“Full Employment for CISOs in New York”: New York Proposes the Nation’s First Cybersecurity Regulation

If you’re a CISO living in New York, get ready for the phone calls!!! On September 13, 2016, Governor Andrew M. Cuomo proposed the nation’s first cybersecurity regulation. Starting on September 28, 2016, there is a limited 45-day window of opportunity for financial institutions and interested parties to submit public comments before the regulations become final.

Here are the top ten reasons why CISOs in New York will be busier than ever if the regulations are finalized:

10. If you are a financial institution regulated by the New York Department of Financial Services (“NYDFS”), you are REQUIRED to comply with these new cybersecurity regulations. It is not a “reasonable efforts” or “best practices” standard; it is mandatory. This includes banks, insurance companies, mortgage companies, lenders, and money services companies.

9. Regulated financial institutions must designate a qualified individual to serve as Chief Information Security Officer (“CISO”). The CISO must report directly to the Board at least two times a year (a) identifying cyber risks; (b) assessing confidentiality, integrity and availability of information systems; (c) evaluating the effectiveness of the cybersecurity program; and (d) proposing steps to remediate any cybersecurity inadequacies.

8. Regulated financial institutions must develop written policies and procedures for third-party vendors with access to nonpublic information, very broadly defined under Section 500.01(g).

7. Regulated financial institutions must establish a cybersecurity program and adopt a written cybersecurity policy which includes procedures for protecting: (a) information security; (b) data governance and classification; (c) access controls and identity management; (d) disaster recovery; (e) network security; (f) application development; (g) customer data privacy; (h) vendor management; (i) risk assessments; and (j) incident responses.

6. CISOs are required to conduct due diligence on third parties to evaluate whether they have adequate cybersecurity practices. CISOs are also required to perform periodic assessments, at least annually, of third parties.

5. Regulated financial institutions must implement multi-factor authentication for individuals who have access to internal systems or to support functions.

4. Annual penetration testing and vulnerability assessments must be included in the financial institution’s cybersecurity program.

3. Encryption is required for all nonpublic information held or transmitted by the financial institution. For data in transit, there is one year to implement the encryption safeguards. For data at rest, there is a five-year window to implement the encryption safeguards.

2. Regulated financial institutions must establish a written incident response plan which effectively responds to a cybersecurity event. Section 500.16 of the proposed regulations provides seven areas that must be included in the incident response plan, including remediation of any identified weaknesses.

1. Finally, under Section 500.17, regulated financial institutions are required to notify the superintendent of any Cybersecurity Event that has a “reasonable likelihood of materially affecting the normal operation” or “that affects Nonpublic Information.” The notification must be made within 72 hours “after becoming aware” of such a Cybersecurity Event. Additionally, the regulated financial institutions must annually submit a written statement by January 15th certifying that the institution is in compliance with the Cybersecurity regulations.

There are limited exemptions to many of these requirements, such as having fewer than 1000 customers and less than $5 million in gross annual revenues, but given these regulations are directed at NYDFS regulated entities, it is unlikely that many financial institutions will fall within these exemptions.

For more information regarding the NYDFS proposed cybersecurity regulations or for assistance with preparing public comments or developing cybersecurity policies and procedures, please contact Ryan P. Blaney or a member of Cozen O’Connor’s multidisciplinary Privacy, Data & Cybersecurity group.

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused harm to consumers sufficient to satisfy the requirements of Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see if there are any additional or conflicting data security standards mandated by both agencies. Any companies handling PHI should, therefore, continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but the FTC as well.

Data Breach Plaintiffs Continue to Face Article III Standing Challenges

Standing remains a high hurdle for individuals whose personal information is compromised as a result of a data breach but who cannot establish that the stolen information was actually used improperly. Class action claims against CareFirst Blue Cross Blue Shield related to a 2014 breach were dismissed by D.C. District Court Judge Christopher R. Cooper last week after finding that they failed to meet Article III’s standing requirement. This ruling comes two months after a similar ruling by a Maryland district court judge in class action claims related to the same CareFirst breach.

