Published by Al Saikali

If you have noticed an increasing number of high-profile problems for healthcare organizations with respect to privacy and security issues these last few weeks, you’re not alone.  The issues have ranged from employee misuse of protected health information, web-based breaches, and photocopier breaches to the theft of computers that compromised millions of records containing unsecured protected health information (PHI).  These issues remind us that healthcare companies face significant risks in collecting, using, storing, and disposing of protected health information.

Pharmacy Hit With $1.4 Million Jury Verdict For Unlawful Disclosure of PHI

An Indiana jury recently awarded more than $1.4 million to an individual whose protected health information was allegedly disclosed unlawfully by a pharmacy.  The pharmacist, who was married to the plaintiff’s ex-boyfriend, allegedly looked up the plaintiff’s prescription history and shared it with the pharmacist’s husband and plaintiff’s ex-boyfriend.  The lawsuit alleged theories of negligent training and negligent supervision.  The pharmacy intends to appeal the judgment.

Health Insurer Fined $1.7 Million For Web-Based Database Breach

Meanwhile, the Department of Health and Human Services (HHS) recently fined a health insurer $1.7 million for engaging in conduct inconsistent with HIPAA’s privacy and security rules following a breach of protected health information belonging to more than 612,000 of its customers. The breach arose from an unsecured web-based database that allowed improper access to protected health information of its customers.

HHS’s investigation determined that the insurer:

(1) did not implement policies and procedures for authorizing access to electronic protected health information (ePHI) maintained in its web-based application database;

(2) did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security Rule;

(3) did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed; and,

(4) impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.

Health Plan Fined $1.2 Million For Photocopier Breach

In another example of privacy and security issues causing legal problems for a healthcare organization, HHS settled with a health plan for $1.2 million in a photocopier breach case.  The health plan was informed by CBS Evening News that CBS had purchased a photocopier previously leased by the health plan.  (Of all the companies to get the photocopier after the health plan, it had to be CBS News).  The copier’s hard drive contained protected health information belonging to approximately 345,000 individuals.  HHS fined the health plan for impermissibly disclosing the PHI of those individuals when it returned the photocopiers to the leasing agents without erasing the data contained on the copier hard drives.  HHS was also concerned that the health plan failed to include the existence of PHI on the photocopier hard drives as part of its analysis of risks and vulnerabilities required by HIPAA’s Security Rule, and it failed to implement policies and procedures when returning the photocopiers to its leasing agents.

I blogged about photocopier data security issues last year, after the Federal Trade Commission issued a guide for businesses on the topic of photocopier data security.  Another resource I recommend to my clients on the topic of media sanitization is a document prepared by the National Institute of Standards and Technology, issued last fall.

Medical Group Breach May Affect Up To Four Million Patients

Lastly, a medical group recently suffered what is believed to be the second-largest loss of unsecured protected health information reported to HHS since mandatory reporting began in September 2009.  The cause?  Four unencrypted desktop computers were stolen from the company’s administrative office.  The computers contained protected health information of more than 4 million patients.  As a result, the medical group is mapping all of its computer and software systems to identify where patient information is stored and ensuring it is secured.  The call center set up to handle inquiries following the notification of the patients is receiving approximately 2,000 calls each day.

The Takeaways

So what are five lessons companies should take away from these developments?

  • Having policies that govern the proper use and disclosure of PHI is a first step, but it is important that companies audit whether their employees are complying with these policies and discipline employees who don’t comply so that a message is sent to everyone in the company that non-compliance will not be tolerated.
  • As technology is upgraded or changed, it is important that companies continue to evaluate any potential new security risks associated with these changes.  An assumption should not be made that simply because the software is an “upgrade” the security risks remain the same.
  • There are hidden risks, such as photocopier hard drives.  Stay apprised of these potential risks, identify and assess them in your risk assessment (required by HIPAA), then implement administrative and technical safeguards to minimize these risks.  With respect to photocopiers, maybe this means ensuring that the hard drives are wiped clean or written over before they are returned to the leasing agent.
  • Encrypt sensitive information at rest and in motion where feasible, and to the extent it isn’t feasible, build in other technical safeguards to protect the information.
  • Train, train, train – having a fully informed legal department and management doesn’t do much good if employees don’t understand these risks and aren’t trained to avoid them. Do your employees know how seemingly simple and uneventful conduct like photocopying a medical record, leaving a laptop unaccompanied, clicking on a link in an email, or doing a favor to a friend who needs PHI about a loved one, can lead to very significant unintended consequences for your company (and, as a result, them)?  Train them in a way that brings these risks to life, update the training and require it annually, and audit that your employees are undertaking the training.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Until recently, individuals whose information was compromised as a result of a company suffering a data breach faced an uphill battle when suing the company in a class action lawsuit.  Far more often than not, Courts dismissed the lawsuits or entered summary judgment in favor of defendants on grounds that the plaintiffs could not establish a cognizable injury, preemption by breach notification statutes, or lack of evidence that the data breach (as opposed to some other act of identity theft) caused the plaintiff’s damages.  I’m still convinced that the pro-defendant environment remains the norm.  Nevertheless, four recent cases are being used to support the argument that the tide may be turning in favor of plaintiffs.

