Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue. Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing. The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.
Happy June – the first day of meteorological summer!
In the last month, both a federal court and a state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both decisions illustrate the importance of the specific language of an insurance policy, because that language determines the scope and breadth of the coverage actually afforded.
If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series: The Long Reach of COPPA. Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.
Register online here – NY and CA CLE credit is available.
Target’s attempt to resolve the claims of MasterCard-issuing banks through a $19 million private settlement with MasterCard has been terminated because issuers of at least 90% of the affected card accounts did not accept the settlement by the Wednesday, May 20 acceptance deadline. Press reports on Friday, May 22 indicated that both Target and MasterCard had confirmed that failure to meet the 90% requirement had voided the settlement. The termination of the settlement means that MasterCard-issuing banks no longer have the option to accept a portion of the proposed $19 million MasterCard settlement pool to settle their claims against Target.
For now, the claims that would have been resolved in the MasterCard settlement continue to be the subject of the consolidated class action pending in federal court in Minnesota. It remains to be seen whether Target and MasterCard will go back to the drawing board to craft a new and richer settlement, or if Target will abandon its attempt to obtain a private settlement and pursue resolution of the MasterCard claims through the federal court lawsuit.
The Network Advertising Initiative (NAI) has issued guidance for its members on the use of non-cookie technologies for Interest-Based Advertising (IBA) and Ad Delivery and Reporting (ADR) (the Guidance). The NAI is a self-regulatory organization for third-party digital advertising companies. Consistent with the NAI Code of Conduct (NAI Code), which was designed around the Fair Information Practice Principles, the Guidance explains how the NAI Code applies to members’ use of non-cookie technologies for IBA and ADR, sets best practices for members, and offers insight into the NAI staff’s review of members using non-cookie technologies for IBA as part of the NAI annual compliance reviews.
We all know what cookies are by now. So what is IBA and “non-cookie” technology?
Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers’ interests by companies promoting their products or services. It is accomplished by collecting consumer data across multiple web domains owned or operated by different entities, amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie-based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. For more information about IBA, please click here. The NAI defines non-cookie technology as “mechanisms, other than cookies, used to identify your browser, which can include technologies such as browser cache, locally stored objects (LSOs), or statistical identifiers… used for many purposes including, but not limited to, ensuring your online banking is secure, preventing online advertising fraud, or to engage in Interest-Based Advertising or Ad Delivery and Reporting”. For more information about non-cookie technology, please see the NAI FAQs on Non-Cookie Technologies.
What are the NAI-recommended best practices for members’ use of non-cookie technology for IBA and ADR?
The Guidance sets forth baseline best practices for:
1. Notifying consumers of a member’s use of non-cookie technology and providing transparency:
- Members using non-cookie technology for IBA must require websites collecting data for IBA through the non-cookie technology to clearly and conspicuously post a notice containing a disclosure that non-cookie technology may be used by third-parties on the site. Members are further required to make a reasonable effort to ensure that such notice is posted on their partners’ websites and that related language that is currently used by their partners is updated accordingly. Addendum A to the Guidance provides several examples of partner website notices.
- Members using non-cookie technologies for IBA that cannot be viewed or modified using native browser controls are required to implement a consumer-facing transparency tool which, at a minimum, displays: (1) on both the member’s website and the NAI’s opt-out page, whether data is collected for IBA on a specific browser using non-cookie technology, and the opt-out status of that browser; and (2) on the NAI’s opt-out page only, a disclosure or an icon informing consumers that the member uses non-cookie technology for IBA and linking back to the member’s website for information about the member’s use of such technology.
2. User control:
- Members engaging in IBA are required to provide an opt-out mechanism, available both on the member’s website and through the NAI’s opt-out page, that ensures that data collected using the non-cookie technology is not used for IBA after a consumer has opted out of such use of their data. The opt-out must cover the browser on which the choice is expressed. After a consumer has exercised the opt-out choice, and for as long as the consumer remains opted out, a member may continue to collect data using non-cookie technology only for non-IBA purposes, and any such data may not be used for IBA at any time, regardless of future opt-out status and of the technology used.
- Under the Guidance, NAI members will be required to offer a centralized consumer opt out of non-cookie technologies through the NAI’s new opt-out tool once it is published to the NAI opt-out page. According to the NAI, this new tool will inform consumers when NAI members use non-cookie technologies for IBA as well as offer a redesigned opt-out experience.
