<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Tressler LLP</title>
	<atom:link href="https://privacyriskreport.com/author/tresslerllp/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Seventh Circuit Court Of Appeals Reopens Doors To Federal Courts For BIPA Plaintiffs</title>
		<link>https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs</link>
		<comments>https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/#comments</comments>
		<pubDate>Wed, 06 May 2020 17:57:05 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Article III]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[injury-in-fact]]></category>
		<category><![CDATA[Seventh Circuit Court of Appeals]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2122</guid>
		<description><![CDATA[
<p>On May 5, 2020, the United States Court of Appeals for the Seventh Circuit issued a decision that will have an immediate impact on litigation concerning Illinois’ Biometric Information Protection Act (“BIPA”). The decision in Bryant v. Compass Group USA,... <a class="more-link" href="https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/">Seventh Circuit Court Of Appeals Reopens Doors To Federal Courts For BIPA Plaintiffs</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On May 5, 2020, the United States Court of Appeals for the Seventh Circuit issued a decision that will have an immediate impact on litigation concerning Illinois’ Biometric Information Protection Act (“BIPA”). The decision in <em>Bryant v. Compass Group USA, Inc</em>., 2020 WL 2121463 (7<sup>th</sup> Cir. 2020), puts to rest the question of whether a litigant can establish Article III standing in a federal court for BIPA claims.</p>
<p>Prior to the <em>Bryant </em>decision, <a href="https://privacyriskreport.com/ninth-circuits-recent-bipa-decision-must-be-kept-in-context-with-well-settled-illinois-law/" target="_blank">a number of federal district courts found BIPA plaintiffs did not have standing to bring an action in federal court because they could not allege an “imminent, concrete and particularized injury-in-fact</a>.” BIPA is a unique law to the extent Illinois state courts have found the failure to provide formal notice to a person before collecting and storing their biometric information is sufficient to establish standing in state court. The <em>Bryant </em>court held, in a decision that is more consistent with Illinois state court decisions, that alleged BIPA violations such as collecting fingerprints without formal notice are potentially “an invasion of…private domain, much like an act of trespass would be.” (“We conclude that a failure to follow section 15(b) of the law leads to an invasion of personal rights that is both concrete and particularized.”)  Even though there are different requirements for standing for federal and state courts, the <em>Bryant</em> decision allows BIPA plaintiffs back into federal courts.</p>
<p>The underlying facts in <em>Bryant</em> are similar to many of the BIPA claims currently working their way through state and federal courts around the country:</p>
<ul>
<li>The Plaintiff, Christine Bryant (“Bryant”), had access to a “workplace cafeteria” provided by her employer, Compass, with vending machines that accessed accounts through fingerprints rather than taking cash.</li>
</ul>
<ul>
<li>Bryant claimed she and her coworkers were instructed to scan their fingerprints into the vending system in order to purchase food from the machines or access their accounts.</li>
</ul>
<p>In her Complaint, Bryant claimed Compass violated BIPA when it “never made publicly available a retention schedule and guidelines for permanently destroying biometric identifiers and information it was collecting and storing.” While Bryant does not deny that she was aware that her biometric information was collected, Bryant claims the failure “to make the requisite disclosures denied her ability to give informed written consent as required by Section 15(b)” of BIPA.</p>
<p>Prior to the Seventh Circuit’s decision, the District Court for the Northern District of Illinois found Bryant’s alleged BIPA violations did not establish Article III standing as they “were bare procedural violations that caused no concrete harm to Bryant…[and] remanded the action to the state court.”  The Seventh Circuit reversed the District Court’s decision and found Bryant had sufficiently alleged concrete harm and had standing to bring the action in the District Court.</p>
<p>The initial analysis for any court to determine whether a litigant has Article III standing to bring an action in federal court begins with three requirements: (1) did the litigant suffer an “actual or imminent, concrete and particularized injury-in-fact; (2) there must be a causal connection between the injury and the conduct complained of; and (3) there must be a likelihood that the injury can be redressed by a favorable decision.” <em>See e.g., Lujan v. Defs. Of Wildlife</em>, 504 U.S. 555, 560-61 (1992). Since a number of district courts had found alleged BIPA violations did not confer standing in federal court, the <em>Bryant</em> court’s Article III standing analysis was limited to the first requirement, whether Bryant suffered an “actual or imminent, concrete and particularized injury-in-fact.”</p>
<p><a href="https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/" target="_blank">As seen in many BIPA and other privacy cases,</a> the Seventh Circuit closely examined the United States Supreme Court’s decision in <em>Spokeo, Inc. v. Robins</em>, 136 S. Ct. 1540 (2016), where it was held “that a ‘concrete’ injury must actually exist but need not be tangible” in order to meet the first requirement for Article III standing. In building off the <em>Spokeo</em> decision, the <em>Bryant </em>court further opined that to have standing, “the plaintiff must show that the statutory violation presented an ‘appreciable risk of harm’ to the underlying concrete interest that [the legislature] sought to protect by enacting the statute.” <em>Groshek v. Time Warner Cable, Inc</em>. 865 F.3d 884, 887 (7<sup>th</sup> Cir. 2017). The federal district courts held this requirement was not met when they considered allegations that the lack of formal notice of biometric information being collected caused a “concrete” injury.</p>
