion to dismiss, the Court detailed at length the internal warnings Home Depot received from its IT staff concerning the company’s security issues. These warnings dated back to 2008 and showed that Home Depot ignored the threat and failed to properly implement and update antivirus software for its point-of-sale systems. In fact, the Court cited the allegations that the company took affirmative steps to stop employees from fixing security deficiencies and made it known that it would not spend the money to make the necessary improvements. The Court also outlined numerous external warnings Home Depot received in the nine months before the breach, including correspondence from Visa advising of increased hacker intrusions; advice from an outside security consultant informing Home Depot that its network was vulnerable to attack and did not comply with industry standards; and an alert from the FBI warning of the danger of malware attacks and urging the company to update its network security measures.

The plaintiffs in this case are not individual consumers, but rather a putative class of financial institutions that issued and owned payment cards compromised by the data breach, as well as associations of credit unions whose members were damaged by the breach. The plaintiffs allege that Home Depot’s data security suffered many weaknesses leading up to the breach, and that the failures were due to incompetence by senior management and a desire to cut corners to save money. The financial institutions allege that they have been damaged by having to reimburse customers for fraud losses suffered as a result of the breach, as well as by other costs such as reissuing payment cards and paying for credit fraud monitoring. They bring claims for negligence, negligence per se, and violation of eight state-specific consumer protection statutes, and also seek injunctive and declaratory relief. The association plaintiffs seek only equitable relief.

Home Depot moved to dismiss all of the claims. Home Depot first sought dismissal for lack of standing. The Court held that the plaintiffs adequately pleaded standing because they pleaded actual injury in the form of the various costs they have incurred as a result of the breach, which are neither speculative nor merely threatened future injuries. Further, the Court held that costs undertaken to avoid future harm from the breach are reasonable mitigation costs incurred in response to a substantial risk of harm.

With respect to the negligence claim, the Court rejected Home Depot’s invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. The Court stated that to hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from this risk.

Home Depot also sought to dismiss the negligence per se claim based on Section 5 of the FTC Act, arguing that Section 5 cannot form the basis of a negligence per se claim, despite Georgia law that allows a statute or regulation to be adopted as a standard of conduct so that its violation becomes negligence per se. The Court disagreed and held that the plaintiffs adequately pleaded a violation, that they were within the class of persons the statute was intended to protect, and that the harm suffered is the kind of harm the statute was meant to prevent. The Court also noted two cases applying Georgia law that suggest the FTC Act can serve as the basis of a negligence per se claim.

Home Depot argued that the plaintiffs’ claim for injunctive and declaratory relief is improperly based upon a speculative future data breach, but the Court disagreed. The Court noted that the plaintiffs alleged that Home Depot’s security measures continue to be inadequate and that the plaintiffs will suffer substantial harm as a result; because the breach is alleged to be continuing in nature, these facts are sufficient to survive a motion to dismiss. The Court granted Home Depot’s motion only to the extent the plaintiffs’ claim for declaratory relief sought an impermissible determination of past liability, because past liability is properly addressed in the plaintiffs’ negligence claims.

Finally, the Court examined the eight state-specific consumer protection statutes. The majority of these claims survived Home Depot’s attack because the Court held that maintaining inadequate security measures can constitute the sort of conduct required for a deceptive or unfair practice claim under the various state statutes.

In response to the Court’s denial, Home Depot sought permission to take to the Eleventh Circuit several questions of law raised by the Court’s refusal to dismiss the claims. District courts do not typically allow an interlocutory appeal before a case advances past a motion to dismiss, but Home Depot asserts that its request “easily satisfied” the requirements for an immediate interlocutory appeal because the challenged ruling involves controlling questions of law, there is substantial ground for difference of opinion on each question, and a prompt appeal could materially advance the ultimate termination of the litigation. Home Depot argues that the Court’s ruling raises at least six novel questions of law that would benefit from immediate resolution, including whether financial institutions have Article III standing to assert claims arising out of a data breach, whether retailers owe banks a duty to protect against third-party criminal hacks, and whether financial institutions can bring a negligence per se claim premised on an alleged violation of Section 5 of the FTC Act.

