By Danita L. Davis Sudac

Individuals’ willingness to share detailed accounts of their lives on social media sites, such as Facebook, has created an unparalleled source of evidence for lawyers seeking discovery.   There is little question that social media evidence can be helpful in the areas of civil litigation.  For example, it can be used to discredit a litigant or contradict allegations of damages. Recently, in the high profile matter of Brown v. City of Ferguson, 15-cv-831, (E.D. Mo., E Div. Jan. 27, 2017), U.S. District Judge E. Richard Webber ordered that the family of Michael J. Brown, Jr., the unarmed black teenager killed in 2014 by police in Ferguson, must disclose all relevant Facebook posts in their wrongful death action against the city.   The court disagreed with Brown’s family members’ claims that they had a right to privacy for notes sent through Facebook Messenger.  The court likened Messenger to a “personal diary” which the court found must be disclosed if it has entries relevant to a case.  The court reasoned that the social media posts would show the family members’ relationships with Brown, which will help calculate pain, suffering and psychological damages, as well as provide evidence that could be used by the City and other Defendants to impeach or show bias.  In addressing concerns as to overbreadth and relevance, the court noted that the disclosure was limited in time and the entry of a protective order would safeguard any remaining privacy concerns. 

In cases where the production of social media information is challenged, most courts note that discovery of such information is governed by the same legal principles that guide more traditional forms of discovery.   As one New York Superior Court opinion recognized, “fishing expeditions” of social media accounts are just as objectionable as their “analog  antecedents.”   Winchell v. Lopiccolo, 954 N.Y.S.2d 421 (2012).  Relevance is still a perquisite before broad social media discovery is allowed.  Once relevance is established, however, the  traditional rules of civil procedure generally apply.

Despite the fact that social media users may try to self-regulate their privacy settings to restrict public disclosure, in the litigation context, these posts may be deemed relevant and discoverable regardless of the users’ privacy intentions.  Further, when seeking social media discovery, attorneys should also think twice about “friending” a represented adverse policy. Such activity likely violates  the Rules of Professional Conduct which addresses communications with represented parties.  As it pertains to their own clients, attorneys must also be aware of issues related to the preservation of social media evidence.   Once involved in a lawsuit, a litigant cannot delete relevant social media evidence at issue in the litigation.

In sum, as social media continues to be a popular and accessible mode of communication, discovery of social media information will become more prominent. Attorneys and their insurer clients should familiarize themselves with rules and recent decisions regarding the production of social media information as  issues surrounding such discovery will  likely be the subject of objection and motion practice.

The post Emerging Privacy Issues In Discovery Of Social Media appeared first on Privacy Risk Report.

While we have seen defendants in data breach cases argue that plaintiffs were not injured and therefore lack standing to bring suit, litigants in a recent data breach case have directly addressed issues some litigants have previously danced around.

On August 6, 2015, Pamela Chambliss and Scott Adamson (Plaintiffs) filed a class action complaint in a Maryland District Court against Carefirst, Inc. (which operates under the tradename Carefirst Blue Cross Blue Shield) related to a data breach at Carefirst in 2014. The Plaintiffs claim they have health insurance through Carefirst and, therefore, were required to furnish private information to Carefirst. The class action complaint seeks damages based on allegations that Carefirst failed to adequately secure its computer hardware that stored the Plaintiffs’ personal information. Carefirst discovered this breach on May 20, 2015. The breach released the names, birthdates, email addresses and “subscriber information” of 1.1 million individuals. The class action complaint indicates Carefirst did not encrypt the stored data and was viewed as a “soft target” by hackers.

The first cause of action was based on allegations that Carefirst was negligent by failing to safely store personal information and “potentially confidential health information” of its members. The class action Plaintiffs further claimed this breach “proximately caused an unauthorized disclosure” of Plaintiffs’ information. The second cause of action was based on allegations that Plaintiffs’ relied on Carefirst’s representations concerning its privacy and security before they purchased health insurance. The third cause of action alleged Carefirst was unjustly enriched when it did not pay for the security and protection promised to the Plaintiffs. Finally, the Plaintiffs alleged Carefirst’s conduct constitutes a violation of the Maryland Personal Information Protection Act.