Judge Cooper’s decision does underscore the need to show harmful misuse of data to establish standing, but his opinion also raises the possibility that the type of information stolen may be important to determining the plausibility of alleged harm.

In the CareFirst breach, customers’ names, birthdates, email addresses, and subscriber numbers were compromised, but no social security numbers or credit card information. In his rejection of plaintiffs’ claims of injury, Judge Cooper specifically referenced the type of information that had been stolen in several instances. It is fair to ask: had either the social security numbers or credit card information of this plaintiff group been implicated, might the judge have seen a more plausible imminent harm?

Broadly speaking, Article III standing requires a plaintiff to show injury-in-fact, causation and redressability, and the alleged injury must be particularized, concrete or imminent. In the context of a class action, each named plaintiff must establish that he or she was personally injured.

The CareFirst plaintiffs’ class action complaint alleged various violations of state laws and breach of legal duties associated with protecting personal information. The claimed injuries included, inter alia, (1) an increased risk of identity theft; (2) identity theft in the form of a tax fraud; (3) economic harm through having to purchase credit-monitoring services; (4) economic harm through overpayment for insurance coverage; and (5) loss of intrinsic value of their personal information.

The district court found each claim without merit. Plaintiffs could not show how a hacker could steal their identities without their social security numbers or credit card numbers; could not claim the purchase of credit card monitoring services as an injury since that constitutes a “self-inflicted” harm; could not substantiate their claim that some portion of their insurance premiums are now allocated to paying for security measures; and could not show their personal information had been “devalued.”

With respect to the tax fraud claim, two named plaintiffs alleged that they suffered injury-in-fact because they had not yet received an expected tax refund. The court, however, found that the plaintiffs failed to show that their alleged injury was “fairly traceable” to the breach or how such tax refund fraud could have been carried out without their social security numbers and credit card information.

OCR Announces New HIPAA Guidance on Ransomware

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

Cyber Attacks Reach Subrogation

It was just a matter of time. As cyber-attacks rose and the data security breaches became increasingly devastating to businesses and individuals, cyber breach insurance became more prevalent. And where insurance appears, subrogation recovery follows.

We have not seen an overwhelming number of cyber claims or lawsuits filed – yet. One of the main lawsuits filed involves a claim for $154,711.34, brought by Travelers Insurance as the insurer of Alpine Bank. Alpine Bank incurred over $150,000 in costs associated with notifying its customers of a security breach that occurred while Ignition Studio, Inc. was under contract to design and service the bank’s security system. Travelers alleges that Ignition failed to perform basic updates to the security system or place basic anti-malware software on the bank system server. Following the security breach, Travelers paid Alpine Bank under its insurance policy.

Alpine Bank got off relatively easy, as did the defendant security provider that settled out on this claim well before this ever got to trial. Cyberattacks are becoming increasingly costly, with an estimated 300 million records leaked and over $1 billion stolen in 2015. Not surprisingly, this loss totaling less than $155,000 settled before really being litigated. The docket shows that the complaint was filed on January 21, 2015 and a motion to dismiss for failure to state a claim was denied as moot likely because the matter was settled for an undisclosed amount in April 2015. As a result, we unfortunately do not have much judicial reasoning to look to for future cases.

However, many of the same lessons found in a run-of-the-mill subrogation case for negligent service or a faulty product will apply in cyber cases. To secure recovery, an insurer will still need a defendant that has liability insurance to cover negligent cyber security service/software or has sufficient assets to pay for the damages arising out of the cyberattack. The insurer will also have to demonstrate that the cyber security company failed to follow the basic standard of care for the industry (which is continuously evolving) or otherwise breached the security contract.

Additionally, the insured has to be fault-free in some jurisdictions, or at least less than 51% responsible for the harm in others. This means that an insured company that provides no training to its employees about the danger of opening spam or downloading malware may destroy its insurer’s subrogation case before the case even starts.

