<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; class action</title>
	<atom:link href="https://privacyriskreport.com/tag/class-action/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>More Than Just A Confusing Law? Defendant Argues Illinois’ Biometric Law Is Unconstitutional</title>
		<link>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional</link>
		<comments>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/#comments</comments>
		<pubDate>Fri, 23 Aug 2019 15:11:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA; biometric data]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1918</guid>
		<description><![CDATA[
<p>There is little dispute that the Illinois Biometric Information Protection Act (“BIPA”) is a unique privacy law to the extent that it creates a private cause of action for any failures to notify individuals before their biometric information is collected... <a class="more-link" href="https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/">More Than Just A Confusing Law? Defendant Argues Illinois’ Biometric Law Is Unconstitutional</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There is little dispute that the Illinois Biometric Information Protection Act (“BIPA”) is a unique privacy law to the extent that it creates a private cause of action for any failure to notify individuals before their biometric information is collected and stored. That is, BIPA potentially creates a liability regardless of whether there was a breach of private information. Further complicating matters is the fact that many data collectors that qualify as “financial institutions” or “local and state governments” are exempted from BIPA. A recent motion to dismiss filed by New Albertson’s, Inc. (“Albertson’s”), a defendant named in a BIPA action, has put the constitutionality of this exemption for financial institutions and state governments at issue.</p>
<p>As with many employers in Illinois, Albertson’s was named as a defendant in a lawsuit based on alleged violations of BIPA. In a lawsuit entitled <em>Bruhn v. New Albertson’s, Inc</em>, Case No. 2018 CH 1737, filed in the Circuit Court of Cook County, Illinois, a class action plaintiff alleged he worked as a pharmacist at a Jewel-Osco store located in Elgin, Illinois. Plaintiff claims Jewel required him to provide a scan of his fingerprints on a biometric device in order to access the pharmacy’s computer system. Plaintiff further claims Jewel violated BIPA when it collected and stored his biometric information without providing the proper notification. On August 20, 2019, Albertson’s filed a motion to dismiss which will push Illinois courts to examine the constitutionality of BIPA.</p>
<p>As a quick refresher on Illinois constitutional law, the Illinois Constitution provides the following, which is generally referred to as the “special legislation clause”:</p>
<p><em>The General Assembly shall pass no special or local law when a general law is or can be made applicable. Whether a general law is or can be made applicable shall be a matter for judicial determination.</em></p>
<p>In support of its motion to dismiss, Albertson’s analyzes the legislative intent behind BIPA and argues “[i]n short, the legislator felt BIPA was necessary to protect consumers’ biometric data, particularly connected with financial information.” And, while the legislature’s intent behind BIPA was to protect information by placing burdens on entities that collect and store biometric data, Albertson’s questions how that purpose is served when the statute does not include many entities that may qualify as a “financial institution or an affiliate of a financial institution” and contractors, subcontractors and agents of state or local governments. Based on these exclusions to BIPA, Albertson’s argues that BIPA violates the special legislation clause and is therefore unconstitutional because “Broad Groups” of individuals are excluded from the statutory framework. In particular, Albertson’s claims BIPA’s exclusions for financial institutions and local governments give rise to an unfair result that is unconstitutional.</p>
<p>In its brief, Albertson’s argues the question of whether a law violates the special legislation clause and is void includes the following two-step analysis: “…whether the statutory amendments discriminate in favor of a select group” and “if so, whether the classification created by the statutory amendments is arbitrary.” As for the exception of financial institutions, Albertson’s argues BIPA excludes essentially the entire financial industry. Albertson’s asserts the use of the term “financial institution” in BIPA could exclude a number of entities ranging from retailers that happen to issue credit cards to car dealerships and mortgage brokers and, therefore, BIPA is unconstitutional.</p>
<p>Albertson’s further asserts the BIPA exception for governments unconstitutionally “eliminates a wide swath of entities from the BIPA.” Albertson’s argues the exclusion for governmental entities is overly broad to the extent it exempts contractors, subcontractors and agents of state and local governments while they are working for the government. Consequently, the stated purpose of BIPA is not served with these exclusions.</p>
<p>Albertson’s claims BIPA’s impact, which excludes a potentially large number of entities from protecting the public’s biometric data, “constitutes special legislation in violation of the Illinois Constitution.” Albertson’s argues it is entitled to have the action against it dismissed since “[a] general law could have been passed, and was in fact originally proposed to apply to both the government and financial institutions.”</p>
