The litigation arising out of the data breach at Schnuck’s Markets (“Schnuck’s) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this breach was recently seen in Community Bank of Trenton v. Schnuck Markets, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.

Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network.  Specifically, Trenton attempted to support its cause of action with allegations “that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.”　 Trenton’s complaint further alleged that unencrypted data “was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013.　 The Complaint alleged Schnucks’ learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013.　 Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).

In granting Schnucks’ motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law.  Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500).  The District Court rejected Trenton’s argument finding “the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.”　 (“What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.”)　 The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to “read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.”

After finding Trenton did not have a private cause of action based on Missouri’s breach notification laws, the District Court distinguished “out-of-circuit precedent” where courts have found defendants had a duty to safeguard data based on a business relationship.  (In re Home Depot, Inc. Customer Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga. 2016); Target Corp. Data Sec. Breach Litigation, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005).  The District Court found these cases unpersuasive because the record in the Home Depot breach litigation suggest “Home Depot’s data security conduct…was egregious and intentional,” the Target Court relied on provisions that were unique to Minnesota law and the holding in BJ’s Wholesale Club “is frankly outdated.”

The holding in Schnuck’s provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the Schnucks court, plaintiff’s may need to show a data breach resulted from the “egregious and intentional” conduct seen in the Home Depot breach litigation.  The Schnucks court distinguishes this case from the record in the Home Depot litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security “and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.”

The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security.  Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach.  Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.

The post Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action appeared first on Privacy Risk Report.

High profile data breaches are inevitably followed by a flurry of lawsuits, including derivative lawsuits filed by those companies’ shareholders. However, derivative suits have not found success and are frequently dismissed at the early stages of the lawsuit. Earlier this year, Judge Paul Magnuson of the U.S. District Court for the District of Minnesota dismissed the derivative lawsuit against Target’s directors and officers, and this week, the court in the Home Depot shareholder derivative action reached a similar conclusion as Judge Magnuson.

On November 30, 2016, Judge Thomas W. Thrash, Jr. of the U.S. District Court for the Northern District of Georgia granted the motion to dismiss filed by Home Depot’s directors and officers in a shareholder derivative suit. The derivative suit arises out of the 2014 data breach in Home Depot’s stores, which resulted in the theft of financial data of 56 million customers. Following the breach, multiple shareholders filed derivative complaints against Home Depot, which were eventually consolidated. In the consolidated lawsuit, the shareholders claim that Home Depot’s directors and officers breached their duties to the shareholders by failing to take the risk of a data breach seriously and failing to implement sufficient security measures prior to the breach. The shareholders allege causes of action for breach of fiduciary duty, waste of corporate assets and violation of the Securities Exchange Act.

The shareholders made no demand on Home Depot’s board that it file suit against the directors, which is generally a prerequisite to filing a derivative suit unless the demand is excused. The court’s analysis accordingly focused on whether the demand requirement was excused. As to the breach of fiduciary duty claims, the court found that the shareholders faced an “incredibly high hurdle” to demonstrate particularized facts beyond a reasonable doubt that a majority of the board faced substantial liability because it consciously failed to act in the face of a known duty to act. The court noted that it was “not surprising” that the shareholders failed to meet this burden. The gist of the shareholders’ complaint was that the board improperly exercised its business judgment, which was simply not sufficient to show the bad faith necessary to excuse demand.

The court held that the demand was not excused as to the corporate waste claims on similar grounds, finding that the shareholders’ claim was fundamentally a challenge to the board’s business judgment for delaying the update of Home Depot’s security systems. Finally, the court held that the demand was not excused as to the shareholders’ securities claims because the shareholders failed to point to specific statements in Home Depot’s proxy statements that were rendered misleading or false by the alleged omissions concerning security threats. The shareholders therefore did not meet their burden to demonstrate particularized factual allegations that raise a reasonable doubt that directors were disinterested and independent.

The dismissal of the Home Depot derivative litigation is the latest in a long line of unsuccessful attempts by shareholders to file derivative lawsuits against corporations that experience data breaches. It remains to be seen whether shareholders can satisfy the “incredibly high hurdle” for excusing the demand requirement, or, alternatively, can surpass the findings of a special litigation committee, like the committee appointed in the Target litigation. Based on court rulings to date in these types of actions, however, it seems more likely than not that where a board implements a security plan, even if it is not a perfect security plan, it will be protected by the business judgment rule.

The post Fallout From Home Depot Breach Continues to Cause Concern for Corporate Officers appeared first on Privacy Risk Report.

