Technical FACTA Violation Insufficient to Confer Standing

A federal court in Texas cut short a putative class action alleging violation of the truncation requirement under the Fair and Accurate Credit Transactions Act (FACTA), sending a clear message to plaintiffs that minor inconvenience flowing from a procedural violation of FACTA does not establish standing. This decision comes as more good news to the defense bar, as it joins a growing list of cases extending the U.S. Supreme Court’s watershed Spokeo decision to cases brought under FACTA.

The plaintiff sued Houston-based restaurant company Luby’s, Inc. after twice purchasing meals using his debit card and receiving computer-generated receipts displaying more than the last five digits of his card number. FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction.” 15 U.S.C. § 1681c(g)(1). Thus, the plaintiff alleged a clear violation of the statute.

But that isn’t enough, the court held, granting the defendant’s motion to dismiss for lack of subject matter jurisdiction and rejecting the plaintiff’s argument that simply alleging a statutory violation is sufficient to confer standing. “The Fifth Circuit has not had the occasion to consider the question of standing in a case involving a FACTA violation,” the court noted. “The U.S. Supreme Court’s holding in Spokeo, Inc. v. Robins, however, is instructive and does not support the plaintiff’s position,” reasoned U.S. District Judge Kenneth M. Hoyt.

Under Spokeo, a plaintiff must show an actual injury flowing from the statutory violation in question. That injury must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” As a consequence of receiving the offending receipts from Luby’s, the plaintiff alleged that he had to check his bank statements and credit report to ensure that he was not the victim of identity theft. Further, he argued that the defendant’s statutory violation “wrongfully placed a burden on [him] to make sure the receipts were either destroyed or secured.”

The court made short work of these allegations, holding that such inconveniences do not rise to the level of actual injury. Further, because it was undisputed that the plaintiff discovered the violation immediately and the receipts remained in his possession, there was no impending risk of harm. So the court sent the plaintiff packing pursuant to Fed. R. Civ. P. 12(b)(1) — and gave the defense bar an additional arrow in their 12(b)(1) quiver.

Tagged with: , , , , ,
Posted in Litigation, Privacy

Updated SEC Guidance Highlights Importance of Solid Cybersecurity Policies and Procedures

The Securities and Exchange Commission (“SEC” or “Commission”) has given public companies a heads up on where the Commission is setting its sights in the ever-developing world of cybersecurity. Here’s what you need to know, and what you need to do, to stay on the right side of the SEC.

Public companies have experienced some significant and high-profile data breaches since the SEC issued its previous cybersecurity guidance in 2011. In light of the issues we have seen in recent years, the SEC released a new interpretive guidance (available here), updating the 2011 document and emphasizing the importance and complexity of companies’ reporting obligations as they relate to cybersecurity.

Two topics included in the new guidance did not appear in the prior version, and therefore should be particularly heeded: (1) the need for public companies to have strong cybersecurity policies and procedures in place; and (2) how prohibitions on insider trading apply in the cybersecurity arena. The new guidance also drives home the SEC’s continuing commitment to monitoring cybersecurity-related disclosures.

The guidance makes clear that a head-in-the-sand approach to cybersecurity issues is not an option. Effective, proactive disclosure protocols and procedures are essential elements of appropriately handling cybersecurity threats (potential or actualized), the guidance notes, and “the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks that the company has faced or is likely to face.”

The SEC also reminds public companies that cybersecurity policies and procedures must address insider trading, because information about a cybersecurity incident can easily fall under the “nonpublic material information” umbrella. When in possession of such information, directors, officers, and other corporate insiders must not trade company securities.

While the guidance contains many details that public companies should study carefully, the overarching lesson is that the SEC is taking cybersecurity very seriously and seems to be taking the position that the best defense is a good offense. Cozen O’Connor’s cybersecurity team stands ready to help companies develop and implement effective policies and procedures to minimize risk and maximize compliance with SEC rules and regulations as they relate to cybersecurity.

Tagged with: , , , , , ,
Posted in Data Security, Privacy, Regulations

EU’s New Privacy Law—What You Need to Know

The European Union (EU) Parliament’s new data privacy law, known as the General Data Protection Regulation (GDPR), is set to become enforceable in all EU member states on May 25, 2018, just six months from now. The GDPR replaces the former Data Protection Directive.

Among other things, the GDPR provides new clarity about the applicability of its regulations to U.S. companies without data processing establishments in the EU. Under the old Directive, it was ambiguous as to whether U.S. companies without a physical presence in Europe were subject to its requirements. That ambiguity has been removed. The new Regulation states that, regardless of the location of a data processing establishment, the GDPR applies to all companies processing personal data of EU residents.

