Tax season is quickly becoming peak season for cyber and data incidents.  As seen during every recent tax season, last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee information from a company’s human resources department.  While there are a number of examples of the data perils to avoid during tax season, a recent case illustrates that not every incident involving data or personal information constitutes a data breach incident.  On February 20, 2018, the United States District for the Central District of California, found the claims in Lomelli v. Jackson Hewitt, Inc., 2:17-CV-02899-ODW (2018), did not constitute a data breach.

In Lomelli, the plaintiff claimed he was defrauded by the Jackson Hewitt, or more particularly, Jackson Hewitt’s agent, when his tax returns were first filed correctly with his approval and then again with additional expenses included without his approval which resulted in a fraudulent tax return being issued.  The plaintiff also claimed that he was enrolled in an “Assisted Refund” program that charged him additional fees without his approval.  Plaintiff was unaware of the fraudulent tax refunds until he received a cashier’s check for an amount different than he was expecting his tax refund to be and he learned that a bank account had been opened in his name which Jackson Hewitt was withdrawing fees without his consent.

Plaintiff filed a complaint based on allegations of fraud and that Jackson Hewitt’s agent’s filing of a fraudulent tax and violations of the California Customer Records Act (“CRA”), Cal. Civ. Code § 1798.80.  The CRA provides a private right of action where a business fails to “disclose a breach of the security of the system following discovery or notification of the breach…in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82.

Jackson Hewitt argued plaintiff’s CRA claims should be dismissed since plaintiff failed to allege a data breach by an unauthorized person that would have required notice under the statute.  Rather, Jackson Hewitt took the position that the plaintiff authorized Jackson Hewitt and its agent to have access to his personal information in order to prepare his tax returns.  Here, the District Court makes the distinction that the allegations are “not that the information was disclosed to an unauthorized person, but, rather, that the information included in his tax returns was unauthorized.”  Based on this distinction, the District Court found these allegations do not constitute a violation under CRA and, therefore, Jackson Hewitt was entitled to judgment in its favor.

The District Court further held that plaintiff lacked standing to bring a viable claim under the CRA because his allegations were limited to harm that “may” occur in the future.  In finding in favor of Jackson Hewitt on this point, the District Court rejected plaintiff’s position that he would not have returned to have his later tax returns prepared by Jackson Hewitt if he was notified of the disclosure of fraudulent information on the early returns.

This case demonstrates that while data breaches are becoming more frequent, not every disclosure constitutes a data breach.  The District Court finds a distinction in the fact that plaintiff can only allege the misuse of his information rather than the disclosure of that information.  Even though we may feel bad for the plaintiff in this case as he will need to unravel all the damage done by having fraudulent tax returns filed in his name, his allegations did not amount to a data breach.

The post California Court Finds Misuse Of Information Is Not A Data Breach appeared first on Privacy Risk Report.

The threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action against the party that allegedly caused a breach. This hurdle for litigants rises out of Article III of the Constitution that limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative.  Nevertheless, while a number of data breach cases have been lost at the initial pleadings states, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.   As this body of law has developed over the years, one case in particular, Lewert v. P.F. Chang’s China Bistro, Inc., 14-3700 (7^th Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs.  Recent developments in this case should provide more hope for plaintiffs.

The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count”. (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage.  The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.

The Seventh Circuit reversed the District Court’s dismissal of the plaintiffs’ complaint based on Remijas v. Neiman Marcus Grp., LLC., 794 F.3d 688 (7^th Cir. 2015), another Seventh Circuit data breach case.  In particular, the Seventh Circuit reversed the District Court’s findings based on the following:

• The Seventh Circuit held in Remijas that the plaintiffs met their burden in showing their “injuries were concrete and particularized enough to support Article III standing. Likewise, in P.F Chang’s, the Seventh Circuit found allegations of an increased risk of fraudulent charges and identity theft met the plaintiffs’ burden.
• The Seventh Circuit also found the plaintiffs in P.F. Chang’s met their burden to show causation and that a favorable judgment would redress those injuries. Here, the P.F. Chang’s Court held Plaintiffs alleged sufficient facts to plausibly show their information was likely included in the hack at P.F. Chang’s. And, the plaintiffs were able to establish their financial injuries, which include lost opportunity to accrue points on his credit card while waiting for a replacement and time and resources spent to track any fraudulent charges, were sufficient to show a favorable judgment could redress plaintiffs’ alleged injuries.