On September 24, 2015, Carefirst filed its motion to dismiss the class action complaint, asserting Plaintiffs’ action is defective because “Plaintiffs have not alleged that they suffered an injury cognizable under Article III of the Constitution.” That is, Carefirst claims the Plaintiffs lacked standing to bring the action because the Plaintiffs’ data was not alleged to be misused in any manner.  In its supporting brief, Carefirst points out the difficulty class action plaintiffs are having surviving motions to dismiss:

Data theft is an unfortunate and increasingly common occurrence in contemporary life, victimizing literally millions of Americans. Fortunately, data loss does not always produce actual harm. Just as companies are learning how to harden their defenses against cyber theft, our Nation’s courts are learning to sort out the claims of truly injured victims from those who launch class actions without having suffered any real harm. This action falls into the latter category.

On November 5, 2015, the Plaintiffs filed their opposition to Carefirst’s motion to dismiss. The Plaintiffs wasted no time addressing what appeared to be the current trend of plaintiffs having difficulties showing damage from a data breach. The opening paragraphs take aim at Carefirst’s argument as follows:

Defendants, in their Motion, assert that data theft is a “common occurrence” as if that somehow excuses them from culpability for failing to take the reasonable, necessary steps to protect the plethora of sensitive, highly confidential personal and medical information in their possession and the harms that their insureds suffer as a result of that failure. Brief at 1.1 Defendants cannot get off so easily. In fact, the commonness of such breaches actually makes each subsequent breach all the more egregious. Just as the landlord in a high-crime area can be held liable when he fails to install a secure lock on a tenant’s door and a criminal breaks into a tenant’s apartment and harms her as a result, see e.g. Lay v. Dworman, 732 P.2d 455 (Okla. 1987), so, too, can a health insurer, who knows of the risk of cyberattack, be liable when it fails to secure its insureds’ confidential personal information.

Of course, the current dispute in the Carefirst case is based on what is becoming a substantial body of law concerning standing for data breach cases. In just the last year, we have seen the following developments on the standing issue:

• 7th U.S. Circuit Court of Appeals: On July 20, 2015, the 7th Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. In reversing the District Court, the 7th Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the 7th Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”
• District Court for Southern District of Texas: In Peters v. St. Joseph Serv., Corp., the District Court dismissed plaintiff’s claims on a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.
• District Court for Northern District of Georgia: Home Depot filed a motion to dismiss asserting the Class Action Plaintiffs lacked standing to bring suit for its data breach.
• District Court for Minnesota: In the Target litigation, the District Court held the Financial Institutions’ action survived Target’s Motion to Dismiss.

All of these cases trace their origins back to the Supreme Court’s 2013 opinion in Clapper v. Amnesty Int’l finding that the mere increased risk of future harm does not confer Article III standing.

The briefs in the Carefirst case demonstrate that litigants are starting to directly address the difficult questions related to data breach cases as courts gain a better understanding of these cases. While plaintiffs have hit a number of hurdles in establishing damages, defendants’ argument that everyone is suffering a data breach may lose credibility with courts.

The post Let’s Get Ready to Rumble: Gloves Come Off in Data Breach Standing Case appeared first on Privacy Risk Report.

Last week, the Obama Administration announced one of the largest breaches ever of federal employees’ data. This latest breach, involving records of nearly four million current and former government workers, originated in China. There are reports that this breach may have included information from background checks and, therefore, may impact families of federal workers as well. This follows a breach in late May of IRS records where criminals accessed information related to at least 100,000 taxpayers. While the American taxpayers may be on the hook rather than insurers, these breaches provide insight on how the targets for cyber criminals may be shifting from financial information, such as credit card data, to personal/health information. There is also information indicating medical devices in hospitals pose a significant risk.

Medical Records/Personnel Data

The recent breaches in the federal government contribute to a growing trend of hackers targeting data beyond credit card information. Experts believe the shift away from credit card information may be due to the black market becoming oversaturated with credit card information from breaches at big retailers. Hackers seem to be using smaller, more surgical attacks. At present, estimates indicate that medical information may be worth 10 times more than credit card information.

Medical Devices

A recent Report indicates that medical devices used in hospitals and clinics may present the weakest point in healthcare’s defense systems. Commentators point out that these newest targets may not be limited to only medical information, but may include diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines) and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines).