This expansion of jurisdiction is arguably the biggest change to the EU privacy laws. And it is of utmost importance for U.S. companies conducting business in the EU to understand and comply with the GDPR because violations come with heavy penalties.

Here are some of the GDPR’s key provisions:

  • Penalties – penalties can be as high as 4 percent of annual global turnover or €20 Million, whichever is greater.
  • Consent – requests for consent must be simple and easy-to-read, and include the purpose for data processing.
  • Withdraw – withdrawing consent must be as easy as providing consent.
  • Breach notification – notification must be made within 72 hours of first awareness of an incident in all EU member states where the breach is likely to “result in a risk for the rights and freedoms of individuals.”
  • Rights to access – rights are expanded as data subjects can request confirmation as to whether his/her personal data is processed, where and for what purpose. When requested, an electronic copy of the personal data shall be provided to the data subject, free of charge.
  • Right to be forgotten – the right to be forgotten allows the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
  • Data Portability – this new concept allows a data subject to request a data controller to transmit his/her data to another controller.
  • Privacy by Design – requires the inclusion of data protection from the onset of the designing of systems, rather than as an addition.
  • Data Protection Officer – controllers and processors whose core activities include regular and systematic monitoring of data subjects must appoint a data protection officer.

Again, the scope of the GDPR extends to all companies that process the personal data of any EU residents, even if your company does not have a physical presence in Europe, so keep the above concepts in mind as we head into the new year.

Tagged with: , , , , , , ,
Posted in Data Security, Privacy, Regulations, Standards

Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.
Tagged with: , , , , , , ,
Posted in Data Breach, Data Security

Financial Services Committee Rounds Out Equifax Hearings

The House Financial Services Committee this morning rounded out a full week of congressional hearings for former Equifax CEO Richard Smith. Chairman Jeb Hensarling (R-TX) reiterated his earlier calls for national standards for data security and breach notifications.

Ranking Member Maxine Waters (D-CA) blasted the “stranglehold” that credit reporting agencies have on the American consumer and touted her newly introduced bill, H.R. 3755, the Comprehensive Consumer Credit Reporting Reform Act. H.R. 3755 would shift the burden of fixing credit mistakes towards the agencies and away from consumers. It would additionally limit the use of credit reports in the employment background check process.

Ranking Member Waters questioned the relevance of Smith’s presence before the committee, arguing that since he is no longer a permanent member of Equifax he cannot adequately inform Congress of the steps the company is taking to address the breach. Smith defended the relevancy of his testimony, stating that he is still an advisor to company leadership.

With five panel hearings completed, both the House and Senate have had extensive opportunity to both criticize Equifax for its shortcomings and gather information on the breach itself. Whether Congress will use this information and come to a consensus on how to ensure consumers’ rights are protected in the future remains to be seen.


Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy

Equifax Hearings – Round Three

Richard Smith, former Chairman and CEO of Equifax, faced his third congressional hearing in two days, appearing this afternoon before the Senate Judiciary Committee’s Privacy, Technology, and the Law Subcommittee to discuss the recently revealed Equifax data breach and efforts to monitor data broker cybersecurity.

In a departure from the previous Equifax hearings, members of the committee were more reserved in their criticism of the consumer credit agency, adopting a stern but not aggressive tone on both sides of the aisle. Ranking Member Al Franken (D-MN) also broke from the pattern of previous hearings by addressing not only the consumer protection implications of the breach but national security concerns as well.

Another dissimilarity with previous Equifax hearings was the subcommittee’s decision to feature a second panel of expert witnesses instead of focusing its attention solely on Smith. In the second witness panel, subcommittee members heard from Jamie Winteron, the Director of Strategic Research Initiatives at Arizona State University’s Global Security Initiative, and Tyler Moore, an assistant professor of cybersecurity and information assurance at the University of Tulsa’s Tandy School of Computer Science.

The Judiciary subcommittee’s relatively subdued tone and focus on industry experts likely reflects the members’ desire to use the hearing to arrive at a substantive solution rather than to pile on the chorus of voices criticizing Equifax. Nevertheless, Smith will appear one more time before Congress this week at a hearing before the House Financial Services Committee on Thursday morning.


Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy

Equifax Hearings Continue on the Hill

Former Equifax chief Richard Smith returned to Capitol Hill for a second day of congressional hearings into his company’s data breach, this time appearing before the Senate Banking, Housing, and Urban Affairs Committee.

Committee Chairman Mike Crapo (R-ID) characterized the Equifax breach as “shocking and concerning,” sentiments that were shared by both Republicans and Democrats alike. Ranking Member Sherrod Brown (D-OH) went further and said that “a goldmine for hackers” such as the trove of personal information stored by Equifax “should be a digital Fort Knox.” Brown continued to criticize Smith and Equifax for their handling of the breach, saying that the American public has grown accustomed to large companies getting off the hook for perpetrating similar large scale scandals.

