Published by Al Saikali

The Illinois Supreme Court’s decision last week in Rosenbach v. Six Flags may have closed the first of what will be several chapters in class action litigation arising from the Illinois Biometric Information Privacy Act (BIPA).  The court addressed the very narrow issue of what it means for a person to be “aggrieved” under BIPA.  Ultimately, the court held that a violation of the notice, consent, disclosure, or other requirements of BIPA alone, without proof of actual harm, is sufficient for a person to be considered “aggrieved” by a violation of the law.

There are several important issues, however, that were not before the court and remain to be litigated.  One of those issues is implied notice and consent.  Defendants will argue that the plaintiffs who checked in/out at work using fingerscan timekeeping systems (which is the fact pattern in almost all of the nearly 200 class action lawsuits filed in state court) knew that the fingerscans were being collected and used by their employers for timekeeping purposes, and that they voluntarily provided that information.

Federal courts have dismissed such lawsuits, reasoning that plaintiffs effectively received notice and gave consent.  In Howe v. Speedway LLC, for example, the court in a fingerscan timekeeping case held that the plaintiff’s “fingerprints were collected in circumstances under which any reasonable person should have known that his biometric data was being collected.”  Similarly, in Santana v. Take-Two Interactive Software, Inc., the U.S. Court of Appeals for the Second Circuit held that plaintiffs essentially received the notice and consent contemplated by BIPA because “the plaintiffs, at the very least, understood that Take-Two had to collect data based upon their faces in order to create the personalized basketball avatars, and that a derivative of the data would be stored in the resulting digital faces of those avatars so long as those avatars existed.”  In dismissing for lack of standing, the McGinnis court reasoned that the plaintiff “knew his fingerprints were being collected because he scanned them in every time he clocked in or out of work.”

Another significant defense is constitutional standing.  Federal courts have recently dismissed BIPA lawsuits on the ground that they do not meet Article III standing requirements.  Defendants in state court will argue that Illinois constitutional standing (which Illinois state courts have held should be similar to federal law) requires a level of harm that, at a minimum, should be what Article III of the U.S. Constitution requires. To hold otherwise would lead to a different result for a party based entirely on whether the lawsuit is filed in federal or state court.

Defendants will argue that most of the claims are barred by the one-year statute of limitations that applies to claims involving the right of privacy.  Assuming that the one-year statute of limitations is applied, the classes of affected individuals will shrink considerably.

Defendants will also contend that the information collected/stored by the timekeeping devices is not considered biometric information under BIPA.  There is no library of fingerprints stored by these timekeeping devices.  Instead, the devices measure minutiae points and convert those measurements into mathematical representations using a proprietary formula that cannot be used to create a fingerprint.  More security is layered on top of that — the mathematical representation is encrypted.  For these reasons, no plaintiff in any of these biometric cases has been able to point to a single data breach involving biometric information.  The technology is essentially tokenization (similar to Apple Pay), where if a hacker were to access the actual device, he’d find nothing there to steal because the valuable thing (the credit card number or, in this case, fingerprint) is not stored on the device but is instead replaced by a numerical representation.

Plaintiffs will also have to prove that the defendants didn’t just violate BIPA, but did so negligently or intentionally.  This is not an easy standard to meet, especially if the trier of fact determines that these are “gotcha” lawsuits, meant to catch companies off-guard about a little known and rarely used state law.

Assuming the plaintiffs jump all these hurdles, they must still demonstrate that these cases are appropriate for class certification. The cases involve different facts regarding whether individual plaintiffs received notice, whether they gave consent, whether they used the fingerscan method of authentication or another method like PIN number or RFID card, whether they enrolled in Illinois, and whether their claim involves a violation of BIPA beyond collection or storage. Given these differences between plaintiffs, it will be difficult for them to meet the commonality and fairness requirements for class certification.

To be sure, some Defendants will face their own challenges.  A line of cases has held that where companies used their time-clock provider’s cloud service to store or back up timekeeping information from the clock, they may be in violation of BIPA’s prohibition against disclosure of biometric identifiers to a third party.  But at least one court has disagreed with that logic, stating that not all disclosures to a third party automatically present a concrete injury, and whether the third party has strong protocols and practices in place to protect data is relevant to the inquiry.

Defendants need only win one of these (or several other) defenses.  Plaintiffs must win them all.  In the meantime, plaintiffs must hope that the Illinois legislature does not notice that hundreds of BIPA lawsuits are flooding the Illinois state court system creating potentially crippling liability for companies that tried to adopt more secure methods of authentication, which could lead to an amendment that would make the law more consistent with its original intent. 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

On Friday afternoon an Illinois intermediate appellate court decided that the bar for a plaintiff bringing a class action lawsuit under the Illinois Biometric Information Privacy Act (BIPA) is low, creating a conflict with its sister intermediate appellate court. The Illinois Supreme Court is expected to resolve the conflict early next year. How the court resolves the conflict will significantly impact companies doing business in Illinois.

Background

BIPA requires companies to provide notice and obtain consent from Illinois residents before collecting their biometric information. It also limits what companies can do with biometric information and requires the adoption of certain security safeguards. Any person “aggrieved by a violation” of the law may sue for actual damages or statutory damages ranging from $1,000 to $5,000 per violation. You can learn more about BIPA from my earlier blog post.

Beginning in the fall of 2017, Illinois businesses of all sizes were hit with “gotcha” class action lawsuits brought by former employees looking for reasons to sue their former employers. Those companies used timekeeping systems that required employees to scan their fingers to punch in and out of work. Ironically, the timekeeping systems improved security by reducing fraud and strengthening authentication. Nevertheless, many companies were not aware of BIPA or the possibility that it might apply to their timekeeping systems. The plaintiffs’ bar was quick to pounce. Over 150 class actions were filed by former employees claiming that they did not receive BIPA’s requisite notice and consent (despite the fact that the employees voluntarily placed their fingers on these devices every day). The lawsuits in aggregate seek tens of millions of dollars from companies doing business in Illinois.

Requisite Harm for a Private Cause of Action

A key question in the BIPA litigation is what it means to be “aggrieved by a violation.” Is it enough that an employee doesn’t receive notice and consent, or must they show that they suffered some actual harm (e.g., financial loss or identity theft) as a result of the violation, as would be necessary in a typical data breach lawsuit?

In December of 2017, the Illinois Appellate Court (Second District) in Rosenbach v. Six Flags Entertainment Corp. held that a person aggrieved must allege some actual injury, adverse effect, or harm. The outcome makes sense because BIPA does not say that the data subject can sue “for a violation.” It requires two things: a violation of BIPA and that someone be aggrieved.

Nevertheless, last week the Illinois Appellate Court (First District) weighed in on the issue and reached an opposite conclusion, holding that a mere violation of BIPA, without additional harm, is all that is necessary to meet the “aggrieved by” standard for a private cause of action. The case, Sekura v. Krishna Schaumburg Tan, Inc., was brought against a tanning salon that used finger scans to admit members into its salons. The court rejected its sister court’s ruling in Rosenbach and held that aggrieved means only the deprivation of a legal right. The court further held that disclosure of biometric information to a third party (e.g., storing the information in the cloud) was sufficient to meet the “aggrieved by” standard, as was an allegation of mental injury. In short, the bar for meeting the “aggrieved by” standard, according to the First District’s conclusion, should be incredibly low.

What’s Next and When?

Presumably, the Sekura decision will be appealed quickly and joined with the Rosenbach case already pending at the Illinois Supreme Court. It is unclear what impact Sekura will have on the timing of a ruling from the Supreme Court on the issue, as briefing in the Rosenbach case was finished in September and the parties were simply awaiting the scheduling of an oral argument. It’s possible the court will wait for briefing to be perfected in the Sekura case before scheduling oral argument, or an expedited briefing process may take place because the issues in the two cases are so similar.

