Published by Al Saikali

October 2011

The U.S. Circuit Court of Appeals for the First Circuit recently weighed in on the causes of action and damages that are (and are not) cognizable in a data breach case.  In Anderson v. Hannaford Bros. Co., No. 10-2384 (1st Cir. Oct. 20, 2011), the plaintiffs were customers of a grocery store chain.  The grocery store chain used an electronic payment processing system that was breached by hackers, allowing the hackers to steal up to 4.2 million credit and debit card numbers and identifying information of the stores’ customers.  Many of the plaintiffs had unauthorized charges against their credit/debit card accounts.  Several were charged replacement card fees by their banks to replace their credit/debit cards.  The customers sued the grocery store chain.

The plaintiffs’ lawsuit was based on several causes of action:  breach of implied contract, breach of implied warranty, breach of duty of a confidential relationship, failure to advise customers of the theft of their data, strict liability, negligence, and violation of Maine’s Unfair Trade Practices Act.  In its 35-page opinion, the First Circuit analyzed each of these causes of action and held that only the negligence and implied contract causes of action were viable.

The plaintiffs sought various types of damages, including the cost of replacement cards, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, time and effort spent reversing unauthorized charges and protecting against further fraud, and costs incurred for purchasing identity theft/card protection insurance and credit monitoring services.  The First Circuit held that only the plaintiffs’ claims for mitigation expenses (such as a consumer’s purchase of credit reports or credit insurance) and for the card replacement costs consumers incurred were recoverable.

Civil lawsuits arising from data breaches are a new and developing area of the law, and this new opinion is important because it is among the first U.S. Circuit Court opinions to analyze the issues of the proper causes of action and recoverable damages, and to do so in depth.  The decision is also important because, as journalist Jaikumar Vijayan wrote in an article for Computerworld, the case is “a rare instance of a court siding with consumers in a data breach lawsuit.”  It is certainly worth a read for anyone interested in these issues, and it should be an exciting time for anyone who practices in this area because we are watching the law develop from the beginning.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.


The findings of a recent Thomson Reuters Accelus survey entitled Better Board Governance:  Communications, Security and Technology in a Global Landscape of Change raise questions about the level of security some corporations are taking (or failing to take) to protect sensitive and confidential corporate information transmitted between the corporate entity and its board members.

The survey finds that “corporate policies and practices for managing board documents and communications may not be keeping pace with requirements for security and compliance.”  Some of the problems that the survey identified include:

  • Board Papers – 61% of all boards disseminate important board materials in paper format instead of using secure online methods like board portal tools.
  • Board Communications – board members communicate via methods that lack any encryption.  Many use public email services such as Yahoo!, Gmail, and Hotmail to conduct important board business.  A significant number of board members print out their materials and carry them with them, exposing the materials to loss or theft with no ability to destroy them remotely.
  • Document Retention & Discovery – board members are storing corporate documents on their private home computers and private mobile devices, so the documents may not be captured in response to a discovery request.
  • Secure Communications – board members are not provided secure computing/communication devices.
  • Security – board documents are accessible via unsecured Wi-Fi networks, exposing them to theft or hacking.  A significant number of board members have reported that their laptops, mobile devices, or sensitive documents were lost, stolen, or left in public places.
  • Increased International Role – two-thirds of board members are managing global issues for their company and 83% of companies have board members who travel internationally extensively.  This raises the issues of how board members are communicating and accessing their materials overseas and what measures are in place to ensure that the international communications and transmission of materials are secure.

The survey’s findings raise several questions.  For example, with board members increasingly traveling overseas and managing international issues, are data security measures only as good as the protection available in the countries where board members are traveling?  What is the right balance between security and business needs?  To many board members, the convenience of access to all of their business information on one device may outweigh the security risk and the expense of implementing certain security measures.  What policies and procedures are in place to ensure that “sufficient” data security measures are being taken?

Perhaps the best “takeaway” from this study is that there may be a gaping hole in the protection of corporate board communications and materials.  Corporate in-house counsel should be aware of the risks and perhaps work with the company’s IT department to evaluate the most cost-effective options to secure corporate board information.




When a company decides to store its data in the cloud, one of the choices it must make is whether to store the information on physical resources devoted solely to its data and computing services, or share those resources with other entities who are using the same cloud provider’s services.  At the risk of oversimplifying, an analogy is deciding whether to rent a house or rent a unit in a multi-tenant building.  The latter option is often less expensive and, as a result, seemingly more attractive, but it may raise more security concerns because you share the same space with other renters.


A recent study entitled “Hey, You, Get off of My Cloud:  Exploring Information Leakage in Third-Party Compute Clouds” suggests there may be certain risks associated with the multi-tenant or “multiplexing physical infrastructure” environment when it comes to cloud computing.  The study explains how it may be possible for an attacker to place a malicious virtual machine (“VM”) on the same multi-tenant cloud server as a target and then extract confidential information via a cross-VM attack.  The study concludes that “there exist tangible dangers when deploying sensitive tasks to third-party compute clouds.”


What does this mean for a company looking to store confidential information in the cloud?  At a minimum, an inquiry should be made to determine whether and to what extent the company will be sharing infrastructure with other entities using the same cloud provider.  If there will be a sharing of infrastructure, the study suggests a few approaches for mitigating the risks associated with such sharing.  First, the cloud provider can adjust the internal structure of its services to complicate an attacker’s ability to place a VM on the same machine as its target.  Also, the provider can put into place blinding techniques that minimize the amount of information that can be leaked.  The only “foolproof solution,” however, is to “insist on using physical machines populated only with their own VMs and, in exchange, bear the opportunity costs of leaving some of these machines under-utilized.”
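The two mitigations summarized above, placement that keeps a tenant's VMs off shared hardware and a check that confirms the tenant is in fact not co-resident with anyone else, can be made concrete with a small model.  The code below is an added example written for this post; it is not code from the study or from any cloud provider, and the inventory it builds (host and tenant names, capacities) is constructed for illustration.  It shows both sides of the "foolproof solution" quoted above: a placement rule under which a tenant that has asked for dedicated hardware is never co-located with another tenant (and placement fails rather than silently sharing when no dedicated host is free, which is the opportunity cost the study describes), and a customer-side report that lists every one of a tenant's VMs that currently shares a physical host with some other tenant.

```python
"""Dedicated-tenancy placement and co-residency audit (toy model).

Added example, not code from the "Hey, You, Get off of My Cloud" study
or from the original post.  All names (VM, Host, place_vm,
co_residency_report, host ids, tenant ids) are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    vm_id: str
    tenant: str
    dedicated: bool = False  # tenant insists on single-tenant physical hardware


@dataclass
class Host:
    host_id: str
    capacity: int               # number of VM slots on this physical machine
    vms: list = field(default_factory=list)

    def tenants(self):
        return {vm.tenant for vm in self.vms}


def can_host(host, vm):
    """Placement policy: capacity, plus 'dedicated' VMs never share a host."""
    if len(host.vms) >= host.capacity:
        return False
    other_tenants = host.tenants() - {vm.tenant}
    if vm.dedicated and other_tenants:
        return False
    # A host already holding another tenant's dedicated VM is closed to everyone else.
    if any(v.dedicated and v.tenant != vm.tenant for v in host.vms):
        return False
    return True


def place_vm(hosts, vm):
    """Place vm on the first acceptable host; return that Host, or None.

    Hosts already running the same tenant are tried first (keeps a dedicated
    tenant's fleet compact), then emptier hosts.  Python's sort is stable, so
    ties keep inventory order.
    """
    ordered = sorted(hosts, key=lambda h: (vm.tenant not in h.tenants(), len(h.vms)))
    for host in ordered:
        if can_host(host, vm):
            host.vms.append(vm)
            return host
    return None  # no host satisfies the policy: capacity must be left idle or added


def co_residency_report(hosts, tenant):
    """Return [(host_id, vm_id, [other tenants])] for every VM of `tenant`
    that shares a physical host with at least one other tenant."""
    findings = []
    for host in hosts:
        residents = host.tenants()
        others = residents - {tenant}
        if tenant in residents and others:
            for vm in host.vms:
                if vm.tenant == tenant:
                    findings.append((host.host_id, vm.vm_id, sorted(others)))
    return findings


def build_demo_inventory():
    """Constructed inventory: three two-slot hosts, four tenants."""
    hosts = [Host("h1", 2), Host("h2", 2), Host("h3", 2)]
    requests = [
        VM("a1", "acme", dedicated=True),
        VM("b1", "bravo"),
        VM("c1", "charlie"),
        VM("a2", "acme", dedicated=True),
        VM("d1", "delta"),
        VM("a3", "acme", dedicated=True),  # no clean host left: placement fails
    ]
    placements = {vm.vm_id: (h.host_id if (h := place_vm(hosts, vm)) else None)
                  for vm in requests}
    return hosts, placements


if __name__ == "__main__":
    hosts, placements = build_demo_inventory()
    print("placements:", placements)
    for t in ("acme", "bravo"):
        print(t, "co-residency findings:", co_residency_report(hosts, t))
```

Running the file prints the placement decisions and then the audit for two tenants: the dedicated tenant shows no co-residency findings while the tenant that accepted shared hardware is reported alongside the other tenant on its host.  The third dedicated request is refused because every remaining slot is on a host another tenant already occupies, which is exactly the under-utilisation trade-off the study describes.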