Since the Seventh Circuit’s decision, the P.F. Chang’s case has been remanded back down to the trial court and the parties have continued to litigate issues related to P.F. Chang’s motion to dismiss. For example, On December 13, 2016, the District Court entered an order stating that because plaintiffs’ complaint was dismissed by the District Court for lack of standing, the District Court did not address P.F. Chang’s additional arguments for dismissal.  The District further ordered the parties to submit briefs discussing the issues that remained unresolved after the Seventh Circuit found plaintiffs had standing to bring suit. Last February P.F. Chang’s filed a motion for leave to file additional briefs in support of its motion to dismiss. In its briefs, P.F. Chang’s argued plaintiffs’ complaint should be dismissed because the plaintiffs’ purchases formed express contracts rather than implied contracts and plaintiffs’ allegations did not support allegations that P.F. Chang’s violated the Illinois Consumer Fraud Act.  Plaintiffs filed a brief in opposition which argued that P.F. Chang’s “filed a new, full-throated motion to dismiss.”

On April 26, 2017 the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.

While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss.  It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since the Neiman Marcus case recently settled before we could see how that litigation unfolds through discovery and further motion practice.

The post P.F. Chang’s Leftovers: District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case appeared first on Privacy Risk Report.

In May 2015, the U.S. District Court for the district of Utah denied an insured’s motion for partial summary judgment in Travelers Property Casualty Company of America et al. v. Federal Recovery Serv. et al., Case No. 2:14-cv-00170. The court previously found no duty to defend under a CyberFirst Policy issued by Travelers. The defendants, Federal Recovery Services, Inc. and Federal Recovery Acceptance, Inc., (Federal Recovery) provided electronic data and information handling for its customer, Global Fitness Holdings, LLC, who in the underlying action, alleged Federal Recovery withheld this information and data. The central issue before the District Court in May 2015 was “whether the Global Fitness action triggered Travelers’ duty to defend under the Technology Errors and Omissions Liability Form.” And, the District Court held Traveler’s did not have a duty to defend Federal Recovery. The District Court’s decision only left Federal Recovery’s counterclaims to be litigated.

On January 12, 2016, the District Court denied Traveler’s motion for summary judgment seeking a dismissal of Federal Recovery’s counterclaims for breach of contract, breach of the implied covenant of good faith and fair dealing and breach of fiduciary duty. The court found the following concerning Federal Recovery’s three counterclaims:

• Breach of Contract: Travelers argued this claim fails in light of the District Court’s finding that Federal Recovery was not entitled to coverage. The court refused to review its determinations related to coverage issues addressed in its May 2015 order granting Traveler’s motion for summary judgment (“It is improper for Defendants to now argue that extrinsic evidence must be used in determining the duty to defend when they failed to do so previously and failed to respond to Travelers’ argument that extrinsic evidence should not be considered”). In granting Traveler’s motion on this count, the District Court held it did not have to revisit its finding on this issue.
• Breach of the Implied Covenant of Good Faith and Fair Dealing (defense obligation): The District Court denied Federal Recovery’s motion based on well-settled Utah law holding that “when an insured’s claim is fairly debatable, the insurer is entitled to debate it and cannot be held to have breached the implied covenant of good faith if it chooses to do so.” The District Court reasoned Travelers could not have breached any duty because Federal Recovery’s claim was “fairly debatable.