Substantively, one of the most significant consequences of the Sekura decision is that it could give the Illinois Supreme Court something to cite if it were inclined to reverse Rosenbach. I would argue that the reasoning in Rosenbach actually appears stronger in contrast to the Sekura decision. For example, the Sekura analogy treating disclosure of encrypted biometric information to a third party as equivalent to a disclosure of whether someone has AIDS under the AIDS Confidentiality Act is misplaced. Similarly, the Sekura reasoning renders the words “aggrieved by” meaningless, because under that decision a mere violation of the statute is all that is necessary to bring a private cause of action.

A Final Observation

Most concerning to me about the BIPA litigation generally is that it appears to be based on an unfounded fear and misunderstanding of the underlying technology companies use to collect, store, and share the subject information. Businesses are not collecting, storing, or sharing images of fingerprints, which might be accessed without permission and/or potentially misused. The finger scanning machines in question measure minutiae points and turn them into mathematical representations, which cannot be reverse engineered into a fingerprint. As a belt on these suspenders, the information is encrypted.

Two facts in the biometric privacy context are particularly telling and dispositive. First, no plaintiff or amici in any briefing in the more than 150 BIPA class actions has identified an example where biometric information was compromised. Why? Because the manner in which the finger scan information is collected is much like tokenization (a technology companies use to replace credit card numbers with valueless characters) – if a bad guy breaks in, all he can steal is a random set of characters that have no value.

Another important fact: all state data breach notification laws exempt encrypted information from the definition of personal information and the obligation to notify if it is the subject of a data breach. Why? Because there is no risk that a hacker can access the information and misuse it. Here, the subject information is encrypted so there is no risk of harm to the individuals bringing these lawsuits. The lawsuits are instead based on an unfounded fear of what could happen.

I wonder what impact a more fulsome explanation of the technology would have on the outcome of these cases. In the meantime, companies continue to spend significant sums of money defending these lawsuits and they face the risk of millions of dollars in potential liability.

While the privacy world is focused on the Equifax data breach, another development is taking place that could have a more lasting effect on privacy law.  In the last month, plaintiffs’ lawyers in Illinois have filed over 20 lawsuits against companies that authenticate their employees or customers with their fingerprints.  The lawsuits are based on the Illinois Biometric Information Privacy Act (BIPA), which requires companies that possess or collect biometric information to provide notice to and obtain a written release from individuals whose biometric information the companies collect.

Why Do These Lawsuits Matter?

Companies are increasingly collecting biometric information from their customers and employees (“data subjects”) because this information helps authenticate users with greater accuracy.  It allows the company to provide customers a more seamless, secure, and tailored experience.  It also allows employees to securely and conveniently punch in and out of work by placing their finger on an electronic reader, which has the additional benefit of minimizing “buddy punching” (where employees ask their colleagues to check them in/out of work improperly).

What Is Biometric Information?

BIPA applies to “biometric identifiers” and “biometric information.”  A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.  Biometric identifiers do not include, among other things, writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.  Biometric information means any information based on an individual’s biometric identifier used to identify an individual.  Because BIPA does not treat biometric identifiers differently from biometric information, this blog post refers to both categories collectively as “biometric information.”

To Whom Does BIPA Apply?

BIPA applies to companies in possession of biometric information or companies that collect, capture, purchase, receive through trade or otherwise obtain biometric information about Illinois residents.  BIPA does NOT apply to entities governed by HIPAA or GLBA.  Nor does it apply to state or local government agencies or any court of Illinois.

What Does BIPA Require?

Companies that possess biometric information must develop a written policy, made available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining the information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.  The company must comply with this retention schedule and destruction guidelines, unless a valid warrant or subpoena issued by a court of competent jurisdiction provides otherwise.  The company must also adopt reasonable security safeguards to protect the storage and transmission of biometric information.  These safeguards must be at least the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Companies that collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric information must:  (1) inform the subject in writing that biometric information is being collected or stored, and the specific purpose and length of term for which the information is being collected, stored, and used; and (2) obtain a written release executed by the subject of the biometric information.

What Conduct Does BIPA Prohibit?

Companies that possess biometric information are not allowed to sell, lease, trade, or otherwise profit from a person’s biometric information.  Additionally, disclosure, redisclosure, and other dissemination of the information is prohibited unless:  (1) the data subject consents to the disclosure; (2) the disclosure completes a financial transaction requested or authorized by the data subject; (3) the disclosure is required by law; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Can My Company Be Sued For Violating BIPA?

Any person “aggrieved by a violation” of BIPA can sue the violating company.  He or she may be entitled to $1,000 in liquidated damages for a negligent statutory violation or $5,000 in liquidated damages for an intentional statutory violation.  (If actual damages are greater, the plaintiff may seek those instead, but for the reasons discussed below, this is not usually the case).  Additionally, the prevailing party (plaintiff or defendant) may recover attorney’s fees and costs.

What Is This Latest Wave Of BIPA Lawsuits All About?

Between BIPA’s enactment in 2008 and a couple months ago there were relatively few lawsuits based on violations of BIPA.  Within the last couple of months, however, the Illinois plaintiffs’ bar has filed over 20 BIPA lawsuits.  Almost all of those lawsuits are based on the same underlying factual scenario:  an employee places his/her finger on a time clock to authenticate himself/herself when checking in or out of work.  In addition to suing the employer, plaintiffs are also suing the companies that sell/distribute the time clocks that use fingerprint readers.

Given the timing of the lawsuits and their almost identical language, this is surely a coordinated effort by the plaintiffs’ bar to obtain quick settlements from risk-averse companies that would prefer to avoid, or cannot afford, the cost of litigation.  It is also a shotgun approach: flood the courts with these lawsuits in the hope that one or two of them will result in favorable precedent that can be used to file more lawsuits.  I don’t see this trend ending anytime soon.

Do The Lawsuits Have Merit?

No.  You can expect to see strong arguments by the defendants on the underlying technology and the meaning of biometric information.  But these lawsuits are meritless primarily because the plaintiffs didn’t suffer any real harm.  The lawsuits appear to be filed by former employees with axes to grind against their former employers.  Setting that aside, however, the arguments in the complaints are not persuasive.

The complaints allege that BIPA was designed to ensure that the plaintiffs receive notice that their biometric information is being collected, and that the plaintiffs should have been asked to sign written releases.  This lack of notice argument is silly when you remember that these individuals were essentially receiving notice every day by placing their fingers on a time clock to log in and out of work.  This latest wave of cases does not present the situation, as other BIPA cases have, where biometric information is being collected without the data subject’s knowledge.

The complaints also allege that the plaintiffs were not provided a policy explaining the use of their information. If we assume first that the plaintiffs would have read these policies (because we all read policies provided to us during the onboarding process), then what would those policies have told the employees?  Anyone familiar with the technology will tell you that the policies would say that the company does not actually collect fingerprint images at all, that there isn’t a database of employee fingerprints somewhere, that to the extent the company has access to numerical representations of their fingerprints those representations are useless to anyone else because they can’t be reverse-engineered, and the information is not shared with third parties (primarily because it serves no use).

The complaints are also significant in what they do NOT allege.  They do not allege, for example, that unauthorized third parties (like hackers) accessed the information.  Nor do the complaints allege that the employers shared the information with any authorized third parties.  So again, what is the harm suffered?

For these reasons, most courts that have addressed the lack of harm argument in the BIPA context have dismissed the lawsuits.  See, e.g., McCollough v. Smarte Carte, Inc. (N.D. Ill. Aug. 1, 2016); Vigil v. Take-Two Interactive Software, Inc. (S.D.N.Y. Jan. 27, 2017).  Those courts concluded that even if there was a technical violation of BIPA, the plaintiffs were not “aggrieved by those violations.”

