Published by Al Saikali

October 2013

Just when you thought it might be safe to go back into the water, another significant data breach lawsuit may be settling.  Last week, I wrote about the proposed settlement in the AvMed lawsuit.  The motion for a preliminary proposed settlement in that case was granted on Friday, and a Final Hearing is set for February 28, 2014.

At the end of last week, however, the St. Louis Post-Dispatch reported that Schnuck Markets has agreed to settle a proposed class action arising from a breach of its systems (a cyber attack in which a computer code was inserted into Schnucks’ payment system, allowing the capture of magnetic strip data from approximately 2.4 million customers’ payment cards between December 2012 and March 2013).

The Legal Theories

The lawsuit, which is pending before a St. Louis Circuit Court, alleges that Schnucks: (1) failed to secure customers’ personal financial information, and (2) did not notify customers in a clear and timely manner that their information had been stolen.

The “failure to secure” theory is based on an argument that Schnucks did not abide by “best practices and industry standards concerning the security of its computer and payment processing systems.”  This allegation should scare every corporate entity.  Why?  Because the phrase “best practices and industry standards” is so ambiguous and can be defined so differently depending on who you ask.  For example, is the standard best measured by the Payment Card Industry’s Data Security Standards?  Perhaps it’s measured by NIST?  How about ISO?  Should you use some amorphous common law standard that has developed in the case law or laws that may not directly apply to you (e.g., HIPAA if you’re not a Covered Entity or Business Associate)?  Regardless of what standard you choose, it’s a moving target and changes as technology changes.  In other words, compliance with the “reasonableness” standard can be both expensive and very difficult to determine.

The second legal theory (that Schnucks failed to timely and adequately notify consumers) should also cause some concern to organizations that maintain sensitive information.  How did Schnucks notify its customers?  According to the plaintiffs, Schnucks issued a national press release within two weeks of learning that its systems had been compromised, though they claim that no “individual notification” to class members occurred.  With respect to when the notice took place, anyone who is experienced in breach response will tell you that notification within two weeks of learning of an incident involving a cyber attack is prompt.  It takes time to identify the affected systems, determine the source and scope of the intrusion, identify what information was affected, learn where the individuals whose personal information was affected are located (assuming the incident even affected personal information), and confirm that the compromise has been contained so there is no threat of a live hacker moving to other areas of your information systems while you’re undertaking notification.  With respect to how the notice took place, it is not clear whether Schnucks was perhaps trying to provide substitute notice under the applicable state data breach notification laws, which would have obviated the need for individual notice.

The causes of action in the Second Amended Class Action Petition are as follows:

(1) Breach of implied contract – plaintiffs claim that in providing financial data to Schnucks, plaintiffs entered into an implied contract with Schnucks obligating it to reasonably safeguard plaintiffs’ information and notify plaintiffs if the information was accessed without authorization.

(2) Violation of Missouri’s Merchandising Practices Act – plaintiffs claim that Schnucks engaged in “unfair conduct” by failing to properly implement adequate, commercially reasonable security measures to protect their personal information while shopping at Schnucks.  Plaintiffs also contend that Schnucks’ failure to provide timely and sufficient notice of the breach of its computer systems was an “unfair practice.”

(3) Invasion of Privacy by Public Disclosure of Private Facts – plaintiffs also allege that the breach resulted in a public disclosure of the plaintiffs’ private information.

Plaintiffs do not claim violation of any state data breach notification law as a cause of action, despite their factual allegations that Schnucks’ notification was inadequate and untimely.

Damages Sought

The plaintiffs seek damages for: (1) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, (2) the value of their time spent mitigating identity theft and the risk of identity theft, (3) the increased risk of identity theft, (4) the deprivation of the value of their personal information, and (5) anxiety and emotional distress.  These damages, for the most part, fall into the “weaker” side of the cognizable damages spectrum based on existing case law.  The proposed settlement, however, attempts to limit recovery to those plaintiffs who suffered cognizable damages.

Terms of the Proposed Settlement

The terms of the proposed settlement are set forth in the parties’ motion for preliminary approval of class action settlement.  Schnucks denies any wrongdoing as a term of the proposed settlement.  The proposed settlement fund would provide the plaintiffs with the following relief:

  • Fraudulent Charges – up to $10 for each credit or debit card that was compromised and had fraudulent charges posted on it, even if the charges were later reversed.
  • Out-of-Pocket Expenses – unreimbursed out-of-pocket expenses (bank fees, overdraft and late fees), and $10 per hour for up to three hours of time spent dealing with the security breach.  There would be a $175 per person cap on these expenses.
  • There is an aggregate cap of $1.6 million for the above two categories.  If the total claims exceed that amount, customers are guaranteed $5 for each compromised card.
  • Identity Theft – up to $10,000 for each related identity theft loss, with a cap of $300,000 in total.
  • Attorney’s Fees – up to $635,000 for the plaintiffs’ attorney’s fees.
  • Incentive Awards – $500 to each of the nine named plaintiffs in the lawsuit.

It would be interesting to know how many members of the class can actually demonstrate the type of quantifiable and specific damages for which the settlement provides relief.

The Fat Lady Isn’t Singing Just Yet . . .