Had Travelers’ case been larger, the outcome may have been very different. On one end Travelers may have had to deal with a defense of an insured never telling bank employees not to open strange emails. Alternatively, Travelers may have secured a verdict for its damages, but faced the possibility that it would not collect because there was no insurance and the security company became bankrupt by the claim. We do not know for sure how this case would have turned out if there had been more at stake. But we do know with absolute certainty that more cases are coming.

Lastly, we would be remiss if we did not mention that the expected rise in cyber related losses will be influenced by the Internet of Things. Currently there are 8 billion devices connected to the Internet. By 2020, that number will rise to over 20 billion and continue to grow exponentially. As more devices, computers, cars, homes, businesses, etc. become more interconnected, the potential for cyber related claims (and corresponding negligence lawsuits) will increase for a party’s failure to act reasonably to protect against a breach. Further, as the Internet of Things grows, we will owe a greater duty to our “network neighbors” to act reasonably to protect the network so others on the network don’t get hacked.

Courts: We Hear No Suit Based on Cyber Crime Before its Time

Two recent decisions out of the U.S. District Court for the District of Maryland illustrate the difficulty that cyber breach victims can have in establishing standing to sue. In both cases, the court dismissed the cyber breach suits for lack of standing because the plaintiffs had not yet sustained actual damages. The decisions reflect that whether a cyber breach victim has suffered cognizable damages is extremely fact intensive. Notably, the cases were dismissed or remanded for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), which can be raised at any point and is never waived.

Chambliss v. CareFirst, Inc., 1:15-cv-02288, involved a well-publicized data breach at CareFirst, a health insurance provider. Data breaches of confidential personal information of CareFirst’s subscribers occurred in 2014 and 2015. The personal information included the names, birthdays, e-mail addresses, and subscriber identification numbers of 1.1 million people. Plaintiffs sought to bring a putative class action alleging that CareFirst should have known earlier that the breaches could occur, as the stolen information was “highly coveted by and a frequent target of hackers.”

Plaintiffs further claimed that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst’s failure to secure the personal information, plaintiffs claimed that they “have lost or are subject to losing money and property.” However, as the Court noted, the plaintiffs did not allege that they had yet suffered any actual injury, and thus there was not yet a ripe controversy under Article III of the Constitution.

The facts in Khan v. Children’s National Health System, 8:15-cv-02125, were substantially similar. Mr. Khan filed a putative class action against Children’s National Health System, asserting that hackers had obtained access to certain employee e-mail accounts that contained subscriber personal data.

Judge Chuang considered the increased risk of identity theft to be the plaintiff’s most promising argument for an injury that could support Article III standing. Judge Chuang noted that district courts and even circuit courts have differed on whether an increased risk of identity theft is a cognizable injury that can support standing. However, he noted that rather than applying a different legal standard, the difference in the courts’ treatment of these cases is largely determined by their unique facts.

Both courts noted that the plaintiffs had not alleged that their data had yet been misused in any way. In Chambliss, the court also observed that the breach compromised names, birth dates, email addresses and subscriber identification numbers, not social security numbers, credit card information or any other similarly sensitive data that could heighten the risk of harm. (The Court may have been overly optimistic about whether names, birth dates and subscriber identification numbers can be used in a nefarious way.)

Both judges also rejected the claim that the plaintiffs had suffered harm in the way of mitigation costs, such as expenses incurred from obtaining credit monitoring services. The Chambliss Court reasoned that a plaintiff cannot manufacture standing by inflicting harm on himself, and the Khan Court stated that incurring costs as a reaction to a mere risk of harm does not establish a standing if the harm to be avoided is not itself “certainly pending.” Both judges also disregarded claims for decreased value of personal information, especially since plaintiffs had not yet alleged that they attempted to sell their personal information and/or that they were forced to accept a decreased price for that information.

The Maryland District Court in these two cases joined other courts across the nation in holding that there is no standing to sue, and thus no subject matter jurisdiction, until there has been actual misuse of data. In layman’s terms, the message to those affected by cyber breaches is, “Come back when you have a real problem.”