3. Use limitations and oversight:
- Members making a material change to their IBA data collection and use policies and practices are required to obtain opt-in consent before applying such change to data collected prior to the change; until opt-in consent is obtained or in its absence, any data collected prior to the change will continue to be governed by the data collection and use policies in effect when the information was collected.
- Members using non-cookie technology for IBA that do not allow the NAI to conduct reasonable technical oversight will be required to develop a process with the NAI staff whereby the NAI compliance team will be able to conduct reasonable, external oversight and monitoring (e.g., access to a member’s API).
- A member’s opt-out inspection service must provide the NAI with: (1) a methodology to determine whether changes to an ad interest profile have been made after the applicable consumer’s opt-out, where such changes would be made through the use of the non-cookie technology; and (2) some other methodology that provides adequate information to permit the NAI compliance staff to assess and ensure the member’s compliance with the NAI Code and the Guidance. Members are required to attest that their business practices comply with each aspect of the NAI Code.
The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance. Members that want to use non-cookie technologies for IBA and ADR during this time may do so but only in accordance with the requirements set forth in the Guidance. However, since the current NAI opt-out tool does not indicate when members use non-cookie technologies for IBA, the requirement to use the NAI’s opt-out tool will become effective after the NAI completes testing and integrating the new tool into its central industry opt-out page.
Key takeaway: The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.
Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.
One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy. In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet. Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards. The California court granted approval of the $4.125 million settlement fund in December 2014. CNA, which had reserved rights, filed this action. You can read more about the underlying lawsuit here.
In it, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA asserts that this representation in the application was false.
Insureds and insurers in the cyber space would do well to watch this matter unfold. The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides. Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies. Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.
It’s Monday morning — do you know your privacy/security status?
Here are a few bits and bytes to start your week.
SEC to Registered Investment Advisers and Broker-Dealers: It’s Your Turn to Pay Attention to Cybersecurity
The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties. That information includes information concerning fund investors and advisory clients. We’ve summarized key points from the recently-issued Guidance.
The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:
- Conduct a periodic assessment of:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- security controls and processes currently in place; and
- the impact should the information or technology systems become compromised; and the effectiveness of the governance structure for the management of cybersecurity risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats; such a strategy could include:
- controlling access to:
- various systems and data via management of user credentials;
- authentication and authorization methods;
- firewalls and/or perimeter defenses;
- sensitive information and network resources;
- network segregation;
- system hardening; and
- data encryption.
- protecting against the loss or exfiltration of sensitive data by:
- restricting the use of removable storage media; and
- deploying software that monitors technology systems for:
- unauthorized intrusions;
- loss or exfiltration of sensitive data; or
- other unusual events.
- data backup and retrieval; and
- the development of an incident response plan.
- Routine testing of the strategy could also enhance its effectiveness.
- Implement the strategy through:
- written policies and procedures; and
- training that:
- provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
- monitors compliance with cybersecurity policies and procedures.
Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors.
Penn State University Confirms Cyberattack Originated in China
If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while. The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China. Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered. The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.
For more: Cyberattack on Penn State University
Digital Advertising Alliance to Enforce Mobile App Principles
Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment. The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment. Mobile tools for consumers were released in February: App Choices and the Consumer Choice Page for Mobile Web.
The mobile principles address mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for user-created data such as calendars, address books and photo/video data that is stored on or accessed through a particular device.
After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the mobile principles or risk being subject to the DAA’s accountability mechanism.
REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR
Don’t forget to register for the next in our Privacy Wednesday Webinar series: The Long Reach of COPPA. Webinar is eligible for NY and CA CLE credit — register here.
Wednesday, May 13 – Mintz Employment Law Summit (Boston)
A discussion of hot topics facing employers, including Privacy in the Workplace. Free event, breakfast and lunch included. Register here.
Wednesday, May 13 – National Security, Privacy, and Renewing the USA PATRIOT Act, Hudson Institute, NY
Live streaming starts at noon. #PATRIOTAct. More information here.
Wednesday, May 13 – Ninth Annual Law & Information Society Symposium – Fordham Law School
Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices. Information here.
Thursday, May 14 – IAPP KnowledgeNet (Boston area)
Learn about data privacy issues posed by wearables, wellness tracking apps, company wellness programs and other technologies and services here in the U.S. and abroad. Register here.
Monday, May 18 – 36th IEEE Symposium on Security & Privacy – Fairmont Hotel (San Jose)
Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The 2015 Symposium will mark the 36th annual meeting of this flagship conference. More information here.