<p>In determining whether this first requirement for Article III standing was met, the <em>Bryant</em> court analyzed the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Entm’t Corp</em>., 432 Ill. Dec. 654 (Ill. 2019).  In this oft-quoted decision, the Illinois Supreme Court in <em>Rosenbach</em> held “[b]ecause section 15(b) of BIPA confers a right to receive certain information from an entity that collects, stores, or uses a person’s biometric information, the violation of that right, standing alone, is an actionable grievance.” More specifically, the <em>Bryant</em> court considered the Illinois Supreme Court’s holding that “through the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information.”  More simply, it is well-settled in Illinois law that “[a] key part of the right to control biometric information is ‘the power to say no by withholding consent.’”  Given this reasoning, Illinois state courts found BIPA plaintiffs sufficiently alleged an injury and, therefore, had standing to bring suit in state court.</p>
<p>The <em>Bryant </em>court provided the following analysis to support its holding that the alleged lack of formal notice that biometric data will be collected and stored is sufficient to confer Article III standing in federal court:</p>
<p><em>When an entity fails to adhere to the statutory procedures and thereby denies someone the ability to make an informed decision about whether to provide her biometric identifier, “the right of the individual to maintain his or her biometric </em><em>privacy</em><em> vanishes into thin air” and “[t]he precise harm the Illinois legislature sought to prevent is then realized.” </em><em>Id.</em><em> (internal citation and quotation marks omitted). And as Compass emphasizes, the court declared that such a violation “is no mere ‘technicality.’ The injury is real and significant.” </em><em>Id.</em><em> In Compass’s view, the Illinois Supreme Court’s characterization of BIPA’s purpose and the nature of the injury is dispositive.</em></p>
<p>However, the<em> Bryant</em> court also had to address the fact “federal courts and Illinois courts define ‘injury-in-fact’ differently.”  Therefore, the<em> Bryant</em> court had to “independently determine whether BIPA violations Bryant alleges suffice to support Article III standing.”  In reversing the District Court in the <em>Bryant</em> matter and a majority of other district courts in the Seventh Circuit, the <em>Bryant </em>court finds Bryant’s alleged BIPA violations sufficient to trigger Article III standing in federal courts.  More particularly, the <em>Bryant</em> court held the following concerning the failure to allow a plaintiff to give informed consent as mandated by BIPA:</p>
<p><em>As the Illinois Supreme Court recognized in Rosenbach, the informed-consent regime laid out in section 15(b) is the heart of BIPA. The text of the statute demonstrates that its purpose is to ensure that consumers understand, before providing their biometric data, how that </em><em>information</em><em> will be used, who will have access to it, and for how long it will be retained. The judgment of Illinois’s General Assembly is that the sensitivity of biometric </em><em>information</em><em> and the risk of identity theft or other </em><em>privacy</em><em> or economic harm that may result from its dissemination necessitates that people be given the opportunity to make informed choices about to whom and for what purpose they will relinquish control of that </em><em>information</em><em>. Compass’s failure to abide by the requirements of section 15(b) before it collected Smart Market users’ fingerprints denied Bryant and others like her the opportunity to consider whether the terms of that collection and usage were acceptable given the attendant risks.</em></p>
<p>BIPA is a unique law to the extent it does not require allegations that personal or biometric information was misused or breached.  The <em>Bryant</em> decision makes the federal court a viable option for BIPA plaintiffs by making standing requirements for federal courts consistent with Illinois state court requirements.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/">Seventh Circuit Court Of Appeals Reopens Doors To Federal Courts For BIPA Plaintiffs</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/seventh-circuit-court-of-appeals-reopens-doors-to-federal-courts-for-bipa-plaintiffs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</title>
		<link>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline</link>
		<comments>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/#comments</comments>
		<pubDate>Wed, 26 Feb 2020 15:56:26 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Datamation]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[SOPPA]]></category>
		<category><![CDATA[Todd Rowe]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2043</guid>
		<description><![CDATA[
<p>Join us for this exciting new webinar… The Final Countdown: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline Presented by Datamation and Tressler LLP Thursday, March 12, 2020 10:00 AM – 11:00 AM CT Click Here to... <a class="more-link" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><strong>Join us for this exciting new webinar…</strong></p>
<p><strong>The Final Countdown: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</strong></p>
<p>Presented by Datamation and Tressler LLP</p>
<p>Thursday, March 12, 2020</p>
<p>10:00 AM – 11:00 AM CT</p>
<p><strong><u><a href="https://register.gotowebinar.com/register/6036502859359204620">Click Here to Register!</a></u></strong></p>
<p><strong>Webinar Description</strong></p>
<p>While data breaches are starting to become an accepted part of life, the public is not willing to accept breaches involving minors’ personal information. In particular, recent breaches at educational publisher Pearson and other vendors have put a priority on keeping student personal information secure. Illinois has taken the lead in privacy law by adopting the Student Online Personal Protection Act (“SOPPA”) to protect student personal information.  SOPPA is a unique privacy law in that compliance is mandatory and it places a number of objective requirements on public and private schools. This law requires Illinois schools to monitor the security measures taken by third parties entrusted with student data. This engaging presentation will address the requirements under SOPPA, including the July 1, 2021 compliance deadline.</p>
<p><strong>About the Presenter: Todd Rowe, Attorney at Tressler LLP</strong></p>