While the “internet of things” (IoT) is not a new concept for the insurance industry, many people outside the insurance industry are just beginning to discuss this issue. In general, the term “internet of things” refers to a network of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet.

In the first few weeks of 2016, we have already seen a number of developments indicating the IoT will present many questions throughout the year. For example, Sony’s acquisition of an IoT chipmaker for $212 million shows IoT will become a household term in the near future. Also in the first few weeks of 2016, we saw the National Institute of Standards and Technology (NIST) take steps to create a cybersecurity project to improve safety related to wireless infusion pumps. This is a big step in the medical device field, as its use in hospitals and clinics presents the weakest point in healthcare’s defense systems. It is clear that the IoT will be with us for the long run.

As issues related to the IoT gain momentum, the insurance issues related to the IoT need to be analyzed. For example, the January 25, 2016 MIT Technology Review article, “Can We Insure the Internet of Things Against Cyber Risk?” states the problem with insurance for connected products is because they “…are too new, and too little is known about the economic losses or personal injury they might cause.” This article further suggests that “[w]hat the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing. Only then can emerging industries like self-driving cars and network-connected medical devices really take off…”

While courts have been called on to determine obligations under third-party cyber policies over the last year, there has been virtually no analysis of coverage for first-party claims arising out of cybersecurity. As the IoT becomes more ingrained in our homes and business, we can expect insurance coverage issues to continue to flourish. The vast majority of these issues caused by the IoT will raise questions under first-party insurance policies. Consequently, we anticipate cybersecurity and first-party insurance coverage to be an emerging trend in 2016.

The post First-Party Insurance Claims Related to the “Internet of Things” an Emerging Issue for 2016 appeared first on Privacy Risk Report.

On July 1, 2015, Home Depot filed a motion to dismiss the “Financial Institution Plaintiffs’” class action lawsuit filed in the District Court for the Northern District of Georgia. The class action is based on the breach suffered by Home Depot when hackers accessed Home Depot’s payment data systems using the credentials of third-party vendors in April of 2014. Once gaining access to Home Depot’s systems the hackers installed malware on Home Depot’s self check out registers and stole customers’ payment information.

No Standing To Bring Suit

As seen in other litigation related to data breaches, Home Depot argues the class action should be dismissed because “[n]o bank has identified any specific loss or injury, and the vast majority of the general categories of losses alleged were – by the Banks’ own admission – incurred by them when ‘taking steps to prevent future fraud.’” This argument has been successful for many data breach defendants. Specifically, Home Depot argues the Banks’ allegations are limited to losses when they had to cancel and reissue cards after the breach, shut down accounts, notify customers and investigate fraud. That is, Home Depot is arguing the Banks lack standing because their damages are limited to costs they may incur in the future.

As seen in other data breach litigation, Home Depot also contends that a series of complex contracts between various banks require the Financial Institutions to look elsewhere for their damages. Home Depot’s argument is that the Financial Institutions issued their payment cards (the “Issuers”) under contracts with other banks that handle the purchases with the payment cards (the “Acquirers”). And, as part of the contracts, the Issuers must follow certain procedures to be reimbursed for their costs generally referred to as “the Card Brand Recovery Process.” In turn, the Acquirers can seek indemnification for costs incurred in “the Card Brand Recovery Process” from the merchant. Target made this argument in its motion to dismiss claims brought by banks related to its data breach.

Home Depot asserts that the Financial Institutions claims should be denied because they lack standing under the reasoning in the U.S. Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). In particular, Home Depot relies on Clapper for the proposition that “[n]ot just any financial loss or injury will suffice to confer standing.  Rather, to satisfy Article III, an injury must be “fairly traceable to the challenged action.” And, in support of its Motion to Dismiss, Home Depot argues the Financial Institutions lack standing because the Banks have not “identified a ‘concrete particularized’ injury” and protection against future harm does not create standing.

Negligence Claims Fail As a Matter of Law

Additionally, Home Depot argues the Banks’ negligence claims should be dismissed, even if they can establish standing, because the Economic Loss Rule bars recovery.  In general, the Economic Loss Rule holds there is no recovery in tort for economic losses unless they result from injury to person or property.” Home Depot asserts the Financial Institutions’ claims are barred by the Economic Loss Rule because their claimed damages incurred “from intentional conduct and steps the Banks took to mitigate the risk of possible future harm.”

Home Depot also seeks dismissal of the Financial Institutions’ negligence causes of action because, under Georgia law, “there is no legal duty to anticipate criminal acts of third parties or to control the conduct of those parties.”  Under this theory, Home Depot argues it cannot be held liable when there is “no common law duty to safeguard personal information under Georgia law.”