With respect to standing, Home Depot argues that the banks simply lumped together a list of their injuries in six paragraphs of a 283-paragraph complaint, and that no institution alleged its own specific injuries. The merchant also asserted that the banks’ decision to implement “prophylactic measures” to protect against the risk of future harm is insufficient to establish standing. No other court has yet ruled on the standing of financial institutions to assert claims arising out of a data breach. As a result, Home Depot urged the district court to allow the Eleventh Circuit to tackle the questions of whether named plaintiffs in class actions have Article III standing without specifying their individual injuries, and whether prophylactic measures taken to guard against losses that may never occur can establish Article III standing.

Section 5 of the FTC Act allows the Commission to bring claims for unfair or deceptive trade practices against businesses, but confers no private right of action. The plaintiffs have therefore used a negligence per se action in an attempt to circumvent this restriction, and Home Depot is asking the Eleventh Circuit to reject this tactic. It remains to be seen whether the District Court will allow the appeal and whether the Eleventh Circuit will take the case. We will continue to monitor the proceedings and provide substantive updates.
In a case with a familiar fact pattern, the United States District Court for the Eastern District of Louisiana refused to find that permitting Plaintiff to proceed in Louisiana state court would be “futile” on Article III standing grounds, and remanded the matter to the state court to determine whether Plaintiff has standing to proceed with his suit.

Plaintiff Walter Bradix, IV, a former employee of Advance Stores Company, d/b/a Advance Auto Parts, sued his former employer for the disclosure of his and a number of other employees’ personal information. The disclosure occurred as a result of a phishing scam in which the attacker posed as an employee of Defendant. The disclosed information included employees’ names, gross wages for 2015, social security numbers, and the state in which each employee paid income tax. Plaintiff alleged that the information can be, and likely already has been, used by thieves to open credit card accounts, file fraudulent tax returns, and the like. In support, Plaintiff pointed to two unidentified inquiries on his credit report. Plaintiff argued that the remedy offered by Defendant, 24 months of credit monitoring services, was “woefully inadequate,” and that he and other employees will incur significant costs to correct misuse of their personal data, which Advance argued had yet to occur.

Plaintiff filed a class action petition in the Civil District Court for the Parish of Orleans, alleging that Defendant’s conduct with regard to the phishing attack amounted to negligence, gross negligence, breach of fiduciary duty and invasion of privacy under Louisiana state law. Defendant removed the action to federal court, asserting federal subject matter jurisdiction under the Class Action Fairness Act (“CAFA”), and then filed a motion to dismiss. The District Court denied Defendant’s motion and entered an order remanding the case to Louisiana state court.

Defendant then moved for reconsideration, arguing that dismissal was more appropriate because remand to Louisiana state court would be “futile.” Advance argued that Plaintiff lacked standing in both federal and Louisiana state court because both courts can preside only over cases “involving ‘actual present or immediately threatened injury’ and more than a ‘hypothetical threat.’” It was Defendant’s position that the Louisiana state court would rely on federal jurisprudence and apply federal law regarding speculative harm, and that since federal law clearly provides that a federal court has no jurisdiction over claims of speculative harm, neither would the Louisiana state court.

The District Court rejected Defendant’s futility argument, finding it too broad and finding it uncertain that a lack of Article III standing would necessarily require the Louisiana state court to dismiss the case. Relying on the United States Supreme Court’s discussion of the futility doctrine in International Primate Protection League v. Administrators of Tulane Educational Fund, 500 U.S. 72 (1991), where the Court refused to apply the doctrine in circumstances where a plaintiff’s lack of Article III standing “would not necessarily defeat its standing in state court,” the District Court found that Defendant had failed to establish that Louisiana state law firmly follows the Supreme Court on the issue of Article III standing. Accordingly, the District Court declined to apply the futility doctrine to these facts and remanded the matter to the state court to determine whether Plaintiff has standing to proceed with his suit.
On July 7, 2016, the United States District Court for the District of Minnesota granted Target’s unopposed motion to dismiss the derivative actions filed by a number of shareholders against the company relating to the well-reported 2013 data breach. The breach resulted in the theft of payment card data of approximately 40 million customers, as well as certain personal information of up to 70 million customers. The significant media attention purportedly had a negative impact on Target’s sales and on consumer perception of the company. As a result, certain shareholders initiated derivative actions against Target’s Board of Directors alleging that the Board (1) failed to properly provide for and oversee an information security program and (2) failed to give customers prompt and accurate information in disclosing the breach. The shareholders asserted that the Board breached its fiduciary obligations to Target, resulting in a variety of identified damages, including data breach costs.