What Can Companies Do To Minimize These Risks?

First, determine whether BIPA even applies to you.  This may require consulting with counsel knowledgeable in the requirements of BIPA and the underlying technology.  Even if you are not currently collecting biometric information from Illinois residents, could you in the future?  Additionally, while Illinois is currently the only state that creates a private right of action for violation of its biometric information privacy statute, other states have similar laws enforced by their respective Attorneys General.

Second, if BIPA applies, use experienced counsel to ensure that you comply with BIPA – draft a BIPA retention policy, prepare and obtain written releases, and evaluate the security and use of the information.  This process may require coordination with your information technology staff and the vendor you use for your authentication devices.

Finally, if your company has already been sued, there are strategies that counsel should immediately bring to your attention that will lower the cost of litigation, increase the likelihood of success, and help you identify traps for the unwary.


One of the most significant questions in data security law is whether reports created by forensic firms investigating data breaches at the direction of counsel are protected from discovery in civil class action lawsuits.  They are, at least according to an order issued last week in In re Experian Data Breach Litigation. 15-01592 (C.D. Cal. May 18, 2017).  This post analyzes the decision, identifies important practical takeaways for counsel, and places it in context with the two other cases that have addressed this issue.

Why Do Lawyers Hire Forensic Firms?

When a breach occurs, companies often retain legal counsel to advise them on legal issues like whether the company adopted “reasonable” security safeguards; whether the company is obligated to notify affected customers and, if so, when and how; whether notice to regulators is required; and, what remedial measures are required.  To properly advise clients on these issues, legal counsel needs to know whether personally identifiable information (PII) was affected by the incident, when the intrusion occurred, whether the PII was actually accessed or acquired, what safeguards were in place to prevent the attack, and how the vulnerability was remediated.  A good forensic firm will help you answer these questions so you can advise clients accurately.  The reports often contain information that plaintiffs’ lawyers would love to get their hands on – it can provide details about why the breach occurred, how it could have been prevented, and whether the company’s safeguards were consistent with standards of reasonableness.  It is important that the forensic firm be able to perform its investigation without fear that its reports will be subject to misinterpretation and criticism by a plaintiff’s lawyer or other third party.  Hence the need for protection of these reports in civil litigation.  For the time being, there is no statutory protection for these types of documents (though there should be) so we must turn to the attorney-client privilege and work-product doctrine for protection.

What Happened In Experian?

In October 2015, Experian announced that it suffered a data breach.  A class action was filed the next day.  Experian immediately hired legal counsel who in turn hired Mandiant, one of the world’s leading forensic firms, to investigate the data breach and identify facts that would allow outside counsel to provide legal advice to Experian.

The plaintiffs requested a copy of Mandiant’s report and documents related to that investigation.  Experian objected, arguing that the documents are privileged and protected by the work-product doctrine because they were prepared in anticipation of litigation for the purpose of allowing counsel to advise Experian on its legal obligations.  The plaintiffs moved to compel production of the documents.

The court held that the documents were protected from discovery by the work-product doctrine.  Plaintiffs had argued that Experian had an independent business obligation to investigate the data breach, and it hired Mandiant to do that after realizing its own experts lacked sufficient resources.  The court rejected this argument because Mandiant conducted the investigation and prepared the report for outside counsel in anticipation of litigation, “even if that wasn’t Mandiant’s only purpose.”  The court pointed to, among other things, the fact that Mandiant’s full report was not provided to Experian’s internal incident response team.

Plaintiffs argued that the report should not be protected because it was prepared in the ordinary course of business.  Plaintiffs cited the fact Mandiant had previously worked for Experian.  The court disagreed because Mandiant’s previous work for Experian was separate from the work it did for Experian regarding the subject breach.

Plaintiffs argued that even if the documents were created to allow counsel to advise Experian, plaintiffs were not able to obtain the information that was included in the Mandiant report by other means because Mandiant accessed Experian’s live servers to do its analysis, which plaintiffs’ experts would not be able to do.  The court disagreed, citing information in the record demonstrating that Mandiant never in fact accessed the live servers, but only observed server images to create its report.

Lastly, the plaintiffs argued that even if the information was protected by the work-product doctrine, Experian waived the protection by sharing the documents with a co-defendant (T-Mobile’s counsel).  In what I believe will be the most underrated yet arguably most important part of the order, the court ruled that the sharing of the report with the co-defendant pursuant to a joint defense agreement did not constitute a waiver of the work product doctrine.

There are some limitations to the court’s order:

  1. The court only ruled on whether the work-product doctrine applied to the Mandiant documents, not whether the attorney-client privilege applied.
  2. Mandiant delivered its report to outside counsel only, who shared the report with in-house counsel.  The full report was not shared with Experian’s incident response team (it is not clear who comprised that team).
  3. Mandiant performed an analysis of Experian’s systems two years before this incident.  The court did not conclude that the 2013 report was privileged.  The court also did not conclude that any work Mandiant performed before outside counsel was hired is privileged.  It is not clear from the order whether the court was ruling that the pre-incident and pre-engagement materials were not protected at all, not protected by the attorney-client privilege, or simply not ruling one way or the other.  My interpretation is that it is the latter.

How Have Other Courts Ruled?

Only two other courts have addressed the applicability of privilege or work-product protection to the production of forensic reports.  Both have applied privilege and/or work product to the documents.

In In re: Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Oct. 23, 2015), the court held that documents relating to a forensic investigation performed to provide legal advice to the company were privileged and work product.  Following its breach, Target established a data breach task force at the request of Target’s in-house lawyers and its retained outside counsel so that the task force could educate Target’s attorneys about aspects of the breach and counsel could provide Target with informed legal advice.  What makes the Target case different from Experian is that Target undertook two forensic investigations (both by the same forensic firm, Verizon): one as described (to enable counsel to advise Target in anticipation of litigation and regulatory inquiries) and a second required by several credit card brands (commonly referred to as a “PFI” or payment card forensic investigation).  This second investigation, Target conceded, was not protected by privilege or the work-product doctrine.  The court allowed production of certain information (emails to Target’s Board of Directors which updated the Board on Target’s business-related interests), but held that information relating to Verizon’s investigation for the data breach task force was protected by the attorney-client privilege and work-product doctrine.  The court reasoned that the forensic images and the PFI documents were available for plaintiffs to use to learn how the data breach occurred and how Target responded.

In Genesco, Inc. v. Visa U.S.A., Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015), the court denied Visa’s request for discovery related to remediation measures performed by IBM on Genesco’s behalf.  The court reasoned that Genesco retained IBM to provide consulting and technical services to assist counsel in rendering legal advice to Genesco. Therefore, the documents were privileged.

Experian came out the same way as Target and Genesco, but there are subtle differences that should be kept in mind whenever a company decides to retain a forensic company and expects privilege or work product to apply.  Experian is arguably the most important of the three because it is the far more common scenario.  Most companies will not spend money to hire two forensic firms (or one firm with two teams) to perform two separate investigations on the same incident.  So where only one investigation is performed, the company and counsel would be wise to read the Experian filings and order before commencing the engagement of counsel and a forensic firm.

