Published by Al Saikali

September 2012

On September 19th, U.S. Senator John Rockefeller, writing on behalf of the Senate’s Committee on Commerce, Science, and Transportation, sent a letter to the Fortune 500 Chief Executive Officers seeking information about their cybersecurity policies and their positions on certain cybersecurity issues.  (Read the Committee’s press release here).

The letter is a result of the Senate’s recently failed effort to pass the Cybersecurity Act of 2012 in August.  As Senator Rockefeller explains in his letter, the Committee “would like to hear more – directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists.”  Senator Rockefeller argued that the legislation failed in part due to significant opposition from various business lobbying groups, including the U.S. Chamber of Commerce.  (The Chamber disagrees that this is the reason why it failed).

The letter asks the Fortune 500 CEOs to answer the following questions:

  • Has your company adopted a set of best practices to address its own cybersecurity needs?
  • If so, how were these cybersecurity practices developed?
  • Were they developed by the company solely, or were they developed outside the company?  Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  • Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  • What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

These questions raise several issues for the companies responding to them.  For example, how much detail should a company provide in response to these questions, keeping in mind that responses will likely be a matter of public record and may be viewed by competitors or potential cyber attackers?  What about companies that have not yet prepared formal cybersecurity practices?  Do they now have to admit this failure on the record, keeping in mind that the Committee also wants to know when those practices were developed?  Regarding the Cybersecurity Act, the responses will likely need to express concern about excessive government intervention and regulation while at the same time demonstrate sensitivity to protecting critical infrastructure like utilities, transportation, and telecommunications.

The lessons to be learned from this letter are not just for the Fortune 500.  All companies can benefit from auditing their systems and policies, implementing properly tailored cybersecurity measures for their organizations, and staying abreast of the best practices in their respective industries.

Responses to Senator Rockefeller’s letter are due by October 19th.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Last week, the United States Court of Appeals for the Eleventh Circuit decided Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sep. 5, 2012).  The Court’s opinion addresses some important issues regarding an individual’s right to bring a private lawsuit when her personally identifiable information or protected health information is compromised.  In its decision, the Court reversed the dismissal of all but two counts in a class action lawsuit that arose from a data breach suffered by an integrated managed care organization.

Background

AvMed, Inc., an integrated managed care organization, was the victim of a theft.  Two of AvMed’s unencrypted laptops containing PHI and PII for approximately 1.2 million current and former AvMed members (Plaintiffs) were stolen.  Plaintiffs alleged that an unknown third party used their information for fraudulent purposes 10 to 14 months after the theft.

The operative complaint alleged the following causes of action:  negligence, breach of implied and express contracts, unjust enrichment, negligence per se, breach of fiduciary duty, and breach of implied covenant of good faith and fair dealing.

The Southern District of Florida dismissed the lawsuit, in part because the complaint failed to allege cognizable injury.  The Eleventh Circuit has now reversed the trial court’s dismissal on all but two counts, holding that Plaintiffs had standing, alleged a cognizable injury, and adequately alleged causation.

Standing

The Court first addressed the issue of whether Plaintiffs had standing.  The Court held that Plaintiffs alleged all three elements necessary to meet the standing requirement:

  • Plaintiffs suffered an injury in fact – they were victims of identity theft and suffered monetary damages.
  • Plaintiffs’ injuries were “fairly traceable to AvMed’s actions” – Plaintiffs had personal habits of securing their sensitive information yet became the victims of identity theft after the laptops containing their PHI were stolen.
  • A favorable resolution of the case in Plaintiffs’ favor could redress their injuries – compensatory damages would redress their injuries.

Cognizable Injury

The Court next dealt with the issue of whether Plaintiffs suffered a cognizable injury. Plaintiffs alleged the following damages: money spent placing alerts with various credit reporting companies, money spent contesting fraudulent charges, money spent purchasing credit monitoring services, lost wages for missing work while filling out police reports, travel related costs, cell phone minutes, postage, and overdrawn amounts in their bank accounts.  The Court held that Plaintiffs’ allegations of monetary loss and financial injury were cognizable injuries under Florida law, though the Court did not address the validity of each one of these damages elements separately.