However, the portion of Federal Recovery’s breach of implied covenant of good faith and fair dealing claim related to Traveler’s attempt to recover defense costs survived Traveler’s motion for summary judgment. Federal Recovery’s expert witness opined that Travelers botched the initial reporting of Federal Recovery’s report of the claim by “requiring the filing of a lawsuit as a condition precedent to accepting Defendants’ claim report.” On this narrow issue, the District Court held the question of whether Travelers “inappropriately required the filing of suit papers in contravention of the CyberFirst Policy provisions, which may have resulted in a dilatory denial of defense causing severe financial consequences to the Defendants, is a factual issue and may be submitted to the jury.” Consequently, Federal Recovery is permitted to litigate this issue.

• Breach of Fiduciary Duty: The District Court found no question of fact precluding dismissal of Federal Recovery’s breach of fiduciary claim based on its earlier finding that Travelers did not have a defense obligation (“Without a duty to defend, Defendants cannot show that Travelers breached its fiduciary duty to defend”).

Federal Recovery retained an expert who opined that Traveler’s claims handling was “contrary to industry customs, practices and standards.” This decision does not give sufficient information to determine whether Travelers acted appropriately. The District Court merely found this issue could be submitted to a jury. However, this case serves as a reminder that while cyber insurance may have a number of novel concepts, ultimately, this coverage is based on fundamental insurance principles. The court’s analysis focused on the insurance provision concerning Traveler’s “duties in the event of a Claim or Suit.” Consequently, the District Court’s reasoning in the Federal Recovery decision is based on case law from a number of run-of-the-mill insurance cases.

The post District Court Examines Cyber Insurer’s Obligation to Investigate Claims Prior to Suit appeared first on Privacy Risk Report.

On January 5, 2016, a federal District Court granted the removal petition of Lloyd’s of London in a declaratory judgment action involving coverage under a cyber policy. The Hotel Monteleone originally filed a lawsuit on December 10, 2015 in the District Court of Orleans Parish, Louisiana, alleging it was entitled to coverage under an Ascent CyberPro Policy for damages related to a breach at the Hotel in 2014. The Petition for Damages filed in state court provides the following information concerning the cyber policy:

• Ascent sold the Ascent CyberPro insurance policy which provided $3 million in limits to the Hotel.
• The CyberPro policy contained a “Payment Card Industry Fines or Penalties” endorsement that limited certain coverage to $200,000 for “a monetary fine or penalty” from credit card company related to a breach.

The Petition provides the following information concerning the cyber attacks on the Hotel and its attempt to obtain coverage for such attacks:

• Prior to purchasing the CyberPro policy, the Hotel suffered a cyber attack in 2013 involving the theft of credit card information. The Hotel had losses related to this 2013 attack exceeding $200,000. The Hotel did not have cyber coverage at the time of this 2013 attack.
• After the 2013 attack, the Hotel sought insurance coverage specifically for “operational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment cards as a result of a cyberattack.”
• The Hotel alleges that it purchased the CyberPro policy for this coverage. Specifically, the Hotel alleges “it would not have paid $20,277.40 for only $200,000 in coverage for operational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment card…” that was provided through the endorsement.
• On October 17, 2014, the Hotel discovered it had suffered an attack that involved the breach of payment card numbers.
• After the attack, the Hotel claims a number of payment card companies demanded reimbursement for amounts they paid related to the Hotel’s breach to replace compromised cards.

The Petition alleges that the Hotel sought coverage for the amounts claimed by the payment card company but quickly learned Ascent planned to limit coverage under the CyberPro policy to the $200,000 limit in the endorsement. In its Petition, the Hotel claims it is entitled to the entire $3 million in limits under the policy rather than $200,000 under the endorsement to the policy. The Hotel’s breach of contract claim seeks to enforce the insuring agreement of the CyberPro policy absent the “Payment Card Industry Fines or Penalties” endorsement. In the alternative, the Hotel claims the CyberPro policy is ambiguous and requests the District Court find all the Hotel’s damages from the 2014 breach are covered under the CyberPro policy.