Takeaways

Here are some practical takeaways if a breached entity wants to minimize the risk of disclosure of a forensic report:

  • The forensic firm should be hired by outside counsel, not by the incident response team or the information security department.
  • Create a record and think about privilege issues early in the engagement by:
    • ensuring that the engagement letter between the breached entity and outside counsel envisions that outside counsel may need to retain a forensic firm to help counsel provide legal advice;
    • making clear in the MSA and/or SOW between outside counsel and the forensic firm that the forensic firm is being hired for the purpose of helping counsel provide legal advice to the client;
    • limiting the scope of the forensic firm’s work to those issues relevant to and necessary for counsel to render legal advice;
    • ensuring that the forensic firm communicates directly (and only) with counsel in a secure and confidential manner;
    • not sharing the forensic firm’s full report with anyone other than in-house counsel; and
    • incorporating the forensic firm’s report into a written legal memorandum to demonstrate how the forensic firm’s findings were used to help counsel provide legal advice to the client.
  • Work a forensic firm undertakes before outside counsel is involved will not be protected, so the breached entity should engage counsel immediately.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Earlier this year, Bloomberg Law reported that Edelson PC, a leading plaintiffs’ firm in privacy and data security law, filed a class action lawsuit against a regional law firm that had vulnerabilities in its information security systems.  This week, the identity of the firm and the allegations of the lawsuit were unsealed.  The case, Shore v. Johnson & Bell, LTD, No. 1:16-cv-04363 (N.D. Ill. Apr. 15, 2016), alleges that Johnson & Bell (“the firm”), a Chicago-based law firm, was negligent and engaged in malpractice by allowing information security vulnerabilities to develop that created risks to client information.  This blog post explains the alleged vulnerabilities, analyzes the merits of the lawsuit, and discusses what it means for other law firms, their clients, and service providers.

By coincidence, Fortune reported earlier this week that China stole data from major U.S. law firms:  “The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.”  These developments are reminders that information security must be a high priority for all law firms.

The Johnson & Bell Lawsuit

The lawsuit is based on three alleged vulnerabilities in the firm’s information security infrastructure.  According to a court filing, the vulnerabilities have now been addressed and fixed.

First, the lawsuit alleges that the firm’s Webtime Server, an application attorneys use via any web browser to remotely log in and record their time, was based on the 2005 version of the Java application server JBoss.  The Complaint alleges that the 2005 version of JBoss has been identified by the National Institute of Standards and Technology as having an exploitable vulnerability.  Plaintiffs also allege that hackers have taken advantage of the vulnerability in other situations to conduct ransomware attacks.

Second, the lawsuit alleges that the firm’s virtual private network (VPN) server contained a vulnerability.  Companies use VPNs to allow their employees to remotely access company information in an encrypted, secured manner.  The secured nature of a VPN connection allows companies to feel comfortable providing access to highly sensitive internal resources and databases.  Sometimes, a temporary disconnection occurs while an employee is using a VPN connection.  The Complaint alleges generally that when the firm’s VPN sessions were disconnected, the renegotiation (or re-connection of the VPN session) was insecure, making it vulnerable to a “man-in-the-middle” attack.  A man-in-the-middle attack is a cyberattack in which the attacker secretly interposes itself between two communicating parties in order to eavesdrop on the communications and steal confidential information.

Finally, the Complaint alleges that the firm’s email system was vulnerable because it supported version 2.0 of SSL.  Secure Sockets Layer (SSL) is a cryptographic protocol that creates an encrypted tunnel between a server and a client (such as a web browser) to ensure that information passing through the tunnel is protected from hackers.  Version 2.0 was replaced by version 3.0 in 1996.  In 1999, Transport Layer Security (TLS) replaced SSL entirely.  Since then, TLS has been updated at least twice.  According to the Complaint, the use of SSL 2.0 made the firm susceptible to a DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack that could allow hackers to access the contents of the firm’s emails and attachments.  The Complaint claims that the Panama Papers breach was the result of a similar attack.

Notably, the Complaint does not allege that the firm actually suffered a compromise of sensitive information, that a successful cyberattack occurred, or even that a cyberattack was attempted.  In other words, the lawsuit is based on the firm’s alleged state of security that may make it vulnerable to an attack in the future.

Who is the class?  Plaintiffs (Jason Shore and Coinabul, LLC) are former clients of the Johnson & Bell firm.  The firm defended Plaintiffs in a class action lawsuit alleging that Plaintiffs defrauded consumers by accepting payments in the form of bitcoins while refusing to ship gold or silver ordered by customers.  See Hussein v. Coinabul, LLC, No. 14 C 5735 (N.D. Ill. 2014).  Plaintiffs define the class as all of the firm’s clients within the statute of limitations period except insurance companies and clients operating in the healthcare industry.  Why insurance and healthcare companies are not included in the proposed class is not evident from the allegations.  It could be that those industries are more highly regulated in privacy and data security and therefore would have had a greater duty to ask questions of the firm about its information security practices.  It is also unclear, though, why financial institutions, the most highly regulated sector in data security, were not included in this group as well.

The Complaint is based on four causes of action:

  1. Breach of implied contract – Plaintiffs allege that, as a term of the engagement agreement, the firm promised to keep a file for the work they performed on Plaintiffs’ matter.  The Complaint claims there was an implied promise that the firm would use reasonable methods to keep Plaintiffs’ information confidential, which was breached by the firm’s security vulnerabilities.
  2. Negligence – Plaintiffs claim the attorney-client relationship automatically created a duty to adopt industry standard data security measures, which was breached as evidenced by the alleged vulnerabilities.
  3. Unjust enrichment – Plaintiffs argue that a portion of the attorney’s fees they paid to the firm was for the administrative cost of data security to maintain the confidentiality of client information.  Plaintiffs seek return of that amount of the fees paid.
  4. Breach of fiduciary duty – Plaintiffs claim that the failure to implement industry standard data security measures and resulting vulnerabilities were breaches of the firm’s fiduciary duty to Plaintiffs.

What is the injury? Plaintiffs allege they were injured because the security vulnerabilities created (1) a diminished value of the services they received from the firm, and (2) a risk that their sensitive information may be compromised at some point in the future (which could result in damages from that theft).  Plaintiffs measure their damages as the portion of fees paid to the firm that were meant to be for the administrative cost of securing client information.  Plaintiffs have also asked the court to require an independent third-party security audit of the firm’s systems.

Is a Vulnerability by Itself Enough to Meet Standing Requirements?

In my opinion, the lawsuit is fatally flawed because there was no attack or attempted attack on Plaintiffs’ information, let alone actual unauthorized access or acquisition of the information.  The firm’s security system was analogous to an unlocked door to a home that nobody burglarized.  The plaintiffs indisputably suffered no financial damages as a result of the alleged vulnerabilities, and the vulnerabilities were identified (albeit by this lawsuit) and addressed before any actual harm occurred.

If the mere risk of harm at some point in the future is enough to allow a lawsuit to proceed, then every company in America should be concerned.  Most companies probably have similar unknown vulnerabilities in their systems.  The challenge with information security is that it is like a game of “Whack-A-Mole” — the fast-paced and constantly changing threats and defenses mean that new vulnerabilities are always emerging, so it is almost impossible to eliminate all vulnerabilities entirely.  The floodgates will be blown wide open if a lawsuit based only on the mere existence of a vulnerability is considered actionable.

That said, the Edelson firm is one of the most creative plaintiffs’ privacy and data security firms in the country.  They have made their name by doing things differently from their peers.  They are known for pushing the envelope and expanding the boundaries of liability in privacy and data security law.  For example, in Resnick v. AvMed they were the first firm to persuade a U.S. Circuit Court of Appeals to apply the unjust enrichment theory to data breach class actions.  Other courts have since applied that theory in allowing data breach class action lawsuits to proceed. The Resnick case subsequently settled for over $3 million.

In In re: LinkedIn User Privacy Litigation, No. 5:12-cv-03088 (N.D. Cal. 2012), at a time when other plaintiffs’ firms were pursuing data breach liability based on a failure to adopt reasonable security safeguards, they persuaded the court of a new theory:  that the gravamen was not the failure to adopt certain security safeguards, but the misrepresentations in consumer-facing statements about the safeguards that were actually in place.  The LinkedIn case settled for $1.25 million.

