<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; litigation</title>
	<atom:link href="https://privacyriskreport.com/tag/litigation/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Courts Are Still Picking Over The Bones From The 2013 Target Data Breach</title>
		<link>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach</link>
		<comments>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/#comments</comments>
		<pubDate>Tue, 19 Nov 2019 17:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[Target]]></category>
		<category><![CDATA[United States District Court for the District of Minnesota]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1979</guid>
		<description><![CDATA[
<p>It was a quaint, innocent time before social engineering scams, ransomware or any of the other threats had evolved to hassle both large and small data collectors. In 2014 and 2015, large-scale data breaches at Home Depot, Best Buy and... <a class="more-link" href="https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/">Courts Are Still Picking Over The Bones From The 2013 Target Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>It was a quaint, innocent time before social engineering scams, ransomware or any of the other threats had evolved to hassle both large and small data collectors. In 2014 and 2015, large-scale data breaches at Home Depot, Best Buy and Target roamed the Earth. While all that has changed drastically in the last five years, we still have a few fossils providing insight on a time when <em>huge</em> data breaches caused <em>huge</em> damages to companies with <em>huge</em> insurance policy limits.</p>
<p>Five years ago, on September 19, 2014, <a href="https://privacyriskreport.com/target-seeks-dismissal-of-action-filed-by-banks-in-data-breach-case/" target="_blank">we posted about Target Corporation’s motion to dismiss a lawsuit filed by a number of banks</a> that claimed they incurred costs to reissue credit/debit cards compromised in Target’s December 2013 data breach.</p>
<p>A year later, on September 16, 2015, <a href="https://privacyriskreport.com/target-suffers-a-significant-blow-in-financial-institution-data-breach-class-action" target="_blank">we posted about the class action litigation brought by financial institutions related to the Target data breach.</a> This class action was brought by banks that had to reissue credit and debit cards that were compromised in Target’s massive data breach. <a href="https://privacyriskreport.com/put-away-the-champagne-smaller-banks-try-to-block-the-targetmastercard-settlement/" target="_blank">We had been monitoring this litigation for months in 2014 and 2015</a> as Target and the Banks issuing cards caught in Target’s breach slugged it out in court.</p>
<p>Almost four years later, the insurance coverage issues related to Target’s litigation with financial institutions are just reaching the courts. On November 15, 2019, Target Corporation (“Target”) filed a <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/target-complaint.pdf?sfvrsn=2" target="_blank">complaint</a> seeking damages for breach of contract claims and seeking a declaratory judgment concerning insurance coverage in the United States District Court for the District of Minnesota against its insurer, ACE American Insurance Company (“ACE”).</p>
<p>The Complaint generally alleges the following facts gave rise to Target’s tender for insurance coverage:</p>
<p><em>In December 2013, Target discovered that a hacker had installed malicious software on its computer network (“Data Breach”). The Data Breach enabled the attacker to steal payment card data and personal contact information, thus rendering the related physical payment cards unusable. As a result, numerous banks were required to dedicate substantial resources to canceling and reissuing physical payment cards. These costs include, for example, the cost of producing the plastic card, mailing the card to consumers, and otherwise reissuing the physical card. Those banks subsequently sued Target for their losses, including the losses directly caused by the replacement of the physical cards. Target was able to settle all of the claims, including the claim for the replacement of physical payment cards.</em></p>
<p>More specifically, Target claims ACE had a duty under two general liability insurance policies that provide coverage for “Property Damage” defined to include the “loss of use of tangible property that is not physically injured.” In particular, the banks claimed, “that, as a result of the Data Breach, they were forced to dedicate significant resources to canceling and reissuing these physical payment cards.” Target claims it is entitled to coverage because it was found liable “for the loss of use of plastic payment cards that were not physically injured.” The Complaint alleges the parties litigated the underlying class action brought by the banks to the point that the matter was ultimately settled for approximately $58 million. Target also settled with Visa, Mastercard, American Express and Discover for approximately $138 million. The Complaint alleges that approximately $74 million went to the Banks for costs related to replacing cards compromised by the breach.</p>
<p>Target seeks coverage under two primary policies and an excess policy by asserting the Banks “sought damages for, among other things, loss of use of tangible property (i.e., physical plastic payment cards) that, while not physically injured, could not be used without risk to the customer and the bank.” The Complaint for Declaratory Judgment alleges ACE breached its duty when it refused to indemnify Target for damages incurred to reissue the compromised cards and seeks a judicial declaration that ACE owes coverage under all the policies.</p>