In addition to claims against the insurer, the Petition also contains allegations against the broker for negligent failure to procure insurance coverage. The Hotel supports these claims with allegations that the broker “advised [the Hotel] about the terms and extent of coverage afforded by the 2014 CyberPro Insurance Policy and procured a cyberinsurance policy that met [the Hotel’s] coverage needs.” The Hotel’s claims illustrate that some confusion in the cyber insurance marketplace is expected, as these products develop and the threats constantly evolve. Regardless of the outcome of this litigation, this case demonstrates the importance of insurers, brokers and policyholders coordinating to make sure everyone understands a policyholder’s particular risks and the safeguards put into place.

The post Cyber Insurance Lawsuit Demonstrates Need to Coordinate on Cyber Risks appeared first on Privacy Risk Report.

As the number of hacks and breaches increase in the news, people are not just becoming more accepting of data breaches, they are expecting to see data breaches. Now businesses are also expecting to see their competitors attempt to hack them.

For example, in early 2014, Uber discovered a breach involving the names and license numbers of nearly 50,000 drivers. By March 2014, Uber filed a lawsuit in the U.S. District Court for the Northern District of California against an unknown party related to the breach. In its Complaint, Uber claimed a “security key” was used without its authorization to gain access to its list of drivers. Count One of Uber’s Complaint, based on a violation of the Computer Fraud and Abuse Act, seeks damages for the unauthorized access to Uber’s driver database. Count Two of Uber’s Complaint, based on alleged violations of California’s penal code, seeks damages for the theft of information from Uber’s proprietary database. As this case proceeds through court, the unknown defendant, identified as “Subscriber,” filed various documents under seal. It appears the litigation will continue for a while as the court recently held that it was “reasonably likely” that Uber’s investigation would uncover the identity of the party referred to as “Subscriber.” The court has set a case management hearing for January 28, 2016.

While the Uber litigation does not mention Lyft in the allegations, recent information indicates Uber expects to find Lyft to be the source of the hack. In addition to Uber’s lawsuit, this breach has also spurred a investigation by the U.S. Department of Justice (DOJ). The DOJ has found that the source of the breach may be traced back to Uber’s main competitor, Lyft. Access to the compromised driver database was found on GitHub, a code-development website. After being contacted by Uber, GitHub determined only one IP address associated with the Uber hack that did not belong. Specifically, Reuters reports that Lyft’s technology chief, Chris Lambert, may have had his internet address come up in the investigation of the breach.

This is not the first time these two companies have been found competing outside the car-service apps. For example, Uber’s “playbook” for sabotaging Lyft was published online in August 2014. Uber has been accused of having its employees order and cancel rides and recruiting Lyft drivers in an effort to slow Lyft’s growth in new markets.

Secondly, consumers are expecting to see more hacks from the businesses they deal with. In addition to the privacy issues created by this litigation related to Uber drivers, there are also questions as to whether hacks at Uber and Lyft are compromising the safety of customers. For example, it has been recently reported that a “Rogue Lyft Driver” became angry when a woman in Chicago refused a ride. In a recent Facebook post, a Lyft customer described the following incident:

My driver was supposed to be an older black woman in an SUV. I got the notification saying my driver arrived. Went up the car window to check that the driver matched the picture and saw it was a man in his 40s. Car was different too. As I turned away to go back inside, he said, “Brittany? Get in the car!” I said, “You’re not my driver. I’m going inside.” But he kept shouting that “it doesn’t matter” and to get in the car. “I can drive you.”

About 10 seconds later, my actual Lyft driver, the woman, pulls up and asks what’s going on and who he is. At that point, the man speeds away. I leave eventually with the original woman and the man comes back and follows us for two or three blocks before we lose him at a light.