Burrows v. Purchasing Power, 12-cv-22800-UU (S.D. Fla.)

The most recent example is a proposed settlement in a class action lawsuit against Winn-Dixie and one of its service providers arising from a breach of personally identifiable information of Winn-Dixie grocery store employees.  The employees’ personally identifiable information was allegedly compromised when an employee of a company that provided an employee benefit program to Winn-Dixie employees misused his access to the PII and filed fraudulent tax returns with it.

Approximately 43,500 employees filed a class action lawsuit in the Southern District of Florida against Winn-Dixie and its employee benefits service provider.  The lawsuit includes counts of negligence, violation of Florida’s Deceptive and Unfair Trade Practice statute, and invasion of privacy.  Plaintiffs alleged that Defendants failed to adequately protect and secure the plaintiffs’ personally identifiable information, and that the defendants failed to provide the plaintiffs with prompt and sufficient notice of the breach.

The defendants’ attempts to defeat the plaintiffs’ lawsuit on the pleadings failed.  Winn-Dixie was subsequently voluntarily dismissed from the lawsuit and the case proceeded against the service provider, which ultimately entered into a proposed settlement with the plaintiffs, agreeing to pay approximately $430,000 ($225,000 towards a settlement fund, $200,000 in attorney’s fees and costs, and a $3,500 incentive award to the named plaintiff).  The settlement states that it was entered into “for the purpose of avoiding the burden, expense, risk, and uncertainty of continuing to litigate the Action, . . . and without any admission of any liability or wrongdoing whatsoever.”

The settlement requires the service provider to maintain rigorous security safeguards to minimize the risk of a similar incident in the future.  The settlement fund will be divided into four groups:  (1) a tax refund fraud fund (class members who show they were victims of tax refund fraud can be compensated for a portion of lost interest); (2) a tax preparer loss fund (class members can be compensated for fees paid to tax preparers for notifying the IRS of a tax fraud claim or assisting in resolving issues arising from the tax refund fraud, not to exceed $100); (3) a credit card fraud fund (class members who show they were victims of identity theft other than tax refund fraud that resulted in fraudulent credit card charges that the credit card company did not waive, up to $500); and, (4) a credit monitoring fund (class members who receive compensation in any of the previous three groups may receive credit monitoring services for one year).  To “prove” they were victims of fraud, plaintiffs must prepare a statement under penalty of perjury regarding the facts and circumstances of their stolen identity.

The settlement was preliminarily approved by the court on April 12, 2013, and a fairness hearing is scheduled for October 4, 2013.  The amount of money being paid to plaintiffs and their lawyers in this case should give corporate counsel monitoring these lawsuits pause for concern.  The District Court’s order allowing the case to proceed beyond the pleadings phase will likely be used as an instruction manual for plaintiffs in future data breach cases.

Resnick v. AvMed, Inc., 1:10-cv-24513-JLK (S.D. Fla.)

I previously blogged about the Eleventh U.S. Circuit Court of Appeals’ opinion that allowed a data breach class action to proceed where the plaintiffs claimed they were victims of identity theft arising from the theft of a laptop computer containing their personal information.  I encourage corporate counsel to read that post to learn more about the factors the Eleventh Circuit looked to in allowing that case to proceed beyond the pleadings phase.  That lawsuit remains pending in the U.S. District Court for the Southern District of Florida.