The judges in Chambliss and Khan probably got this right. Still, it seems like only a matter of time before the hackers in those cases misuse the stolen data and, unwittingly, confer standing on their victims.

Chinese Leftovers: P.F. Chang’s Not Entitled to $2 Million in Breach Costs

In what is thought to be the first published decision in a cyber insurance coverage case, popular Chinese restaurant chain, P.F. Chang’s, was denied coverage for certain costs incurred as a result of a 2014 data breach. Unfortunate as it may be for P.F. Chang’s, this court ruling offers a valuable object lesson for others with respect to cyber policies. Namely, be aware of the full extent of potential cyber liabilities and know what your policy covers.

P.F. Chang’s initial breach occurred in June 2014, when hackers stole approximately 60,000 credit card numbers from 33 different P.F. Chang’s locations. When the breach was discovered, the restaurant chain already had a cyber policy in place. It maintained a $5 million “CyberSecurity by Chubb” policy through Federal Insurance Company.

Ultimately, Federal evaluated the cyber coverage and paid nearly $1.7 million of P.F. Chang’s claim for forensic investigation and litigation costs. However, that wasn’t the full extent of P.F. Chang’s liability. MasterCard charged P.F. Chang’s credit card service company (Bank of America Merchant Services) almost $2 million in fees and assessments, pursuant to the services agreement between the restaurant and Bank of America.

When P.F. Chang’s received notices of these charges, it promptly paid Bank of America to maintain the parties’ relationship and to maintain banking service without disruption. P.F. Chang’s then made an insurance claim for those fees and assessments with Federal. Federal analyzed the claim and determined that the policy did not cover those costs; accordingly, it denied coverage, prompting P.F. Chang’s to file suit.

The U.S. District Court for the District of Arizona granted summary judgment to Federal. The court found that, while the fees and assessments may fall within the scope of the insuring agreement, the “contractual liability” exclusion barred coverage. In the alternative, P.F. Chang’s argued that the “reasonable expectations” doctrine should apply – i.e., even if not expressly covered under the policy, it “possessed the expectation that coverage existed under the Policy for the assessments.” Under the reasonable expectations doctrine, a contract term may not be enforced if one party has reason to believe that the other would not have consented to the contract’s terms had it known the term was present. Where appropriate, it provides some leeway to the general rule that contract terms trump all.

The court found that the doctrine would only apply in this case if two conditions were met: (1) the insured’s expectation as to coverage was reasonable and (2) the insurer had reason to believe that its insured would not have agreed to the policy terms if it had known of the now-challenged provision. Emphasizing that both parties (P.F. Chang’s and Federal) were experienced corporate actors, the court found no evidence that the restaurant chain believed it would be covered for such assessments following a breach and that P.F. Chang’s merely attempted “to cobble together such an expectation after the fact, when in reality no expectation existed at the time it purchased the Policy.” The court concluded, “[P.F.] Chang’s and Federal are both sophisticated parties well-versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended.”

Essentially, P.F. Chang’s got into trouble for knowing too much and too little. It was arguably ahead of the curve in its acknowledgement of risk and the need for cyber coverage. At the same time, it was not fully cognizant of the potential range of resultant breach costs nor the actual extent of its cyber policy. The takeaway here is obvious: a cyber policy is not designed to be a one-size-fits-all remedy for every possible cost associated with a data breach. Historically, insurance policies were not designed to cover an insured’s contractual liabilities and, absent a specific policy provision or endorsement to the contrary, there is no reason to assume that a cyber policy is any different. Companies – especially those that process credit cards and are contractually bound to pay fees and assessments – should review their policies before a breach to understand what is covered and, maybe more importantly, what is not covered.

Delaware Court Allows Some Claims To Proceed In Data Breach Subrogation Action

Earlier this month, a Delaware state court dismissed multiple implied-warranty claims in a subrogation lawsuit against cybersecurity company Trustwave Corp., but allowed discovery to proceed on certain claims.