The Lyft customer believes the “rogue” driver may have hacked into the Lyft app and saw she was looking for a driver. Denying a hack of its system, Lyft has responded that the “Rogue Driver” showed up because the Lyft customer cancelled the low-rated driver before placing an order for the second Lyft driver. Even if this incident turns out to be unrelated to a hack, it demonstrates that Lyft customers are considering hacks as part of the marketplace when using technology.

Consequently, cybersecurity is now a consideration in how businesses interact with competitors, as well as how they deal with customers. The Uber incident demonstrates that businesses expect competitors to attempt to hack them. Likewise, the “Rogue Driver” situation, even if it was not caused by a hack or a breach, shows that consumers are prepared and actually expect to see businesses hacked.

The post Uber and Lyft Demonstrate How Cybersecurity Changes the Way Businesses Deal With Each Other and Customers appeared first on Privacy Risk Report.

As data breach plaintiffs are starting to overcome questions of whether or not they have standing to bring lawsuits in federal court under Article III of the U.S. Constitution, a recent decision may place an additional burden on plaintiffs. The August data breach of Ashley Madison, a website that refers to itself as “the world’s leading married dating service for discreet encounters,” has given rise to a number of lawsuits.

For example, one plaintiff recently filed a lawsuit in an Arkansas federal court seeking damages, on behalf of himself and others, related to the theft and exposure of his personal information stored by Ashley Madison. The plaintiff claims Ashley Madison was unjustly enriched by charging customers for a “paid delete” service to remove customer information but did not actually delete the information.

Ashley Madison recently argued that the plaintiff’s suit should be dismissed because he filed suit under the pseudonym John Doe rather than using his real name. On December 14, 2015, the U.S. District Court for the Eastern District of Arkansas denied Ashley Madison’s motion, but held the plaintiff had to sue in his real name. The District Court held that under the First Amendment “[t]here is a ‘strong presumption in favor of parties proceeding in their own names.’”

In analyzing this issue, the District Court relied on Plaintiff B v. Francis, 631 F.3d 1310, 1315 (11th Cir. 2011), which instructs courts to consider the following factors to determine if “privacy concerns” warrant a party to proceed anonymously:

• Is the plaintiff challenging a government activity?
• Will the plaintiff “be required to disclose information of the utmost intimacy?”
• Is there risk of criminal prosecution for admissions that may be made by the plaintiff?

The plaintiff argued the second “privacy concern” factor permitted him to proceed anonymously because disclosing his real name would subject his “sexual habits [to] public scrutiny.” The District Court disagreed and issued an order requiring the plaintiff to file an amended complaint under the following reasoning:

Rather, [signing up for the website] simply reveals that at one time he was a member of a website that catered to individuals who wanted to have “discreet relationships.” The details of whether Plaintiff did anything beyond signing up are not relevant to the claims in the complaint, which means there would be no revelation of Plaintiff’s sexual proclivities. Plaintiff’s privacy concerns do not outweigh the “strong presumption” in favor of requiring a party to proceed under his own name.

Based on the court’s reasoning, the plaintiff is required to file an amended complaint with his proper name by December 23, 2015.

A number of plaintiffs are struggling to meet the requirements for Article III standing to bring suit for data breaches. Here, the District Court’s holding that the plaintiff must use his proper name in data breach litigation may prove to be another obstacle to bring a suit for a data breach. While not every data breach has the potential to cause reputational damage to the extent seen with the Ashley Madison breach, some people may not want to pursue litigation under their proper names if that litigation would further highlight the fact that their name is associated with a breach at a certain political organization or related to a questionable service or purchase.

The post Ashley Madison Litigation Reveals Another Hurdle for Data Breach Plaintiffs: Real Name vs. Pseudonym appeared first on Privacy Risk Report.

While we have seen defendants in data breach cases argue that plaintiffs were not injured and therefore lack standing to bring suit, litigants in a recent data breach case have directly addressed issues some litigants have previously danced around.

