Despite some courts’ evident confusion about the impact of payment card theft on consumer cardholders, other courts are getting it right.  Just this week, a judge in the Northern District of Illinois issued an order dismissing the second amended complaint filed by consumer cardholders in In re Barnes & Noble Pin Pad Litig. (N.D. Ill.).  This order marked the third time that the court had dismissed the consumer cardholder claims due to lack of injury.  Here, as in every theft of credit or debit card data, the fact that consumers are held harmless for fraudulent charges on their cards means that such losses – which are borne by the issuing banks – do not result in injury to consumers sufficient to confer statutory or constitutional standing.  This leaves plaintiffs, like those in Barnes & Noble, to argue that they sustained actionable injury because of inconvenience (cards are replaced, accounts are temporarily frozen) or apprehension of potential future harm (future adverse credit impact).  The court in Barnes & Noble held the former to be insufficiently significant to allow claims under statutes requiring proof of loss, while the latter was deemed too speculative to permit standing.  Even though plaintiffs could show that they purchased credit monitoring services after the breach, the court held that money spent on attempts to mitigate future fraud is not an injury that may be redressed under state unfair competition law.

Having dismissed three separate attempts to plead an actionable claim, the court dismissed the second amended complaint in Barnes & Noble with prejudice.  With this ruling, the court has provided additional support for defendants resisting consumer claims arising from theft of payment card data.

It seems as though we have been writing about this case for a lifetime.  Target Corporation’s data breach saga came one step closer to a conclusion this week.  On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach.   Alabama, Wisconsin, and Wyoming were not part of the settlement.

Another day, another data incident.  If you use DocuSign, you’ll want to pay attention.

The provider of e-signature technology has acknowledged a data breach incident in which an unauthorized third party gained access to the email addresses of DocuSign users.   Those email addresses have now been used to launch a massive spam campaign.   By using the stolen email address database and sending “official” looking emails, cyber criminals are hoping that recipients will be more likely to click on and open the malicious links and attachments.

DocuSign’s alert to users says in part:

[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

A portion of the phish in the malicious campaign looks like this:

 

Two phishing campaigns already detected and more likely

The DocuSign Trust Center has posted alerts notifying users of two large phishing campaigns launched on May 9 and again on May 15.

The company is now advising customers NOT TO OPEN emails with the following subject lines, used in the two spam campaigns.

  • Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature
  • Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature

We recommend that you change your DocuSign password in light of this incident as an extra measure of caution.  Also, DocuSign (like other similar services) offers two-factor authentication, and we strongly recommend that you take advantage of this extra security measure.

As always, think before you click.

Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims.  As previously reported in this blog, that derivative action was dismissed on November 30, 2016.  That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches.  Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal.  The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss.  On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement.  If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach.

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April).  On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor.  The cost of that missing agreement?  $31,000.  Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment.  The price of those failures?  $2.5 million!

When data thieves steal payment card data, consumers suffer no legally cognizable injuries.  Card issuers absorb the fraudulent charges and replace the affected cards.  Because fraudulent charges are not billed to consumers, they do not show up on consumers’ credit reports or otherwise affect their credit ratings.  Moreover, because the thieves end up possessing terminated and useless payment card numbers, they cannot inflict any future harm. Thus, consumers have no need for credit monitoring services – whether for free or otherwise – in the wake of a payment card data breach.  With no out of pocket losses, no risk of future losses, and no reasonable basis to expend resources on credit monitoring, a consumer whose payment card data has been stolen has no standing to bring suit in federal court.

After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws.

 

While your business may indeed be a “victim” when hit by a phishing attack, your enterprise can also be responsible for violations of law associated with the incident.   Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.

The MCPN settlement underscores the importance of risk analyses and workforce training to avoid phishing scams. Additionally, it is crucial that entities regulated by HIPAA conduct an enterprise-wide HIPAA risk analysis, update that analysis to address new threats, and implement policies and training based on identified risks. Failure to comply with these essential HIPAA requirements can turn a relatively routine breach investigation into a $400,000 settlement.

A copy of the MCPN resolution agreement and corrective action plan is available here. OCR’s press release on the settlement is available here. General Security Rule guidance from OCR is available here.

We are anxiously waiting to learn the fate of the data breach notification statute recently passed by state lawmakers in New Mexico. The bill remains on the desk of the governor, who has until the end of the week to sign the legislation into law. If she does, New Mexico will join 47 other states (along with the District of Columbia, Puerto Rico, and the Virgin Islands) in imposing at least some obligations on persons or entities holding personal information in the wake of a security incident.  We may need to update the Mintz Matrix soon.

 

We are well into March Madness … and Happy St. Patrick’s Day!

You may have already had your bracket busted by now…..but you should have Mintz Levin’s Third Annual Employment Law Summit on your schedule and the panel on Cybersecurity and Employee Data Breaches may help you avoid a security incident/personal data buster.

Teamwork is a key to advancing in the Big Dance and HR and IT could make a powerful team in fighting cybersecurity risks in your company. Just because cybersecurity threats affect cyberspace does not take the human element out of the prevention/mitigation loop.   And the Luck of the Irish has nothing to do with it……

Even though IT plays the role of the center in managing the game flow with respect to the company’s data security, the HR department should not sit on the bench. HR has the point guard skills necessary to mitigate important insider threats and properly train the rest of the team to play it safe.

Businesses are a treasure trove of information about people – customers, employees, business contacts. Loss or theft of any of these can cost a company both in cold cash and in reputation. We’ll take a look at the crazy-quilt of laws and discuss how HR managers and counsel can make the important connections between HR professionals and security professionals and keep your company in the game.

We hope you will join us in New York on April 6th as our panel ventures into cyberspace. Please remember to register here, as you won’t want to miss this important event.