Wednesday, May 27 – Mintz Privacy Wednesday Webinar – The Long Reach of COPPA
The fifth in our Wednesday Webinar series will focus on a discussion of COPPA, the long-awaited amendment and issues. We’ll also discuss the latest Federal Trade Commission settlements and how to avoid being the next target. Register here.
Senior U.S. District Court Judge Paul Magnuson issued an order on Thursday, May 7 denying a request by counsel for card issuer banks to enjoin the settlement of data breach related claims negotiated between Target and MasterCard. As we have previously reported, the proposed settlement would provide compensation to MasterCard-issuing banks for fraud losses and the cost of reissuing credit and debit cards. Banks that agree to accept the settlement are required to release all data breach claims against Target arising from compromised MasterCard accounts. Crediting substantive objections to the proposed settlement, Judge Magnuson wrote that “[t]he Court agrees with Plaintiffs’ counsel that the terms of the settlement do not appear altogether fair or reasonable.” He also signaled disapproval of conducting settlement negotiations outside of the court proceedings without participation by or notice to class counsel, stating that “the way this issue has arisen is neither fair nor is it how the Court expects attorneys to conduct themselves in litigating matters before the Court.” Nonetheless, Judge Magnuson concluded that he was powerless to enjoin the settlement, insofar as Fed. R. Civ. P. 23, which governs class actions, empowers parties to settle claims that are the subject of a class action privately, without court approval, at any time prior to certification of a plaintiff class. “Before a class is certified,” he wrote, “a Court’s authority over settlements such as these is limited to curing communications that constitute ‘actual or threatened misconduct of a serious nature.’” He concluded, however, that Target’s and MasterCard’s communications with card issuers concerning the settlement were not so misleading or deceptive that the Court would be empowered to enjoin the solicitation of card issuers to participate in the settlement. Accordingly, the judge declined to enjoin the Target-MasterCard settlement.
It is unclear whether class counsel intend to seek interlocutory appellate review of Judge Magnuson’s order. Such review is highly unusual and difficult to obtain.
As a result of this ruling, the settlement process under the Target-MasterCard settlement agreement can continue to go forward. In order to participate in the settlement, issuer banks must affirmatively elect to join the settlement and provide releases to Target. Target can walk away from the settlement if issuers of fewer than 90% of the affected payment card accounts opt into the settlement. It is likely that class counsel will encourage issuer banks to decline the settlement and continue to participate in the class action. The success or failure of such a campaign will determine whether MasterCard-related claims continue to be litigated in federal court before Judge Magnuson. Also unclear at this point is whether a similar settlement is in the works between Target and Visa to resolve the claims of Visa-issuing banks and, if so, what the terms of that settlement will be.
Fitbit, the fitness-tracking company with six wearable devices that track and collect data about things like calories burned, steps logged, “quality” of sleep and sleep patterns, and heart rate, as well as web and mobile apps and premium services, has filed with the Securities and Exchange Commission for a $100 million initial public offering. We have discussed the SEC’s Cybersecurity Guidance issued in 2011 and, based on that Guidance, how the SEC expects public companies (and soon-to-be public companies) to disclose specific cybersecurity risk to investors — see our discussion here. Given that, we thought we would check Fitbit’s S-1 filing to see how a company collecting gobs of health and fitness data on millions of users (nearly 21 million units sold last year) discloses cybersecurity risk.
Boilerplate, or discussion of company-specific risk? You be the judge (the entire S-1 can be obtained here):
We collect, store, process, and use personal information and other customer data, which subjects us to governmental regulation and other legal obligations related to privacy, information security, and data protection, and our actual or perceived failure to comply with such obligations could harm our business.
We collect, store, process, and use personal information and other user data, and we rely on third parties that are not directly under our control to do so as well. Our users’ health and fitness-related data and other highly personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, and biometric information such as heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and sensitivity of the personal information and data we manage and the nature of our products, the security features of our platform and information systems are critical. If our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to sensitive user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Fitbit data were to experience a breach of systems compromising our users’ sensitive data, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident. A growing number of legislative and regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another.
Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises user data. Our users may also accidentally disclose or lose control of their passwords, creating the perception that our systems are not secure against third-party access. Additionally, if third parties we work with, such as vendors or developers, violate applicable laws, agreements, or our policies, such violations may also put our users’ information at risk and could in turn have an adverse effect on our business. While we maintain insurance coverage that, subject to policy terms and conditions and a significant self-insured retention, is designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise in the continually evolving area of cyber risk.