On August 6, 2015, Pamela Chambliss and Scott Adamson (Plaintiffs) filed a class action complaint in a Maryland District Court against Carefirst, Inc. (which operates under the tradename Carefirst Blue Cross Blue Shield) related to a data breach at Carefirst in 2014. The Plaintiffs claim they have health insurance through Carefirst and, therefore, were required to furnish private information to Carefirst. The class action complaint seeks damages based on allegations that Carefirst failed to adequately secure its computer hardware that stored the Plaintiffs’ personal information. Carefirst discovered this breach on May 20, 2015. The breach released the names, birthdates, email addresses and “subscriber information” of 1.1 million individuals. The class action complaint indicates Carefirst did not encrypt the stored data and was viewed as a “soft target” by hackers.

The first cause of action was based on allegations that Carefirst was negligent by failing to safely store personal information and “potentially confidential health information” of its members. The class action Plaintiffs further claimed this breach “proximately caused an unauthorized disclosure” of Plaintiffs’ information. The second cause of action was based on allegations that Plaintiffs’ relied on Carefirst’s representations concerning its privacy and security before they purchased health insurance. The third cause of action alleged Carefirst was unjustly enriched when it did not pay for the security and protection promised to the Plaintiffs. Finally, the Plaintiffs alleged Carefirst’s conduct constitutes a violation of the Maryland Personal Information Protection Act.

On September 24, 2015, Carefirst filed its motion to dismiss the class action complaint, asserting Plaintiffs’ action is defective because “Plaintiffs have not alleged that they suffered an injury cognizable under Article III of the Constitution.” That is, Carefirst claims the Plaintiffs lacked standing to bring the action because the Plaintiffs’ data was not alleged to be misused in any manner.  In its supporting brief, Carefirst points out the difficulty class action plaintiffs are having surviving motions to dismiss:

Data theft is an unfortunate and increasingly common occurrence in contemporary life, victimizing literally millions of Americans. Fortunately, data loss does not always produce actual harm. Just as companies are learning how to harden their defenses against cyber theft, our Nation’s courts are learning to sort out the claims of truly injured victims from those who launch class actions without having suffered any real harm. This action falls into the latter category.

On November 5, 2015, the Plaintiffs filed their opposition to Carefirst’s motion to dismiss. The Plaintiffs wasted no time addressing what appeared to be the current trend of plaintiffs having difficulties showing damage from a data breach. The opening paragraphs take aim at Carefirst’s argument as follows:

Defendants, in their Motion, assert that data theft is a “common occurrence” as if that somehow excuses them from culpability for failing to take the reasonable, necessary steps to protect the plethora of sensitive, highly confidential personal and medical information in their possession and the harms that their insureds suffer as a result of that failure. Brief at 1.1 Defendants cannot get off so easily. In fact, the commonness of such breaches actually makes each subsequent breach all the more egregious. Just as the landlord in a high-crime area can be held liable when he fails to install a secure lock on a tenant’s door and a criminal breaks into a tenant’s apartment and harms her as a result, see e.g. Lay v. Dworman, 732 P.2d 455 (Okla. 1987), so, too, can a health insurer, who knows of the risk of cyberattack, be liable when it fails to secure its insureds’ confidential personal information.

Of course, the current dispute in the Carefirst case is based on what is becoming a substantial body of law concerning standing for data breach cases. In just the last year, we have seen the following developments on the standing issue:

• 7th U.S. Circuit Court of Appeals: On July 20, 2015, the 7th Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. In reversing the District Court, the 7th Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the 7th Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”
• District Court for Southern District of Texas: In Peters v. St. Joseph Serv., Corp., the District Court dismissed plaintiff’s claims on a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.
• District Court for Northern District of Georgia: Home Depot filed a motion to dismiss asserting the Class Action Plaintiffs lacked standing to bring suit for its data breach.
• District Court for Minnesota: In the Target litigation, the District Court held the Financial Institutions’ action survived Target’s Motion to Dismiss.