<p>Regardless of whether the court finds BIPA unconstitutional, Albertson’s still brings a valid point to light about the confusion BIPA causes for data collectors. For example, Albertson’s poses a hypothetical where a janitorial company providing services to a government building would <em>not</em> have to comply with BIPA while another janitorial service providing services to a private building would incur the costs to comply with BIPA. It will be interesting to see how the trial court, and most likely the Illinois appellate court, addresses this question.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question. The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization were sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim by finding Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer were insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss when they allege that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts to start holding data collectors responsible for cyber incidents even though the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years back before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to require that all data collectors be liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</title>
		<link>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim</link>
		<comments>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/#comments</comments>
		<pubDate>Thu, 02 Nov 2017 21:20:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1367</guid>
		<description><![CDATA[
<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they... <a class="more-link" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they suffered a concrete injury from a data breach and that they were injured by that particular data breach and not another unrelated incident involving their personal information. Consequently, the potential causes of action available to data breach plaintiffs seem to decrease with each new decision.</p>
<p>The October 31, 2017 decision of the District Court for the Southern District of Ohio provides another example of a court limiting plaintiffs’ chances of recovery after a data breach and dismissing their claims via a motion to dismiss. The plaintiffs in <em>Galaria v. Nationwide Mut. Ins. Co.,</em> 13-cv-257, 2017 WL 4918634 (Oct. 31, 2017 S.D. Ohio), filed an action in the District Court for the Southern District of Ohio when they learned in November of 2012 that Nationwide breached personally identifiable data provided in insurance applications. In August 2017, the District Court issued an order dismissing all plaintiffs’ claims with the exception of a bailment claim. (<a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">The Privacy Risk Report has addressed the dismissal of Plaintiffs&#8217; other claims here</a>).</p>
<p>In order to establish a viable implied bailment claim, the plaintiffs in <em>Galaria</em> were required to show they delivered their personal information to Nationwide “for the specific purpose” that the “property ‘shall be returned or accounted for when this special purpose is accomplished or retained until the bailor reclaims the property.&#8217;” That is, Nationwide&#8217;s liability hinged on whether the property was returned undamaged.</p>
<p>Prior to getting into its analysis, the District Court reviewed the reasoning of other courts on this issue:</p>
<p><em>“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to a bailment liability.”</em></p>
<p><em>***</em></p>
<p><em>Applying the law of various states, those courts have concluded that a person in that scenario has not transferred possession of the data with &#8220;the expectation that the recipient will return the data and does not base any claim for damages on the recipient’s unlawful retention of the data.”</em></p>
<p>In applying this reasoning found in a number of data breach cases including <em>In re Target Data Security Breach Litig</em>., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) and <em>In re Sony Gaming Networks and Customer Data Sec. Breach Litig</em>., 903 F. Supp. 2d 942 (S.D. Cal. 2012), the District Court found “[i]ntangible property, including personally identifiable data, may or may not constitute the sort of personal property that may be bailed.” However, the District Court did not have to address this question “because Plaintiffs have not alleged that they transferred control or custody of their personal identifiers to Defendant with the expectation that Defendant would hold them for some purpose and then return them undamaged to Plaintiffs.”   Here, the Plaintiffs never relinquished custody or control over the data. (“They retained their personal identifiers and continued to use them throughout the period of the alleged bailment.&#8221;) The Plaintiffs’ bailment claim failed since plaintiffs did not allege “that they expected Defendant to return the data because they were never without their personal identifiers.”</p>
<p>The District Court’s analysis illustrates the struggle data breach plaintiffs face to establish viable causes of action. Even if they demonstrate they have standing to bring suit against a data collector, plaintiffs still must address the fact that their data is intangible and, therefore, may not be subject to laws protecting tangible property. Further, while many states have laws protecting data, most privacy laws do not create a private cause of action to recover after a breach.</p>
<p>It is important to remember these cases, which may be used to limit liability, do not support a decision to pass on cyber insurance.  The costs of defending these cases more than justify the cost of cyber insurance.  There is more at stake than third-party liability in most data breach incidents.  Therefore, the costs of dealing with a cyber incident more than justify paying the premium and deductible of a cyber insurance policy.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us">click here to contact a Tressler attorney</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</title>
		<link>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data</link>
		<comments>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/#comments</comments>