In 2014, pursuant to Minnesota law (Minn. Stat. § 302A.241, subd. 1), Target’s Board established a Special Litigation Committee (“SLC”) to address all of the derivative suits pending against the Board. The SLC consisted of members of the legal community with no affiliation to the company, including a former Minnesota Supreme Court Chief Justice and a University of Minnesota law professor. Courts defer to a special litigation committee’s decision to seek dismissal of derivative actions if the SLC can demonstrate (1) that it possessed disinterested independence and (2) that it conducted a good faith investigation into the derivative allegations. In re UnitedHealth Group Inc. S’holder Derivative Litig., 754 N.W.2d 544, 556 (Minn. 2008); In re UnitedHealth Group Inc. S’holder Derivative Litig., 591 F. Supp. 2d 1023, 1030 (D. Minn. 2008).

Target’s SLC was vested with complete power to investigate the allegations, claims and requests for relief and to determine whether, and to what extent, Target should pursue claims against the Board. The SLC spent 21 months investigating the circumstances of Target’s data breach and the claims levied in the various derivative actions. The committee retained independent counsel and experts, interviewed 68 witnesses, reviewed and analyzed thousands of documents, met frequently, and “considered [a] myriad factors bearing on Target’s best interests in deciding whether to pursue claims against the officers and directors” for the data breach. In a 91-page report issued in late March 2016, the SLC determined that prosecuting a derivative action, and publishing detailed findings in connection with it, would not be in Target’s best interests, because doing so could imprudently create risks for the company. For this reason, the SLC concluded that it would not be in Target’s best interest to pursue claims against the Board arising from the data breach and recommended that Target seek dismissal of all pending derivative claims. The Court’s recent Order is in response to that application.

This result has significance for both insurers and policyholders under Directors & Officers (“D&O”) liability insurance. Plaintiffs face difficulty establishing a cognizable right to pursue a derivative claim against a corporation arising from a large data breach, and companies that are prepared to respond to data breaches, and that are mindful about avoiding them in the first place, enjoy more and stronger defenses against such liability. However, given the notoriety of the Target breach and other recent victims, shareholders will expect more from their directors and officers regarding this risk.
In one of the first decisions construing coverage under a stand-alone cyber insurance policy in the wake of a large-scale cyber security breach, the United States District Court for the District of Arizona rejected restaurant franchisor P.F. Chang’s arguments to recover approximately $2 million in fees and assessments levied by MasterCard. According to the Court, P.F. Chang’s had no reasonable expectation of coverage for such assessments.

As we have previously discussed, approximately 60,000 customer credit card numbers were stolen from P.F. Chang’s by hackers in June 2014. Since the breach, P.F. Chang’s has incurred investigation and remediation expenses and fielded multiple class action lawsuits, for which it has received approximately $1.7 million in coverage under a $5 million “CyberSecurity by Chubb” policy issued by Federal Insurance Company to P.F. Chang’s parent company, Wok Holdco LLC. In March 2015, P.F. Chang’s credit card processor, Bank of America Merchant Services (BAMS), paid MasterCard $1.9 million in consolidated assessments and fees. Specifically, MasterCard sought approximately $1.7 million as a “Fraud Recovery Assessment” associated with fraudulent charges, approximately $160,000 as an “Operational Reimbursement Assessment” for the costs of notifying cardholders and reissuing cards and account numbers, and $50,000 as a flat “Case Management Fee.” P.F. Chang’s, in turn, reimbursed BAMS for its payment to MasterCard pursuant to the terms of their Master Service Agreement. P.F. Chang’s tendered the matter to Federal as a covered breach-related expense. Federal denied coverage, and P.F. Chang’s filed suit. P.F. Chang’s argued that each of the three component charges levied by MasterCard against BAMS triggered coverage under a separate part of the Federal policy.