All of these cases trace their origins back to the Supreme Court’s 2013 opinion in Clapper v. Amnesty Int’l finding that the mere increased risk of future harm does not confer Article III standing.

The briefs in the Carefirst case demonstrate that litigants are starting to directly address the difficult questions related to data breach cases as courts gain a better understanding of these cases. While plaintiffs have hit a number of hurdles in establishing damages, defendants’ argument that everyone is suffering a data breach may lose credibility with courts.

The post Let’s Get Ready to Rumble: Gloves Come Off in Data Breach Standing Case appeared first on Privacy Risk Report.

While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a Los Angeles Times reporter that disclosed corporate passwords on a hacker website serve as additional reminders that “malicious insiders” still pose the largest security threat to an organization.

Ponemon Institute/Hewlett-Packard Study: Malicious Insiders Can Cause the Most Serious Cyber Incidents

The Ponemon Institute and Hewlett-Packard (HP) published the study, “2015 Cost of Cyber Crime Study: Global,” which provides insight into the increasing frequency and costs of cyber attacks against governments and businesses around the world. Specifically, the study examines the “economic impact of cyber attacks and observes cost trends over time” and relies on data taken from 252 organizations in seven countries. Most importantly, the study finds that the most costly cyber crimes are caused by “malicious insiders,” people from within an organization.

For example, the study found cyber attacks committed by malicious insiders cost the responding organizations, on average, $144,542 to resolve. The costs related to malicious insiders exceeded costs related to denial of service attacks, phishing scams and stolen devices. Further, the study found the time required to resolve issues created by malicious insiders greatly exceeded the time to resolve issues related to other attacks. Specifically, time to resolve issues related to malicious insiders (54 days) exceeded web-based attacks (28 days) and denial of service attacks (19 days). While the threat created by malicious insiders has been understood for some time, this study puts these threats into context when measured against other cybersecurity threats.

Matthew Keys’ Conviction Demonstrates Real World Dangers Associated with Malicious Insiders

The findings in the Ponemon/HP Study related to the malicious insiders threat were further supported when earlier this month a former Los Angeles Times reporter was convicted under the Computer Abuse and Fraud Act (CFAA). Matthew Keys was convicted of posting confidential server passwords on a hacker website and urged hackers to “go [expletive] some [expletive] up” on websites maintained by his employer, the Tribune Company. Keys had access to the passwords during his employment. After Keys posted the passwords, a hacker gained access to the Los Angeles Times website and created a fake headline for a story.

While there may be questions as to whether Keys was properly charged and convicted under the CFAA, another important consideration is the fact that he does not fit the mold of a “traditional” hacker. During the criminal trial it became clear that Keys had nothing more than a basic working knowledge of computers and no experience as a “hacktivist.” Costs related to the investigation of the hacks, related vandalism, security issues repairs and lost employee productivity were estimated to be nearly $1 million.

The Greatest Threat Comes from Inside an Organization

The Ponemon/HP Study and Keys’ conviction demonstrate that while large-scale hacks from foreign countries make news, employees continually prove to be the greatest threat to cybersecurity. Monitoring the conduct of employees and former employees continues to be just as important as maintaining cutting-edge technology in order to safeguard data or other valuable information. Further, the difficult question related to the amount of damages Keys actually caused leads into an interesting issue related to cyber insurance.

For example, while Keys’ employer claimed it suffered $1 million in damages, this amount was called into question by Keys because many of the hours logged to fix the damage caused by leaked passwords were attributed to journalists and executives rather than technical staff. This dispute over what costs were justified and attributable to Keys’ conduct illustrates the importance that insurers and insureds have a complete understanding prior to a cyber incident of the costs and damages covered under cyber policies.

The post New Study and Recent Criminal Conviction Sheds Light on the “Malicious Insiders” Threat appeared first on Privacy Risk Report.