<p><a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> is an award-winning privacy and cyberliability attorney located in Chicago, IL. He is ready to help you meet the SOPPA deadline. Tressler LLP attorneys are known for providing responsive, friendly and cost-effective legal services. Our team can offer custom, flat-rate or project-based pricing to ensure that we meet your budget and exceed your expectations. <strong>Learn more at <a href="https://www.tresslerllp.com/soppa" target="_blank">www.tresslerllp.com/soppa</a>, or contact Todd at <a href="mailto:trowe@tresslerllp.com">trowe@tresslerllp.com</a> for a free consultation.</strong></p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2020/02/soppa-compliance-team-image-800-wide.jpg"><img class="alignnone size-full wp-image-2046" src="https://privacyriskreport.com/wp-content/uploads/2020/02/soppa-compliance-team-image-800-wide.jpg" alt="" width="800" height="533" /></a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois&#8217; Biometric Information Protection Act Gets More Tangled With Employment Law</title>
		<link>https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law</link>
		<comments>https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/#comments</comments>
		<pubDate>Mon, 11 Mar 2019 19:50:00 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Illinois Biometric Privacy Information Act]]></category>
		<category><![CDATA[Seventh Circuit Court of Appeals]]></category>
		<category><![CDATA[U.S. District Court for the Northern District of Illinois]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1788</guid>
		<description><![CDATA[
<p>Biometric data is playing a larger role in employment law as more employers begin using equipment to scan employees’ fingerprints to clock in for work. Each week more employers are defending themselves against claims by the employees such as the... <a class="more-link" href="https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/">Illinois&#8217; Biometric Information Protection Act Gets More Tangled With Employment Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Biometric data is playing a larger role in employment law as more employers begin using equipment to scan employees’ fingerprints to clock in for work. <a href="https://cookcountyrecord.com/stories/511811892-employees-claim-patriot-medical-transport-illegally-made-them-scan-fingerprints-on-punch-clock" target="_blank">Each week more employers are defending themselves against claims by the employees such as the class action lawsuit filed against Patriot Medical Transport in Cook County Circuit Court last month.</a> The employees in the Patriot Medical litigation claim they “have suffered injury from the unlawful collection and storage of their fingerprints, hand geometry or other biometric data.” We can expect these class actions to continue to increase with the increased use of equipment that collects and stores biometric data.</p>
<p>While many of these cases are still in their early stages, the parties in <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/southwest-brief.pdf?sfvrsn=2" target="_blank"><em>Miller v. Southwest Airlines Co</em>., 18-3476 (7<sup>th</sup> Circ. 2018)</a> have already had a decision and are in the midst of an appeal related to equipment used to track employees through biometric data. In their brief submitted to the Seventh Circuit Court of Appeals, the Class Action Plaintiffs, who are “ramp and operations agents who worked and/or work for Southwest at Chicago’s Midway International Airport,” claim Southwest Airlines’ timekeeping system violates the Illinois Biometric Information Protection Act (“BIPA”).</p>
<p>Southwest adopted a timekeeping system that uses biometric identifiers and biometric information (fingerprints) to track its employees’ time at work. The Class Action Plaintiffs claim Southwest’s timekeeping system requires them to scan their biometric data into the system even though Southwest “did not obtain the requisite written consent, and did not publish a publicly available retention and destruction schedule.” In addition to claiming injuries from the alleged BIPA violation, the Class Action Plaintiffs “also alleged that they lost compensation as a result of Southwest’s actions as they ‘would not have agreed to work for [Southwest], at least not for the compensation they received, had they been informed pursuant to BIPA of the nature of Defendant’s biometric timekeeping system.’”</p>
<p>The Class Action Plaintiffs stated the question for the Seventh Circuit Court of Appeals as follows:</p>
<p><em>Did the district court err when it ruled that Plaintiffs-Appellants’ claims under the Illinois Biometric Privacy Information Act, 740 ILCS 14/1, et seq., were preempted by the Railway Labor Act, 45 U.S.C. § 151, et seq., because they constitute a “minor” dispute?</em></p>
<p>While this litigation is primarily based on employment law and related to issues between Southwest and its employees, there are a number of points where the Seventh Circuit will conceivably need to consider the reach of BIPA. Specifically, this litigation ended up before the Seventh Circuit when the U.S. District Court for the Northern District of Illinois held the Class Action Plaintiffs’ BIPA claim was preempted as a minor dispute under the Railway Labor Act (“RLA”). The RLA is intended “to promote stability in labor-management relations by providing a comprehensive framework for resolving labor disputes” by establishing a “mandatory arbitral mechanism for the ‘prompt and orderly settlement’ of two classes of disputes, characterized as ‘major’ and ‘minor’ disputes.”</p>
<p>Specifically, the District Court reasoned that the Class Action Plaintiffs’ Collective Bargaining Agreement (“CBA”) would govern whether the Class Action Plaintiffs were injured by the alleged BIPA violation:</p>
<p><em>…Plaintiffs further allege they ‘would not have agreed to work for Defendant, at least not for the compensation they received, had they been informed pursuant to BIPA of the nature of Defendant’s biometric timekeeping system.’ (Id.) Among the relief Plaintiffs seek is compensation for the commercial value of their biometric information. </em></p>
<p><em>Because the CBAs govern the rates of pay, rules, and working conditions of Plaintiffs’ employment, Plaintiffs’ BIPA claim ‘requires interpretation of the CBA to determine whether</em> <em>[Defendant] has the authority to use a particular timekeeping system for employees.’ Johnson, 2018 WL 3636556, at *2. Specifically, the CBAs dictate employees’ wage rules, rates of pay, and bonuses. (See CBA, Jordan Decl. Ex. A (Dkt. No. 281) at Art. 28.) Defendant and TWU 555 negotiated the wage scales applicable to Plaintiffs, as well as other pay provisions relating to premium pay. (Jordan Decl. Ex. A (Dkt. No. 28-1) ¶ 8.) </em></p>
<p><em>***</em></p>
<p><em>Plaintiffs’ BIPA claim cannot be resolved without interpreting the wage provisions of the CBAs and the relevant bargaining history to determine whether the wages TWU 555 and Defendant negotiated were intended to compensate employees for all conditions of their employment, including use of the biometric timekeeping system. Likewise Plaintiffs’ challenge to Defendant’s decision to implement the biometric timekeeping system requires an interpretation as to whether the decision falls within the scope of Defendant’s right to ‘manage and direct the work force.’”…</em></p>