On May 31, 2016, the Court granted summary judgment in favor of Federal, finding that BAMS did not sustain any type of covered “Injury” and that the assessment payments were otherwise precluded from coverage. Although the Court acknowledged that the $50,000 “Case Management Fee” levied by MasterCard could potentially qualify as a “Privacy Notification Expense,” it nevertheless found that P.F. Chang’s reimbursement of the MasterCard assessments was barred by two exclusions and by the policy’s definition of “Loss,” because the payment arose out of P.F. Chang’s contractual assumption of liability under its Master Service Agreement with BAMS. The Court rejected P.F. Chang’s argument that it would have been liable to BAMS even in the absence of its contractual obligations. Finally, the Court rejected P.F. Chang’s argument for coverage under the reasonable expectations doctrine, finding that P.F. Chang’s had failed to meet its burden of proof.

On June 14, 2016, Federal filed a motion to recover over $200,000 in attorneys’ fees and costs incurred in the lawsuit. It is currently unclear whether P.F. Chang’s will pursue an appeal. The case has already sparked controversy and disagreement over the intended versus actual scope of coverage under stand-alone cyber liability policies. As one of the first of its kind, the case and the arguments asserted by the parties will likely play a large part in shaping how similar policies are sold, interpreted, and litigated in the future.
In April of this year, the European Union (“EU”) adopted the General Data Protection Regulation (“GDPR”), a regulation intended to strengthen data protection for individuals residing in the European Union. The GDPR provides a single set of rules applicable in all member states. Its objective is to give individuals control over their personal data and to simplify the regulatory environment for business. Notably, the new law applies to all businesses that hold information on EU residents, regardless of their size or where in the world they are located.

The GDPR requires each member state of the EU to establish a Supervisory Authority to hear and investigate complaints and to sanction offenses. The law generally requires explicit consent for personal data to be collected, including a requirement that data controllers be able to demonstrate that consent and that individuals be given the option to withdraw it. It requires that individuals be given notice of the period for which their data will be retained, and that privacy-protective settings be applied by default. The new law also requires public authorities, and organizations whose core activities involve regular and systematic monitoring of individuals, to appoint a data protection officer, and it imposes a legal obligation to notify the Supervisory Authority of personal data breaches. Significantly, the GDPR provides that a person must be able to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller; in such cases, the data controller must provide the data in a structured and commonly used electronic format.

In cases of a violation, the GDPR provides for sanctions including a written warning in the case of a first or unintentional non-compliance, regular periodic data protection audits, and fines of up to 20 million EUR or up to 4% of annual worldwide turnover for the preceding financial year, whichever is greater. Europe’s new law will go into force in the second quarter of 2018. In anticipation, the national Data Protection Authorities, the Article 29 Working Party and the European Data Protection Supervisor will be issuing guidelines and opinions to assist organizations in preparing for compliance.
On April 14, 2016, the United States Court of Appeals for the Seventh Circuit reinstated the plaintiffs’ action against the P.F. Chang’s restaurant chain arising out of the well-reported breach of payment card information. The action had been dismissed by the District Court for the Northern District of Illinois, Eastern Division, on the basis of what the lower court ruled was the plaintiffs’ lack of Article III standing.

As this blog has discussed, P.F. Chang’s notified its customers of a payment card data breach in June 2014. Plaintiff Kosner dined at the P.F. Chang’s restaurant in Northbrook, Illinois. Some time later he incurred fraudulent credit card charges, which he associated with the P.F. Chang’s breach. Kosner cancelled the credit card in question and retained a credit monitoring company to monitor his accounts. Plaintiff Lewert also dined at P.F. Chang’s in Northbrook, but did not incur fraudulent charges; he monitored his card statements and credit reports for fraudulent charges himself. Kosner and Lewert sought to represent a class of P.F. Chang’s customers who paid with credit cards and whose data may have been stolen. The District Court dismissed their claims for lack of standing, and the plaintiffs appealed.

Article III of the Constitution requires plaintiffs to show that they “suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). In reversing the District Court’s dismissal, the Seventh Circuit found that the plaintiffs meet the constitutional standing requirements and remanded the matter for further proceedings. In reaching its decision, the Court expressly relied upon its prior decision in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).