In Spokeo v. Robins, a case that was appealed all the way to the U.S. Supreme Court, the Edelson firm argued to the Court that the mere violation of a privacy statute without other damages or harm is sufficient to confer standing on a plaintiff.  The Court’s decision gave plaintiffs a roadmap for circumventing the standing problem.

But no case has gone this far – to hold that a mere vulnerability without a compromise of information, an attack, or an attempted attack, is actionable.  Doing so would essentially change the data security class action litigation “ball game” once again.

The Impact on Everyone Else

This lawsuit is important because of its potential impact on several key groups.  The first is other law firms.  Every firm should immediately determine whether it has the same vulnerabilities alleged in the Complaint.  Law firms should be concerned that similar vulnerabilities could lead to similar lawsuits, whether or not an actual attack has occurred.  They should be prepared to respond to client inquiries explaining what safeguards they have adopted to protect sensitive client information, consistent with their legal and ethical obligations.  (For a discussion of these obligations, read my July 2013 blog post on the subject.)  Firms should review and update their engagement letters for promises and disclaimers to their clients about information security.

This leads to the second group of impacted individuals:  the law firms’ clients.  Every company should have in place a vendor management program that incorporates information security as part of the due diligence process, and law firms are service providers like the rest of the companies’ vendors.  Companies should be asking their outside counsel as part of the due diligence process how they protect client data:  what administrative, technical, and physical safeguards are in place?  Has the firm obtained an independent third-party certification (like ISO 27001) or performed a risk assessment by an information security expert?  (I was pleasantly surprised to see the Complaint refer to Shook, Hardy & Bacon’s ISO 27001 certification as an example of what law firms should be doing).

Beyond asking questions, clients need to identify what they expect from their law firms in terms of specific security requirements and communication about vulnerabilities or notifications of data incidents.  This lawsuit may have been avoided if the engagement letter had required notice of material vulnerabilities.  The questions clients should be asking their law firms can (and will) be the focus of an entirely separate blog post.

The third group impacted by this lawsuit will be the service providers law firms use for information security services.  Small firms commonly outsource most or all of their information security to these providers.  Even large firms use service providers for information security services that include threat detection, data loss prevention, firewall implementation, and cloud storage.

Firms also purchase licenses for applications that may present security risks, similar to the alleged vulnerability in the Webtime service. These applications require a separate security vetting by the law firm before they can be used.

I suspect this is the first of what will be a series of lawsuits relating to law firm security brought by the Edelson firm and plaintiffs’ firms that follow their lead.  It will be interesting to see whether courts allow a lawsuit based on a security vulnerability alone to proceed or dismiss it for lack of standing.


Plaintiffs’ lawyers were falling over themselves last week in a race to the courthouse to sue Target as a result of its recent data breach.  By at least one report, over 40 lawsuits have already been filed against Target, the first of which was filed the day after the breach became public.  This post will provide an overview of the lawsuits, analyze their merits, identify potential concerns for Target, and address some of the larger public policy implications raised by the lawsuits.  My next post will provide more specific details about a sample of the lawsuits.

A (Coordinated) Race to the Courthouse

The lawsuits were filed in Federal courts all over the country, including Alabama, California, Florida, Illinois, Minnesota, Oregon, and Rhode Island.  At least four of them were the result of coordinated efforts between plaintiffs’ firms that filed the lawsuits in California, Illinois, and Oregon, given the similarity of language and structure used in those complaints.  (That’s not particularly unusual, but let’s not pretend that there isn’t a coordinated effort involved here.)  The lawsuits will likely be consolidated or become part of a multidistrict litigation panel, and there will be an internal battle between the plaintiffs’ lawyers as to who will serve as class counsel.

Also interesting is when the lawsuits were filed.  All of these lawsuits were filed within a few days of the data breach becoming public.  They were filed before knowing what caused the breach, before knowing when Target learned of the breach, and before knowing what Target did to prevent the breach from occurring in the first place.  The developing data breach legal landscape has shown us that liability from a data breach arises not from the breach itself (almost every company suffers a breach), but from what the company did before or after the breach to prevent it and notify affected individuals.  So the fact that these lawsuits were filed before we know much about what led to the breach and how Target responded should raise initial skepticism about the merits of the lawsuits.

On to the Merits . . .

Generally speaking, the lawsuits are not only premature, but weak for at least two reasons: their legal theories are not sufficiently specific, and almost none of them allege cognizable harm.

The lawsuits contain numerous causes of action (negligence, statutory violations, breach of implied and express contracts, invasion of privacy, bailment, etc.), but the causes of action are based primarily on two legal theories:  (1) Target failed to act reasonably in adopting safeguards that would have prevented the breach from happening; and/or, (2) Target didn’t notify affected consumers quickly enough.  Let’s evaluate these theories and other weaknesses in the lawsuits separately.

“Failure to Adopt Reasonable Safeguards”

Plaintiffs allege that Target failed to act reasonably to adopt safeguards to prevent the breach from occurring, but there are no allegations as to what specifically Target did wrong.  In the LinkedIn lawsuit, for example, there were allegations that LinkedIn failed to salt or hash sensitive information, and that LinkedIn’s conduct contradicted a specific provision of its consumer-facing privacy policy.  The LinkedIn complaint was dismissed because the court held that the plaintiffs lacked standing, but you knew upon reading it what the plaintiffs were claiming LinkedIn did (or failed to do) wrong.

There are no similarly specific allegations in the lawsuits against Target, probably because the plaintiffs don’t know enough about the facts to plead anything with the requisite specificity.  They don’t know yet what Target did wrong, or even if it did anything wrong.  The highly ambiguous pleading now puts Target in the position of trying to defend itself against a “moving target” (no pun intended) that plaintiffs will interpret differently to best suit their needs as the lawsuit progresses.

“Failure to Timely Notify Affected Consumers”

The plaintiffs also claim that Target failed to timely notify affected consumers of the breach, but there are currently no facts that support this theory.  According to all accounts, the breach occurred between November 27th and December 15th, and Target notified potentially affected customers a few days thereafter by email and by creating a special web page (linked to Target.com) with regularly updated information about the breach and Target’s response.

As anyone with breach response experience will tell you, there are a number of time-consuming steps in the breach response process before notification can take place.  First, you need to identify and understand the nature of the compromise, and you have to be reasonably sure that the compromise has been contained and remediated so it is no longer a threat.  This step alone can take days or weeks to complete depending on the level of sophistication of the attack.  Further complicating this step is the coordination with law enforcement, who may be concerned that acting too quickly will inhibit their ability to identify the perpetrators.  After the integrity of your system has been restored, you need to identify what information was affected by the breach.  If you learn that personal information was potentially compromised as a result of the breach, you need to know whose information was affected so you can quickly inform them and regulatory authorities in compliance with applicable legal requirements.  Undertaking this entire process can often take weeks.  Target appears to have done it within a few days.

There is another factor that must be considered in determining whether Target complied with any legal obligation to notify consumers – the various data breach notification laws. 46 states have their own data breach notification laws and they are triggered by the location of the individual whose information is compromised, not by the location of the company that suffered the breach (meaning that they’re all in play with a breach this size).  Most require notification within a “reasonable” period of time, and for some that means the breached entity may have as long as 30 to 45 days to undertake notification.  These laws usually do not “start the clock running” on notification until the company reasonably believes that it has identified the full scope of the breach and has contained it.  This makes sense because you wouldn’t want to tip off the hackers that you are on to them by issuing a public notification when your systems are still compromised.  Additionally, it is very difficult to undertake notification until you know who you need to notify (i.e., whose information was compromised, where do they live, how can I contact them, etc.), which can take some time to determine.  Finally, almost all of these laws allow for a delay in notification where law enforcement believes that such notification would impede their ability to identify and investigate the hackers. We do not know whether such a “law enforcement hold” was in place in this breach.  (Some of the plaintiffs allege in their complaints that no law enforcement hold was in place, but they couldn’t possibly know that yet).