<p>In short, the District Court ruled the Class Action Plaintiffs’ BIPA claim was a “minor dispute” under the RLA and dismissed their claim.</p>
<p>While there are a number of points where BIPA and employment intersect in this litigation, the Class Action Plaintiffs take positions that will undoubtedly test the reach of BIPA. For example, in addressing whether Southwest gave proper notice of the new timekeeping system, the Class Action Plaintiffs argue:</p>
<p><em>First, Southwest’s alleged notice was given in 2005, three years before BIPA had even been enacted into law, and therefore had nothing to do with BIPA (or with the information required to be disclosed under BIPA). Second, Southwest produced no evidence that such notice was given in writing as required under BIPA. See 740 ILCS 14/15. Third, when it notes merely that the Union “did not object or seek an amendment” to the CBA in response (ECF No. 28-3 ¶ 10), Southwest conceded that it did not obtain written consent under BIPA to collect biometrics. In short, Southwest provided no evidence whatsoever of BIPA-compliant notice to, or BIPA compliant consent from, anyone—be it the Union or otherwise. As such, interpretation of the CBAs is not required to resolve Appellants’ BIPA claim. The District Court erred when it found otherwise. </em></p>
<p>The use of biometric data by employers is one of the first areas where we can expect BIPA to be tested by litigants. <a href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/" target="_blank">We have already seen a number of developments related to BIPA in 2019, including the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Entertainment Corp</em>., 2019 IL 123186 (Jan. 25, 2019)</a>. The scheduling order in <em>Southwest Airlines</em> indicates the briefing should be complete by April 11, 2019. Business owners and their insurers will need to watch the progression of this litigation and the many other lawsuits in Illinois in order to fully assess whether their use of biometric data exposes them to liability from customers and employees.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/">Illinois&#8217; Biometric Information Protection Act Gets More Tangled With Employment Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-biometric-information-protection-act-gets-more-tangled-with-employment-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</title>
		<link>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac</link>
		<comments>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/#comments</comments>
		<pubDate>Mon, 28 Jan 2019 18:07:18 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[biometric data act]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Illinois Court of Appeals]]></category>
		<category><![CDATA[Illinois Supreme Court]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1766</guid>
		<description><![CDATA[
<p>While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically,... <a class="more-link" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically, the Illinois legislature has taken steps through the Personal Information Protection Act and the Biometric Information Protection Act (“Biometric Act”) that will put data collectors and courts at the forefront of privacy law for years to come.</p>
<p>The latest development in Illinois privacy law was seen last Friday when the Illinois Supreme Court issued its decision in <em>Rosenbach v. Six Flags Entertainment Corp</em>., 2019 IL 123186 (Jan. 25, 2019), which provides insight on what is necessary to bring a cause of action under the Biometric Act. In <em>Rosenbach</em>, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person <em>aggrieved</em> by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff to assert that they suffered an injury in addition to having their biometric data collected. In reversing the Illinois Court of Appeals, the Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent. The most important aspect of this case is that a data collector can be liable without breaching any information.</p>
<ul>
<li><strong>The Facts In <em>Rosenbach</em></strong></li>
</ul>
<p>The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois. The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy who visited Six Flags’ amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flags’ website. Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card. Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data. Rosenbach claimed she was “aggrieved” under the Biometric Act without any allegation that Six Flags breached any data.</p>
<p>In <em>Rosenbach</em>, the Illinois Supreme Court provided the following analysis of the term “aggrieved” as used in the Biometric Act:</p>
<p><em>More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.</em>  ¶</p>
<ul>
<li><strong>The Illinois Court Of Appeals’ Decision Is Reversed</strong></li>
</ul>
<p>The Illinois Court of Appeals held that the allegations that Six Flags took patrons’ thumbprints without proper consent did not establish a violation of the Act because the patrons were not “aggrieved” as required by the Biometric Act. In reversing the Court of Appeals, the Illinois Supreme Court held:</p>
<p><em>In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.</em></p>
<ul>
<li><strong>Potential Impact Of This Decision</strong></li>
</ul>
<p>The <em>Rosenbach</em> decision will undoubtedly cause ripples in privacy law for years to come, as a party can conceivably maintain a viable cause of action without pleading any “actual injury or damage.” This decision may close the door on data collectors being held liable only when they breach biometric data. Rather, data collectors will need to review all processes that may collect biometric data to confirm they are complying with the Biometric Act. For example, Six Flags may now need to revamp its use of thumbprints to make sure it obtains consent from a minor’s guardian and makes clear how the data will be used.</p>
<p>Further, this decision may undercut the usefulness of expensive equipment used to collect biometric data if a majority of people withhold their consent to have their information collected. For example, many workplaces have started to track employees’ hours by using biometric data including fingerprints and thumbprints. These new systems that rely on biometric data make &#8220;clocking in&#8221; more convenient than systems that may rely on employee numbers or time cards. It will be interesting to see how employers will work with employees who refuse to consent to having their biometric information collected after the employer purchased the expensive equipment. Suffice it to say, we can expect Illinois to continue to be the source of many influential developments in privacy law in the coming years.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attorney Spotlight: Todd Rowe</title>