In Remijas, the Seventh Circuit found that customers whose data was breached suffered sufficiently concrete and particularized injuries under Article III to support standing. The injuries identified by the Remijas court were an increased risk of fraudulent charges and an increased risk of identity theft. The Court found that these alleged injuries were “certainly impending,” the showing of future harm required to establish standing. The Court noted that the customers should not have to wait until hackers commit identity theft or credit card fraud in order to have standing, because an “objectively reasonable likelihood” exists that such injury will occur. The Court also found that the time and money spent resolving fraudulent charges and identity theft were sufficient injuries for purposes of standing.

Applying that reasoning, the Seventh Circuit concluded that because the plaintiffs’ credit card data had already been stolen, the injuries to Kosner and Lewert fall into the same categories set forth in Remijas: increased risk of identity theft and credit card fraud. The Seventh Circuit also found that the plaintiffs had already suffered injuries sufficient to confer standing, in the form of fraudulent charges and the cost of credit monitoring. As to the remaining criteria for standing, causation and redressability, the Court also found in favor of the plaintiffs, determining with respect to causation that while a dispute exists as to the extent of the breach, that dispute does not in itself destroy standing and will be the subject of discovery during the litigation. With regard to redressability, the Court found that a favorable judgment would compensate the plaintiffs for their injuries through reimbursement of credit monitoring costs and of the value of credit card points not accrued while awaiting replacement cards.