It is possible that facts could emerge at a later date showing that Target knew of the compromise much earlier but chose not to notify affected consumers, but for the time being, the fact that Target notified affected consumers within a few days of the compromise becoming known easily disposes of the allegation that Target delayed notifying consumers.

Cognizable Harm

The plaintiffs will also have a very difficult time proving that they suffered cognizable harm, as evidenced by the difficulty they have in pleading it.  Almost half of the lawsuits allege that the plaintiffs suffered “compensatory damages” or “harm” generally, but fail to describe their damages with any specificity.  They likely cannot identify any cognizable harm at this point, further demonstrating the premature nature of these lawsuits.  Some of the lawsuits seek damages for a “risk” of harm at some unforeseeable point in the future, or for fraudulent charges that were almost certainly reimbursed or will be reimbursed by the consumers’ financial institutions, or for potential damage to their credit scores.  None of these types of damages have been recognized as cognizable in a data breach lawsuit.

This is not to say that all damages are not cognizable.  In a few jurisdictions, courts have held that plaintiffs can proceed in pursuing certain damages.  In the First Circuit, for example, consumers are allowed to pursue “mitigation expenses” (e.g., the unreimbursed cost of replacing their cards, obtaining credit reports and credit insurance, etc.).  In the Eleventh Circuit, consumers have been allowed to pursue the portion of their service fees/premiums to a company that was used for securing the consumers’ personal information.  To the extent the plaintiffs have filed lawsuits in these jurisdictions and are seeking these types of damages, their allegations of damages may be stronger.

Precedent

Finally, Plaintiffs will have to deal with the majority of case law in data breach lawsuits that, with some limited exceptions, has not allowed the lawsuits to proceed.  Two of the most important decisions will be the U.S. Supreme Court’s decision in Clapper v. Amnesty International and the Northern District of Illinois’s decision in In re Barnes & Noble Pin Pad Litigation.  Clapper raised the bar for demonstrating cognizable harm and standing in privacy violation cases such as this one.  The Clapper decision was relied on by the Northern District of Illinois in dismissing a data breach lawsuit against Barnes & Noble that arose from an almost identical set of facts — the compromise of consumers’ personal information stolen from PIN pads at a major retailer.  The court held that the plaintiffs lacked standing because they could not allege that a threatened injury was “certainly impending” as a result of the breach.

I expect the plaintiffs to rely on the recent decisions by the Eleventh Circuit, the First Circuit, and the Southern District of Florida that allowed data breach lawsuits to proceed.  Therefore, I would closely monitor what happens in the two Florida lawsuits and the Rhode Island lawsuit, or any others that are subsequently filed in the Eleventh or First U.S. Circuits.

Should Target Still Be Worried?

Despite the premature nature and overall weaknesses of the lawsuits as filed, Target still has cause for concern. First, even though legal precedent is heavily in its favor (this blog post cites only a few of the many opinions dismissing data breach lawsuits), the development of the law is still in its early phases, and as evident from the previous paragraph, some courts where lawsuits against Target are pending have allowed data breach lawsuits to proceed.

Another concern is how the facts emerge.  For example, if it turns out that Target knew about the breach long before it was disclosed publicly, knew that personal information had been compromised, knew whose information had been compromised, knew that the information was not encrypted, and was under a legal obligation to notify affected individuals, then the plaintiffs’ “failure to timely notify” theory will strengthen.

Target also has to be concerned about trying to keep the focus where the law requires it.  The plaintiffs’ lawyers are going to try to shift the focus from what Target did (the sophisticated and complex information security program Target likely had in place) to what Target could have done (the one “error” Target made that could have prevented the breach).  According to one study, 97% of breaches are avoidable (in hindsight) through simple or intermediate controls.  Why is that important?  Because I have little doubt that the plaintiffs’ lawyers will be able to find a cybersecurity “expert” somewhere willing to testify that Target could have done something that would have prevented the breach from occurring, thereby trying to create an issue of fact as to the reasonableness of Target’s conduct.  Target will need to try hard to keep the focus on the correct legal standard.  The legal standard isn’t whether Target could have done something to prevent the breach, but whether it acted reasonably to prevent the breach.  In other words, the plaintiffs’ lawyers will try to persuade the courts that liability should be determined by whether the breach was preventable, and Target will try to keep the focus on the fact that it adopted a highly sophisticated, expensive, and (for the most part) very effective information security program and made the security of its consumers’ information the highest priority.  If plaintiffs succeed in shifting the focus away from the legal standard, every company should be very concerned, because so many data breaches are, in hindsight, preventable, which means that almost every company could face potential liability if they suffer a breach.

So why should EVERY Company Care About These Lawsuits . . .

The lawsuits are premature, not well supported by precedent, and based heavily on rank speculation as to the safeguards Target had in place and how quickly it responded.  Despite these weaknesses, however, every company should care about what happens to these lawsuits.  Target is a very large company that undoubtedly had in place complex and sophisticated safeguards to protect against this type of a data breach, and from what we know so far, they notified affected individuals very quickly.  If there is anything less than a dismissal or summary judgment entered in all of these cases, then the proverbial blood will be in the water and we can expect the floodgates of data breach litigation to open.  Almost every company that suffers a data breach could be held liable because few are going to have the level of security and response efforts that an organization like Target has in place.

The public policy consequences of Target being held liable are significant.  Companies will be less inclined to reveal breaches due to potential liability exposure, so consumers will be less likely to know when their information has been accessed, precluding them from responding adequately to protect themselves.  Instead of investing resources into physical, technical, and administrative safeguards that could improve the security of consumers’ information, companies will be forced to spend their resources on litigation costs, settlements, and awards to plaintiffs.  The individuals who will benefit most won’t be the consumers (who could each receive nominal awards for mitigation expenses), but the attorneys who will reap significant attorney’s fees awards in class action lawsuits.  So what happens to these lawsuits will be important to any company that collects, stores, uses, and disposes of sensitive consumer information, which is almost every company doing business in this modern economy.


A client recently asked me to identify the next wave of data privacy litigation.  I said that with so much attention on lawsuits arising from data breaches, particularly in light of some recent successes for the plaintiffs in those lawsuits, the way in which companies collect information and disclose what they are collecting is flying under the radar.  This “failure to match” what is actually being collected with what companies are saying they’re collecting and doing with that information could lead to the next wave of data privacy class action litigation.

Here’s an example.  A privacy policy in a mobile app might state that the app collects the user’s name, mailing address, and purchasing behavior.  In fact, and often unbeknownst to the person who drafted the privacy policy, the app is also collecting information like the user’s geolocation and mobile device identification number, but that collection is not disclosed to the user in the privacy policy.  The collection of the additional information isn’t what gets the company into trouble.  It’s the failure to fully and accurately disclose the collection practice and how that information is used and disclosed to others that creates the legal risk.

What is the source of this problem?  In an effort to minimize costs, small companies often slap together a privacy policy by cutting and pasting from a form provided by a website designer or found on the Internet.  Little care is given to the accuracy and depth of the policy because there is little awareness of the potential risk.  Larger companies face a different problem: the left hand sometimes doesn’t know what the right hand is doing.  Legal, privacy, and compliance departments often do not ask the right questions of IT, web/app developers, and marketing, and the latter may not do a sufficiently good job of volunteering more than what is asked of them.  This problem can be further exacerbated where the app/website development and maintenance is outsourced.  This failure to communicate can, unintentionally, result in a “failure to match” a company’s words with its actions when it comes to information collection.