On August 6, 2015, the Illinois Court of Appeals issued its opinion in Maglio v. Advocate Health and Hosp. Corp., dismissing the complaints filed in two class action lawsuits seeking damages related to a theft of Advocate Health’s computers containing information of approximately four million hospital patients. After a burglary on July 15, 2013, Advocate Health immediately notified patients of the incident, set up a call center to answer questions and offered the patients one year of free credit-monitoring services. By September 2013, class action lawsuits had been filed in Lake and Kane County, Illinois (the two circuit court actions had been consolidated by the time they reached the appellate court).

Plaintiffs filed class action complaints based on claims of negligence and invasion of privacy, violations of the Illinois Personal Information Protection Act and the Consumer Fraud and Deceptive Practices Act. The class action complaints did not allege that the Plaintiffs’ personal information was actually used after the computers were stolen. Rather, the Plaintiffs claim they faced “an increased risk of identity theft and/or identity fraud.” The trial court granted Advocate Health’s motion to dismiss finding the disclosure of the information “did not constitute an injury-in-fact sufficient to confer standing,” and the class action complaints failed to state a claim upon which relief could be granted.

The Court of Appeals upheld Lake County circuit court’s decision to dismiss Plaintiffs’ complaint based on the finding that Plaintiffs did not allege facts that “would plausibly establish an ‘imminent’ or ‘certainly impending’ risk that they will be victimized.” Likewise, the Court of Appeals upheld Kane County circuit court’s decision to dismiss the Plaintiffs’ complaint on the same grounds. In addition to addressing the standing issue seen in various federal court decisions recently, the Court of Appeals further noted its decision was impacted by the fact that only two plaintiffs (out of the 4 million patients that had their information taken) received notice of any fraudulent activity related to their personal information.

Coincidentally, the Court of Appeals decision finding Plaintiffs lacked standing to file a lawsuit related to Advocate Health’s data breach was issued after the Seventh Circuit’s July 20, 2015 decision in Remijas v. Neiman Marcus Group, LLC, finding plaintiffs had standing to file suit. The decisions in Remijas and Maglio, both arising out of data breaches in Illinois and litigated in Illinois courts, demonstrate that questions related to standing have not been fully resolved. Therefore, the facts related to a particular data breach and the aftermath of that data breach will be determinative on the standing issue.

The post Illinois Appellate Court Decision Does Not Adopt Seventh Circuit’s Reasoning in Data Breach Case appeared first on Privacy Risk Report.

On July 20, 2015, the U.S. Court of Appeals for the Seventh Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. The issue of Article III standing, in the context of data breaches, has been examined by a number of courts related to the Home Depot breach, the Target breach as well as a number of other similar cases. The roots of this argument are found in the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, which requires that a plaintiff must allege a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. To date, a number of courts have dismissed data breach cases because they lacked standing, as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative to survive a motion to dismiss.

In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class member lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”

In reversing the District Court, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”

Since this decision, a number of commentators have argued that the Neiman Marcus decision will breathe new life into data breach litigation. While the Neiman Marcus decision is important on the issue of Article III standing, there are a number of cases that could have a greater impact on data breach litigation. For example, the Seventh Circuit identifies one important case in its Neiman Marcus decision, “We note that these allegations go far beyond the complaint about a website’s publication of inaccurate information, in violation of the Fair Credit Reporting Act, that is before the Supreme Court in Spokeo, Inc. v. Robins.”

As previously reported, even though the Spokeo case does not involve a data breach, it still could have an immediate impact on data breach litigation. That is, if the U.S. Supreme Court were to rule in favor of the plaintiffs in Spokeo, it could potentially lower the threshold for plaintiffs to establish standing in data breach claims. Developments in Spokeo can be monitored on the Supreme Court’s blog. Consequently, while the Neiman Marcus decision is important, it may be tempered by the Supreme Court’s decision in Spokeo.

The post Seventh Circuit Weighs In on Article III Standing for Data Breach Plaintiffs appeared first on Privacy Risk Report.