Harris v. comScore, Inc., No. 11-C-5807 (N.D. Ill. Apr. 2, 2013)

Another recent legal development considered by many to be favorable to plaintiffs was a decision by the U.S. District Court for the Northern District of Illinois certifying a class of possibly more than one million people who claim that the online data research company comScore, Inc. collected personal information from the individuals’ computers and sold it to media outlets without consent.  Although the lawsuit did not arise from a data breach, some of the arguments regarding lack of injury and whether class certification is appropriate are the same.  The plaintiffs allege violations of several federal statutes, including the Electronic Communications Privacy Act and the Stored Communications Act.  The court rejected comScore’s arguments challenging class certification, including its argument that the issue of whether each plaintiff suffered damages from comScore’s actions precludes certification.  The lawsuit remains pending.

Tyler v. Michaels Stores Inc., SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013)

The Massachusetts Supreme Judicial Court broadened the definition of the term “personal information” to include ZIP codes.  The court held that because retailers can use ZIP codes to find other personal information, retailers were prohibited by Massachusetts law (the Song-Beverly Credit Card Act) from collecting ZIP codes.  The court also ruled that the plaintiffs did not have to prove identity theft to recover under the statute.  They could instead rely on the fact that they received unwanted marketing materials and that their data was sold to a third party.  The fact that plaintiffs can proceed with their lawsuit without having to show that their information was actually compromised will undoubtedly be used by plaintiffs in data breach litigation to argue that the threshold for injury in such cases is lower than in other cases.

What’s the Takeaway?

What should corporate counsel take from these cases? It is still too early to tell if these cases are outliers or if they mark a new trend in favor of plaintiffs in privacy and data breach cases that will embolden the plaintiffs’ bar.  The most important takeaway for corporate counsel at this stage is that they must, at a minimum, monitor the litigation risks associated with data breaches and other privacy violations so they can advise their companies about these risks, which can in turn consider these risks when building security and privacy into various products and services.

The following Data Security Law Journal post was authored by Becky Schwartz, my law partner at Shook Hardy & Bacon.  Becky is an experienced class action litigator who has developed a specialty in privacy litigation.  In this post, Becky discusses a recent U.S. Supreme Court decision that may make it more difficult for consumers to sue companies that suffer data breaches.  Special thanks to Becky for writing about this recent development in the law:

On February 26, 2013, the United States Supreme Court in Clapper v. Amnesty International confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation.  The decision effectively resolves a circuit split over the application of the Article III standing requirement in data breach cases.  Plaintiffs must show that the threatened harm that establishes their standing to sue is “certainly impending,” not merely “possible.”  Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.

The Decision

Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. §1881a.  FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (“FISC”).  Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and to obtain a prospective injunction against the surveillance on the grounds that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely targets of the federal government.

Under the well-established Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of.  The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing.  The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.

In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing.  First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under §1881a at some point in the future, thus satisfying the imminent injury requirement.  Second, they claimed that in order to avoid having their confidential communications compromised by surveillance that might occur under §1881a, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person, in order to avoid that surveillance.

The Supreme Court rejected both arguments.  First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.”  It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party (in that case FISC) – actions that could not be predicted.  The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”

Plaintiffs’ second argument was equally ill-fated.  The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.”  Were it to do so, it noted, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

Justice Alito wrote for the majority in this 5-4 decision.

Key Takeaways

Notwithstanding its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs purport to have standing based solely on an increased risk of future harm.

Companies facing data breach litigation can and should consider moving to dismiss the complaint on the grounds that plaintiffs lack Article III standing, and may rely on Clapper to argue that:

  • The mere possibility that a third party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
  • The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a security breach;
  • Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali or Rebecca Schwartz and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Rebecca Schwartz, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Are you a victim of identity theft when your personally identifiable information is stolen?  Is the theft alone, and the risk that your information may be misused, sufficient?  Does your information have to be misused in some fraudulent manner before you can be considered a victim?

A federal appellate court recently weighed in on these issues and decided that the theft of personally identifiable information, and even the sale of personally identifiable information, are not enough for someone to be considered a “victim” under criminal sentencing guidelines.