We have already seen state and federal regulators become active in this area.  The Federal Trade Commission has brought a significant number of enforcement actions against organizations seeking to make sure that companies live up to the promises they make to consumers about how they collect and use their information.  Similarly, the Office of the California Attorney General recently brought a lawsuit against Delta Air Lines alleging a violation of California’s Online Privacy Protection Act for failure to provide a reasonably accessible privacy policy in its mobile app.  Additionally, the California Attorney General’s Office has issued guidance on how mobile apps can better protect consumer privacy, which includes the conspicuous placement and full disclosure of information collection, sharing, and disclosure practices.  As the use of mobile apps and the collection of electronic information about consumers increase, we can expect to see a ramping up of these enforcement actions.

What sort of civil class action liability could companies face for “failure to match”?  Based on what we’ve seen in privacy and security litigation thus far, if the failure to match a policy with a practice is intentional or reckless, companies could face exposure under theories of fraud or deceptive trade practice statutes that provide a private right of action (e.g., state “Little FTC Acts”).  Even if the failure to disclose is unintentional, the company could still face a lawsuit alleging negligent misrepresentation, breach of contract, and statutory violations, including violations of Gramm-Leach-Bliley, HIPAA’s privacy rule, or California’s Online Privacy Protection Act.  Without weighing in on the merits of these lawsuits, I would venture to guess that the class actions that will have the greatest chances of success will be those where the plaintiffs can show some financial harm (e.g., they paid for the apps in which the deficient privacy policy was contained) or there is a statute that provides set monetary relief as damages (e.g., $1,000 per violation/download).

What can companies do to minimize this risk?  To minimize the risks, companies should begin by evaluating whether their privacy policies match their collection, use, and sharing practices.  This process starts with the formation of a task force under the direction of counsel that is comprised of representatives from legal, compliance, IT, and marketing and that is dedicated to identifying: (1) all company statements about what information is collected (on company websites, in mobile apps, in written documents, etc.); (2) what information is actually being collected by the company’s website, mobile app, and other information collection processes; and (3) how the information is being used and shared.  The second part requires a really deep dive, perhaps even an independent forensic analysis, to ensure that the company’s statements about what information is being collected are correct.  It’s important that the “tech guys” (the individuals responsible for developing the app/website) understand the significance of full disclosure.  Companies should also ask, “do we really need everything we’re collecting?”  If not, why are you taking on the additional risk?  Also remember that this is not a static process.  Companies should regularly evaluate their privacy policies and monitor the information they collect.  A system must be in place to quickly identify when these collection, use, and sharing practices change, so the policies can be updated promptly where necessary.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Just when you thought it might be safe to go back into the water, another significant data breach lawsuit may be settling.  Last week, I wrote about the proposed settlement in the AvMed lawsuit.  The motion for a preliminary proposed settlement in that case was granted on Friday, and a Final Hearing is set for February 28, 2014.

At the end of last week, however, the St. Louis Post-Dispatch reported that Schnuck Markets has agreed to settle a proposed class action arising from a breach of its systems (a cyber attack in which malicious code was inserted into Schnucks’ payment system, allowing the capture of magnetic stripe data from approximately 2.4 million customers’ payment cards between December 2012 and March 2013).

The Legal Theories

The lawsuit, which is pending before a St. Louis Circuit Court, alleges that Schnucks: (1) failed to secure customers’ personal financial information, and (2) did not notify customers in a clear and timely manner that their information had been stolen.

The “failure to secure” theory is based on an argument that Schnucks did not abide by “best practices and industry standards concerning the security of its computer and payment processing systems.”  This allegation should scare every corporate entity.  Why?  Because the phrase “best practices and industry standards” is so ambiguous and can be defined so differently depending on who you ask.  For example, is the standard best measured by the Payment Card Industry Data Security Standard (PCI DSS)?  Perhaps it’s measured by NIST?  How about ISO?  Should you use some amorphous common law standard that has developed in the case law, or laws that may not directly apply to you (e.g., HIPAA if you’re not a Covered Entity or Business Associate)?  Regardless of what standard you choose, it’s a moving target and changes as technology changes.  In other words, compliance with the “reasonableness” standard can be both expensive and very difficult to determine.

The second legal theory (that Schnucks failed to timely and adequately notify consumers) should also cause some concern to organizations that maintain sensitive information.  How did Schnucks notify its customers?  According to the plaintiffs, Schnucks issued a national press release within two weeks of learning that its systems had been compromised, though they claim that no “individual notification” to class members occurred.  With respect to when the notice took place, anyone who is experienced in breach response will tell you that notification within two weeks of learning of an incident involving a cyber attack is prompt.  It takes time to identify the affected systems, determine the source and scope of the intrusion, identify what information was affected, learn where the individuals whose personal information was affected are located (assuming the incident even affected personal information), and confirm that the compromise has been contained so there is no threat of a live intruder moving to other areas of your information systems while you’re undertaking notification.  With respect to how the notice took place, it is not clear whether Schnucks was perhaps trying to provide substitute notice under the applicable state data breach notification laws, which would have obviated the need for individual notice.

The causes of action in the Second Amended Class Action Petition are as follows:

(1) Breach of implied contract – plaintiffs claim that in providing financial data to Schnucks, plaintiffs entered into an implied contract with Schnucks obligating it to reasonably safeguard plaintiffs’ information and notify plaintiffs if the information was accessed without authorization.

(2) Violation of Missouri’s Merchandising Practices Act – plaintiffs claim that Schnucks engaged in “unfair conduct” by failing to properly implement adequate, commercially reasonable security measures to protect their personal information while shopping at Schnucks.  Plaintiffs also contend that Schnucks’ failure to provide timely and sufficient notice of the breach of its computer systems was an “unfair practice.”

(3) Invasion of Privacy by Public Disclosure of Private Facts – plaintiffs also allege that the breach resulted in a public disclosure of the plaintiffs’ private information.

Plaintiffs do not claim violation of any state data breach notification law as a cause of action, despite their factual allegations that Schnucks’ notification was inadequate and untimely.

Damages Sought

The plaintiffs seek damages for:  (1) out of pocket expenses incurred to mitigate the increased risk of identity theft, (2) the value of their time spent mitigating identity theft and the risk of identity theft, (3) the increased risk of identity theft, (4) the deprivation of the value of their personal information, and (5) anxiety and emotional distress.  These damages, for the most part, fall into the “weaker” side of the cognizable damages spectrum based on existing case law.  The proposed settlement, however, attempts to limit recovery to those plaintiffs who suffered cognizable damages.

Terms of the Proposed Settlement

The terms of the proposed settlement are set forth in the parties’ motion for preliminary approval of class action settlement.  Schnucks denies any wrongdoing as a term of the proposed settlement.  The proposed settlement fund would provide the plaintiffs with the following relief:

  • Fraudulent Charges – up to $10 for each credit or debit card that was compromised and had fraudulent charges posted on it, even if the charges were later reversed.
  • Out-of-Pocket Expenses – unreimbursed out-of-pocket expenses (bank fees, overdraft and late fees), and $10 per hour for up to three hours of time spent dealing with the security breach.  There would be a $175 per person cap on these expenses.
  • There is an aggregate cap of $1.6 million for the above two categories.  If the total claims exceed that amount, customers are guaranteed $5 for each compromised card.
  • Identity Theft – up to $10,000 for each related identity theft loss, with a cap of $300,000 in total.
  • Attorney’s Fees – up to $635,000 for the plaintiffs’ attorney’s fees.
  • Incentive Awards – $500 to each of the nine named plaintiffs in the lawsuit.