		<pubDate>Tue, 08 Aug 2017 17:07:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1272</guid>
		<description><![CDATA[
<p>Toymakers have recently received more than their share of scrutiny concerning the collection, storage and breaches of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data... <a class="more-link" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Toymakers have recently received more than their share of scrutiny concerning the <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">collection</a>, <a href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/" target="_blank">storage</a> and <a href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">breaches</a> of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data can be collected in the first place.  <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">A recent lawsuit against The Walt Disney Company</a> and its related companies (&#8220;Disney&#8221;) sheds new light on how companies may be using &#8220;free&#8221; apps to gather data on their youngest customers and how that data can be used.</p>
<p>On August 3, 2017, <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">a class action lawsuit</a> was filed in the United States District Court for the Northern District of California against Disney seeking recovery based on allegations “by parents of children, who while playing online games via smart phone apps, have had their personally identifying information exfiltrated by [Disney], for future commercial exploitation…”  (Complaint at ¶1)  In particular, the plaintiff, Amanda Rushing (&#8220;Rushing&#8221;), claims her child’s private information was improperly stored as her child used Disney’s app “Princess Palace Pets.” The Class Action Complaint includes claims against the “SDK Defendants,” the companies that provided their own code, known as “software development kits,” for use in Disney’s gaming apps.  The Complaint asserts that the SDK Defendants embedded software in Disney&#8217;s gaming apps that allowed for the app users&#8217; personal information to be collected without authorization and &#8220;to facilitate subsequent behavior advertising.”  (Complaint at ¶7)</p>
<p>Before the specific allegations against Disney and the SDK Defendants, the Complaint contains a number of allegations against the app and gaming industry in general including that “[m]ost consumers, including parents of children consumers, do not know that apps created for children are engineered to surreptitiously and unlawfully collect the child-users’ personal information, and then exfiltrate that information off the smart device for advertising and commercial purposes.” (Complaint at 16) The plaintiff’s theories underpinning the allegations against Disney include:</p>
<p><em>&#8220;When children are tracked over time across the internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given smart device.  Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data point about the same user, such as app usage, geographic location (including likely domicile), and internet navigation, it discloses a personal profile that can be exploited in a commercial context.&#8221;</em> (Complaint at ¶22)</p>
<p>The Complaint contains allegations that these actions taken by Disney and the SDK Defendants give rise to a violation of the Children’s Online Privacy Protection Act (“COPPA”). In short, COPPA prohibits gathering personal information of children under the age of 13 “without first obtaining verifiable consent from their parents.”   While the plaintiffs acknowledge that COPPA typically protects data more commonly understood to be personal information (names, email addresses, social security numbers, etc.), it also protects against the unauthorized collection of “persistent identifier[s] that can be used to recognize a user over time and across different Web sites or online services.” (Complaint at ¶28)  In short, the Class Action Plaintiff claims the defendants violated COPPA by “incorporating the SDK Defendants’ behavioral advertising SDK’s into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent…&#8221; (Complaint at ¶63)</p>
<p>The Complaint contains two causes of action against the defendants. Under the first cause of action for Intrusion Upon Seclusion, the Plaintiff claims Disney and the other defendants intentionally intruded on Plaintiff’s “solitude, seclusion, or private affairs by intentionally designing the Game Tracking Apps&#8230;to surreptitiously obtain, improperly gain knowledge of, review and/or retain Plaintiffs&#8230;activities through monitoring technologies and activities&#8221; as described in the Class Action Complaint.  Under the Plaintiff’s second cause of action entitled California Constitutional Right to Privacy, the Plaintiff claims she and the other class members have “reasonable expectations of privacy in their mobile devices and their online behavior” which Disney and the other defendants “intentionally intruded on.”</p>
<p>While Disney and the defendants have not responded to the allegations in the Complaint, <a href="http://www.hollywoodreporter.com/thr-esq/disney-accused-illegally-tracking-children-apps-new-lawsuit-1026881" target="_blank"><em>The Hollywood Reporter</em> reports that it received a statement from Disney related to the lawsuit indicating that it is taking the position that: “<em>Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court</em>.”</a></p>