<p>In addition to serving as a reminder of a bygone era, the Target data breach provides insight into the unique issues data breaches cause under traditional lines of insurance for both large and small data collectors. While this declaratory judgment matter is only in the initial pleading stages, Target is already making a unique argument that costs related to reissuing credit/debit cards by Banks fall into the definition of “property damage” in the CGL policies. Further, Target will need to show the retained limits of the policy, which are essentially a deductible, were exhausted solely on costs from reissuing the “physical plastic payment cards.” This case may develop to provide some much-needed authority concerning breach claims under CGL policies. Either way, we can count on this case adding to the substantial body of privacy law in general created by the Target breach in 2013.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/">Courts Are Still Picking Over The Bones From The 2013 Target Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Premera Breach Shows What Happens When Litigants Cross Each Other by Trying to Shield Documents from Discovery in Breach Litigation</title>
		<link>https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation</link>
		<comments>https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/#comments</comments>
		<pubDate>Fri, 22 Feb 2019 16:27:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[District Court for Oregon]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1777</guid>
		<description><![CDATA[
<p>Data breach litigation inherently involves a significant amount of information, so it is no surprise to see discovery issues in breach cases. The typical data breach lawsuit may include discovery requests for pre-breach information (response plans, audits), response information (notification... <a class="more-link" href="https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/">Premera Breach Shows What Happens When Litigants Cross Each Other by Trying to Shield Documents from Discovery in Breach Litigation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><iframe width="676" height="380" src="https://www.youtube.com/embed/F20pPa2NhBc?feature=oembed" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></p>
<p style="text-align: left;">Data breach litigation inherently involves a significant amount of information, so it is no surprise to see discovery issues in breach cases. The typical data breach lawsuit may include discovery requests for pre-breach information (response plans, audits), response information (notification letters and phone scripts) and post-breach information (remediation and vendor information). Suffice it to say, there is ripe opportunity for discovery disputes with this amount of information needing to be exchanged between the parties.</p>
<p>The Blue Cross breach, or Premera breach, occurred in 2015 and involved the unauthorized disclosure of confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised data included members’ personal, medical and financial information. The breach on Premera’s computer network was publicly disclosed on March 17, 2015. A class action lawsuit was filed in the District Court for Oregon based on claims that the breach began in May of 2014 and went without detection for nearly a year. In <em>In Re: Premera Blue Cross Customer Data Security Breach Litigation</em>, 2019 WL 464963 (D. Ct. Or. Feb. 6, 2019), the District Court for Oregon addressed motions to compel discovery of documents and other information filed by the class action plaintiffs and Premera.</p>
<p>First, the District Court addressed the class action plaintiffs’ motion seeking the production of documents withheld by Premera based on the attorney-client privilege and the attorney work-product doctrine. The District Court provided the following analysis which can provide insight to data collectors:</p>
<ul>
<li><em>Email Communications</em>: Based on the large body of law concerning attorney-client privilege, the District Court held only emails from Premera’s attorneys containing legal advice were protected.  Emails “containing merely a factual discussion” would not be protected.</li>
</ul>
<ul>
<li><em>Draft Documents</em>: The District Court found documents prepared by attorneys, at the request of attorneys or sent to attorneys would most likely be protected from discovery. The District Court specifically noted that drafts of breach notification letters or press releases about the breach may not be protected if the documents are merely sent to the attorney to be included in the attorney’s file and do not solicit legal advice.</li>
</ul>
<ul>
<li><em>Documents Related to Press Releases, Notices and Remediation</em>: Once again, in reviewing the various documents discussing the breach, the District Court relies on the fundamental rule that protected communication must provide or solicit legal advice.  All communication simply discussing articles in the press may be discoverable unless the discussion “involves seeking advice about how that particular article might affect Premera or litigation, or how from a legal perspective Premera should comment on the article…”</li>
</ul>
<p>Likewise, the District Court held drafts of scripts to be used to discuss the breach with members or FAQ documents would be protected as long as legal advice is being provided or sought.  Additionally, scripts were found to be protected to the extent they are prepared “in anticipation of litigation.”  That is, the District Court noted that Premera would not have taken the time to prepare scripts unless they anticipated litigation or regulatory inquiries.  Therefore, while the drafts of scripts were prepared by counsel, the “actual final scripts” were not protected.</p>
<p>Plaintiffs argued documents related to remediation are considered a business function and, therefore, would not be protected.  The District Court found all documents provided by vendors that contain or solicit legal advice are protected.  However, in a discussion concerning “attachments provided to counsel that were prepared by third-party vendors,” the District Court noted that “third parties performing general remediation efforts, even if hired by counsel, are performing a business function.”  Therefore, a vendor’s report by itself may not be protected if it is found to not provide “factual information to counsel so that counsel can provide sound and informed legal advice or have been sent to the attorney requesting the attorney’s legal advice and input.”</p>