		<link>https://privacyriskreport.com/attorney-spotlight-todd-rowe/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=attorney-spotlight-todd-rowe</link>
		<comments>https://privacyriskreport.com/attorney-spotlight-todd-rowe/#comments</comments>
		<pubDate>Mon, 07 May 2018 15:51:35 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Attorney Spotlight]]></category>
		<category><![CDATA[Privacy Practice Group]]></category>
		<category><![CDATA[Todd Rowe]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1500</guid>
		<description><![CDATA[
<p>Todd Rowe is a partner in Tressler’s Privacy Practice Group. He regularly advises insurers on complex matters, including the resolution of large claims and claims under specialty and commercial insurance lines throughout the country. His practice areas include Insurance, Litigation,... <a class="more-link" href="https://privacyriskreport.com/attorney-spotlight-todd-rowe/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/attorney-spotlight-todd-rowe/">Attorney Spotlight: Todd Rowe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Todd Rowe is a partner in Tressler’s Privacy Practice Group. He regularly advises insurers on complex matters, including the resolution of large claims and claims under specialty and commercial insurance lines throughout the country. His practice areas include Insurance, Litigation, Privacy, Cyberliability, Technology/Cyberliability Litigation, First Party Property, and Products Liability Litigation.  He received his J.D. from Marquette University Law School and currently works out of Tressler’s Chicago office.</p>
<p><strong>What do you like most about Tressler?</strong></p>
<p>After working in Wisconsin and Michigan for a number of years, Tressler LLP has been my home for more than ten years.  The legal and insurance industries have gone through many changes in the years I have been at Tressler.  However, after growing up around the constantly evolving auto industry in Detroit, Michigan, I have learned to accept and embrace change.  I am surrounded by people at Tressler LLP that are ready to serve our clients’ evolving needs.  For example, Tressler built our Privacy Practice Group to assist clients with the emerging issues presented by data, cyber and privacy on the building blocks of our extensive insurance experience. I am proud of Tressler’s past and excited about our future.</p>
<p><strong>How did Tressler’s Privacy Practice Group develop?</strong></p>
<p>Our Privacy Practice Group developed in distinct phases over the last nine years. While working in insurance coverage, it became clear that data storage would give rise to claims that would not be covered as bodily injury, property damage or advertising injury under commercial general liability policies and may not constitute a peril under a traditional property insurance policy. First, our Privacy Practice Group was able to gain valuable experience by working with small governments and school districts on their data retention and storage issues. Next, by the time insurers needed assistance on cyber issues, our Practice Group had the unique experience in both responding to privacy issues and insurance coverage to assist with this new line of insurance. While working with insurers, our Practice Group has been assigned matters occurring in a variety of industries, ranging from health care and manufacturing to financial institutions.</p>
<p><strong>How does Tressler’s Privacy Practice Group assist insurers?</strong></p>
<p>Our Practice Group’s insurer clients initially requested our assistance in policy drafting since cyber insurance policies did not contain uniform policy language or coverages. As cyber policies became more widely available, insurers asked our Practice Group to assist in responding to insureds’ cyber incidents. While working with insurers, our Practice Group has developed a network of forensic, public relations and notification vendors. We have responded to more than 50 cyber incidents involving everything from data breaches to ransomware.</p>
<p><strong>How does Tressler’s Privacy Practice Group assist data collectors?</strong></p>
<p>While a number of law firms are reaching into privacy, Tressler has offered pre-breach and post-breach counseling to data collectors for years. These services can range from creating response plans to connecting our clients with forensic and public relations vendors. Tressler is continuing to lead in this emerging area by offering its clients employee training to complement technological safeguards.</p>
<p>Todd Rowe can be reached at <a href="mailto:trowe@tresslerllp.com">trowe@tresslerllp.com</a>. Learn more about our attorneys by visiting <a href="https://www.tresslerllp.com/attorneys" target="_blank">https://www.tresslerllp.com/attorneys</a>.</p>
<p><em>Attorney Advertising | Prior results do not guarantee a similar outcome.</em></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/attorney-spotlight-todd-rowe/">Attorney Spotlight: Todd Rowe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/attorney-spotlight-todd-rowe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Emerging Privacy Issues In Discovery Of Social Media</title>
		<link>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=emerging-privacy-issues-in-discovery-of-social-media</link>
		<comments>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/#comments</comments>
		<pubDate>Wed, 01 Mar 2017 22:33:25 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[medical information]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1123</guid>
		<description><![CDATA[
<p>By Danita L. Davis Sudac Individuals’ willingness to share detailed accounts of their lives on social media sites, such as Facebook, has created an unparalleled source of evidence for lawyers seeking discovery.   There is little question that social media evidence... <a class="more-link" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Emerging Privacy Issues In Discovery Of Social Media</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>By Danita L. Davis Sudac</em></p>