During the hearing Smith unveiled Equifax’s plan to allow consumers to control access to their credit data by allowing them to lock and unlock their data at any time and at no cost. His proposal drew interest from the Banking committee members, who inquired about the details and logistics of the plan. According to Smith, this tool will roll out to consumers in early 2018.

The tool’s objectives mirror those of a bill touted by Representative Ben Ray Lujan (D-NM) in the previous day’s House Energy and Commerce Committee hearing on the Equifax breach. The Free Credit Freeze Act, H.R. 3878, would allow consumers to freeze and unfreeze their credit data at any time at no charge.

Smith is slated to appear before the Senate Judiciary Committee later this afternoon and before the House Financial Services Committee tomorrow morning. Whether after five high profile hearings Congress is able to come together with legislative solutions to both prevent such breaches from occurring in the future and mitigate the damage from the still-unfolding Equifax breach remains to be seen.

Tagged with: , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Litigation, Privacy

House Holds Hearings on Equifax Breach

The House Committee on Energy and Commerce’s Subcommittee on Digital and Consumer Protection held the first in what will be a series of Congressional hearings on the recently revealed data breach at major credit agency Equifax. Former CEO of Equifax Richard Smith testified before the committee on the hack and took the opportunity to apologize to Congress and the impacted public for the damage.

The chairmen and ranking members of both the full committee and the subcommittee criticized Smith for the company’s cyber practices as well as its post-breach response. Committee Chairman Greg Walden (R-OR) accused Equifax of failing to put consumers first, while subcommittee Ranking Member Jan Schakowsky (D-IL) said that the company “deserves to be shamed.”

While Republicans on the panel lodged complaints with the former CEO over the breach during the hearing, Democratic members took a more aggressive stance. Led by Ranking Member Schakowsky and Representative Ben Ray Lujan (D-NM), the Democratic members pushed for specific legislative solutions. Schakowsky noted she had reintroduced the Secure and Protect Americans’ Data Act (SPADA) in advance of the hearing. SPADA would enhance companies’ data security requirements and require timely notification and assistance to consumers in the event of a data breach.

Representative Lujan similarly touted his Free Credit Freeze Act, which would allow consumers to freeze and unfreeze their credit at no cost in order to prevent hackers from creating new financial accounts with their stolen information.

The subcommittee’s hearing kicks off a week of congressional scrutiny on data protection and the Equifax breach. The House Oversight and Governmental Reform Committee is slated to hold a hearing on the cybersecurity of the Internet of Things just hours after the Equifax panel concludes. On Wednesday, the Senate Banking and Judiciary committees will also hold hearings on the Equifax data breach at 10:00am and 2:30pm, respectively.

Tagged with: , , , , , ,
Posted in Cyberattack, Data Breach, Data Security, Legislation, Privacy, Regulations

Latest Spokeo Decision Adds to the Growing Body of Law Supporting Article III Standing for Cybersecurity Plaintiffs

We recently wrote about a decision in Attias v. CareFirst, Inc., holding that a class of plaintiffs whose information was compromised in a cyberattack had sufficiently demonstrated standing to survive a motion to dismiss. The U.S. Court of Appeals for the Ninth Circuit now has added to the toolbox for plaintiffs in cyber cases whose standing is challenged.

In Robins v. Spokeo, which the Ninth Circuit heard on remand from the U.S. Supreme Court, the issue was whether the plaintiff —who alleged that an inaccurate report about him on Spokeo’s consumer reporting web site constituted willful violations of the Fair Credit Reporting Act — had alleged a sufficiently “real” injury to meet the elements necessary for Article III standing.

The district court dismissed the complaint, holding that the plaintiff’s allegation of a bare violation of the statute did not show that he had suffered an injury-in-fact. The Ninth Circuit reversed in Spokeo I, holding that by alleging a violation of his statutory rights, the plaintiff had alleged a concrete and particularized injury. The U.S. Supreme Court granted certiorari and vacated that opinion, holding that the Ninth Circuit’s analysis had been incomplete, and remanded for further consideration of whether the injury was sufficiently concrete to support standing.

Specifically, the court considered “the extent to which violation of a statutory right can itself establish an injury sufficiently concrete for the purposes of Article III standing.” While the FCRA provides an individual right to sue for violations of the statute, the Supreme Court made clear that such a right does not satisfy the injury-in-fact requirement for Article III standing per se.