<ul>
<li><em>Business and Technical Documents</em>: Obviously, a substantial amount of technical data would be expected with a breach of this size. The District Court found information related to Premera’s audits, investigations and their security may be discoverable because “[a]s a business, Premera needs periodically to audit its information technology and security and training.” And, audits would have been done regardless of the breach. Therefore, information concerning these activities may be discoverable to the extent they have a business purpose more than a legal purpose. The District Court further noted that this information may be discoverable even if legal counsel relies on the information while formulating their advice since “[t]hese audits…are normal business functions performed on a regular basis, to enable Premera to assess the state of its technology and security.” The District Court also found the information related to the investigation of the cause of this breach or into the corporation’s “physical security” was discoverable since Premera needed to conduct the investigation as a business anyway. A document drafted by counsel using this data would be protected.</li>
</ul>
<p>Importantly, the District Court found information related to “Premera’s response to the breach” would not be discoverable since it “was likely affected by the anticipation of litigation and regulatory inquiries.”  The District Court summarizes its ruling that documents related to the response to the breach may not be discoverable as: “Other than the initial business steps of remediation, notifying customers, and making public statements, which Premera would have had to do regardless, the later actions by Premera were likely guided by advice of counsel and concerns about potential liability.”</p>
<ul>
<li><em>Documents Disclosed to Third Parties</em>. The District Court held that documents turned over to third-party vendors, including Mandiant, may not be discoverable.  These documents remain privileged as long as “an attorney is being asked to give legal advice about something to a third-party vendor is working on does not extinguish the attorney-client protection.”</li>
</ul>
<p>Premera’s motion was far less complicated and merely sought an Order requiring the Plaintiffs to produce their computers or other devices in order to investigate the “actual causal link between the Defendant data breach and their alleged harm.” Specifically, Premera wanted to confirm each class action plaintiff could establish they suffered harm from Premera’s breach. Premera claims plaintiffs cannot establish this causal link if their devices have “malware or evidence of other intrusions” unrelated to this breach. Premera provided the following example of the information it needs to collect:</p>
<p><em>“…Plaintiff Mr. Christopherson’s testimony that his bank account information was obtained by ‘scammers’ and that Premera is entitled to Mr. Christopherson’s Device ‘in order to determine precisely what the scammers took from Mr. Christopherson and whether such evidence disrupts the causal link that Plaintiffs allege exists between the Defendant breach and the alleged harm to Mr. Christopherson.’”</em></p>
<p>However, the District Court rejected this argument since “Plaintiffs are not alleging any identity theft-related injuries or seeking such damages.”  Therefore, the causal link is irrelevant to the damages sought by Plaintiffs.</p>
<p>Data breach litigation has always posed unique issues to the extent that data collectors must prepare for an incident but there were always questions as to whether those preparation documents could be used against them by plaintiffs in a data breach case. For example, many data collectors struggle with whether breach response plans will be discoverable and used against them after a breach. While the <em>Premera </em>Court does not directly address documents generated before the incident, the case makes clear that documents providing or soliciting legal advice have the best chance of being protected from discovery. Consequently, if there were not enough reasons already to retain counsel for cyber security, data collectors must consider that operating without counsel may generate documents that will not be privileged.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/">Premera Breach Shows What Happens When Litigants Cross Each Other by Trying to Shield Documents from Discovery in Breach Litigation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/premera-breach-shows-what-happens-when-litigants-cross-each-other-by-trying-to-shield-documents-from-discovery-in-breach-litigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pennsylvania Supreme Court Finds Collecting and Storing Employee Data Gives Rise To Duty: Is the Pendulum Swinging Back In Favor Of Data Breach Plaintiffs?</title>
		<link>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs</link>
		<comments>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/#comments</comments>
		<pubDate>Fri, 30 Nov 2018 16:20:36 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[employer]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1711</guid>
		<description><![CDATA[
<p>Not long ago, data collectors could feel secure in the fact that plaintiffs had a significant hurdle to establish standing to bring a lawsuit related to a data breach. However, on November 21, 2018, the Pennsylvania Supreme Court issued its... <a class="more-link" href="https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/">Pennsylvania Supreme Court Finds Collecting and Storing Employee Data Gives Rise To Duty: Is the Pendulum Swinging Back In Favor Of Data Breach Plaintiffs?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Not long ago, data collectors could feel secure in the fact that plaintiffs had a significant hurdle to establish standing to bring a lawsuit related to a data breach. However, on November 21, 2018, the Pennsylvania Supreme Court issued its decision in <em>Dittman v. The Univ. of Pittsburgh Medical Center</em>, 2018 WL 6072199 (2018), holding an employer can be liable under a negligence claim for breaching employees’ personal information if it does not have adequate security measures in place protecting that data. The reasoning in this decision may make it easier for employees to sustain a lawsuit against their employers after data breaches.</p>