The Target Decision Should Shed Light on Home Depot’s Arguments

The litigation related to the Target data breach will undoubtedly provide guidance on the issues presented by Home Depot’s Motion to Dismiss. Of course, in the Target litigation, the District Court for Minnesota held the Financial Institutions’ action survived Target’s Motion to Dismiss. Therefore, we expect the Home Depot court to address the Target decision by either adopting the reasoning of the Minnesota District Court or distinguishing Home Depot’s breach from Target’s breach.

The post Home Depot Breach Litigation Goes Down Well-Worn Path appeared first on Privacy Risk Report.

The post Following 2014’s “Year of the Breach,” 2015 is Shaping Up to Be the “Year of Data Breach Litigation” appeared first on Privacy Risk Report.

In the March 31, 2015 article, “Why Data Breaches Don’t Hurt Stock Prices,” the Harvard Business Journal discusses why stock prices may not be immediately impacted by a data breach at a company. The article discusses the fact that shareholders may be growing “numb” to data breaches and are beginning to just assume breaches are a cost of doing business.

In addition to growing numb, shareholders may also not be concerned about data breaches because there is a lack of a clear understanding of the damages caused by a data breach. Specifically, the article indicates that “[t]he long and mid-term effects of lost intellectual property, disclosure of sensitive data and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.”

The Harvard Business Journal also included a number of recent examples where a company’s data breach did not meaningfully impact the company’s stock price, including:

• Costs related to Home Depot’s data breach were estimated to exceed $62 million yet the company’s stock only decreased shortly after the breach and bounced back shortly thereafter; and
• After its breach, Target’s stock dropped 10%, “but by the end of February [2014], Target had experienced the highest percentage stock price regain in five years.”

The article concludes that “[s]hareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach and potential changes in management.”

The potential for damage caused by a breach and how shareholders account for damages caused by a breach in a company’s stock price are two different questions. The authors of this article are careful in limiting their analysis to the immediate impact of a data breach on a company’s stock price. The article is not intended to address the potential damage a data breach can cause to a company. It also does not address the validity of shareholder derivative actions or actions by the SEC related to a company’s data security.

The post Shareholders May Be Growing “Numb” to Data Breaches at Publicly Traded Companies appeared first on Privacy Risk Report.

On January 21, 2015, Travelers Casualty and Surety of America (Travelers) sued Ignition Studio Inc. (Ignition) based on professional negligence and breach of contract claims in the District Court for the Northern District of Illinois. Travelers filed the action based on its subrogated interest and on behalf of its insured, Alpine Bank. Ignition was hired to design and service Alpine’s website. However, the complaint alleges that Ignition “negligently allowed one or more hackers to access Alpine Bank’s website through lax Internet security on the server where the website was hosted. Because of Defendant’s negligence, Alpine Bank had to expend substantial funds to comply with data breach notification obligations.” The complaint also seeks damages related to the significant funds to notify bank customers of the unauthorized access to their private information.” Count I of the complaint, entitled professional negligence, asserts Ignition breached its duty to perform website maintenance and servicing work. Count II of the complaint, entitled breach of contract, asserts Ignition breached its agreement with Alpine to provide maintenance for Alpine’s website.

The data breach was first reported in September 2012 when Alpine bank notified a small number of its customers that their social security numbers and account numbers may have been compromised. Alpine also informed their customers to be cautious and monitor their credit and other financial accounts. Additionally, Alpine provided affected customers with one year of free credit monitoring.

Alpine Bank has less than 20 branches in northern Illinois. It is not a Home Depot, Target or Sony. Thus, data breaches are no longer just a concern for large retailers or other large corporations. Rather, hackers are targeting smaller, regional businesses. These smaller-scale hacks can be just as devastating to smaller corporations as the larger hacks are to larger businesses. Even more devastating is the fact that a smaller business may not have proper protection or insurance in place. Admittedly, banks have been the best prepared against data breaches. Unfortunately, it is only a matter of time before we see hacks take place at smaller businesses that are not as well-equipped to handle these attacks.

The post Lawsuit Involving Regional Bank Should Serve as a Warning to Smaller Businesses appeared first on Privacy Risk Report.

At this point, we have been bombarded with many of the details and a lot of speculation related to the November 2014 Sony Pictures hack. In short, hackers stole sensitive information and data including everything from private employee information, emails sent inside and outside the company and unreleased films. In addition to the damage caused by the hack, Sony Pictures potentially suffered damages from extortion attempts and lost revenue from the limited release of the film The Interview.