The Report provides details on the following three “real-world targeted hospital attacks:”

• Hospital Lab Blood Gas Analyzer Attack: Blood gas analyzers are devices used during surgery. The Report found attackers “were moving laterally through the networks due to three malware-infected blood gas analyzers that had ‘enabled backdoors into the hospital networks’” and were able to obtain unencrypted data and send that data to sources in Europe.
• Hospital Radiology: In the second example, the Report discusses an intrusion through equipment in a hospital’s radiology department. The source of the intrusion was a nurse’s workstation which had been used on the internet.
• X-ray Systems: The Report also found an example of malware on a hospital’s system that was installed through a backdoor on the hospital’s x-ray equipment.

Based on these scenarios, commentators caution that hackers could do more damage than merely stealing valuable medical data. For example, vulnerable medical devices could give access to drug infusion pumps which would allow drug dosage to be remotely controlled by a person that may not have the best intentions. As for the insurance industry, these scenarios show that a criminal’s access to an insured’s data may not be limited to only a computer network. Electronic devices used by an insured may provide another path to the insured’s assets.

These recent breaches in the federal government, while perhaps having no immediate impact on insurers, show the early stages of how the threat against insureds has evolved past large-scale credit card data theft. Large-scale credit card theft from big box stores such as Home Depot or Target may become less frequent. As seen with the breach on Sony pictures in December 2014, insurers and insureds have to consider a number of potentially valuable assets while considering insurance coverage for data storage risks. Further, the insurance industry may need to consider the impact of smaller attacks rather than only bracing for the “big one.” Consequently, these breaches at the federal government just made assessing the risk more difficult for the insurance industry.

The post Insurance Implications of Recent Federal Government Data Breaches appeared first on Privacy Risk Report.

We have previously reported on other states, including California and New Jersey, strengthening their data breach notification laws. Illinois Attorney General, Lisa Madigan, is now proposing similar steps be taken in Illinois. In support of her attempt to modify the 2005 law, Madigan stated: “In light of last year’s massive data breaches, it is clearer than ever that much more must be done to protect sensitive data while ensuring that people know when their information has been compromised….”

In particular, the Attorney General is proposing the following modifications to Illinois’ Personal Information Protection Act (PIPA):

• Expanding the definition of “personal information” to include medical information, biometric data, geolocation information, certain consumer marketing data, contact information when combined with other identifying information;
• Requirements that businesses take reasonable steps to protect personal information coverage under PIPA; and
• Requirement that the Attorney General’s office be notified of any breach involving information of Illinois residents.

Of course, while these heightened standards may be good for Illinois residents, anyone holding personal information of Illinois residents will be responsible for meeting the current and, at some point, the proposed requirements. The expanded definition of “personal information” will increase the number of entities subject to the current version of PIPA.Therefore, the best strategy is to continue to review your breach response plan to confirm it reflects the current laws.

Additionally, these proposals in Illinois and other states will have a direct impact on insurance coverage for data breaches. First, these proposals require insureds to inform not only their insurance carrier of a breach, but also the Attorney General’s office in addition to those individuals involved in the breach. Second, the risk to insureds increases as the scope of data breach notification laws widens. Therefore, we can expect the need for cyber insurance to continue to increase as more states strengthen their laws.

The post Modification of Data Breach Laws Directly Impacts Insurers and Insureds appeared first on Privacy Risk Report.

In a case of first impression within the Fifth Circuit, a district court has dismissed a putative class action complaint brought after a data breach against one of the larger health organizations operating in California and Texas. In Peters v. St. Joseph Services Corp., the District Court for the Southern District of Texas dismissed plaintiff’s claims upon a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.

Plaintiff Beverly Peters alleged that hackers had accessed and stolen her information after breaching St. Joseph Health Systems’ data network. Peters alleged that someone had attempted – albeit unsuccessfully – to make purchases on her Discover card and had attempted to access her Amazon account using a family member’s name. Peters claimed these incidents as evidence that she was at an increased risk of imminent harm stemming from the breach. In dismissing the complaint for lack of standing, the court joined the Third Circuit, as well as district courts in Ohio, New Jersey, and the District of Columbia, in finding that Peters’ allegations of an increased risk of future identify theft and fraud were insufficient to survive a motion to dismiss. “’Unless and until these conjectures become true’…Peters’ alleged future injuries are speculative – even hypothetical – but certainly not imminent.” The decision relied upon the Supreme Court’s 2013 opinion in Clapper v. Amnesty International in finding that the mere increased risk of future harm does not confer Article III standing. In doing so, the Southern District of Texas argued that the Clapper decision had “arguably resolved the circuit split” as to whether allegations of risk of future harm were sufficient to confer standing in data breach cases.