Causation

The Court then addressed causation – whether Plaintiffs had alleged sufficient facts showing that the theft of the AvMed computers caused Plaintiffs’ injuries.  The Court held that Plaintiffs’ allegations were sufficient to show that causation was “plausible”.  Specifically, the Court relied on three allegations:  (1) before the breach, Plaintiffs never had their identities stolen or sensitive information compromised; (2) before the breach, Plaintiffs took substantial precautions to protect themselves from identity theft; and, (3) Plaintiffs became the victims of identity theft for the first time in their lives 10 to 14 months after the laptops containing the PHI were stolen.

A key fact for the Eleventh Circuit was that the sensitive information on the stolen laptops was the same sensitive information used to steal Plaintiffs’ identity.

With respect to unjust enrichment (the one count that did not require causation), Plaintiffs alleged that a portion of Plaintiffs’ monthly premiums went towards AvMed’s data security administrative costs, and AvMed should not be permitted to retain that money because AvMed failed to implement proper security measures.  The Court allowed this count to proceed.

The Dismissed Counts

The Eleventh Circuit did, however, affirm the dismissal of Plaintiffs’ negligence per se and breach of the implied covenant of good faith and fair dealing counts.  The negligence per se count was based on an allegation that AvMed violated Section 395.3025, Florida Statutes, by disclosing Plaintiffs’ health information without authorization.  The Court held that because AvMed is a managed-care organization and not a hospital, ambulatory surgical center, or mobile surgical facility, it was not subject to the statute.  The Court dismissed the breach of covenant of good faith and fair dealing count because any failure by AvMed to secure Plaintiffs’ data did not result from a “conscious and deliberate act” on AvMed’s part.

The Dissent

The opinion included a vigorous dissent that argued Plaintiffs had failed to allege a plausible basis for finding that AvMed caused Plaintiffs to suffer identity theft.  The dissenting judge observed that an obvious alternative explanation for the identity fraud existed – an unscrupulous third party that possessed the Plaintiffs’ sensitive information might have sold it to identity thieves who opened the fraudulent accounts, or a careless third party might have lost the information that then found its way into the hands of those thieves.

What Are The Takeaways?

First, it is important to note that as of the date of this alert, the opinion is not yet final.  That said, the opinion in its current form could lead to a dramatic uptick in data security litigation within the Eleventh Circuit, as plaintiffs will likely use the opinion to argue that the bar for causation in such cases is low and cognizable damages can be extensive (and arguably speculative).

Companies maintaining personally identifiable information and protected health information about residents of the Southeastern United States would be well served to ensure that they are taking proactive steps to implement reasonable data security measures in an effort to avoid a data breach.  In this instance, for example, encryption of the stolen laptops might have prevented the resulting lawsuits.


As I wrote in a previous post, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued a Disclosure Guidance on October 13, 2011, that states publicly traded companies may be obligated to disclose cyber incidents and the risk of cyber incidents, depending on the application of various factors.

Now, according to a recent Bloomberg article, the SEC is cracking down on publicly traded companies’ failure to comply with the Guidance.  The SEC apparently sent “dozens” of letters to companies asking about their cybersecurity disclosures and pushing them to disclose.  Six of the companies that the SEC instructed to disclose were AIG, Amazon.com, Eastman Chemical Co., Google, Hartford Financial Services Group, and Quest Diagnostics, Inc.

With respect to Amazon.com, its Zappos.com unit was the victim of a cyber attack that resulted in the theft of addresses and credit card numbers belonging to 24 million of its customers.  In April, the SEC asked Amazon to disclose the attack, which, according to Bloomberg, Amazon now has, though not without objection.  Amazon initially resisted disclosing the cyber attack because, according to Amazon, Zappos did not contribute material revenue to Amazon.

Google, too, has now agreed to disclose in an SEC filing a cyber attack that it had already disclosed publicly in January 2010.  The SEC believed that disclosure in a formal SEC filing was necessary to “provide the proper context for your risk factor disclosures.”  Accordingly, Google agreed to repeat the information in its earnings report.

Hartford told the SEC that it hadn’t suffered a “material” cyber attack, but the SEC instructed it to disclose “any” attack.

AIG agreed to state in a future quarterly report that it had “from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions.”

The SEC’s action is significant because the Guidance is not technically a rule, though the SEC is effectively creating a rule by taking the position that these companies should have disclosed their breaches.  Failure to comply with an SEC letter can lead to fines amounting to hundreds of thousands of dollars; fighting the SEC in litigation could cost millions.  It will be interesting to see whether and to what extent the SEC will continue to crack down on companies that do not disclose cyber attacks and risks of cyber incidents.