Before the case can settle, however, the court must first consider a motion to intervene that was filed by an individual pursuing a related federal lawsuit against Schnucks elsewhere.  She argues that there are four pending federal class action lawsuits that arise from the same operative facts as the state court case, and the proposed settlement risks releasing Schnucks from the federal lawsuit.  Ostensibly, the intervening party believes she can obtain greater relief in federal court.

Whether the intervening party succeeds, the proposed settlement still has value because it is another example of the types and extent of damages some defendants are willing to agree to in data breach lawsuits.  It is also a glimpse into what the plaintiffs individually are being awarded as damages, and how much their lawyers are being awarded as fees. But the bigger lessons to be learned from all of this are:  (1) there appears to be a standard of “reasonableness” developing in data breach cases that is amorphous and therefore difficult to comply with, and (2) when and how you notify affected individuals can be a source of potential liability in a data breach class action.

A case review is scheduled in this case for December 25, 2013.  Merry Christmas.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.    

How much of a headache can a couple of stolen laptops cause your organization?  How about a $3 million headache?  That is the amount of a settlement proposed in an Unopposed Motion in Support of Preliminary Approval of Class Action Settlement in Resnick/Curry v. AvMed, Inc., No. 1:10-cv-24513-JLK (S.D. Fla.), a data breach lawsuit pending in the Southern District of Florida.

Background

Resnick involved the theft of two unencrypted laptops from a conference room in the defendant’s corporate office.  Unfortunately, the laptops contained personal information of approximately 1.2 million customers/insureds (“the plaintiffs”).  The plaintiffs filed a class action lawsuit claiming that AvMed failed to adequately secure the plaintiffs’ personal information.

The District Court dismissed the lawsuit in July 2011, finding that the plaintiffs had failed to show any cognizable injury.  The 11th Circuit, however, reversed the trial court, holding that the plaintiffs had in fact suffered cognizable injuries.

Of particular note was the portion of the 11th Circuit’s opinion addressing the plaintiffs’ unjust enrichment count.  The plaintiffs had argued that a portion of their insurance premiums was ostensibly for the defendant’s administrative costs in implementing safeguards that protected the plaintiffs’ information.  The plaintiffs contended that, as evidenced by the stolen unencrypted laptops, a portion of those costs should be returned because their information was ultimately compromised and the defendant had not adopted reasonable security measures to protect their information.  The 11th Circuit agreed, and held that the unjust enrichment count (among other counts) could proceed on remand.

The Settlement Terms

The $3 million settlement fund is to be disbursed as follows:

(1) approved premium overpayment claims — class members can receive up to $10 per year for each year they paid the defendant for insurance before the data breach, subject to a $30 limit.  These are the unjust enrichment damages.

(2) approved identity theft claims — class members who suffered any unreimbursed monetary losses as a result of identity theft related to the breach are eligible to have those amounts reimbursed.

(3) settlement administration expenses — these are the costs for providing notice to the settlement classes and the costs of administering the settlement.  At first blush these may seem small, but remember that there are potentially 1.2 million individuals involved.

(4) class counsel’s attorney’s fees and costs — $750,000 to class counsel (Edelson LLC, one of the few plaintiffs’ firms that has demonstrated a pattern of success in privacy and data security litigation).

(5) plaintiff’s incentive awards — $10,000 to be split evenly amongst the class representatives.

Perhaps the most valuable part of the settlement for those of us who advise clients about privacy and data security legal matters is the portion relating to what the defendant has agreed to do in the future, which reads a little like an FTC consent order:

(1) mandatory security awareness and training programs for all company employees;

(2) mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;

(3) upgrading of all company laptop computers with additional security mechanisms, including GPS tracking technology (this latter part seems a bit much, its usefulness is questionable, and it could lead to other privacy issues related to employee location tracking);

(4) new password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;

(5) physical security upgrades at company facilities and offices to further safeguard workstations from theft; and,

(6) the review and revision of written policies and procedures to enhance information security.

Lessons To Be Learned

Why are the prospective measures so important? They provide a roadmap for what companies should do to minimize the risk of similar litigation. They also make good business sense and are likely compatible with the expectations of a company’s consumers. They are safeguards all companies should consider. Had the two laptops in Resnick been encrypted, one has to wonder whether a lawsuit would have been filed at all.

Another lesson — what are you saying in your consumer-facing policies and notices about the security safeguards your company has adopted to protect consumer information?  Such statements, though useful and sometimes required, could expose your organization to the same unjust enrichment argument that the plaintiffs made in Resnick.

Finally, this is the second data breach lawsuit that has resulted in a substantial settlement for the plaintiffs and both were filed in the Southern District of Florida.  (The other was Burrows v. Purchasing Power, which I blogged about here, and resulted in a settlement of approximately $430,000).  The settlements are in sharp contrast to the vast majority of cases that have been dismissed for lack of standing and damages. It will be interesting to see what impact these recent settlements will have on future data security and privacy litigation.

10/26/13 UPDATE:  The Southern District of Florida wasted no time considering the unopposed motion seeking preliminary approval of the class action settlement.  On October 25th, just four days after the motion was filed, the court granted it and set the Final Approval Hearing for February 28, 2014.