Despite the court’s opinion that Clapper has resolved the circuit split over standing in data breach lawsuits, there remains significant division among circuit courts (and even, post-Clapper, among district courts within the same circuit) as to whether an alleged increased risk of future harm stemming from a data breach constitutes imminent injury under Article III. While the Seventh and Ninth Circuits held that such allegations were sufficient to confer standing, both decisions were issued prior to Clapper and district courts within those circuits have decided the issue both ways since the Supreme Court’s opinion. What does appear clear is that plaintiffs in data breach cases face a significant hurdle in a motion to dismiss for lack of standing in the wake of Clapper, and that absent allegations of actual harm already suffered (rather than an increased risk of harm), defendants stand a good chance of dismissing class actions at an early stage.

The post Another Court Dismisses Data Breach Class Action on 12(b)(1) Standing Grounds appeared first on Privacy Risk Report.

Apple unveiled its first “smartwatch” on September 9, 2014 and it will be available to the public in early 2015. It is widely reported that, in order for the Apple Watch to be a success, Apple will need to partner with health insurance carriers to use the device to monitor and collect private health data. Fitness tracking devices are already being used to gauge health insurance premiums. For example, British Petroleum has used a fitness bracelet to track the health data of its employees and their spouses in order to lower its health insurance premiums.

Whether people will use health monitoring devices such as the Apple Watch to the extent they have used iTunes or other apps remains to be seen. Beyond the ethical questions, there are a number of questions of whether this data has value and will be targeted by hackers. One thing is certain, the risks for a data breach increases with each new method for data collection and storage.

The post Apple Watch Poses a Number of New Privacy Risks appeared first on Privacy Risk Report.

Patients of Community Health Systems filed a Complaint initiating a class action in the Northern District of Alabama against the hospital system on August 20, 2014. The class action arises out of the breach of an estimated 4.5 million patients’ protected data. Plaintiffs allege claims typical to those in other data breach cases, including breach of contract, negligence, and unjust enrichment. However, Plaintiffs additionally assert claims for willful and negligent violations of the Fair Credit Reporting Act, alleging that Community Health Systems is a consumer reporting agency covered by the FCRA. Courts have yet to address the viability of claims against healthcare institutions under the FCRA, as only a handful of data breach complaints have actually stated claims for damages under the Act.

If the Court allows Plaintiffs’ claims under the FCRA to stand in this action, healthcare providers will face significantly greater statutory damages in the event of a data breach.

The post Class Action Alleges Breach of Data for 4.5 Million Patients appeared first on Privacy Risk Report.

In finding plaintiffs lacked standing to bring an action for a data breach, the U.S. District Court for the District of Columbia held the “increased likelihood” of personal information being used was insufficient to establish a viable cause of action. In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 2014 U.S. Dist. LEXIS 64125 (D.D.C. May 9, 2014), the plaintiffs’ medical information was stolen from a car owned by an employee of the Science Applications International Corporation, a company that handles data for the U.S. Government.

The SAIC Court held the majority of the plaintiffs lacked standing because they could not show they had suffered any injuries. The fact that the plaintiffs may be more likely to be subjected to identity theft or that the plaintiffs may need to incur costs related to monitoring their credit did not establish that the plaintiffs had suffered a compensable injury.

The SAIC Court also found the minority of plaintiffs that could show they suffered some form of an injury from identity theft could not establish such injuries were directly caused by the theft of the tapes. Here, the SAIC Court held that even if the plaintiffs suffered injury, the alleged injury was caused by the theft of financial information and the plaintiffs alleged only that thief obtained unrelated medical data from the car.

The SAIC Court noted there was evidence submitted that approximately 3.3% of the population will experience some form of identity theft. Therefore, it was not unexpected to see some of the plaintiffs had suffered identity theft. The plaintiffs were not able to show this identity theft was caused by their medical information being stolen from the car.

Consequently, at a bare minimum, to establish standing in a data breach case, a party must demonstrate actual injury that was directly caused by the data breach.

The post District Court Analyzes Requirements to Establish Standing For Data Breach Cases appeared first on Privacy Risk Report.