<p>Of course, it is still early in this litigation and it may be years before we see whether the Class Action Plaintiffs&#8217; allegations have merit.  Nevertheless, the Class Action Complaint is clear that even if something is being given away for free (in this case apps based on Disney characters), people still expect to control their personal information.  As this area of the law continues to develop, data collectors must consider more than whether they have the proper safeguards in place to protect data from a breach.  Rather, data collectors must consider whether they have permission to collect data in the first place.  This case provides another example of a party claiming to be injured without their information being breached, and it raises the question of what harm, if any, results from the unauthorized collection of data.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us" target="_blank">click here to contact a Tressler attorney.</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</title>
		<link>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017</link>
		<comments>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/#comments</comments>
		<pubDate>Tue, 18 Jul 2017 14:47:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1256</guid>
		<description><![CDATA[
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the... <a class="more-link" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.  (In 2015, the Privacy Risk Report addressed the facts related to <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech’s breach on December 2, 2015</a> at great length.)</p>
<p>Now that we are a few years down the road since the breach, we have seen VTech&#8217;s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech&#8217;s business.  Therefore, even though we have no information concerning VTech&#8217;s insurance program, we still have sufficient information about VTech&#8217;s breach to analyze the value of third party liability and first party coverage in data breaches.</p>
<ul>
<li><strong>VTech’s Good News: No Liability For The Breach (So Far)</strong></li>
</ul>
<p>On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breach cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.</p>
<p>The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.&#8221; Of course, there was no contract to use the apps.  Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech argued that &#8220;each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach its obligations to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.”  The District Court was not persuaded by plaintiffs&#8217; argument when they could have easily used the toys without downloading the apps or uploading their personal information.  And, the District Court agreed with VTech when it found “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services&#8221; and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.</p>
<p>Even though the plaintiffs <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">failed to show they had damages and could survive a motion to dismiss</a>, the value of third party cyber liability coverage is clear.  The costs related to briefing the complex issues on a motion to dismiss related to whether the plaintiffs have standing can be too much for many companies.  Further, if the plaintiffs survive a motion to dismiss, <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">which is happening on a more routine basis</a>, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment.  Therefore, the VTech case (even though the plaintiffs&#8217; case was dismissed) still underscores the need for third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.</p>
<ul>
<li><strong>VTech’s Bad News: Potential First Party Losses</strong></li>
</ul>
<p>Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/" target="_blank">recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price.</a>  Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun &amp; Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, Yahoo.  In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:</p>
<table>
<tbody>
<tr>
<td width="638">“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”</td>
</tr>
<tr>
<td width="638">“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”</td>
</tr>
<tr>
<td width="638">“More recent breaches had less of a negative impact on share price than older ones.”</td>
</tr>
<tr>
<td width="638">“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”</td>
</tr>
</tbody>
</table>
<p>Admittedly, while Comparitech&#8217;s in-depth study of these large scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at  large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences when in <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/" target="_blank">January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million</a>.   And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may  provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al</em>., 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) which stored workers&#8217; compensation litigation files.  In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files.  The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1)       “intentionally accesses without authorization”</p>
<p>(2)       a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3)       “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction” between “electronic communication services” and “remote computing services.” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care’ for different types of communication.” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims.  Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades.  Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act.  This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel that has experience in this developing, highly-specialized area.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Through Thick And Thin:  Anthem Breach Shows Lasting Commitment For Data Breach Cases</title>
		<link>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases</link>
		<comments>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/#comments</comments>
		<pubDate>Mon, 26 Jun 2017 16:41:49 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[anthem]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1234</guid>
		<description><![CDATA[