Rather, “even when a statute has allegedly been violated, Article III requires such violation to have caused some real — as opposed to purely legal — harm to the plaintiff.” Congress’s decision to provide a right of action is instructive, however, in cases in which the harm alleged is intangible, the Supreme Court noted in kicking the case back to the Ninth Circuit. And some statutory violations are enough on their face to demonstrate concrete harm. Thus, the Ninth Circuit faced two questions: “(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete rights (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually had, or present a material risk to, such interests.”

The court had “little difficulty” concluding that consumers have a concrete interest in accurate credit reporting about themselves, noting that “given the ubiquity and importance of consumer reports in modern life … the real-world implications of material inaccuracies in those reports seem patent on their face.” Further, “the interests that FCRA protects also resemble other reputational and privacy interests that have long been protected by the law.”

Turning to the second question, the court distinguished between a violation of the statute that did not result in the creation or dissemination of an inaccurate consumer report and a violation like the one at hand, which did result in dissemination of inaccurate information about the plaintiff. The latter category can support standing, if the nature of the inaccurate disclosure is such that it creates a real risk of harm. The Ninth Circuit determined that the inaccuracies at issue — which related to the plaintiff’s age, marital status, educational background, and employment history — are “the type that may be important to employers or others making use of the consumer report” and do not constitute insignificant technical statutory violations. Further, the court held, the injury was not speculative, because it had already occurred. “It is of no consequence how likely Robins is to suffer additional concrete harm” (emphasis in original).

Thus, the Ninth Circuit sent the case back to the district court for trial, paving the way for future FCRA plaintiffs whose standing to sue is called into question.

Tagged with: , , ,
Posted in Litigation, Privacy

CareFirst Data Breach Appeal Holds Three Key Lessons for Cyberattack Litigants

A recent federal appellate decision suggests that it might be getting easier for cyberattack plaintiffs to establish standing in a manner sufficient to survive a motion to dismiss. According to the U.S. Court of Appeals for the District of Columbia Circuit, people whose personal information was compromised in a cyberattack have standing to sue so long as they allege that a data breach traceable to the target company’s negligence exposed them to a substantial risk of identity theft, and they reasonably spent money to protect themselves in the wake of the attack. The case is Attias v. CareFirst, Inc., decided on August 1, 2017.

In so holding, the Court of Appeals reversed the district court’s dismissal of the action, admonishing the lower court for giving “the complaint an unduly narrow reading.” Both decisions turned on whether the plaintiffs had alleged that their social security or credit card numbers had been stolen. The lower court concluded that the plaintiffs did not demonstrate a sufficiently substantial risk of harm, and therefore lacked standing, because they had “not suggested, let alone demonstrated how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.”

The Court of Appeals took issue with this approach, because it presumed that the plaintiffs did not allege that this information had been stolen. However, the court noted, the complaint alleged that “PII/PHI/Sensitive Information” had been taken, and included in the definition of that term “patient credit card … and social security numbers.” Further, the complaint alleged that identity thieves could use the information accessed in the attack to “open new financial account[s] [and] incur charges in another person’s name.” At the motion dismiss stage, this combination of allegations is sufficient to establish a substantial risk of future harm, the court held.

A distinguishing feature of cyberattack cases, the court noted, is that an unauthorized party has already accessed another person’s information. In this circumstance, “it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill,” the court reasoned.

Having found that the plaintiffs had sufficiently alleged an “injury in fact” to establish standing, the Court of Appeals then addressed the second prong in the standing analysis: whether the injury could be fairly traceable to the alleged conduct of the defendant. CareFirst argued that this prong was not met, because there was no allegation that the attacker was affiliated with the company. But such a direct connection is not required, the Court of Appeals concluded. Rather, the plaintiffs’ allegations that CareFirst’s failure to properly secure their data creates enough of a link to the injury to satisfy the “fairly traceable” standard.

Finally, the court made short work of finding that the plaintiffs had satisfied the final requirement for standing – that the harm they suffered was “likely to be redressed by a favorable judicial decision” – by alleging that they had reasonably spent money to protect themselves against the potential for identity theft. This money could be recovered through an award of money damages, thereby meeting the third prong of the standing analysis.

In conclusion, Attias v. CareFirst carries three main takeaways for cyberattack litigants on the question of standing: (1) some courts will take a broad reading of complaint allegations at the motion to dismiss stage, and may infer from the cyberattack itself an intent harm to the victims; (2) the hacker need not be affiliated with the target company for the plaintiffs’ alleged harm to be traced back to that company; and (3) if the plaintiffs reasonably incurred costs to protect themselves from identity theft in the wake of the attack, they will, at least in some jurisdictions, satisfy prong three of the standing analysis.

Tagged with: , , , , ,
Posted in Cyberattack, Data Breach, Litigation
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Receive Email Updates


Cozen O’Connor Blogs