<p><span style="font-family: Calibri;"><span style="color: #000000;">Individuals’ willingness to share detailed accounts of their lives on social media sites, such as Facebook, has created an unparalleled source of evidence for lawyers seeking discovery.   There is little question that social media evidence can be helpful in the areas of civil litigation.  For example, it can be used to discredit a litigant or contradict allegations of damages. Recently, in the high profile matter of <i>Brown v. City of Ferguson</i></span><span style="color: #000000;">, 15-cv-831, (E.D. Mo., E Div. Jan. 27, 2017), U.S. District Judge E. Richard Webber ordered that the family of Michael J. Brown, Jr., the unarmed black teenager killed in 2014 by police in Ferguson, must disclose all relevant Facebook posts in their wrongful death action against the city.   The court disagreed with Brown’s family members’ claims that they had a right to privacy for notes sent through Facebook Messenger.  The court likened Messenger to a “personal diary” which the court found must be disclosed if it has entries relevant to a case.  The court reasoned that the social media posts would show the family members’ relationships with Brown, which will help calculate pain, suffering and psychological damages, as well as provide evidence that could be used by the City and other Defendants to impeach or show bias.  In addressing concerns as to overbreadth and relevance, the court noted that the disclosure was limited in time and the entry of a protective order would safeguard any remaining privacy concerns.  </span></span></p>
<p><span style="font-family: Calibri;"><span style="color: #000000;">In cases where the production of social media information is challenged, most courts note that discovery of such information is governed by the same legal principles that guide more traditional forms of discovery. As one New York Superior Court opinion recognized, “fishing expeditions” of social media accounts are just as objectionable as their “analog antecedents.” <i>Winchell v. Lopiccolo,</i></span><span style="color: #000000;"> 954 N.Y.S.2d 421 (2012). Relevance is still a prerequisite before broad social media discovery is allowed. Once relevance is established, however, the traditional rules of civil procedure generally apply.</span></span></p>
<p><span style="color: #000000; font-family: Calibri;">Despite the fact that social media users may try to self-regulate their privacy settings to restrict public disclosure, in the litigation context, these posts may be deemed relevant and discoverable regardless of the users’ privacy intentions. Further, when seeking social media discovery, attorneys should also think twice about “friending” a represented adverse party. Such activity likely violates the Rules of Professional Conduct, which address communications with represented parties. As it pertains to their own clients, attorneys must also be aware of issues related to the preservation of social media evidence. Once involved in a lawsuit, a litigant cannot delete relevant social media evidence at issue in the litigation.</span></p>
<p><span style="color: #000000; font-family: Calibri;">In sum, as social media continues to be a popular and accessible mode of communication, discovery of social media information will become more prominent. Attorneys and their insurer clients should familiarize themselves with rules and recent decisions regarding the production of social media information as  issues surrounding such discovery will  likely be the subject of objection and motion practice. </span></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Emerging Privacy Issues In Discovery Of Social Media</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Suit Filed by Credit Union over Arby’s Data Breach</title>
		<link>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-suit-filed-by-credit-union-over-arbys-data-breach</link>
		<comments>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/#comments</comments>
		<pubDate>Thu, 16 Feb 2017 21:25:23 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[arby's]]></category>
		<category><![CDATA[card operating regulations]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[EVM]]></category>
		<category><![CDATA[EVM chip]]></category>
		<category><![CDATA[home depo]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1116</guid>
		<description><![CDATA[
<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a class action complaint in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to... <a class="more-link" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Midwest_America_Federal_v_Arbys.pdf" target="_blank">class action complaint</a> in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to comply with Card Operating Regulations issued by the payment card industry (MasterCard, VISA, Discover, and American Express), allowing a major data breach to occur between October 25, 2016, and January 19, 2017. Midwest America’s complaint alleges that this breach affected thousands of issuers of credit and debit cards nationwide.</p>
<p>The data breach was first <a href="https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/" target="_blank">reported last week</a> by cyber security expert Brian Krebs, who said in an online report that he was alerted to problems by banks and credit unions affected. Arby’s subsequently acknowledged the breach, telling him it involved malware on payment systems of its restaurants. In a statement on its website, Arby’s said it immediately notified law enforcement when it became aware of the breach and removed the malware.</p>
<p>The class action complaint alleges that the payment card industry issued Card Operating Regulations that mandate that Arby&#8217;s comply with industry standards. These standards require that all businesses upgrade to new card readers that accept EMV chip technology. EMV chip technology uses embedded computer chips to store payment card data. Every time an EMV card is used, the chip creates a unique transaction code that cannot be duplicated.</p>
<p>EMV technology increases payment card security because, if stolen, the unique number cannot be used by hackers. The deadline for the installation of such systems was October 1, 2015. The class action alleges that Arby&#8217;s did not meet this deadline, as it has not installed chip card readers in its stores. The Card Operating Regulations dictate that businesses that continue to accept payment cards without chip readers will be liable for any damages as a result of data breaches.</p>
<p>The complaint alleges that Arby’s knew of the danger of not safeguarding its terminal network because Target, Home Depot and Wendy’s suffered similar data breaches. In 2015, Target agreed to pay $39.4 million to banks and credit unions in a suit relating to a 2013 data breach. Proposed class actions by banks and credit unions over Home Depot’s 2014 breach and Wendy’s 2015 breach are still pending in federal courts.</p>