In U.S. v. Hall, No. 11-14698 (11th Cir. Jan. 16, 2013), the United States Court of Appeals for the Eleventh Circuit addressed the issue of what it means to be an identity theft victim.  The criminal defendant in Hall was an office assistant at a gynecological and obstetric health care office.  As part of her job, she was authorized to access patient files and copy patient information to fulfill her job duties.  Sensitive information in the files included patient names, dates of birth, social security numbers, and medical information.  The defendant provided this information via text messages to unauthorized individuals who in turn provided the information to organizers of the criminal scheme.  The defendant was promised $200 for each individual’s information or $1,000 if the information was successfully used to create a fraudulent account.  In total, the defendant received only $200, but she provided information about 65 to 141 individuals.  The defendant pled guilty to conspiracy to commit bank fraud, conspiracy to commit identity theft and access device fraud, and wrongfully obtaining and transferring individually identifiable health information for personal gain.

At sentencing, the District Court increased the defendant’s sentence because it found that the offense involved more than 50 victims.  The court rejected the defendant’s argument that the mere transfer or sale of the identifying information did not equate to the actual “use” of the information, so there were only 12 victims.

On appeal, the Eleventh Circuit reversed the District Court and held that while the 12 individuals whose information was used to obtain fraudulent credit cards are victims, the remaining individuals whose information was merely transferred or sold but not actually used for fraudulent purposes were not victims.  The court recognized a “paucity of helpful case law” on the issue.  Nevertheless, the court interpreted the term “use” to require the type of “action and implementation” that did not occur in this case.  Here, the mere sale of the information to the co-conspirators did not implement the purpose of the conspiracy (to obtain cash advances and purchase items by using fraudulent credit cards).  Accordingly, the court ruled that “[t]he personal identifying information was not used, as that term is ordinarily understood, until [the defendant’s] co-conspirators secured the fraudulent credit cards.  At that point, the 12 individuals whose personal information was compromised became victims.”  The sentence imposed by the District Court was therefore reversed.

What Are The Takeaways?

A few important takeaways should be drawn from this decision:

  • The underlying facts are a reminder that employee misconduct continues to be a significant point of exposure for companies that maintain sensitive information.  The sale of personally identifiable information on the black market can be a lucrative incentive for some employees to misuse their access to sensitive information.  Shore up your administrative and technical safeguards!
  • The decision may be used to support the proposition that, at least within the Eleventh Circuit, the mere access, acquisition, transfer, or sale of your personally identifiable information does not make you an identity theft victim.  It is the use of the information for fraudulent purposes that makes you an identity theft victim.  Keep in mind, however, this interpretation is for the sole purpose of defining the term “identity theft victim” for sentencing guideline purposes.
  • Finally, it will be interesting to see what impact, if any, the Eleventh Circuit’s definition of identity theft victim has on the issue of what constitutes cognizable harm for civil litigation purposes.  (The Eleventh Circuit recently allowed this data breach class action to proceed.)

It is sometimes easy to forget with the increasing mobility of electronic information and our ability to “work from anywhere” that behind our office laptop, desktop, or tablet computing device is a network of servers that may be located anywhere in the world.  When we hit “send”, “save”, or “open”, we use the network to transmit, store, or obtain information that may be located outside our office building.  A recent U.S. Second Circuit Court of Appeals decision reminds us why it is a good idea for companies and their employees to know where and how data is stored.

In MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir. Dec. 26, 2012), the Second Circuit held that a Connecticut court can exercise jurisdiction over a defendant who, while domiciled in another country, allegedly accessed a computer server located in Connecticut to obtain confidential information belonging to her employer.

The plaintiff in MacDermid, Inc., a Connecticut-based company, sued the defendant, a former employee living and working in Canada, because the defendant allegedly forwarded confidential and proprietary company information to her personal email account from her work email account after she became aware of her impending termination from the company.  The U.S. District Court for the District of Connecticut dismissed the lawsuit, ruling that it lacked personal jurisdiction over the defendant.  The Second Circuit reversed.

In reversing the District Court, the Second Circuit applied a two-step analysis:  (1) did Connecticut’s long-arm statute provide jurisdiction over the defendant and, if so, (2) would such jurisdiction meet due process requirements of the Fourteenth Amendment.  Both questions would have to be answered affirmatively for the Connecticut court to exercise personal jurisdiction over the defendant.

