Archives: Privacy Litigation

As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves. That very same day, the first class action complaint arising from the breach was filed in federal court in San Diego. Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place. Plaintiff’s allegations parrot facts reported by Brian Krebs: that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having had access to customers’ Social Security Numbers. Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers. Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach. Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014, itself an event discussed in the Krebs report on the Scottrade breach. Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade fell short of that standard.

The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs.  Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.

This Is The End?

Settlement appears imminent in an employee class action against Sony Pictures Entertainment (“SPE”) arising from disclosure of their personally identifiable information (“PII”) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  A stipulation filed earlier this week by plaintiffs and SPE notified the court of the imminent settlement.  Terms of the settlement are as yet undeclared, but will become known on or before October 19, the deadline set in the stipulation for filing a motion for preliminary approval of the settlement.  Any classwide settlement will be subject to court approval after notice to members of the proposed class, who will have the right to object or to opt out of the settlement entirely.

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach.  Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor.  The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data.  In their class certification motion, the banks focus heavily on Target’s alleged data security failings.  They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices.  Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.

To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states.  Were the court to find that each bank’s claim is subject to the law of the state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.

Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges.  Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else.  In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification.  Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach.  It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.

Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes.  Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiffs’ motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims.  Plaintiffs make no attempt to address that issue either.  Given its conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes means a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.

Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal.  Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.

Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.

Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit.  In a ruling anticipated since April 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.

For all the background leading up to today’s ruling, we send you back to our April 2014 post summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint.  The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures.  The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers.  Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.

The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”

This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.

Target has announced that it has entered into a settlement with Visa to resolve claims of issuers of Visa credit and debit cards arising from Target’s November 2013 data breach.  The proposed settlement will pay issuers of Visa payment cards up to $67 million to reimburse losses associated with the theft of card numbers from Target POS terminals.  Unlike an earlier proposed $19 million settlement with MasterCard, the Visa settlement does not require card issuer approval.  The MasterCard settlement agreement terminated in May 2015 for failure to gain the required approval of issuers of 90% or more of the affected cards.  Additional details of this settlement will follow as they become available.

Neiman Marcus Petition Claims that Seventh Circuit Decision Invents Harm to Find Standing to Bring Data Breach Claims

Retailer Neiman Marcus has filed a petition seeking en banc review by the entire Seventh Circuit of the decision by a three-judge panel of that court in Remijas v. Neiman Marcus Group, LLC reversing dismissal of consumer data breach claims for lack of standing.  As we previously reported, the panel decision in Remijas held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.  In so ruling, the panel rejected the district court’s holding that plaintiffs’ allegations of potential future harms arising from stolen credit card numbers were too remote to satisfy the standing requirements set forth by the Supreme Court in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013).

Seventh Circuit Rules Consumers Have Standing to Sue in Neiman Marcus Payment Card Data Breach Case

In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing.  The appellate panel held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.  The district court, following Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), had construed plaintiffs’ allegations of potential future harms to be too remote to confer standing.  The Seventh Circuit distinguished Clapper, finding that Clapper does not foreclose suit based on all future harm, just suit based on speculative future harm.  Unlike Clapper, which concerned potential NSA interceptions of the plaintiffs’ communications, Remijas alleged actual theft of payment card data, making the potential for misuse of that information, in the Seventh Circuit’s view, not unduly speculative.  Accordingly, costs to avoid potential injury to consumers’ credit were deemed cognizable harm for purposes of Article III standing.

In its recently-filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.  In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards.  Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges.  Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court.  In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered.  Only two of the complaint’s 285 paragraphs allege the harms suffered by card issuers, and both do so without identifying which particular alleged harms had been sustained by any named plaintiff.  Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness.  This argument is premised on the complex and detailed rules governing the interrelationship between card issuing banks, banks that accept charges made on cards, and the card brands that issue the cards.  Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on their cards.  In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those rules as the “Card Brand Recovery Process.”  According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims.  At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that is duplicative of amounts awarded through the Card Brand Recovery Process.  Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, is then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers.  OPM serves as the human resources department, and holds employee records, for the entire federal government, ranging from security clearances to the identities of covert CIA agents.  Every federal agency is potentially affected by this breach.  Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail.  OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security.  Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private company breach victims as a glowing example of how easily hackers can get into even the most fortified government controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims.  While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.