Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017. Of course, with two weeks left in 2017, there is still time for last-minute data breaches, cyber incidents or other surprises. Just this week, we saw major news stories which include the US government blaming North Korea for the WannaCry cyberattack earlier this year and Sonic Drive-Ins being sued in a class action for its data breach. Therefore, while we are hesitant to put together a list with a couple of weeks left in 2017, it is safe to form at least some broad conclusions about 2017.
Cyber has been a moving target for years and 2017 has been no different. In 2017, we saw privacy laws evolve while legislatures attempted to keep up with the various threats. While we did not see a pivotal cyber insurance law case, 2017 had a fair share of cases that deserve further analysis. We saw a number of cyber incidents and data breaches that should keep litigants and our courts busy for many years. Overall, we saw a scenario where smaller data collectors have less personal information to protect and can make adjustments in 2018. The fact that large-scale data breaches are still occurring may indicate that, despite having better information concerning data protection, large-scale data collectors may not be able to make adjustments within their organizations quickly enough to keep up with changes rules and evolving threats.
The body of information concerning data collectors’ obligations is growing and 2017 provided the following insight for consideration in 2018 and beyond:
The Further Development Of State Privacy Laws
Without having a significant body of law to rely upon, state privacy laws typically provide the most guidance for data collectors. These laws regulate the type of information that must be protected, how to protect that information and the consequences if the information is not protected properly. In 2017, we analyze revisions and modifications to these laws that should be addressed.
What are “Reasonable Measures” For Data Collectors?
One central issue playing out in 2017 has been how “data collectors” adapt to modifications of state privacy laws. For example, Illinois amended its breach notification statute the Personal Information Act (815 ILCS §530/5) (“PIPA”) to include a requirement that any data collector holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Illinois joined a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual who has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.
PIPA was also amended in 2017 to require data collectors to take “reasonable measures” to protect personal information. While we really did not get much insight on what the legislature believes may constitute “reasonable measures,” by mid-January of 2017 we had already seen courts provide some guidance. In our January 19, 2017 post, we analyzed the Dittman decision in Pennsylvania to determine obligations for “data collectors” in the absence of controlling law. With scant law, a “data collector” may want to consider the advice in the Dittman concurrence opinion and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data. Otherwise, we are still waiting on a court to address what the “Reasonable Measures” standards means.
On August 15, 2017, the Department of Commerce released Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.”
The stated objectives of the NIST publication includes: “…to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provided the following “key questions that should be answered by organizations when addressing their security and privacy concerns”:
- What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
- Have the security and privacy controls been implemented or is there an implementation plan in place?
- What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”
At this point, NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017. While there may be no requirement to meet the NIST Standards, a data collector has a better chance of showing they took “reasonable measures” if they can demonstrate they attempted to address the NIST standards in addition to the vague requirements found in state privacy laws and the general standards of some industries.
States And Courts Take Steps To Protect Biometric Data
While we saw some changes concerning the storage of “personal data” in 2017, we also received a glimpse of the importance of protecting biometric data.
In late 2016 and 2017, we saw a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA). “Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from watches that may collect health data, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions.
Not only is this technology is here to stay, but it is already involved in litigation across the country. For example, in Vigil v. Take-Two Interactive Software, Inc., the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game. Without a doubt, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. In 2018, we can expect to see data collectors find other uses for biometric information and, therefore, more effort will be needed to protect this information.
By March of 2017, we saw another biometric data case when the Eastern District for the Northern District of Illinois analyzed BIPA in Rivera v. Google Inc., 16 C 02714 (N.D. Ill 2016), and found allegations that Google created and stored face-scans from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.
As we move into 2018, we can expect the protection of biometric data will continue to grow in importance for data collectors.
Another Large-Scale Data Breach in 2017: Equifax
While it appeared in 2017 that large-scale data breaches may not occur as frequently as we saw a couple of years ago with Target Stores, Home Depot, Best Buy or the federal government, 2017 still had its fair share of large data breaches. The growing consensus that fewer data breaches may indicate large data collectors were taking better precautions with personal information was called into question when it was announced in September that Equifax had a significant breach. Admittedly, we are still learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017. While different numbers have been discussed, it appears about 143 million people may have been impacted. Suffice it to say, this was a huge data breach.
The FTC’s website provides the following facts on the Equifax breach:
The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.
Equifax’s breach response at this point initially included offering one free year of its credit monitoring service and provides information via its website created just for this breach. However, Equifax soon faced a backlash including the following complaints related to its response:
- News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, Equifax had to issue a statement claiming to have fixed the problems with its website.
- Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. Leaving some commentators to say “so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”
- Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.
- More than 20 proposed class-action lawsuits were filed around the country in less than a week since the breach was announced.
- Shares of Equifax closed down 8.2% on September 11, 2017 after falling more that 13% on September 8, 2017.
- SEC filings show that three Equifax executives sold nearly $2 million in shares of the company days after the cyberattack was discovered. Equifax had to issue another statement after its announcement indicating that while the three executives sold a “small percentage” of their shares August 1 and August 2, 2017, they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Unfortunately, Equifax’s various supplemental announcements after the initial announcement placed Equifax’s response under further scrutiny. After the Equifax breach, it became clear that not all large data collectors, despite seeing breach scenarios play out over and over, may not be prepared for a data breach.
Allegations in Uber Breach Demonstrate Need For Clear Response To Incident
If Equifax made it clear that we are not out of the woods on large-scale data breaches, the allegations against Uber after its breach may have shed more light on how large-scale data collectors are handling breaches. On November 28, 2017 when the City of Chicago and Illinois (“plaintiffs”) filed their Complaint in a case entitled City of Chicago et al. v. Uber Technologies, Inc., Case No. 2017CH15594 (Nov. 28, 2017). The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.” More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity. This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.
In particular, the plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.” The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…” Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment. The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”
The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.
Litigation In 2017 Looked Like Litigation In 2016: “Standing” To Bring Suit Still Questionable In 2017
As seen in prior years, the threshold question in data breach lawsuits during 2017 is still whether a litigant has “standing” to bring a cause of action against the party that allegedly caused a breach. This hurdle for litigants rises out of Article III of the Constitution that limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative. Nevertheless, while a number of data breach cases have been lost at the initial pleadings states, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.
As this body of law has developed over the years, one case in particular, Lewert v. P.F. Chang’s China Bistro, Inc., 14-3700 (7th Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs. Developments in 2017 in the P.F. Chang’s litigation should provide more hope for plaintiffs.
The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count.” (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.
On April 26, 2017 the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.
While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss. It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since the Neiman Marcus case recently settled before we could see how that litigation unfolds through discovery and further motion practice.
Take-Away For 2018
Based on the developments in 2017, we can expect smaller data collectors to have a wealth of information to use when determining their obligations for storage of personal information. Smaller data collectors have state privacy laws, industry regulations and cases to look to for guidance. On the other hand, Equifax may show us that larger data collectors may have trouble in 2018. Even though all data collectors have the same information available concerning their obligations, large data collectors may have too much information and too much red tape to properly prepare for an incident. Out of all the large-scale data collectors, one would hope Equifax was prepared for a breach and had a response ready to go. We may see a scenario where smaller data collectors, despite fewer resources, have a better chance to protect data.