Published by Al Saikali

If you have noticed an increasing number of high-profile privacy and security problems for healthcare organizations these last few weeks, you’re not alone.  The issues have ranged from employee misuse of protected health information, web-based breaches, and photocopier breaches to the theft of computers that compromised millions of records containing unsecured protected health information (PHI).  These issues remind us that healthcare companies face significant risks in collecting, using, storing, and disposing of protected health information.

Pharmacy Hit With $1.4 Million Jury Verdict For Unlawful Disclosure of PHI

An Indiana jury recently awarded more than $1.4 million to an individual whose protected health information was allegedly disclosed unlawfully by a pharmacy.  The pharmacist, who was married to the plaintiff’s ex-boyfriend, allegedly looked up the plaintiff’s prescription history and shared it with the pharmacist’s husband and plaintiff’s ex-boyfriend.  The lawsuit alleged theories of negligent training and negligent supervision.  The pharmacy intends to appeal the judgment.

Health Insurer Fined $1.7 Million For Web-Based Database Breach

Meanwhile, the Department of Health and Human Services (HHS) recently fined a health insurer $1.7 million for engaging in conduct inconsistent with HIPAA’s privacy and security rules following a breach of protected health information belonging to more than 612,000 of its customers. The breach arose from an unsecured web-based database that allowed improper access to protected health information of its customers.

HHS’s investigation determined that the insurer:

(1) did not implement policies and procedures for authorizing access to electronic protected health information (ePHI) maintained in its web-based application database;

(2) did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security Rule;

(3) did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed; and,

(4) impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.

Health Plan Fined $1.2 Million For Photocopier Breach

In another example of privacy and security issues causing legal problems for a healthcare organization, HHS settled with a health plan for $1.2 million in a photocopier breach case.  The health plan was informed by CBS Evening News that CBS had purchased a photocopier previously leased by the health plan.  (Of all the companies to get the photocopier after the health plan, it had to be CBS News).  The copier’s hard drive contained protected health information belonging to approximately 345,000 individuals.  HHS fined the health plan for impermissibly disclosing the PHI of those individuals when it returned the photocopiers to the leasing agents without erasing the data contained on the copier hard drives.  HHS was also concerned that the health plan failed to include the existence of PHI on the photocopier hard drives as part of its analysis of risks and vulnerabilities required by HIPAA’s Security Rule, and it failed to implement policies and procedures when returning the photocopiers to its leasing agents.

I blogged about photocopier data security issues last year, after the Federal Trade Commission issued a guide for businesses on the topic of photocopier data security.  Another resource I recommend to my clients on the topic of media sanitization is a document prepared by the National Institute of Standards and Technology, issued last fall.

Medical Group Breach May Affect Up To Four Million Patients

Lastly, a medical group recently suffered what is believed to be the second-largest loss of unsecured protected health information reported to HHS since mandatory reporting began in September 2009.  The cause?  Four unencrypted desktop computers were stolen from the company’s administrative office.  The computers contained protected health information of more than 4 million patients.  As a result, the medical group is mapping all of its computer and software systems to identify where patient information is stored and ensuring it is secured.  The call center set up to handle inquiries following the notification of the patients is receiving approximately 2,000 calls each day.

The Takeaways

So what are five lessons companies should take away from these developments?

  • Having policies that govern the proper use and disclosure of PHI is a first step, but it is important that companies audit whether their employees are complying with these policies and discipline employees who don’t comply so that a message is sent to everyone in the company that non-compliance will not be tolerated.
  • As technology is upgraded or changed, it is important that companies continue to evaluate any potential new security risks associated with these changes.  An assumption should not be made that simply because the software is an “upgrade” the security risks remain the same.
  • There are hidden risks, such as photocopier hard drives.  Stay apprised of these potential risks, identify and assess them in your risk assessment (required by HIPAA), then implement administrative and technical safeguards to minimize these risks.  With respect to photocopiers, maybe this means ensuring that the hard drives are wiped clean or written over before they are returned to the leasing agent.
  • Encrypt sensitive information at rest and in motion where feasible, and to the extent it isn’t feasible, build in other technical safeguards to protect the information.
  • Train, train, train – having a fully informed legal department and management doesn’t do much good if employees don’t understand these risks and aren’t trained to avoid them. Do your employees know how seemingly simple and uneventful conduct like photocopying a medical record, leaving a laptop unaccompanied, clicking on a link in an email, or doing a favor to a friend who needs PHI about a loved one, can lead to very significant unintended consequences for your company (and, as a result, them)?  Train them in a way that brings these risks to life, update the training and require it annually, and audit that your employees are undertaking the training.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.


Legislation was introduced in the U.S. Senate late last week that, if passed, would create proactive and reactive requirements for companies that maintain personal information about U.S. citizens and residents.  The legislation, titled the “Data Security and Breach Notification Act of 2013” (S. 1193), creates two overarching obligations:  to secure personal information and to notify affected individuals if the information is breached.  The bill requires companies to take reasonable measures to protect and secure data in electronic form containing personal information.  If that information is breached, companies are required to notify affected individuals “as expeditiously as practicable and without unreasonable delay” if the company reasonably believes the breach caused or will cause identity theft or other actual financial harm.

A violation of the obligation to secure or to notify is considered an unfair or deceptive trade practice that may be investigated and pursued by the FTC.  Companies that violate the law could be fined up to $1,000,000 for violations arising out of the same related act or omission ($500,000 maximum for failing to secure the personal information and $500,000 maximum for failing to notify about the breach of the personal information).

The legislation defines personal information as social security numbers, driver’s license numbers, passport numbers, government identification, and financial account numbers or credit/debit card numbers together with their required PIN.  The bill includes a safe harbor for personal information that is encrypted, redacted, or otherwise secured in a way that renders it unusable.

Here are some other important provisions of the legislation:

  • There is no guidance as to what “reasonable measures” means under the obligation to secure personal information, which is problematic (although not very different from state data breach notification laws) because it provides no certainty as to when a company may face liability for failing to adopt certain security safeguards.
  • With respect to the duty to notify, the bill explicitly allows for a reasonable period of time after a breach for the breached entity to determine the scope of the breach and to identify individuals affected by the breach.
  • The legislation would preempt state data breach notification laws, but compliance with other federal laws that require breach notification (e.g., HIPAA/HITECH) is deemed to be compliance with this law.
  • The bill requires that breached entities notify the Secret Service or the FBI if a breach affects more than 10,000 individuals.
  • The bill also allows for a delay of notification if such notification would threaten national or homeland security, or if law enforcement determines that notification would interfere with a civil or criminal investigation.
  • There is no private cause of action for violating the legislation.  The bill is silent as to whether private causes of action based on common law or other statutory claims (e.g., negligence, state unfair trade practices claims, etc.) may be pursued, to the extent such causes of action are recognized.

There remains, however, a big question as to whether this legislation will ultimately become law.  Given the political climate in D.C. and the lack of success of similar federal legislation in the past, the outlook is bleak.  The ambiguity of the required proactive security measures and the lack of clarity as to whether private causes of action may be pursued for non-statutory violations also raise political problems for the legislation on both sides of the aisle.  Nevertheless, there is a growing climate of concern regarding privacy and security issues that may result in this legislation being included within a larger package of legislation on cybersecurity and data privacy.  It will be important to keep an eye on the status of this bill moving forward.


The phrase “cyber attack” elicits thoughts of a compromised information system, a crashed computer network, or inappropriate access to sensitive electronic information.  It doesn’t usually conjure up images of machinery catching fire and smoke pouring out of a factory.  Nevertheless, here is a video of an experimental cyber attack named Aurora, which was carried out against a generator in a manufacturing plant.


The experiment, which took place approximately five years ago, demonstrated potential vulnerabilities that could be used to attack much larger generators that produce the country’s electric power.  It is an interesting reminder of the impact that cyber attacks can have on critical infrastructure.

Until recently, individuals whose information was compromised as a result of a company suffering a data breach faced an uphill battle when suing the company in a class action lawsuit.  Far more often than not, Courts dismissed the lawsuits or entered summary judgment in favor of defendants on grounds that the plaintiffs could not establish a cognizable injury, preemption by breach notification statutes, or lack of evidence that the data breach (as opposed to some other act of identity theft) caused the plaintiff’s damages.  I’m still convinced that the pro-defendant environment remains the norm.  Nevertheless, four recent cases are being used to support the argument that the tide may be turning in favor of plaintiffs.

Burrows v. Purchasing Power, 12-cv-22800-UU (S.D. Fla.)

The most recent example is a proposed settlement in a class action lawsuit against Winn-Dixie and one of its service providers arising from a breach of personally identifiable information of Winn-Dixie grocery store employees.  The employees’ personally identifiable information was allegedly compromised when an employee of a company that provided an employee benefit program to Winn-Dixie employees misused his access to the PII and filed fraudulent tax returns with it.

Approximately 43,500 employees filed a class action lawsuit in the Southern District of Florida against Winn-Dixie and its employee benefits service provider.  The lawsuit includes counts of negligence, violation of Florida’s Deceptive and Unfair Trade Practices Act, and invasion of privacy.  Plaintiffs alleged that Defendants failed to adequately protect and secure the plaintiffs’ personally identifiable information, and that the defendants failed to provide the plaintiffs with prompt and sufficient notice of the breach.

The defendants’ attempts to defeat the plaintiffs’ lawsuit on the pleadings failed.  Winn-Dixie was subsequently voluntarily dismissed from the lawsuit and the case proceeded against the service provider, which ultimately entered into a proposed settlement with the plaintiffs, agreeing to pay approximately $430,000 ($225,000 towards a settlement fund, $200,000 in attorney’s fees and costs, and a $3,500 incentive award to the named plaintiff).  The settlement states that it was entered into “for the purpose of avoiding the burden, expense, risk, and uncertainty of continuing to litigate the Action, . . . and without any admission of any liability or wrongdoing whatsoever.”

The settlement requires the service provider to maintain rigorous security safeguards to minimize the risk of a similar incident in the future.  The settlement fund will be divided into four groups:  (1) a tax refund fraud fund (class members who show they were victims of tax refund fraud can be compensated for a portion of lost interest); (2) a tax preparer loss fund (class members can be compensated for fees paid to tax preparers for notifying the IRS of a tax fraud claim or assisting in resolving issues arising from the tax refund fraud, not to exceed $100); (3) a credit card fraud fund (class members who show they were victims of identity theft other than tax refund fraud that resulted in fraudulent credit card charges that the credit card company did not waive, up to $500); and (4) a credit monitoring fund (class members who receive compensation in any of the previous three groups may receive credit monitoring services for one year).  To “prove” they were victims of fraud, plaintiffs must prepare a statement under penalty of perjury regarding the facts and circumstances of their stolen identity.

The settlement was preliminarily approved by the court on April 12, 2013, and a fairness hearing is scheduled for October 4, 2013.  The amount of money being paid to plaintiffs and their lawyers in this case should give corporate counsel monitoring these lawsuits pause for concern.  The District Court’s order allowing the case to proceed beyond the pleadings phase will likely be used as an instruction manual for plaintiffs in future data breach cases.

Resnick v. AvMed, Inc., 1:10-cv-24513-JLK (S.D. Fla.)

I previously blogged about the Eleventh U.S. Circuit Court of Appeals’ opinion that allowed a data breach class action to proceed where the plaintiffs claimed they were victims of identity theft arising from the theft of a laptop computer containing their personal information.  I encourage corporate counsel to read that post to learn more about the factors the Eleventh Circuit looked to in allowing that case to proceed beyond the pleadings phase.  That lawsuit remains pending in the U.S. District Court for the Southern District of Florida.

Harris v. comScore, Inc., No. 11-C-5807 (N.D. Ill. Apr. 2, 2013)

Another recent legal development considered by many to be favorable to plaintiffs was a decision by the federal district court in Chicago certifying a class of possibly more than one million people who claim that the online data research company comScore, Inc. collected personal information from the individuals’ computers and sold it to media outlets without consent.  Although the lawsuit did not arise from a data breach, some of the arguments regarding lack of injury and whether class certification is appropriate are the same.  The plaintiffs allege violations of several federal statutes, including the Electronic Communications Privacy Act and the Stored Communications Act.  The court rejected comScore’s arguments challenging class certification, including its argument that the issue of whether each plaintiff suffered damages from comScore’s actions precludes certification.  The lawsuit remains pending.

Tyler v. Michaels Stores Inc., SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013)

The Massachusetts Supreme Judicial Court broadened the definition of the term “personal information” to include ZIP codes.  The court held that because retailers can use ZIP codes to find other personal information, retailers were prohibited by Massachusetts law (the Song-Beverly Credit Card Act) from collecting ZIP codes.  The court also ruled that the plaintiffs did not have to prove identity theft to recover under the statute.  They could instead rely on the fact that they received unwanted marketing materials and that their data was sold to a third party.  The fact that plaintiffs can proceed with their lawsuit without having to show that their information was actually compromised will undoubtedly be used by plaintiffs in data breach litigation to argue that the threshold for injury in such cases is lower than in other cases.

What’s the Takeaway?

What should corporate counsel take from these cases? It is still too early to tell if these cases are outliers or if they mark a new trend in favor of plaintiffs in privacy and data breach cases that will embolden the plaintiffs’ bar.  The most important takeaway for corporate counsel at this stage is that they must, at a minimum, monitor the litigation risks associated with data breaches and other privacy violations so they can advise their companies about these risks, which can in turn consider these risks when building security and privacy into various products and services.


The following Data Security Law Journal post was authored by Becky Schwartz, my law partner at Shook Hardy & Bacon.  Becky is an experienced class action litigator who has developed a specialty in privacy litigation.  In this post, Becky discusses a recent U.S. Supreme Court decision that may make it more difficult for consumers to sue companies that suffer data breaches.  Special thanks to Becky for writing about this recent development in the law:

On February 26, 2013, the United States Supreme Court in Clapper v. Amnesty International confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation.  The decision effectively resolves a circuit split over the application of the Article III standing requirement in data breach cases.  Plaintiffs must show that the threatened harm that establishes their standing to sue is “certainly impending,” not merely “possible.”  Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.

The Decision

Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. §1881a.  FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (“FISC”).  Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and to obtain a prospective injunction against the surveillance on the grounds that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely targets of the federal government.

Under the well-established Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of.  The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing.  The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.

In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing.  First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under §1881a at some point in the future, thus satisfying the imminent injury requirement.  Second, they claimed that in order to avoid having their confidential communications compromised by surveillance that might occur under §1881a, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person, in order to avoid that surveillance.

The Supreme Court rejected both arguments.  First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.”  It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party (in that case FISC) – actions that could not be predicted.  The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”

Plaintiffs’ second argument was equally ill-fated.  The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.”  Were it to do so, it noted, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

Justice Alito wrote for the majority in this 5-4 decision.

Key Takeaways

Notwithstanding its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs purport to have standing based solely on an increased risk of future harm.

Companies facing data breach litigation can and should consider moving to dismiss the complaint on the grounds that plaintiffs lack Article III standing, and may rely on Clapper to argue that:

  • The mere possibility that a third party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
  • The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a security breach;
  • Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali or Rebecca Schwartz and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Rebecca Schwartz, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Late last week, another Federal District Court (the Southern District of Florida) weighed in on the circumstances under which a plaintiff may sue a breached entity civilly for damages when the plaintiff’s personally identifiable information (PII) is inappropriately accessed or acquired.  The Court allowed the case to proceed with counts for violation of Florida’s Unfair and Deceptive Trade Practices Act and negligence (assuming Plaintiff can clarify the damages he is seeking).

In Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), the court denied a motion to dismiss a class action lawsuit arising from a data breach.  According to the allegations of the lawsuit, Defendant Winn-Dixie shared Plaintiff’s PII (without his consent) with Defendant Purchasing Power, to help Purchasing Power implement a program that allowed Winn-Dixie’s employees to purchase merchandise via automatic payroll deductions.  In January 2012, Winn-Dixie notified Plaintiff that a Purchasing Power employee had inappropriately accessed Winn-Dixie employees’ PII.  Plaintiff alleges that Winn-Dixie and Purchasing Power knew of this access three months earlier.  Plaintiff claims that his PII was used to file a fraudulent federal income tax return on his behalf, causing him to incur credit monitoring costs to protect against identity theft and continued exposure to damages from people stealing his identity because his PII has been accessed.

Defendants moved to dismiss the lawsuit on several grounds, which are discussed in turn below:

I. Standing

The Court held that Plaintiff had standing to proceed.  Defendants argued that Plaintiff lacked standing because he has not suffered an injury in fact and because his injury is not “fairly traceable” to Defendants.  The Court rejected this argument, citing to the Eleventh U.S. Circuit Court’s recent decision in Resnick v. AvMed as support for the proposition that the alleged misuse of an individual’s PII amounts to an injury in fact.  The Southern District Court determined that Plaintiff suffered a monetary loss when he failed to obtain his tax refund due to fraud.  Defendants argued that Plaintiff’s injury was speculative because Plaintiff has not yet even challenged the denial of his tax refund with the IRS.  The Court rejected the argument, ruling that the allegation of actual identity theft alone gave Plaintiff standing independent of any economic damages he claimed to have suffered.  The Court also ruled that Plaintiff’s injury was “fairly traceable” to Defendants’ actions, in part relying on the allegation that Plaintiff’s PII was used within months of the breach.

II. Negligence (Count I)

The Court dismissed Plaintiff’s negligence count without prejudice, ostensibly to clarify some of the damages Plaintiff is seeking.  Plaintiff alleged that Defendants were negligent in storing his personal data, causing him to suffer monetary loss for the use of his PII and identity theft, loss of privacy, lost monetary value of his PII, and out-of-pocket expenses.  The Court held that Plaintiff “sufficiently alleged facts to support his claims for damages resulting from the monetary loss from the use of this PII and identity theft.”  The Court did not, however, allow Plaintiff to recover damages for the “monetary value of his PII” (perhaps in contrast to the RockYou decision, the Court held that “[p]ersonal data does not have an apparent monetary value that fluctuates like the price of goods or services”).  The Court also required Plaintiff to clarify what “other economic damages” he suffered.  Finally, the Court rejected Plaintiff’s damages for loss of privacy because invasion of privacy is an intentional tort that cannot be pleaded as part of a negligence claim.

III. Violation of the Federal Stored Communications Act (FSCA) (Count II)

The Court dismissed the FSCA count with prejudice.  Plaintiff claimed that Defendants violated the FSCA, which makes it unlawful for an entity providing an electronic communications service or a remote computing service to the public to knowingly divulge to any person or entity the contents of any communication that is carried or maintained on that service.  Defendants argued successfully that the count should be dismissed because they do not provide an electronic communications service or a remote computing service.

IV. Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) (Count III)

The Court denied Defendants’ motion to dismiss Plaintiff’s FDUTPA claim.  Plaintiff alleged that Defendants violated FDUTPA by:  (1) failing to properly implement adequate, commercially reasonable security measures to protect Plaintiff’s PII; (2) failing to immediately notify Plaintiff of the nature and extent of the data breach; and (3) representing their services to be of a particular standard and quality to which they failed to adhere.

The Court held that Defendants’ alleged failure to adequately secure his PII was an unfair practice under FDUTPA because Winn-Dixie allegedly transferred to Purchasing Power the personal data of Winn-Dixie’s employees regardless of whether those employees had participated in the Purchasing Power program.

On Plaintiff’s second theory—Defendants’ alleged failure to immediately notify Plaintiff of the breach—the Court again agreed with Plaintiff that this was unfair.  The Court stated that by not “immediately” notifying Plaintiff that his PII had been compromised, Defendants did not afford Plaintiff the chance to take remedial measures such as credit monitoring or filing his federal tax return earlier.  As I read this portion of the opinion, I question whether the Court’s use of the term “immediately” unintentionally creates an obligation to notify affected individuals of a breach sooner than the “without unreasonable delay” standard currently set forth in section 817.5681(1)(a), Florida Statutes (2012) (Florida’s data breach notification law).

The Court did not appear to address Plaintiff’s third theory of FDUTPA violation—Defendants’ representation that their services were of a particular standard and quality that they failed to meet.

V.        Invasion of Right to Privacy (Count IV)

The Court dismissed Plaintiff’s count for invasion of right to privacy.  Plaintiff had relied on Florida’s constitutional right to privacy, which the Court dismissed with prejudice as Defendants were not acting on behalf of the government.  Plaintiff also relied on the common law right to privacy, which the Court also dismissed (though without prejudice) because any release of Plaintiff’s PII was not intentional.

Plaintiff must file an Amended Complaint no later than October 26th.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Last week, the United States Court of Appeals for the Eleventh Circuit decided Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sep. 5, 2012).  The Court’s opinion addresses some important issues regarding an individual’s right to bring a private lawsuit when her personally identifiable information or protected health information is compromised.  In its decision, the Court reversed the dismissal of all but two counts in a class action lawsuit that arose from a data breach suffered by an integrated managed care organization.

Background

AvMed, Inc., an integrated managed care organization, was the victim of a theft.  Two of AvMed’s unencrypted laptops containing PHI and PII for approximately 1.2 million current and former AvMed members (Plaintiffs) were stolen.  Plaintiffs alleged that an unknown third party used their information for fraudulent purposes 10 to 14 months after the theft.

The operative complaint alleged the following causes of action:  negligence, breach of implied and express contracts, unjust enrichment, negligence per se, breach of fiduciary duty, and breach of implied covenant of good faith and fair dealing.

The Southern District of Florida dismissed the lawsuit, in part because the complaint failed to allege cognizable injury.  The Eleventh Circuit has now reversed the trial court’s dismissal on all but two counts, holding that Plaintiffs had standing, alleged a cognizable injury, and adequately alleged causation.

Standing

The Court first addressed the issue of whether Plaintiffs had standing.  The Court held that Plaintiffs alleged all three elements necessary to meet the standing requirement:

  • Plaintiffs suffered an injury in fact – they were victims of identity theft and suffered monetary damages
  • Plaintiffs’ injuries were “fairly traceable to AvMed’s actions” – Plaintiffs had personal habits of securing their sensitive information yet became the victims of identity theft after the laptops containing their PHI were stolen
  • A favorable resolution of the case in Plaintiffs’ favor could redress their injuries – compensatory damages would redress their injuries.

Cognizable Injury

The Court next dealt with the issue of whether Plaintiffs suffered a cognizable injury. Plaintiffs alleged the following damages: money spent placing alerts with various credit reporting companies, money spent contesting fraudulent charges, money spent purchasing credit monitoring services, lost wages for missing work while filling out police reports, travel related costs, cell phone minutes, postage, and overdrawn amounts in their bank accounts.  The Court held that Plaintiffs’ allegations of monetary loss and financial injury were cognizable injuries under Florida law, though the Court did not address the validity of each one of these damages elements separately.

Causation

The Court then addressed causation – whether Plaintiffs had alleged sufficient facts showing that the theft of the AvMed computers caused Plaintiffs’ injuries.  The Court held that Plaintiffs’ allegations were sufficient to show that causation was “plausible”.  Specifically, the Court relied on three allegations:  (1) before the breach, Plaintiffs never had their identities stolen or sensitive information compromised; (2) before the breach, Plaintiffs took substantial precautions to protect themselves from identity theft; and, (3) Plaintiffs became the victims of identity theft for the first time in their lives 10 to 14 months after the laptops containing the PHI were stolen.

A key fact for the Eleventh Circuit was that the sensitive information on the stolen laptops was the same sensitive information used to steal Plaintiffs’ identity.

With respect to unjust enrichment (the one count that did not require causation), Plaintiffs alleged that a portion of Plaintiffs’ monthly premiums went towards AvMed’s data security administrative costs, and AvMed should not be permitted to retain that money because AvMed failed to implement proper security measures.  The Court allowed this count to proceed.

The Dismissed Counts

The Eleventh Circuit did, however, affirm the dismissal of Plaintiffs’ negligence per se and breach of the covenant of good faith and fair dealing counts.  The negligence per se count was based on an allegation that AvMed violated Section 395.3025, Florida Statutes, by disclosing Plaintiffs’ health information without authorization.  The Court held that because AvMed is a managed-care organization and not a hospital, ambulatory surgical center, or mobile surgical facility, it was not subject to the statute.  The Court affirmed dismissal of the breach of covenant of good faith and fair dealing count because any failure by AvMed to secure Plaintiffs’ data did not result from a “conscious and deliberate act” on AvMed’s part.

The Dissent

The opinion included a vigorous dissent that argued Plaintiffs had failed to allege a plausible basis for finding that AvMed caused Plaintiffs to suffer identity theft.  The dissenting judge observed that an obvious alternative explanation for the identity fraud existed – an unscrupulous third party that possessed the Plaintiffs’ sensitive information might have sold it to identity thieves who opened the fraudulent accounts, or a careless third party might have lost the information that then found its way into the hands of those thieves.

What Are The Takeaways?

First, it is important to note that as of the date of this alert, the opinion is not yet final.  That said, the opinion in its current form could lead to a dramatic uptick in data security litigation within the Eleventh Circuit, as plaintiffs will likely use the opinion to argue that the bar for causation in such cases is low and cognizable damages can be extensive (and arguably speculative).

Companies maintaining personally identifiable information and protected health information about residents in the Southeast United States would be well served to ensure that they are taking proactive steps to implement reasonable data security measures in an effort to avoid a data breach.  In this instance, for example, encryption of the subject laptops might have prevented the subject lawsuits.

 


Well THAT didn’t take long!  Less than 10 days after LinkedIn announced that it suffered a data breach of approximately 6.5 million user passwords, a class action lawsuit was filed against it in California federal court seeking in excess of $5 million.  The lawsuit alleges that, contrary to its Privacy Policy, LinkedIn failed to comply with long-standing industry standard encryption protocols, thereby jeopardizing its users’ personal information.  Specifically, the plaintiffs contend that LinkedIn failed to “salt” its users’ passwords and store them in hashed format.  Salting is the process of adding a random value, unique to each user, to a password before it is hashed, so that two users with the same password produce different stored values and an attacker cannot crack every account at once with a single precomputed table.  Hashing is a one-way computation that turns the password into a fixed-length digest from which the password cannot be directly recovered; it is not encryption, because there is no key that reverses it, and a fast unsalted hash can still be defeated by guessing candidate passwords and comparing digests.  The plaintiffs also claim that LinkedIn should have stored the passwords on a separate, secure server, apart from all other user information.
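To make the salting and hashing point concrete, the following is an added example written for this page; it is not code from LinkedIn or from the complaint, and the accounts, passwords and wordlist are constructed.  The “before” scheme (a single unsalted SHA-1, assumed here for illustration) lets one precomputed table crack every account that shares a password; the “after” scheme uses a per-user random salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256, with an assumed work factor), so each guess must be re-derived per account and identical passwords no longer produce identical stored values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample accounts (not LinkedIn data).  Two of them share a
# password, which is exactly the situation an unsalted hash fails to hide.
SAMPLE_PASSWORDS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery",
}

# Constructed stand-in for a cracker's dictionary of common passwords.
WORDLIST = ["password", "123456", "linkedin", "Summer2012!", "letmein"]


def unsalted_hash(password: str) -> str:
    """The 'before' case assumed here: one fast, unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table cracks every account at once.

    Returns (cracked accounts, hash evaluations spent).  Cost is proportional
    to the wordlist, not to users x wordlist, and the table is reusable
    against any site that stores passwords the same way.
    """
    words = list(wordlist)
    table = {unsalted_hash(w): w for w in words}
    found = {user: table[digest] for user, digest in stored.items() if digest in table}
    return found, len(words)


DEFAULT_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    The record carries algorithm, iteration count and salt, so it can be
    verified later and the work factor raised per user over time.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, derived_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def crack_salted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With salts there is no shared table: every guess is re-derived per account.

    Returns (cracked accounts, KDF evaluations spent); each evaluation is also
    deliberately slow because of the iteration count.
    """
    words = list(wordlist)
    found: Dict[str, str] = {}
    calls = 0
    for user, record in stored.items():
        for guess in words:
            calls += 1
            if verify_password(guess, record):
                found[user] = guess
                break
    return found, calls


if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted: cracked, calls =", crack_unsalted(weak, WORDLIST))
    strong = {u: hash_password(p, iterations=5_000) for u, p in SAMPLE_PASSWORDS.items()}
    print("salted:   cracked, calls =", crack_salted(strong, WORDLIST))
```

With the sample data, both schemes give up the two accounts that chose a dictionary word, but the unsalted table does it in five hash evaluations for the whole user base, while the salted scheme needs a separate run per account (thirteen evaluations here, each one 5,000 PBKDF2 rounds); at 6.5 million accounts and a real wordlist that multiplier is what makes the difference between an overnight job and an infeasible one.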

Who are the plaintiffs?  The plaintiffs are two classes – (1) all individuals and entities in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) everyone in the previous class who paid a monthly fee for an upgraded account.

What is the essence of the plaintiffs’ allegations?  The plaintiffs claim that LinkedIn’s data breach was a result of an “SQL injection”, a technique in which attacker-supplied input submitted through a web form (or any other request parameter) is incorporated into a database query in a way that changes the query’s structure, letting the attacker read or alter data the application never meant to expose.  The plaintiffs imply that it would have been easy for LinkedIn to adopt security measures that would have avoided SQL injection vulnerabilities.  Perhaps hoping that their class action complaint will gain the attention of the FTC, the plaintiffs draw a comparison to an FTC action against a different company for claiming to secure customer data while remaining vulnerable to SQL injection attacks.
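The mechanism the plaintiffs describe, as an added example written for this page rather than anything taken from LinkedIn’s code or the complaint (the post reports only the plaintiffs’ allegation, not a confirmed cause).  The table, rows and attacker input are constructed; the vulnerable lookup pastes the form value into the SQL text, and the fixed one binds it as a parameter so the driver treats it as data rather than as part of the query.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory member table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "email TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO members (name, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hash-of-alice"),
            ("bob", "bob@example.com", "hash-of-bob"),
            ("carol", "carol@example.com", "hash-of-carol"),
        ],
    )
    conn.commit()
    return conn


def find_member_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Vulnerable: the form value is interpolated into the SQL text.

    A single quote in the input ends the string literal, and whatever follows
    is parsed as SQL, so the WHERE clause can be rewritten by the requester.
    """
    sql = f"SELECT name, email, pw_hash FROM members WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_member_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Fixed: a bound parameter is sent separately from the query text.

    The statement's structure is fixed when it is parsed; the input can only
    ever be compared against the name column, quotes and all.
    """
    return conn.execute(
        "SELECT name, email, pw_hash FROM members WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the literal and appends a tautology, so
# the vulnerable query becomes  ... WHERE name = 'nobody' OR '1'='1'
INJECTION = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, honest input:", find_member_vulnerable(db, "alice"))
    print("vulnerable, injected    :", find_member_vulnerable(db, INJECTION))
    print("safe, injected          :", find_member_safe(db, INJECTION))
```

Against the sample table the injected input makes the vulnerable lookup return every row, password hashes included, which is the shape of the dump the plaintiffs allege; the parameterized version returns nothing for the same input because no member is literally named `nobody' OR '1'='1`.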

What are the legal causes of action?  The lawsuit is based on several different causes of action:

  • Violation of California’s Unfair Competition Law – that LinkedIn failed to expend the resources necessary to protect its users’ data and created a perception that it followed industry standard protocols for security when in fact it did not.
  • Violation of California’s Consumers Legal Remedies Act – that LinkedIn deceptively induced the plaintiffs to register with LinkedIn based upon deceptive and misleading representations that it would take reasonable steps to safeguard its users’ sensitive personal information.
  • Breach of Contract (all-users class) – that LinkedIn failed to comply with the portion of its User Agreement and Privacy Policy in which it promised to protect its users’ personal information by implementing industry standard protocols and technology.
  • Breach of Contract (premium users class) – same allegation of the previous breach of contract claim, but here the plaintiffs paid actual money for upgraded services.
  • Breach of Implied Covenant of Good Faith and Fair Dealing – that LinkedIn breached the implied covenant of good faith and fair dealing by failing to safeguard and secure sensitive personal information from unauthorized access and theft.  Instinctually I wonder how this count can stand when it is precisely the same as the breach of express contract count, but again, I’m sure this is something the parties will litigate.
  • Breach of Implied Contract – that pursuant to implied contracts with Plaintiffs, LinkedIn was obligated to take commercially reasonable steps to secure and safeguard the plaintiffs’ information.
  • Negligence – that LinkedIn had a duty to exercise reasonable care to secure the plaintiffs’ information and to use industry standard protocols and technology to do so, but it failed to do that.
  • Negligence per se – that LinkedIn’s violation of California’s Unfair Competition Law (see first count) is automatically negligence.

So what are the class members’ damages?  The plaintiffs contend that they paid for LinkedIn’s services with actual dollars (in the case of premium services) and with their personal information (first name, last name, email address, and password).  Remember, the plaintiffs are divided into two classes.  With respect to the first class (all LinkedIn users), those plaintiffs claim to “have lost money and/or property”, but their specific explanation of money lost is “money in the form of the value of their personal data.”  (I’m skeptical that such damages will be cognizable with the court, as money is money, not personal data, but this is not totally out of left field, as the RockYou decision demonstrates).  Their lost property is “in the form of their breached personal data.”   With respect to the second class (premium members), those plaintiffs claim to have lost money in the form of monthly membership fees.

In sum, damages, standing, and the proper causes of action are all interesting issues that the court is sure to address at some point, depending on how long this litigation proceeds.  No matter how the litigation proceeds, however, it is yet another example of consumers and their lawyers rushing to the courthouse to file lawsuits soon after a high-profile data breach.  It will be interesting to see how this one unfolds . . . .


The title of this blog entry is somewhat of a misnomer because there is no single national data breach notification law that governs all information the same way as the state data breach notification laws do.  So, for the time being, companies and consumers are forced to determine which state data breach notification laws apply to them and what the differences are between them.  Nevertheless, there are federal laws that require disclosure of data breaches in certain instances, and usually these laws are “industry specific.”

Examples of federal laws that require data breach notification are two laws governing the health care industry – the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).  Together, these laws require “covered entities” and many of their service providers (“business associates”) to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of “protected health information” (commonly referred to as “PHI”).  A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA-covered transaction.

If there is a breach, the covered entity must notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered, and must also report the breach to the Secretary of HHS (within the same 60-day window for breaches affecting 500 or more individuals; smaller breaches may be logged and reported annually).  (The law also requires notification to prominent media outlets in cases where the breach affects more than 500 residents of a state or jurisdiction).  Notice may be delayed if law enforcement states that it would impede a criminal investigation.  Whether there is a breach that triggers the duty to notify depends on whether, with some exceptions, there was an impermissible use or disclosure that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.  The notice must state what occurred, what type of information was accessed by the breach, what steps individuals should take in response, what is being done to investigate, mitigate, and protect against further harm, and contact information should be provided.  HITECH extends these obligations to the covered entity’s business associates (its vendors and service providers that handle PHI), which must notify the covered entity of a breach so that the covered entity can in turn notify the affected individuals.

Another example of a federal data breach notification requirement is found within the Gramm-Leach-Bliley Act (GLB), which governs companies engaged in financial services.  Under GLB, when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct an investigation to determine the likelihood that the information has been or will be misused.  If there is a determination that the misuse has occurred or is reasonably possible, the institution must notify the affected customer as soon as possible, save a law enforcement determination that notification will interfere with a criminal investigation.

Sometimes a company’s duty to disclose may be required by a government agency.  For example, publicly traded companies need to be aware of the October 13, 2011, SEC Disclosure Guidance:  Topic No. 2.  Although the guidance is not the law but rather an agency’s interpretation of existing disclosure obligations, it states that publicly traded companies should disclose material cybersecurity risks and cyber incidents in their SEC filings.  The company must determine whether a reasonable investor would consider information about the incident important to an investment decision.  In making this determination, a company should consider several factors, set forth in the guidance, in determining whether to make the disclosure.  The guidance also states what information should be in the disclosure.

These examples and the descriptions of them are admittedly very superficial and are not meant to capture the entire universe of federal laws requiring data breach notification.  The point of this post is that there is no uniform federal data breach notification law.  Data breach notification requirements at the federal level arise from a variety of laws and other legal authority.  As a result, a company that believes it may have suffered a data breach must consult the laws of any state where any of its customers reside, a variety of federal legal sources that regulate the company’s industry, and—as will be explained in an upcoming post—international law. If your company has customers overseas, it will need to be aware of data breach notification requirements abroad.  The next part of this series on data breach notification laws will focus on Europe as a case study of how data breaches notifications are addressed in other countries.

 


In 2005, a company called ChoicePoint, which collected personal and financial information for millions of consumers, was the victim of a security breach.  Criminals stole from ChoicePoint personal information for more than 145,000 individuals.  The floodgates opened and a variety of other corporations and organizations revealed similar data breaches that had resulted in unauthorized access to the personal information of 52 million individuals.

California had already enacted the first data breach notification law (SB 1386) in 2002, effective in 2003, and it was that statute that prompted ChoicePoint’s initial notifications to affected Californians; the publicity that followed led other states to enact data breach notification laws, and California’s law has been the model for such laws all over the country.  See Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82.  In fact, the only states that do not currently have data breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

This blog post discusses how these data breach notification laws operate generally, keeping in mind that there are some differences from state to state.  The most important issues are who/what is protected by the laws, when is a data breach considered to have occurred so that the law is triggered, when should notification take place and what must the notice contain, and what are the penalties for failure to comply with the laws.

What/who is protected by data breach notification laws?  The laws protect the “personal information” of a state’s residents.  Personal information is usually defined as a person’s name in combination with some other private information such as a social security number, driver’s license number, account/credit card number, medical information, or health insurance information.  Some states have expanded the definition to include biometric data, fingerprints, retina images, and DNA profiles.  Personal information does not include publicly available information such as publicly available property information or criminal records.  The laws apply to any person or business that conducts business in the state where the law exists, including businesses not located in the state that are collecting information about the state’s residents, and any state agency that owns or licenses personal information.

When are the data breach notification laws triggered?  Data breach laws typically apply when there is an unauthorized acquisition of computerized data.  That includes a wide range of activity, from the intentional (hacking, theft, and corporate espionage, for example) to the negligent (losing a hard drive containing private customer information, or misdirecting electronic information).  Most data breach notification laws, however, do not apply to data that is encrypted (though the statutes generally do not specify the strength of encryption required or whether it is required at rest and/or in transit, and some condition the exemption on the encryption key not also having been acquired), and sometimes the laws do not apply if the information is redacted.

When should notification of the data breach take place?  Once a company has determined that it was a victim of a data breach, it must usually provide notice of the breach to those individuals whose data has been accessed in an unauthorized manner.  Some states provide a specific deadline for when notice must take place, but many states simply require that disclosure take place within “the most expedient time possible and without unreasonable delay.”  An organization’s disclosure can usually be delayed if it would impede an ongoing criminal investigation.  In some states, notice is not required if, after an independent investigation or consultation with law enforcement, there is a determination that the breach did not result in harm to consumers.  In certain states there is a requirement for service providers who suffer data breaches to notify the companies that hired them of the breach.

What must be in the notice?  If a determination is made that notice must be provided, then the data breach notification laws usually provide how that notice must be provided (i.e., what information should be in the notice).  The notice should be clear, and as easy to understand as possible.  The notice should explain what information was accessed and it may need to include a credit reporting agency’s telephone number.  Many states require that notice of the breach also be provided to the state Attorney(s) General.

What are the penalties for failure to comply?  If an organization does not comply with the requirements of a data breach notification statute it can be subject to significant administrative penalties of thousands of dollars per day after the disclosure deadline.  Additionally, many states have created a private cause of action (i.e., you can be sued) for not following the data breach notification requirements.

In short, it is important, once an organization suspects that it might be the victim of a data breach, to immediately engage legal counsel to assist in determining whether the breach requires disclosure and, if so, how and when the disclosure should take place.  It should be evident from the above information that the data breach notification laws vary from state to state, so any disclosure notice should be tailored with all relevant state and federal data breach notification laws in mind.  The fact that there are so many different data breach notification statutes is a compelling reason why Congress should step in and pass legislation that makes the data breach notification requirements more uniform.  Congress previously considered such legislation, but it did not become law.

Speaking of federal data breach notification laws, in addition to the state laws governing data breach notifications, there are also federal and international laws that govern data breaches.  Those laws impose even more notification requirements.  They will be discussed in the next post.  Stay tuned.

 