<p>The Class Action Complaint filed in <em>Dittman </em>asserts that the Medical Center breached the personal information of its 62,000 employees. Furthermore, the Complaint alleged the Medical Center required Medical Center Employees to provide this information as a condition of their employment. Ultimately, the Medical Center Employees claimed this information was used to file fraudulent tax returns after the breach.</p>
<p>The Medical Center Employees claimed the Medical Center was negligent when it breached “a duty to exercise reasonable care to protect their ‘personal and financial information within its possession or control from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties.’” In particular, the Medical Center Employees argued the Medical Center failed to implement basic security measures protecting their information.</p>
<p>The Pennsylvania Supreme Court held <em>first</em>, the Medical Center owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm from breaching personal information and, <em>second</em>, the economic loss doctrine did not bar the Medical Center employees’ claim.</p>
<ul>
<li>An Employer Has A Duty To Use Reasonable Care And Safeguard Employee Personal Information.</li>
</ul>
<p>The Medical Center Employees claimed the Medical Center had a duty to protect their data once it began collecting and storing the data. The Medical Center countered it should not be liable for the breach since third-party criminals were responsible for the breach. That is, the Medical Center was merely an employer and did not create the risk of harm. Therefore, the Medical Center claimed it had no duty.</p>
<p>The Pennsylvania Supreme Court rejected the Medical Center’s position and found it potentially could be at fault when it “collected and stored [personal information] on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.”  In light of these allegations, the Supreme Court held the Medical Center “owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of the act.”</p>
<ul>
<li>Recovery For Pecuniary Damages Is Permissible Under Pennsylvania’s Economic Loss Doctrine.</li>
</ul>
<p>Next, the Medical Center argued that even if it had a duty, the Medical Center Employees’ claims could still be barred by the economic loss doctrine.  Under Pennsylvania law (as with most other states) the economic loss doctrine bars negligence claims against a party that are based solely on economic damages. The Pennsylvania Supreme Court found the economic loss doctrine did not bar the Employees’ claims because “this legal duty exists independently from any contractual obligations between the parties…”  In other words, the <em>Dittman</em> Court rejected the Medical Center’s position that the economic loss doctrine was applicable because the duty to secure employee personal information arises out of negligence law rather than contractual obligations.</p>
<p><a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">There is a significant body of law addressing whether plaintiffs have “standing” to bring lawsuits against data collectors</a>. However, the Pennsylvania Supreme Court did not directly address whether there was a causal link between the breach at the Medical Center and the Employees’ allegations that fraudulent tax returns were filed in their names with the breached information.  Consequently, under the reasoning in the <em>Dittman</em> decision, the best strategy for employers to limit liability in Pennsylvania is to make sure they have “adequate” security measures in place if a breach occurs involving employee data.  And, this case should make it clear to employers outside of Pennsylvania that plaintiffs are beginning to clear the hurdles to establishing liability for data breach incidents.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> at Tressler LLP for a copy of the <em>Dittman</em> decision.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/">Pennsylvania Supreme Court Finds Collecting and Storing Employee Data Gives Rise To Duty: Is the Pendulum Swinging Back In Favor Of Data Breach Plaintiffs?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[<p>On October 17, 2018, the American Bar Association published Formal Opinion (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach: </em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
</ul>
<ul>
<li><em>Stopping the Breach and Restoring the System:</em>  F.O. 483 also requires a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs.  Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
</ul>
<ul>
<li><em>Determining What Occurred</em>: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA </strong><strong>Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers to provide notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and efforts to protect the client’s data.  Finally, F.O. 483 directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers when a cyber security issue may result in an ethical issue.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Neiman Marcus Case is Back and is Causing “Class Warfare”</title>
		<link>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-neiman-marcus-case-is-back-and-is-causing-class-warfare</link>
		<comments>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/#comments</comments>
		<pubDate>Thu, 20 Sep 2018 15:26:59 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[District Court]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[Neiman Marcus]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1661</guid>
		<description><![CDATA[