The suit involved a data breach at Euronet Worldwide Inc., a credit card processor. Trustwave had contracted with Euronet to provide vulnerability scans, compliance assessments, network-penetration attempts and compliance with the Payment Card Industry Data Security Standard requirements to Euronet. In December 2011, Euronet discovered that a software vendor had failed to turn on certain necessary encryption, leaving stored credit card data unencrypted, which, coupled with a malware intrusion into Euronet’s network, resulted in a breach of approximately two million credit card numbers.

Following the breach, Euronet paid out approximately $6 million in damages. Euronet was insured by National Union Fire Insurance Co. of Pittsburgh, Pennsylvania. National Union paid Euronet under the policy, and subsequently filed a subrogation action against Trustwave in October 2014, alleging the breach was the result of Trustwave’s faulty security services. Trustwave moved to dismiss the claims or to require National Union to amend its complaint. National Union filed an amended complaint in July 2015, and Trustwave again moved to dismiss.

In May 2016, Judge Mary M. Johnston of the Delaware Superior Court granted Trustwave’s motion to dismiss National Union’s “implied warranty of accuracy” claims, holding there was no legal basis for those claims. Judge Johnston found that even if there were a legal basis, the service contracts at issue between Trustwave and Euronet contained valid disclaimers, vitiating all implied warranty claims, which she dismissed with prejudice.

Judge Johnston granted Trustwave’s motion to dismiss several other claims, but without prejudice. The judge found that there was insufficient evidence at this stage to support twelve claims against Trustwave’s affiliate, Trustwave Holdings Inc., for its role in the breach. Instead of dismissing the claims outright, Judge Johnston granted discovery to determine “which Trustwave entity performed what task.”

The judge also granted discovery to clear up a discrepancy with the forum selection clauses contained in the contracts at issue. In 2006, the contract between Euronet and Trustwave identified Delaware in its forum selection clause. In 2011, the contract identified the courts of England and Wales. Since it is unclear exactly when the data breach occurred—National Union contends it was “sometime before December 2011”—the court held it was unclear which forum selection clause was triggered.

The case is National Union Fire Insurance Co. of Pittsburgh, Pa. v. Trustwave Ltd. et al., case number N14C-10-160, in the Superior Court of the State of Delaware.

Recent SCOTUS Decision on Standing Will Significantly Impact Data Breach Cases

Whether a plaintiff has standing to sue is a wellspring of dispute in the context of data breach cases, and in Spokeo, Inc. v. Robins, the U.S. Supreme Court recently made clear that the battle must be fought on two fronts. Whether suing individually or on behalf of a class, a plaintiff must allege an “injury-in-fact” — i.e., both a “concrete” and “particularized” injury — to have standing to bring a case before the courts. (Additionally, plaintiffs must show that the injury is “fairly traceable to the challenged conduct of the defendant” and “likely to be redressed by a favorable judicial decision”). In data breach cases, whether an injury is sufficiently concrete to support standing often is a point of contention.

In Spokeo, the Supreme Court made clear that the “concrete” injury requirement is not to be swept under the rug, bouncing a Fair Credit Reporting Act (“FCRA”) case back to the Ninth Circuit to determine whether the plaintiff’s allegations on that point were sufficient to keep him in court. The plaintiff sued Spokeo, which operates a “people search engine” that allows employers and other interested parties to gather information about a person, after the company allegedly performed a search on him which returned inaccurate results. The case was filed as a class action in federal court in California.

The trial court dismissed the complaint for lack of standing, but the Ninth Circuit reversed, finding that the plaintiff had sufficiently alleged a particularized injury by stating that “Spokeo violated his statutory rights, not just the statutory rights of other people” and that “Robins’s personal interests in the handling of his credit information are individualized rather than collective.” Spokeo appealed, arguing that the Ninth Circuit only analyzed half of the injury-in-fact issue, ignoring the equally important requirement that the plaintiff allege a “concrete” injury.