<p>There should be little question that data breach litigation will continue to present unique issues for courts.  However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues.  For example, the documents publicly available related... <a class="more-link" href="https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/">Through Thick And Thin:  Anthem Breach Shows Lasting Commitment For Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There should be little question that <a href="https://privacyriskreport.com/data-breach-litigation-evolves-allows-the-breaching-entity-and-the-breaching-entitys-data-security-vendors-to-be-named-as-defendants/" target="_blank">data breach litigation will continue to present unique issues for courts</a>.  However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues.  For example, the publicly available documents related to the settlement of the Anthem breach show plaintiffs, in addition to money, may be looking for a commitment from the breaching party to repair the damage caused by a breach.</p>
<p>On June 23, 2017, the parties involved in the 2015 Anthem data breach brought the matter closer to a resolution when they filed documents with the District Court for the Northern District of California to settle the matter. This litigation involved seventeen class action lawsuits alleging Anthem failed to properly protect the plaintiffs’ personal information and Anthem delayed notifying impacted individuals of the breach. The Settlement Agreement and Release indicates that the parties engaged in mediation sessions over the first half of 2017 before finally agreeing to settle the matter for $115 million. The Settlement Agreement contains a “Settlement Fund” provision providing exactly how the $115 million settlement payment will be allocated. First, the Anthem entities are required to deposit $25 million into a Qualified Settlement Fund <strong>ten days after the Court enters the Preliminary Approval Order</strong> to cover the costs for administrative expenses, set-up costs for a “Credit Services” vendor which provides credit services monitoring for the plaintiffs, reasonable costs for providing notice of the terms of this Agreement and “Out-of-Pocket” costs as defined under the Agreement.  Next, the Anthem Entities are required to deposit the balance of the settlement payment in a Qualified Settlement Fund <strong>ten days after the Court enters the Final Approval Order and Judgment.</strong>  While the settlement amount is staggering, the commitment that Anthem has to make to protect and re-establish the plaintiffs&#8217; credit after the settlement is also worth considering.</p>
<p>The Settlement Agreement contains detailed provisions concerning notice, credit services and &#8220;Alternative Compensation&#8221; for impacted individuals:</p>
<p><strong>Notice</strong></p>
<p>The Settlement Agreement provides precise requirements concerning how the plaintiffs are to be notified of the settlement. The “Notice Plan” provides details on how plaintiffs are to be located and how options are to be presented for the plaintiffs.</p>
<p><strong>Credit Services Provisions</strong></p>
<p>The section of the Settlement Agreement addressing Credit Services requires the Anthem Entities to arrange for Experian to provide for credit monitoring services to the plaintiffs. In addition to credit monitoring, the parties agreed that plaintiffs would be provided with:</p>
<ul>
<li>“ID Theft Insurance” which would provide insurance for theft-related expenses up to $1 million;</li>
<li>“Internet Surveillance” which includes monitoring the “dark web” for plaintiffs’ personal information;</li>
<li>“Identity Restoration Services” that would provide plaintiffs with “fraud resolution assistance;” and</li>
<li>“Minor Plus” which provides added protection for plaintiffs that are minors.</li>
</ul>
<p>The Credit Services provision makes it clear that the plaintiffs are going to look to Anthem to make arrangements to put them back to where they were prior to the breach.  This provision will not allow Anthem to simply pay its money and move on.  Rather, Anthem will need to act as an administrator to make sure it meets all obligations to the plaintiffs.</p>
<p><strong>Alternative Compensation </strong></p>
<p>The Settlement Agreement also provides for “Alternative Compensation” for those plaintiffs that already have some form of credit monitoring and do not enroll in the Credit Services offered under the Settlement Agreement.  Here, Anthem will need to confirm that each plaintiff who makes the necessary election qualifies for the Alternative Compensation.</p>
<p><strong>Out-of-Pocket Costs</strong></p>
<p>The Agreement defines “Out-of-Pocket” costs as “expenditures that a [plaintiff] actually incurred that are fairly traceable to the Data Breach.” These costs may include unreimbursed fraud charges, professional fees incurred from identity theft or falsified tax returns, credit freezes or credit monitoring that was ordered after January 2015. These costs may also include reimbursement for time spent attempting to remedy issues related to the data breach at a rate of $15 per hour. The Agreement states that $15 million will be reserved from the Settlement Fund.  And, once again, Anthem will need to have a system in place to review these costs.</p>
<p><strong>Documents Filed Under Seal</strong></p>
<p>Another interesting aspect of this settlement is seen in the parties’ Joint Administrative Motion To File Under Seal Portions of Plaintiffs’ Memorandum in Support of Motion for Preliminary Approval of Action Class Settlement And Exhibits to Settlement Agreement. In particular, the parties sought to redact sensitive information found in the Memorandum including “detailed and confidential information about Anthem’s information security.” Anthem claims this information, if publicly disclosed, could cause further harm “by giving potential cyberattackers insights into Anthem’s cybersecurity practices and protocols.”</p>