<p>The litigation resulting from the Neiman Marcus breach in 2013 continues to create interesting law and precedent.  The history on this matter is significant since Neiman’s breach exposed customers’ credit card numbers. This litigation has already created significant law on... <a class="more-link" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">The Neiman Marcus Case is Back and is Causing “Class Warfare”</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The litigation resulting from the Neiman Marcus breach in 2013 continues to create interesting law and precedent.  <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">The history on this matter is significant since Neiman’s breach exposed customers’ credit card numbers</a>. This litigation has already created significant law on the issue of what data breach plaintiffs <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">need to show to establish standing</a> in federal cases. This litigation resurfaced on September 17, 2018 when the class action plaintiffs filed their motion to approve the award for attorney’s fees and other costs. Objectors, who were class members, challenged the plaintiffs’ motion through their own motions to decertify the class. The Court’s decision sheds new light on the requirements to certify a class of plaintiffs in data breach cases.</p>
<p>In reviewing the motions to decertify the class, the District Court for the Northern District of Illinois held a class cannot be certified if the class members have “impermissible intra-class conflicts.” It is well settled that “[a] single class cannot be fairly or adequately represented by the named plaintiffs and class counsel if members of the class have antagonistic or conflicting claims.” In short, this decision provides one of the best examples of how courts may address the varying interests of plaintiffs in data breach class action lawsuits.</p>
<p>To approach the question of whether the plaintiffs in <em>Neiman</em> had divergent interests, the Court first addressed the fact that the class action plaintiffs had varying degrees of involvement in the Neiman data breach.  Specifically, the Court divided the class members into the following three groups based on where they fell in the “malware period” (the period within which the malware was operating):</p>
<ul>
<li>Those who made purchases during the time range within which the malware was operating;</li>
<li>Those who made purchases during the malware period and while the malware was active at the location of their purchase; and</li>
<li>Those who made purchases outside the malware period<em>.</em></li>
</ul>
<p>After breaking the class plaintiffs into groups, the Court found the first two groups presented the fewest problems for class certification, or in other words, they had sufficiently similar interests to be members of the same class.  Even though the Court found the first two groups had similar interests, the Court still found a slight “disparity of interests” between these first two classes to the extent the first group, who had their information taken, was at odds with the second group, who both had information taken in the breach while the malware was active.  The Court further noted that this disparity in interests made the parties’ settlement “suspect” when there was a requirement for class members to opt in before knowing if their information was at risk.  This aspect of the settlement did not sit well with the Court since it may force some class members to take unnecessary efforts when they cannot be certain that their information was compromised.  Given these issues, the Court reluctantly found the parties’ settlement involving the first two groups to be supported by law when “the class representatives and class counsel had equal incentive to represent the interests of all class members who made a purchase within the malware period.”</p>
<p>While the first two groups may have made the settlement in <em>Neiman</em> suspect, the Court found including the third group, made of individuals that made purchases outside the malware period, destroyed the class certification. These individuals knew from the outset of litigation that the malware was not active at the time of their purchases and, therefore, they had divergent interests from the first two classes when they had “no chance of monetary recovery.”</p>
<p>Based on these divergent interests between class members, the court decertified the class in the <em>Neiman</em> litigation and the motions to approve the settlement were denied.</p>
<p>The Court’s decision in <em>Neiman</em> may create another hurdle for plaintiffs in addition to surviving motions to dismiss.  Questions related to damages sustained by class action plaintiffs have always been closely scrutinized by courts.  Under this reasoning, class action plaintiffs will also need to show the class representatives have an incentive to represent the interests of every member of the class.</p>
<p>Please reach out to <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> for a copy of the Memorandum Opinion And Order issued on September 17, 2018.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">The Neiman Marcus Case is Back and is Causing “Class Warfare”</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage.  Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information being compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence.  Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while determining the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather,  Plaintiff claims it was damaged because the emails contained confidential and proprietary information which violated state and federal law.  Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment thus prompting the District Court to decide if Plaintiff had a viable cause of action under federal or state laws.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber </em><em>technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category:”</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found that Plaintiff’s allegations that Defendant illegally misappropriated confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action).  Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”)  Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, the Court did not have to analyze the state claims when the federal claims were dismissed.  Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed.  Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The<em> American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer.  Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct.  That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information with the hardcopies of the documents rather than transferring the information to his personal account through his computer.  Further, the District Court may have arrived at a different decision if Defendant actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the term “cyber” evolve to be limited to incidents where “a computer is the target of the malicious activity.”  These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.”  If the District Court’s analysis gains traction, we may see legislation that would directly address this new breed of malicious activity rather than seeing various privacy claims being crammed into traditional laws.  Further, we may also see cyber policies evolve toward providing coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.&#8221;</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</title>
		<link>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim</link>
		<comments>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/#comments</comments>
		<pubDate>Thu, 02 Nov 2017 21:20:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1367</guid>
		<description><![CDATA[
<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they... <a class="more-link" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they suffered a concrete injury from a data breach and that they were injured by that particular data breach and not another unrelated incident involving their personal information. Consequently, the potential causes of action available to data breach plaintiffs seem to decrease with each new decision.</p>
<p>The October 31, 2017 decision of the District Court for the Southern District of Ohio provides another example of a court limiting plaintiffs’ chances of recovery after a data breach and dismissing their claims via a motion to dismiss.  The plaintiffs in <em>Galaria v. Nationwide Mut. Ins. Co.,</em> 13-cv-257, 2017 WL 4918634 (Oct. 31, 2017 S.D. Ohio), filed action in the District Court for the Southern District of Ohio when they learned in November of 2012 that Nationwide breached personally identifiable data provided in insurance applications. In August 2017, the District Court issued an order dismissing all plaintiffs’ claims with the exception of a bailment claim.  (<a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">The Privacy Risk Report has addressed the dismissal of Plaintiffs&#8217; other claims here</a>).</p>
<p>In order to establish a viable implied bailment claim, the plaintiffs in <em>Galaria</em> were required to show they delivered their personal information to Nationwide “for the specific purpose” that the “property ‘shall be returned or accounted for when this special purpose is accomplished or retained until the bailor reclaims the property.&#8217;” That is, Nationwide&#8217;s liability hinged on whether the property was returned undamaged.</p>
<p>Prior to getting into its analysis, the District Court reviewed the reasoning of other courts on this issue:</p>
<p><em>“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to a bailment liability.”</em></p>
<p><em>***</em></p>
<p><em>Applying the law of various states, those courts have concluded that a person in that scenario has not transferred possession of the data with &#8220;the expectation that the recipient will return the data and does not base any claim for damages on the recipient’s unlawful retention of the data.”</em></p>
<p>In applying this reasoning found in a number of data breach cases including <em>In re Target Data Security Breach Litig</em>., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) and <em>In re Sony Gaming Networks and Customer Data Sec. Breach Litig</em>., 903 F. Supp. 2d 942 (S.D. Cal. 2012), the District Court found “[i]ntangible property, including personally identifiable data, may or may not constitute the sort of personal property that may be bailed.” However, the District Court did not have to address this question “because Plaintiffs have not alleged that they transferred control or custody of their personal identifiers to Defendant with the expectation that Defendant would hold them for some purpose and then return them undamaged to Plaintiffs.”   Here, the Plaintiffs never relinquished custody or control over the data. (“They retained their personal identifiers and continued to use them throughout the period of the alleged bailment.&#8221;) The Plaintiffs’ bailment claim failed since plaintiffs did not allege “that they expected Defendant to return the data because they were never without their personal identifiers.”</p>
<p>The District Court’s analysis illustrates the struggle data breach plaintiffs face to establish viable causes of action. Even if they demonstrate they have standing to bring suit against a data collector, plaintiffs still must address the fact that their data is intangible and, therefore, may not be subject to laws protecting tangible property. Further, while many states have laws protecting data, most privacy laws do not create a private cause of action to recover after a breach.</p>