<p>This recent breach demonstrates how difficult cyber security can be, even for large businesses that have seen a number of their competitors deal with large breaches and may have the resources to properly address cyber security concerns. This case, and other large-scale breaches, may explain why smaller targets may dismiss cyber security safeguards based on the misconception that breaches only take place when there is a large amount of data at risk. However, it is important to keep in mind that many hackers have found that smaller targets have lighter security than larger targets. Therefore, while large-scale breaches are still taking place, there have been a number of recent examples of why smaller targets should continue to prepare for a cyber incident.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cardinals&#8217; Exec&#8217;s Prison Sentence Sets Stage for Future “Cyber Espionage” Cases</title>
		<link>https://privacyriskreport.com/cardinals-execs-prison-sentence-sets-stage-for-future-cyber-espionage-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cardinals-execs-prison-sentence-sets-stage-for-future-cyber-espionage-cases</link>
		<comments>https://privacyriskreport.com/cardinals-execs-prison-sentence-sets-stage-for-future-cyber-espionage-cases/#comments</comments>
		<pubDate>Wed, 27 Jul 2016 15:33:52 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[astros]]></category>
		<category><![CDATA[cardinals]]></category>
		<category><![CDATA[cyber espionage]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[espionage]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[houston astros]]></category>
		<category><![CDATA[major league baseball]]></category>
		<category><![CDATA[MLB]]></category>
		<category><![CDATA[st. louis cardinals]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=870</guid>
		<description><![CDATA[
<p>The New York Times has reported that a Texas federal judge sentenced former St. Louis Cardinals Director of Baseball Development, Christopher Correa, to 46 months in prison after he pleaded guilty to five counts of unauthorized access of a protected computer. The... <a class="more-link" href="https://privacyriskreport.com/cardinals-execs-prison-sentence-sets-stage-for-future-cyber-espionage-cases/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>The <em><a href="http://www.nytimes.com/2016/07/19/sports/baseball/christopher-correa-a-former-cardinals-executive-sentenced-to-four-years-for-hacking-astros-database.html?_r=1">New York Times</a></em> has reported that a Texas federal judge sentenced former St. Louis Cardinals Director of Baseball Development, Christopher Correa, to 46 months in prison after he pleaded guilty to five counts of <a href="https://privacyriskreport.com/major-league-breach-baseball-provides-first-cyber-espionage-case/">unauthorized access of a protected computer</a>. The sentence includes two years of supervised release and a restitution payment of $279,038. Correa remains out on bond until he reports to prison in the next two to six weeks.</p>
<p>Under <a href="http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf">18 U.S.C.A. § 1030</a>, a person found guilty of unauthorized access of a protected computer could face up to five years in prison for each count. Correa’s sentence is significant in that the punishment stretched beyond restitution to the victims, and the prison time is substantial. Cyber crime is no longer considered merely a nuisance; rather, it is prosecuted robustly at the federal level. This case sets the precedent for further cases of “cyber espionage,” and provides an understanding in the legal community as to how these types of cases may be viewed by the court.</p>
<p>During his plea, Correa admitted to hacking into “Ground Control,” the scouting database used by the Houston Astros. He told the court that he accessed the e-mail of an Astros’ employee who formerly worked for the Cardinals. Correa was able to access the e-mail because this employee used a similar password to the one he used when he worked for the Cardinals. Correa admitted to the court that he “guessed” the password, granting him access. Through the e-mail, Correa was able to gain access to two other Astros’ employee accounts, and see information in the Ground Control database. The information Correa accessed was given an estimated value of $1.7 million by the U.S. Attorney’s office.</p>
<p>This breach demonstrates that cyber security is no longer a luxury: a breach can happen as simply as a password being stolen, resulting in $1.7 million in damages to an entity. Even if an organization does not grant internet access to its employees, confidential corporate information can be breached simply by using an e-mail address.</p>
<p>Further, this situation is another example of a cyber incident committed by a person who does not fit the classic hacker stereotype. The common misconception of a hacker is a tech-savvy person using cutting-edge equipment to steal valuable information. This misconception is dangerous to the extent that it allows smaller targets to dismiss cyber security as being necessary for only larger, high-value targets. This situation, involving an unsophisticated tactic with a very industry-specific target, is a great reminder that significant damage can be done by those with inside access.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cardinals-execs-prison-sentence-sets-stage-for-future-cyber-espionage-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shareholders&#8217; Derivative Suit Misses Target, Still Offers Warning to Directors &amp; Officers</title>
		<link>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers</link>
		<comments>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/#comments</comments>
		<pubDate>Thu, 14 Jul 2016 20:24:42 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[d&o]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[directors and officers]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=841</guid>
		<description><![CDATA[
<p>On July 7, 2016, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted several motions to dismiss by Target directors and officers seeking dismissal of derivative suits filed by various Target shareholders. The derivative... <a class="more-link" href="https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On July 7, 2016, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted several motions to dismiss by Target directors and officers seeking dismissal of derivative suits filed by various Target shareholders. The derivative suits stem from the <a href="https://privacyriskreport.com/tag/target/" target="_blank">2013 data breach at Target stores</a> where hackers stole private data from an estimated 70 million customers, including credit and debit card information, names, mailing addresses, phone numbers and e-mail addresses.</p>