<p>This is not the first time parties have been concerned about information that could be extracted from court documents.  During the settlement negotiations related to its breach in 2015, <a href="https://privacyriskreport.com/target-litigation-reveals-concern-hackers-may-use-court-documents-to-gain-information/" target="_blank">Target Stores contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access</a> to detailed information about Target&#8217;s IT infrastructure, Target&#8217;s information security controls, and information about Target&#8217;s information security policies and procedures.  Following Target&#8217;s lead, <a href="https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/" target="_blank">a number of courts around the country have started to consider what information they are making available online</a>.</p>
<p><strong>Lasting Commitment</strong></p>
<p>As the Anthem litigation draws to a close, it is clear that a cyber security incident can have a lasting impact.  Even at this point when the parties have agreed to settlement terms, Anthem will be responsible over the next few years to make sure the Settlement Fund is being properly administered, the Settlement Fund is being funded and the plaintiffs are being made whole.  The Anthem Breach and Settlement make it clear that entities cannot simply pay damages related to a breach and walk.  Rather, Anthem and the plaintiffs are now partners in addressing any fraudulent acts that arise out of the Anthem Breach, re-establishing plaintiffs&#8217; credit and getting plaintiffs assistance to address any credit or tax issues that arise from the breach.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/">Through Thick And Thin:  Anthem Breach Shows Lasting Commitment For Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</title>
		<link>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action</link>
		<comments>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/#comments</comments>
		<pubDate>Fri, 12 May 2017 18:40:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Home Depot]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1200</guid>
		<description><![CDATA[
<p>The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this... <a class="more-link" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p dir="LTR" align="LEFT">The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this breach was recently seen in <em>Community Bank of Trenton v. Schnuck Markets</em>, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.</p>
<p dir="LTR" align="LEFT">Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network.  Specifically, Trenton attempted to support its cause of action with allegations &#8220;that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.&#8221;  Trenton’s complaint further alleged that unencrypted data &#8220;was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013.&#8221;  The Complaint alleged Schnucks learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013.  Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).</p>
<p dir="LTR" align="LEFT">In granting Schnucks&#8217; motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law.  Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500).  The District Court rejected Trenton’s argument, finding &#8220;the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.&#8221;  (&#8220;What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.&#8221;)  The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to &#8220;read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.&#8221;</p>
<p dir="LTR" align="LEFT">After finding Trenton did not have a private cause of action based on Missouri&#8217;s breach notification laws, the District Court distinguished &#8220;out-of-circuit precedent&#8221; where courts have found defendants had a duty to safeguard data based on a business relationship.  (<em>In re Home Depot, Inc. Customer Data Security Breach Litigation</em>, 2016 WL 2897520 (N.D. Ga. 2016); <em>Target Corp. Data Sec. Breach Litigation</em>, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and <em>Sovereign Bank v. BJ&#8217;s Wholesale Club, Inc.,</em> 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005)).  The District Court found these cases unpersuasive because the record in the <em>Home Depot</em> breach litigation suggests &#8220;Home Depot&#8217;s data security conduct&#8230;was egregious and intentional,&#8221; the <em>Target</em> Court relied on provisions that were unique to Minnesota law and the holding in <em>BJ&#8217;s Wholesale Club</em> &#8220;is frankly outdated.&#8221;</p>
<p dir="LTR" align="LEFT">The holding in <em>Schnuck&#8217;s</em> provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the <em>Schnucks</em> court, plaintiffs may need to show a data breach resulted from the &#8220;egregious and intentional&#8221; conduct seen in the <em>Home Depot</em> breach litigation.  The <em>Schnucks</em> court distinguishes this case from the record in the <em>Home Depot</em> litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security &#8220;and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.&#8221;</p>
<p dir="LTR" align="LEFT">The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security.  Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach.  Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</title>
		<link>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases</link>
		<comments>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/#comments</comments>
		<pubDate>Tue, 04 Apr 2017 14:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1165</guid>
		<description><![CDATA[