<p>It is important to remember these cases, which may be used to limit liability, do not support a decision to pass on cyber insurance.  The costs of defending these cases more than justify the cost of cyber insurance.  There is more at stake than third-party liability in most data breach incidents.  Therefore, the costs of dealing with a cyber incident more than justify paying the premium and deductible of a cyber insurance policy.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us">click here to contact a Tressler attorney</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public.  Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public.  Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public.  However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data.  It is not difficult to see how these various requirements may become competing interests that cause confusion.  Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), when the New Hampshire Supreme Court found providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.”  The School District voted to seal the minutes while in the nonpublic session.  The following month, the plaintiff, David Taylor, requested the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed.  In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure which allowed records to only be provided  to a member of the public that brings a sealed thumb drive (or purchases a thumb drive directly from the School District) for the records to be downloaded.</p>
<p>By August of 2016,  Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire law and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email.  Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.&#8221;  Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information.  The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns.  While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</title>
		<link>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017</link>
		<comments>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/#comments</comments>
		<pubDate>Tue, 18 Jul 2017 14:47:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1256</guid>
		<description><![CDATA[
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the... <a class="more-link" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.  (In 2015, the Privacy Risk Report addressed the facts related to <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech’s breach on December 2, 2015</a> at great length.)</p>
<p>Now that we are a few years down the road since the breach, we have seen VTech&#8217;s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech&#8217;s business.  Therefore, even though we have no information concerning VTech&#8217;s insurance program, we still have sufficient information about VTech&#8217;s breach to analyze the value of third party liability and first party coverage in data breaches.</p>
<ul>
<li><strong>VTech’s Good News: No Liability For The Breach (So Far)</strong></li>
</ul>
<p>On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breaches cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.</p>
<p>The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.&#8221; Of course, there was no contract to use the apps.  Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech argued that &#8220;each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach its obligations to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.”  The District Court was not persuaded by plaintiffs&#8217; argument when they could have easily used the toys without downloading the apps or uploading their personal information.  And, the District Court agreed with VTech when it found “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services&#8221; and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.</p>
<p>Even though the plaintiffs <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">failed to show they had damages and could survive a motion to dismiss</a>, the value of third party cyber liability coverage is clear. The costs related to briefing the complex issues on a motion to dismiss related to whether the plaintiffs have standing can be too much for many companies. Further, if the plaintiffs survive a motion to dismiss, <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">which is happening on a more routine basis</a>, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment. Therefore, the VTech case (even though the plaintiffs’ case was dismissed) still underscores the need for third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.</p>
<ul>
<li><strong>VTech’s Bad News: Potential First Party Losses</strong></li>
</ul>
<p>Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/" target="_blank">recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price.</a>  Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun &amp; Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, Yahoo.  In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:</p>
<table>
<tbody>
<tr>
<td width="638">“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”</td>
</tr>
<tr>
<td width="638">“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”</td>
</tr>
<tr>
<td width="638">“More recent breaches had less of a negative impact on share price than older ones.”</td>
</tr>
<tr>
<td width="638">“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”</td>
</tr>
</tbody>
</table>
<p>Admittedly, while Comparitech&#8217;s in-depth study of these large-scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences: in <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/" target="_blank">January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million</a>. And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al</em>., 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) which stored workers&#8217; compensation litigation files.  In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files.  The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1)       “intentionally accesses without authorization”</p>
<p>(2)       a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3)       “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction” between “electronic communication services” and “remote computing services.” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care’ for different types of communication.” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand as the portion of the Act which the plaintiffs sought relief under, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims. Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades. Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act. This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel that has experience in this developing, highly specialized area.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