Courts are now split on this issue, and the Spokeo case, in which the U.S. Supreme Court may decide whether Article III standing is conferred upon a plaintiff who suffers no concrete harm, and could not otherwise invoke the jurisdiction of a federal court, by a statute authorizing a private right of action based on the mere violation of that federal statute, is still outstanding.
In a brief, unpublished decision, the U.S. Court of Appeals for the Fourth Circuit affirmed a ruling that Travelers must defend Portal Healthcare Solutions in an underlying lawsuit involving the disclosure of confidential medical records on the internet. The court’s opinion commended the District Court’s analysis of the dispute and adopted its conclusion with an abbreviated discussion of the legal issues. The ruling from the U.S. District Court for the Eastern District of Virginia provides a full discussion of the factual backdrop of the claim. Portal is a business specializing in the electronic safekeeping of medical records for hospitals, clinics and other medical providers. Portal contracted with Glens Falls Hospital to store and maintain its patients’ confidential medical records. On April 18, 2013, a class action suit was filed alleging that Portal failed to safeguard the confidential medical records of Glens Falls patients, posting those records on the internet and making them publicly accessible. Two Glens Falls patients discovered the records when they performed a Google search of their names, and found that the records were accessible, viewable, copyable, printable and downloadable from the internet between November 2012 and March 2013. Travelers had issued two commercial general liability policies to Portal covering January 31, 2012 to January 31, 2014. The policies required Travelers to afford coverage for injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or “the electronic publication of material that … discloses information about a person’s private life.” Travelers filed suit against Portal seeking an adjudication of its duty to defend Portal in the underlying class action suit. Both parties moved for summary judgment, and the District Court granted Portal’s motion. 
The central dispute addressed by the District Court was whether the fact that Portal made confidential medical records publicly accessible via an internet search constituted a “publication” under the Travelers policy. The District Court cited the dictionary definition of “publication” as meaning “to place before the public (as through a mass medium).” The District Court held that the underlying lawsuit concerned Portal’s action of placing records before the public by making them available through a simple online search of a patient’s name. The court rejected Travelers’ argument that Portal’s intent controlled the issue, finding that “the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Instead, the focus was merely whether the information was placed before the public. Put another way, an unintentional publication is still a publication. Travelers also argued that there could be no “publication” because the underlying complaint failed to allege that a third party actually viewed the information. The court rejected that argument, finding that the issue is not whether anyone accessed the information, but rather whether it was available for viewing by a third party or placed before the public. The court distinguished the facts at bar from those in Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013). In Recall Total, computer tapes fell out of the back of a van and were taken by an unknown person and never recovered. That court found that a general liability policy did not afford coverage for claims made by the affected individuals. 
The District Court explained that the facts at issue in Portal were different because the information was “posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.” The District Court went on to find that the availability of the information gave “unreasonable publicity” to the patient’s private life and “disclosed” information about that patient’s private life, as required by the policy. The court again referenced dictionary definitions of those terms, finding that “publicity” involves “the quality or state of being obvious or exposed to the general view” and that “disclosure” is “the act or process of making known something that was previously unknown; a revelation of facts.” Because Portal gave unreasonable publicity to patients’ private lives and made otherwise unknown medical information available on the internet, Travelers owed a duty to defend Portal. The Fourth Circuit’s short opinion endorsed the District Court’s use of the “Eight Corners Rule” in evaluating Travelers’ duty to defend. The underlying complaint potentially or arguably alleged a “publication” of private medical information and, if proven, that conduct would have given unreasonable publicity to and disclosed information about patients’ private lives. The fact that any member of the public with an internet connection could have viewed the plaintiffs’ private medical records was sufficient to trigger a duty to defend. The Fourth Circuit therefore affirmed the District Court’s ruling.
In a case that we believe reflects a real future trend in the cyber-risk industry, Las Vegas casino operator Affinity Gaming (“Affinity”) is suing Chicago-based IT security firm Trustwave Holdings, Inc. (“Trustwave”) for breach of contract, negligence, and fraud based on Trustwave’s alleged failure to fully eliminate malware from Affinity’s computer systems. According to the complaint, Affinity first discovered in early October 2013 that hackers had compromised its network security and stolen customer credit card information. After notifying its cyber insurer of the breach, Affinity was referred to Trustwave for “professional forensic data security investigator” (PFI) services. The parties executed an Incident Response Agreement outlining the scope of Trustwave’s services. After an investigation at Affinity’s offices, Trustwave produced a PFI report stating that it had identified, contained, and removed the malware responsible for the breach. Trustwave reported that the hackers responsible for the breach had likely removed the malware themselves sometime in mid-October after being detected. In April 2014, Affinity retained Ernst & Young to perform penetration testing on its systems in compliance with new gaming regulations. The test allegedly revealed that the malware previously identified by Trustwave had, in fact, not been completely contained and removed as reported. Consequently, Affinity hired another data security firm, Mandiant, a direct competitor of Trustwave, to perform a second investigation. According to Affinity, Mandiant’s review revealed that Trustwave’s prior investigation had failed to identify the original malware’s remote access point and two other related malware programs, and that hackers had continued to compromise Affinity’s systems during Trustwave’s remediation efforts. 
In addition to the fees it paid to Trustwave, Affinity seeks to recover from Trustwave the costs of Mandiant’s services, legal expenses associated with its defense of multiple investigations, and fees paid to financial institutions for the re-issuance of compromised credit cards. On February 29, 2016, Trustwave filed a motion to dismiss Affinity’s complaint for failure to state a claim. Trustwave argues, among other things, that the Incident Response Agreement demonstrates that Trustwave only “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Trustwave argues that Affinity failed to plead its fraud-based claims with the required specificity and that such claims are “nothing more than dressed-up breach of contract claims.” Trustwave further contends that Affinity’s tort claims are barred by the economic loss doctrine, and that its declaratory judgment claim is “wholly duplicative” of its other causes of action. Affinity filed a response to Trustwave’s motion on April 4, 2016, arguing that its constructive and equitable fraud claims establish a special relationship with Trustwave, “in light of Trustwave’s specialized knowledge and skills and Affinity’s unique vulnerability to and reliance on Trustwave’s superior position.” Affinity denies that any of its claims are barred by the economic loss doctrine because they “target both Trustwave’s contractual misrepresentations”—meaning misrepresentations made in the Incident Response Agreement itself—“as well as Trustwave’s breaches of duties independent of its contractual duties.” According to the Court docket, Trustwave has until April 19, 2016 to reply. It is still too early to tell which side will prevail, though Trustwave does have the benefit of strong contractual language executed by “sophisticated business entities,” and will likely emphasize this in its reply brief. 
The Trustwave case has captured the attention of the entire cyber-risk industry because it may signal a coming trend in the theories of liability associated with cyber-risk. It puts professional technology service providers and IT firms on notice that they, too, are held to a standard of care, and that deviation from that standard may expose them to liability for third-party damages. Technology service providers and IT firms should always discuss risk with their own counsel to receive comprehensive legal advice and maintain privilege. In doing so, service providers should reevaluate the strength and scope of their own engagement agreements and subcontracts, and the sufficiency of the performance standards governing their professional operations. They should also seek appropriate insurance coverage, including cyber-insurance, to further mitigate their risk.