<p>Last week, the parties in Remijas v. Neiman Marcus, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus was settled in the Northern District of Illinois.  The Seventh Circuit&#8217;s reversal of the District... <a class="more-link" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <em>Remijas v. Neiman Marcus</em>, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus, was settled in the Northern District of Illinois.  The Seventh Circuit&#8217;s reversal of the District Court&#8217;s decision to grant Neiman Marcus&#8217; motion to dismiss was widely considered to be a favorable decision for data breach plaintiffs because it showed that plaintiffs may be able to adequately allege damages to demonstrate they had standing to bring suit.  Even though we may not get to see how discovery and further motion practice may play out, the settlement provides a significant amount of guidance on the value of damages for data breach cases and the security measures expected of companies in the short time since this breach occurred.</p>
<p>In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against Neiman Marcus under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class members lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft, as well as financial loss when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”</p>
<p><a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">In reversing the District Court</a>, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under <em>Clapper</em> “that injury either already [has] occurred or [was] ‘certainly impending.’”  After the Seventh Circuit reversed the District Court&#8217;s decision, the case was remanded to the District Court for further proceedings before the parties settled the matter.</p>
<p>The Plaintiffs’ Amended Motion for Preliminary Approval of Class Action Settlement and Certification of Settlement Class (“Motion for Preliminary Approval”), filed with the District Court last week, indicates a Settlement Fund will be created in the amount of one million, six hundred thousand dollars ($1,600,000), which will be used to pay “eligible claimants who submit valid and timely Claims.”  The Motion for Preliminary Approval also states that “Settlement Class Members and other customers shopping at Defendant’s stores since this action was filed also benefit from changes to Defendant’s business practices designed to further strengthen its information technology security.”</p>
<p>Specifically, Neiman Marcus’ Memorandum filed in support of the settlement agreement states that in addition to the settlement amount, Neiman Marcus has taken the following security measures to protect customer information:</p>
<ul>
<li><em>Chief Information Security Officer</em>. Neiman Marcus created and filled the position of Chief Information Security Officer (CISO), an executive position with responsibility to coordinate and be responsible for Neiman Marcus’s program(s) to protect the security of customers’ payment card data including account numbers, expiration dates, card verification values, and cardholder names;</li>
<li><em>Information Security Organization</em>. Neiman Marcus created a new organizational unit responsible for information security and has hired employees to fill the organization, including a Director of Security Operations and a Director of Security, Risk Management and Compliance;</li>
<li><em>Senior Leadership Reporting</em>. Neiman Marcus increased the frequency and depth of reporting to its executive team and members of its board of directors about its cybersecurity efforts and the cybersecurity threat landscape;</li>
<li><em>Chip-Based Payment Card Infrastructure</em>. Neiman Marcus equipped all of its stores with devices that allow customers to pay for purchases using payment cards containing embedded computer chips;</li>
<li><em>Employee Education</em>. Neiman Marcus expanded its program to educate and train its workforce on methods to protect the privacy and security of its customers’ information;</li>
<li><em>Information Sharing</em>. Neiman Marcus joined several public-private partnerships that facilitate information sharing concerning cybersecurity and threat awareness.</li>
</ul>
<p>Even though it would have been interesting to see how the parties would have handled discovery and further motion practice, this settlement is still important for the following reasons:</p>
<p><em>First,</em> the small settlement amount indicates that even if plaintiffs survive a motion to dismiss and a court is willing to find allegations may give rise to the potential for damages in data breach cases, plaintiffs may still face a significant hurdle in showing they are entitled to a substantial damage award. Here, with allegations of 350,000 customers being impacted, the settlement amount of $1.6 million may not provide an incentive for plaintiffs to bring these actions.</p>
<p><em>Next,</em> the non-monetary portion of the settlement agreement is worthy of examination because it shows the shift in how companies approach data protection since the breach at Neiman Marcus in 2013.  At the time of the breach in 2013, the fact that a corporation did not have a Chief Information Security Officer or train employees on these issues may not have been surprising. Of course, a corporation that is not implementing such procedures today is operating at its own peril.</p>
<p><em>Finally</em>, the Seventh Circuit’s reversal of the District Court’s decision granting Neiman Marcus’ motion to dismiss was often cited by plaintiffs attempting to demonstrate they had standing to bring these actions. The Neiman Marcus case could have provided even more solid ground for plaintiffs if the class action plaintiffs had continued their success through discovery and into trial.  Of course, it could also have shown that plaintiffs&#8217; allegations may survive a motion to dismiss, but that plaintiffs would struggle to support those allegations as the case proceeded through discovery.</p>