The Supreme Court agreed, vacated the Ninth Circuit’s decision, and remanded with instructions that the court “consider both aspects of the injury-in-fact requirement” (emphasis in original). The Supreme Court was careful to note, however, that an injury can be “concrete” without being “tangible” and that a “risk of real harm” could suffice under appropriate circumstances. On the other hand, the Court emphasized that a “mere procedural violation” will not get the job done.

The Spokeo decision is particularly significant in the context of data breach cases, where actual harm from the breach might not have materialized for any given plaintiff when a complaint is filed. Though the Supreme Court was careful to cabin its opinion, noting that it took no position on whether the Ninth Circuit was correct in determining that the “particularity” requirement was satisfied, its analysis will no doubt play a significant role in data breach litigation moving forward.

Posted in Data Breach, Litigation, Privacy

When “Shhh” turns to “Oh $%*#!” – No Pseudonyms for Ashley Madison Plaintiffs

Nothing good has come from the Ashley Madison hacking incident, except hopefully some well-deserved apologies to loved ones. Now the E.D. Mo. Court hearing the In Re Ashley Madison Customer Security Breach Litigation, MDL No. 2669, has shaken its finger at the forty-two named plaintiffs who moved the Court for permission to use pseudonyms rather than their actual names in the lawsuit. See April 6, 2016 Order.

The primary basis for the forty-two named plaintiffs’ plea to the Court to use pseudonyms was “‘to reduce the risk of potentially catastrophic personal and professional consequences that could befall them and their families’ should the named plaintiffs be publicly identified as someone whose sensitive personal information, i.e., names, email addresses, credit card information, and sexual preferences and habits, was contained in Avid’s ‘cheating website’ database.” While it is true that significant hardship has fallen on many whose personal information was outed, and with all due respect to the tragedies that have resulted, this isn’t about credit card information. Those cards can obviously be canceled and reissued. It’s about reputational effect. No one forced these individuals to serve as named plaintiffs. And they can choose not to do so, as the Court aptly points out.

From a legal perspective, the Court’s ruling is sensible on a number of levels. For one, masking the names is largely irrelevant, since the leak of information itself has made access to the entire list of users, who presumably are also the lion’s share of class members – whether named or not – possible through a few keystrokes and mouse clicks. Moreover, the Court noted that a totality-of-the-circumstances balancing test must be applied to decide whether a litigant has the right to sue under a pseudonym, in light of the favored presumption of openness in judicial proceedings. Critical factors that the Court considered include that: 1) the Ashley Madison plaintiffs’ privacy interests don’t rise to the level of precedent cases in which plaintiffs have been permitted to file a suit using pseudonyms; 2) putative class members should have the ability to evaluate the adequacy of representation by named plaintiffs; 3) named plaintiffs generally receive an incentive award for being named plaintiffs when damages are calculated (if any); and 4) any one of the forty-two named plaintiffs who does not want to proceed under his true name may dismiss the complaint and still stand the potential for recovery as a putative, unnamed class member.

Wisely, the Court recognized the prematurity in the argument that if a class rep chooses to dismiss his case, such action may result in sub-classes if there are no other individuals willing to disclose their name(s). That is something for the Court to address if and when it occurs. I personally don’t think it matters.

From my perspective, practically speaking, if you voluntarily make a bed, you sleep in it. Yes, pun intended. If an Ashley Madison user is still trying to conceal their attendance at the virtual amusement park of infidelity, that’s a personal issue. And if it affects professional reputation, well it was a choice in the first instance. Try having some humility and remorse for mistakes made. There are no “get out of jail free” cards in the real world, nor should there be.

The bottom line to me is that this is just a continuation of the same “I want to have my cake and eat it too” mentality that Ashley Madison users have had for years in their personal lives. The Court has reinforced the fact that absent class members’ ability to demonstrate the adequacy of class representatives, along with a public interest in disclosure and the lack of harm rising to the level of a need for pseudonyms on a pleading, shouldn’t allow these plaintiffs to lick the frosting from the cake batter while their dessert is baking. At bottom, deal with the consequences of what you chose to do, folks.

Posted in Data Breach, Data Security, Litigation, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.