It would be interesting to know how many members of the class can actually demonstrate the type of quantifiable and specific damages for which the settlement provides relief.

The Fat Lady Isn’t Singing Just Yet . . .

Before the case can settle, however, the court must first consider a motion to intervene that was filed by an individual pursuing a related federal lawsuit against Schnucks elsewhere.  She argues that there are four pending federal class action lawsuits that arise from the same operative facts as the state court case, and the proposed settlement risks releasing Schnucks from the federal lawsuit.  Ostensibly, the intervening party believes she can obtain greater relief in federal court.

Whether or not the intervening party succeeds, the proposed settlement still has value because it is another example of the types and extent of damages some defendants are willing to agree to in data breach lawsuits.  It is also a glimpse into what the plaintiffs individually are being awarded as damages, and how much their lawyers are being awarded as fees.  But the bigger lessons to be learned from all of this are: (1) there appears to be a standard of “reasonableness” developing in data breach cases that is amorphous and therefore difficult to comply with, and (2) when and how you notify affected individuals can be a source of potential liability in a data breach class action.

A case review is scheduled in this case for December 25, 2013.  Merry Christmas.


How much of a headache can a couple of stolen laptops cause your organization?  How about a $3 million headache??  That is the amount of a settlement proposed in an Unopposed Motion in Support of Preliminary Approval of Class Action Settlement in Resnick/Curry v. AvMed, Inc., No. 1:10-cv-24513-JLK (S.D. Fla.), a data breach lawsuit pending in the Southern District of Florida.

Background

Resnick involved the theft of two unencrypted laptops from a conference room in the defendant’s corporate office.  Unfortunately, the laptops contained personal information of approximately 1.2 million customers/insureds (“the plaintiffs”).  The plaintiffs filed a class action lawsuit claiming that AvMed failed to adequately secure the plaintiffs’ personal information.

The District Court dismissed the lawsuit in July 2011, finding that the plaintiffs had failed to show any cognizable injury.  The 11th Circuit, however, reversed the trial court, holding that the plaintiffs had in fact suffered cognizable injuries.

Of particular note was the portion of the 11th Circuit’s opinion addressing the plaintiffs’ unjust enrichment count.  The plaintiffs had argued that a portion of their insurance premiums was ostensibly for the defendant’s administrative costs in implementing safeguards that protected the plaintiffs’ information.  The plaintiffs contended that, as evident by the stolen unencrypted laptops, a portion of those costs should be returned because their information was ultimately compromised and the defendant had not adopted reasonable security measures to protect their information.  The 11th Circuit agreed, and held that the unjust enrichment count (among other counts) could proceed on remand.

The Settlement Terms

The $3 million settlement fund is to be disbursed as follows:

(1) approved premium overpayment claims — class members can receive up to $10 per year for each year they paid the defendant for insurance before the data breach, subject to a $30 limit.  These are the unjust enrichment damages.

(2) approved identity theft claims — class members who suffered any unreimbursed monetary losses as a result of identity theft related to the breach are eligible to have those amounts reimbursed.

(3) settlement administration expenses — these are the costs for providing notice to the settlement classes and the costs of administering the settlement.  At first blush these may seem small, but remember that there are potentially 1.2 million individuals involved.

(4) class counsel’s attorney’s fees and costs — $750,000 to class counsel (Edelson LLC, one of the few plaintiffs’ firms that has demonstrated a pattern of success in privacy and data security litigation).

(5) plaintiff’s incentive awards — $10,000 to be split evenly amongst the class representatives.

Perhaps the most valuable part of the settlement for those of us who advise clients about privacy and data security legal matters is the portion relating to what the defendant has agreed to do in the future, which reads a little like an FTC consent order:

(1) mandatory security awareness and training programs for all company employees;

(2) mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;

(3) upgrading of all company laptop computers with additional security mechanisms, including GPS tracking technology (this latter part seems a bit much, its usefulness is questionable, and it could lead to other privacy issues related to employee location tracking);

(4) new password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;

(5) physical security upgrades at company facilities and offices to further safeguard workstations from theft; and,

(6) the review and revision of written policies and procedures to enhance information security.

Lessons To Be Learned

Why are the prospective measures so important? They provide a roadmap for what companies should do to minimize the risk of similar litigation. They also make good business sense and are likely compatible with the expectations of a company’s consumers. They are safeguards all companies should consider. Had the two laptops in Resnick been encrypted, one has to wonder whether a lawsuit would have been filed at all.

Another lesson — what are you saying in your consumer-facing policies and notices about the security safeguards your company has adopted to protect consumer information?  Such statements, though useful and sometimes required, could expose your organization to the same unjust enrichment argument that the plaintiffs made in Resnick.

Finally, this is the second data breach lawsuit that has resulted in a substantial settlement for the plaintiffs and both were filed in the Southern District of Florida.  (The other was Burrows v. Purchasing Power, which I blogged about here, and resulted in a settlement of approximately $430,000).  The settlements are in sharp contrast to the vast majority of cases that have been dismissed for lack of standing and damages. It will be interesting to see what impact these recent settlements will have on future data security and privacy litigation.

10/26/13 UPDATE:  The Southern District of Florida wasted no time considering the unopposed motion seeking preliminary approval of the class action settlement.  On October 25th, just four days after the motion was filed, the court granted it and set the Final Approval Hearing for February 28, 2014.


Plaintiffs in data breach lawsuits around the country have had a difficult time surviving motions to dismiss and for summary judgment.  A number of courts have rejected these lawsuits because they failed to allege or demonstrate cognizable injuries, standing, causation, and the requisite elements to withstand an economic loss rule defense.  It is dangerous, however, to paint with an overly broad brush.  Two federal class action data breach lawsuits have now resulted in proposed settlements.  Both of those lawsuits are pending in the Southern District of Florida, raising the question of whether the plaintiffs’ bar will perceive the Southern District of Florida as a plaintiff-friendly jurisdiction for data breach lawsuits, resulting in even more lawsuits being filed there.

In April 2013, the Southern District of Florida preliminarily approved a proposed settlement in Burrows v. Winn Dixie, No. 1:12-CV-22800-UU (S.D. Fla.), a case in which a third-party service provider’s employee allegedly misused his access to personal information of thousands of individuals.  The plaintiffs filed a class action lawsuit and survived a motion to dismiss that argued, among other things, that the plaintiffs lacked a cognizable injury.  I previously wrote about the Burrows litigation here, if you’d like to read more about the underlying arguments.  The settlement fund, attorney’s fees, costs, and an incentive award total approximately $430,000.  A fairness hearing is scheduled next month.

Last week, a joint notice of settlement was filed in a different class action data breach lawsuit that is also pending in the Southern District of Florida.  That case, Resnick/Curry v. AvMed, Inc., No. 1:10-cv-24513-JLK (S.D. Fla.), arose from the theft of two unencrypted laptops containing the personal information of as many as 1.2 million individuals.  The District Court dismissed the lawsuit in July 2011, finding that the plaintiffs had failed to show any cognizable injury, but the 11th Circuit reversed the trial court’s decision.  The joint notice of settlement does not provide the terms of the settlement, though we can expect the court to hold a fairness hearing where the fairness of the terms of settlement will be considered and may become public.

As stated above, these settlements are significant because they are two of the only publicly known settlements in class action lawsuits arising from data breaches, and they both occurred in the same court – the Southern District of Florida.  Given the small number of data breach lawsuits that have proceeded to a public settlement, it will be interesting to see whether more of these lawsuits will be filed in the Southern District of Florida as a result of these recent developments.