<p>We will discuss this settlement and more at <a href="http://www.thehortongroup.com/events/anatomy-of-a-cyber-attack-risks-and-threat-mitigation-oak-brook-il?utm_source=Invite&amp;utm_medium=Email&amp;utm_campaign=Marketing">Horton Group&#8217;s Anatomy Of A Cyber Attack: Risks And Threat Mitigation</a> this Thursday, April 6, 2017 at the Hilton Chicago/Oak Brook Hills Resort &amp; Conference Center.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Court Struggles With Biometric Information Stored On The &#8220;Cloud&#8221;</title>
		<link>https://privacyriskreport.com/illinois-court-struggles-with-biometric-information-stored-on-the-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-court-struggles-with-biometric-information-stored-on-the-cloud</link>
		<comments>https://privacyriskreport.com/illinois-court-struggles-with-biometric-information-stored-on-the-cloud/#comments</comments>
		<pubDate>Fri, 10 Mar 2017 17:19:12 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric information]]></category>
		<category><![CDATA[biometric information act]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1146</guid>
		<description><![CDATA[
<p>Last week, we analyzed Rivera v. Google Inc., 16 C 02714 (N.D. Ill 2016), a decision by the District Court for the Northern District of Illinois which examined the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq.).... <a class="more-link" href="https://privacyriskreport.com/illinois-court-struggles-with-biometric-information-stored-on-the-cloud/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-court-struggles-with-biometric-information-stored-on-the-cloud/">Illinois Court Struggles With Biometric Information Stored On The &#8220;Cloud&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">we analyzed</a> <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf"><em>Rivera v. Google Inc.</em></a>, 16 C 02714 (N.D. Ill. 2016), a decision by the District Court for the Northern District of Illinois which examined the Illinois Biometric Information Privacy Act (“BIPA”) (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20" target="_blank">740 ILCS 14/1 et seq</a>.). BIPA, and various laws like it, protect against the unauthorized disclosure of information that is “biologically unique to the individuals” rather than financial or similar data that can be changed if compromised. BIPA recognizes that a person whose fingerprint is compromised cannot easily change it in the way they could change a password.  In <em>Rivera</em>, the District Court found that allegations that Google stored face scans derived from pictures taken on Google devices may constitute a violation of BIPA and may at least survive a motion to dismiss.  The District Court first held that “face templates” created by Google from pictures submitted to and stored by Google qualified as a biometric identifier under BIPA.</p>
<p>The District Court also found the Plaintiffs survived Google&#8217;s motion to dismiss based on the following reasoning:</p>
<ul>
<li><strong>Google’s Argument That BIPA Did Not Apply Because Google Did Nothing In Illinois.</strong></li>
</ul>
<p>In its lengthy decision, the District Court also rejected Google’s second argument that the Plaintiffs’ claims cannot proceed because “applying the Privacy Act to Google would result in extraterritorial application of the statute” or, in other words, “this Illinois law applies only in Illinois, and Google is not doing anything in Illinois.” The central question in this analysis is “whether Google’s activities—making face templates of Rivera and Weiss in photographs uploaded automatically from Google Droid devices in Illinois—are extraterritorial (and therefore not-actionable) applications of the Privacy Act.” The District Court found no bright-line test for determining whether a transaction occurs within Illinois.</p>
<p>Relying on a test applied under the Illinois Consumer Fraud Act, the District Court analyzed whether “the circumstances relating to the transaction occur primarily and substantially” inside Illinois. Here, the difficulty in answering this question is that Google’s conduct took place online, or in the “cloud,” and was not fixed to one particular location. On this point, the Plaintiffs argued the Act applied because they were Illinois residents, the photographs were taken in Illinois and the photos were automatically uploaded in Illinois to the cloud-based Google Photos service.</p>
<p>However, to support its motion to dismiss, Google asserted that the alleged violations of BIPA, the unauthorized face scans, did not occur “primarily and substantially” in Illinois.  Google noted that the Complaint was devoid of any allegations concerning the location for the face scanning.</p>
<p>In rejecting Google’s arguments, the District Court found Plaintiffs&#8217; allegations were sufficient, at least for purposes of surviving the motion to dismiss, to treat the asserted violations as having occurred in Illinois.  The District Court found that Google’s motion to dismiss was appropriately denied under this reasoning because “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.” That is, the District Court wanted additional discovery completed on whether the claimed violations took place in Illinois.</p>
<p>Even though the Plaintiffs survived Google&#8217;s motion to dismiss, developing facts to demonstrate that Google&#8217;s conduct took place in Illinois may be difficult when Google stored the face scans on cloud-based technology.  BIPA describes the legislative intent behind the Act, noting that &#8220;[t]he use of biometrics is growing&#8221; and that &#8220;[m]ajor national corporations have selected the City of Chicago and other locations in the State as pilot testing sites for new applications of biometric-facilitated financial transactions&#8230;&#8221;  This case demonstrates that Illinois courts are also being tested by this technology when they are called upon to review such novel questions as where activities on the &#8220;cloud&#8221; take place.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-court-struggles-with-biometric-information-stored-on-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