<p>Of the bevy of litigation that stemmed from the breach, a total of six derivative suits arose from Target shareholders. One of those was filed by shareholder Maureen Collier, wherein she alleges Target’s board of directors and top executives bear the responsibility for the financial and reputational damages to the company as a direct result of the data breach (<a href="https://dockets.justia.com/docket/minnesota/mndce/0:2014cv00266/136500" target="_blank"><em>Collier v. Steinhafel et al</em></a>.). In her suit, Collier brings claims for breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control.</p>
<p>In order to assess the allegations, a special litigation committee (SLC) was appointed by the company, including a former Minnesota Supreme Court justice and a University of Minnesota law school professor. In March 2016, after a nearly two-year-long investigation, the committee issued a 91-page report concluding that Target should not pursue claims against the directors and officers.</p>
<p>In May 2016, after completion of the report, the SLC filed its <a href="https://privacyriskreport.com/wp-content/uploads/2016/07/Motion-for-Approval-and-Dismissal-07.07.16.pdf" target="_blank">Motion for Approval and Dismissal</a> moving to dismiss the derivative actions. As outlined in the SLC’s Motion, courts do not question an SLC’s conclusions or re-examine the merits of its decisions; rather, the court’s evaluation is limited to determining whether the SLC’s members are disinterested and independent.</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2016/07/Target-Order-07.07.16.pdf" target="_blank">By Order on July 7, 2016</a>, Judge Magnuson granted the SLC’s Motion for Approval and Dismissal as well as Motions to Dismiss brought by three other individual defendants. While the instant motion was granted, the Plaintiffs did retain the right to move the court for legal fees and expenses from Target.</p>
<p>This dismissal comes as yet another hit to Plaintiff litigation in cybersecurity derivative lawsuits. In addition to the <em>Target</em> litigation, several other cases have also failed to advance past a Motion to Dismiss. In December 2009, a derivative suit against <a href="http://securities.stanford.edu/filings-documents/1042/HPY09_01/2009127_r01o_0901043.pdf" target="_blank">Heartland Payment Systems, its CEO and CFO</a> was dismissed by the United States District Court for the District of New Jersey. In October 2014, the same court dismissed a similar lawsuit against <a href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/" target="_blank">Wyndham Worldwide and its directors and officers</a>.</p>
<p>While, to date, Plaintiffs have not had much success with this issue, cybersecurity derivative litigation is still in its infancy. As technology advances, so too does the likelihood of such data breaches, and it falls upon top executives and directors to handle these matters appropriately to avoid derivative litigation.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The First Cable Operator to Be Targeted by the FCC for Data Breach Settles for $595,000</title>
		<link>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000</link>
		<comments>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/#comments</comments>
		<pubDate>Mon, 16 Nov 2015 22:31:06 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporation]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[fake]]></category>
		<category><![CDATA[FCC]]></category>
		<category><![CDATA[fine]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[response plan]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=475</guid>
		<description><![CDATA[
<p>The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC order, the FCC stressed the importance of... <a class="more-link" href="https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC <a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db1105/DA-15-1241A1.pdf." target="_blank"><em>order</em></a>, the FCC stressed the importance of protecting cable and satellite consumers’ personal information and the consequences of failing to protect such information. This may be a signal that the FCC is ready to be more vigilant against cable and satellite service providers for data breaches.</p>
<p>Cox’s electronic data systems were breached in August 2014 when a hacker pretended to be from Cox’s IT department and convinced a Cox customer service representative and a Cox contractor to provide their Cox IDs and passwords to a fake website controlled by the hacker. With these Cox IDs and passwords, the hacker then gained access to personal data of Cox’s current and former customers, including their names, home addresses, email addresses, phone numbers, partial social security numbers, and partial license numbers. The hacker then posted some of this personal information on social network sites, changed the passwords of some customers, and shared some customers’ personal information with another hacker.</p>
<p>As part of the settlement with the FCC, Cox agreed to improve its privacy and data security practices, including designating a senior corporate manager, who is a certified privacy professional, to:</p>
<ul>
<li>oversee compliance with the consent decree,</li>
<li>conduct privacy risk assessments,</li>
<li>implement a written information security program,</li>
<li>maintain a reasonable oversight of third-party vendors,</li>
<li>implement a better data breach response plan, and</li>
<li>provide privacy and security awareness training to employees and third-party vendors.</li>
</ul>
<p>Over the last year, we have seen the <a href="https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/"><em>Securities and Exchange Commission</em></a> address cybersecurity in addition to the U.S. Court of Appeals for the 3rd Circuit’s <a href="https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/"><em>holding</em></a> that the Federal Trade Commission has the authority to regulate cybersecurity for American businesses and corporations. In addition to the <a href="https://privacyriskreport.com/fcc-seeks-10-million-in-fines-for-consumer-data-breaches/"><em>FCC’s fines against telecommunications providers</em></a>, this action brought by the FCC provides the latest example in a long line of government agencies having to regulate emerging issues concerning data security.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