While the details related to this hack are widely available in newspapers and entertainment magazines, the information publicly known at this time can provide insight for anyone considering cyberliability insurance.

• An insured may have more information at risk beyond that included in the statutorily-defined “personal information.”

A number of states base their data breach notification laws on whether “personal information” has been compromised. In general, “personal information” includes social security numbers, drivers’ license numbers and credit/debit card information. However, in addition to taking some of this information, the Sony hackers also obtained confidential information such as unreleased films. Therefore, while many states provide a concise definition of the information potentially at risk, insureds should consider whether their data and other information includes items beyond the short list of items in the definition of “personal information.”

• An insured’s defenses against a hack or breach will be at issue.

Recently, the pre-breach strength of a party’s security systems has become a central issue in data breach litigation. For example, in the lawsuit filed by banks against Target for its breach in December 2013, the banks claimed Target was liable for failing to disclose “material weaknesses” in its data security systems. Likewise, there were claims that Home Depot’s data breach could have resulted from Home Depot’s failure to perform regular tests on its Point of Sale systems, hiring their Senior IT security architect after he sabotaged his former employer’s network, and running an outdated version of Symantec Antivirus software from 2007. Therefore, underwriters will need to take an applicant’s overall defenses against hacks into account when assessing the risk prior to issuing a policy.

• The strength of this insurance will start with the underwriting process.

In light of the recent cyber attacks and data breaches, there should be little question that cyberliability insurance can provide valuable protection. Of course, a “cookie-cutter” approach using standard policy forms may not work for every insured. The Sony breach involved a substantial amount of information that only a movie studio would be expected to be storing on its systems. Obviously, a hospital would not need cyberliability coverage for unreleased motion pictures. The utility of this insurance will be limited by how closely the insurance applicant and the underwriters work together before a policy is issued. The key will be for insureds to disclose the specific data they want to protect and for underwriters to understand the insured’s business.

The post Early Observations Concerning the Sony Hack and Cyberliability Insurance appeared first on Privacy Risk Report.

Recent news of a data breach involving SP+, the owner of a number of parking garages around Chicago, provides another reminder that Target and Home Depot should not be alone in their concern over data breaches. SP+ informed its customers late last week that malware was used to capture data at a number of its parking garages. (SP+ provided a complete list of the 17 parking garages on its website). It has been reported that the malware installed on SP+’s systems gathered customer credit card information.

As seen with this latest example, data breach targets are increasingly becoming smaller, local businesses. While a smaller company may store less personal data, hackers are finding value in smaller targets which may not have the safeguards implemented by large, multinational corporations. However, as seen with larger corporations, smaller companies are getting the message and are protecting their personal data from hackers. A recent article in Crain’s Chicago Business discusses how many smaller, regional companies are finding value in implementing data breach plans. Crain’s also reports that a recent survey found that cyber liability insurance policies are becoming an integral part of any data breach plan regardless of whether the company is large or small. For example, 26% of the respondents to the study discussed in the Crain’s article stated they had cyber liability insurance coverage, which was a 16% increase over the prior year.

What does the news of a data breach at SP+ mean for us? First, smaller businesses are going to need to take direction from larger businesses and work on their data breach protection plans. Hackers will target smaller corporations which can cause devastating data breaches. Second, insurers will need to continue to develop and offer products that can be integrated into data breach protection plans devised by smaller businesses. Finally, this should translate into increased security for everyone’s private data.

The post Recent Data Breach at Chicago Parking Garages Shows Us the Danger When Hackers Seek Smaller Targets appeared first on Privacy Risk Report.

Home Depot’s data breach has already cost the company more than $60 million, not including potential costs for civil damages in suits brought by consumers, shareholders, and financial institutions. However, Home Depot’s potential costs do not stop there. Recent reports indicate Home Depot may have known their systems were open to attack and did not act to fix the problem.

According to former members of the Home Depot IT security team, Home Depot failed to perform regular tests on its Point of Sale systems, hired their Senior IT security architect after he sabotaged his former employer’s network, and ran an outdated version of Symantec Antivirus from 2007. Commentators have started to discuss whether Home Depot’s actions, or lack thereof, could mean criminal liability for the retailer. Criminal negligence in a data breach would require evidence that an entity failed to perceive a substantial and unjustifiable risk that a data breach will occur.

While it is still early, one lesson from the Home Depot data breach case is that while companies can expect data breaches to be probable, they cannot just sit on their hands. Indifference to the risk and failure to take proper precautions against the probability of a data breach could mean criminal negligence charges.

The post Home Depot Data Breach Provides Glimpse of Potential Causes of Action appeared first on Privacy Risk Report.