In the latest decision concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc. (“NBEO”). In Hutton v. National Board of Examiners in Optometry, Inc., the court ruled that the plaintiffs alleged sufficient injury to meet the Article III standing requirement by virtue of hackers’ theft and misuse of the plaintiffs’ personally identifiable information (“PII”), notwithstanding the absence of any allegation that the misuse had resulted in pecuniary loss to the plaintiffs. In so ruling, the Fourth Circuit struck a middle course on the question of when misuse of sensitive PII results in a sufficient injury to confer standing to sue in federal court.
With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification. We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.
Managing the differing requirements remains a challenge, and points to the need for updated incident response plans. As an example, the chart below outlines the different timelines for notification. The Mintz Matrix contains information on all of these, and more.
Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.
Things to take note of under the Alabama law:
- The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include. An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
- Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
- The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
- Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
- No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
- The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions. “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.
Only one U.S. state without a data breach notification law, that is.
South Dakota has become the 49th state to enact a data breach notification law, which takes effect on July 1. The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.
The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:
- Social Security Number;
- Driver’s license number or other unique identification number created or collected by a government body;
- Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
- Health information;
- Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. The definition of “protected information” does not include a person’s name.
Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised. Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.
Notification is required within 60 days of the discovery of the breach. A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action. The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.
Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.
An update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws. Watch this space.
A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved. Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias. In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.
Mintz Levin Benefits attorney Patricia Moran recently authored an article for the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship. The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators.
As we near the end of a year that has seen more than its share of massive data breaches, two bills have been introduced (one re-introduced) in the U.S. Senate. (Full post: Two Data Breach Bills Introduced in US Senate.)
Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.
Other states already require businesses to meet specific standards with regard to providing cyber security protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as a Chief Information Security Officer, and implement an incident response plan, among additional imperatives. States likewise differ in what they require of businesses when providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and the Office of Consumer Affairs and Business Regulation (OCABR).
Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether a business qualifies for the safe harbor provision will be for a judge to determine, based on whether the business has met its burden. Ultimately, the key takeaway is that this new legislation will provide for compliance as an affirmative defense for businesses facing a lawsuit as a result of a data breach.
The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.
Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans? Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks? All of these developments provide an extra measure of security control beyond key cards, which can be lost or stolen, and can help to control a time-keeping fraud practice known as “buddy punching.” If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on. (Full post: The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers.)
This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.