Long-Arm Jurisdiction

Connecticut’s long-arm statute states that a “court may exercise personal jurisdiction over any nonresident individual . . . who in person or through an agent . . . uses a computer . . . or a computer network . . . located within [Connecticut].”  The long-arm statute adopts the definitions of a “computer” and a “computer network” set forth in the state’s computer crimes statute:

“Computer” means an electronic, magnetic or optical device or group of devices that, pursuant to a computer program, human instruction or permanent instructions contained in the device or group of devices, can automatically perform computer operations with or on computer data and can communicate the results to another computer or to a person.  “Computer” includes any connected or directly related device, equipment or facility that enables the computer to store, retrieve or communicate computer programs, computer data or the results of computer operations to or from a person, another computer or another device. . . . “Computer network” means a set of related, remotely connected devices and any communications facilities including more than one computer with the capability to transmit data among them through the communications facilities.

The District Court reasoned that the defendant had not used a Connecticut computer or computer network but had simply sent email from one computer in Canada (her work computer) to another computer in Canada (her personal computer).  The Second Circuit rejected this analysis, pointing to the fact that to use her work email and access work data, the defendant accessed computer servers located in the plaintiff’s Connecticut offices.

The court held that a “computer server” meets the Connecticut long-arm statute’s definition of a computer because it is:

An electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.

In short, the court noted, “[i]t is not material that [the defendant] was outside of Connecticut when she accessed the [Connecticut] servers.  The statute requires only that the computer or network, not the user, be located in Connecticut.  The statute reaches persons outside the state who remotely access computers within the state.”

Due Process

Having concluded that jurisdiction over the defendant existed under the Connecticut long-arm statute, the court next turned to the second step in the analysis:  whether such jurisdiction meets the due process requirements of the Fourteenth Amendment.  To make this determination, the court had to decide that:  (1) there were minimum contacts between the defendant and Connecticut, and (2) the exercise of personal jurisdiction over the defendant was reasonable.

In determining whether minimum contacts existed between the defendant and Connecticut, the court looked to whether the defendant purposefully availed herself of the privilege of conducting activities within Connecticut, thus invoking the benefits and protections of its laws.  The court held that the defendant did purposefully avail herself because she:

was aware of the centralization and housing of the [plaintiff’s] email system and the storage of confidential, proprietary information and trade secrets in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. . . . [The plaintiff alleged that the defendant] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.  She used those servers to send an email which itself constituted the alleged tort.  And . . . she directed her allegedly tortious conduct towards [the plaintiff], a Connecticut corporation.

Next, the court determined that personal jurisdiction was reasonable, relying on factors such as the lack of burden on the defendant, the interests of Connecticut, and the plaintiff’s interest in obtaining relief.  The court held that although the defendant would have to travel to Connecticut to defend the lawsuit, that burden alone did not render the exercise of personal jurisdiction unreasonable.  The court also pointed to the fact that the plaintiff is based in Connecticut, the majority of corporate witnesses are located in Connecticut, and Connecticut has an interest in the proper interpretation of its laws.  The court ended its analysis by noting that “efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.”

Let’s Keep This Decision In Context . . .

Some may argue that the Second Circuit’s opinion will pave the way for plaintiffs to obtain personal jurisdiction over foreign defendants in cases involving electronic information, but it is important to keep this decision in context with the facts that may distinguish it from other situations.

For example, Connecticut’s long-arm jurisdiction statute explicitly provides for jurisdiction based on the use of a computer or computer network in Connecticut.  Not all states provide such long-arm jurisdiction or specific definitions of computers and computer networks.

Also, the court noted that the defendant purposefully availed herself of the privilege of conducting activities in Connecticut in part because she was informed ahead of time that her company’s email system and the storage of confidential information were in Connecticut.  If the defendant had not previously been informed of the location of those company servers, it is quite possible (perhaps even likely) that the outcome would have been different.

Finally, it is not clear from the facts presented in the opinion whether servers existed in states other than Connecticut.  If a company has servers in multiple jurisdictions and employees are not informed about the location of data/systems they might access (email, document management, etc.), the plaintiff will have a more difficult time persuading a court that the defendant purposefully availed herself of the privilege of conducting activities in that forum.

Despite these cautionary notes, the opinion is still an example of a U.S. court’s impressive jurisdictional reach where the underlying controversy involves electronic information.  The fact that a person and her computing device may be located in one jurisdiction does not mean that she is not subject to jurisdiction in another state (or country).  The court’s opinion reminds us that a computer is like the tip of an iceberg—beneath the surface is a much larger support system that facilitates the storage, transmission, and monitoring of an entire network of computers and electronic information.

The Takeaway

There are several important points that underlie this opinion, but if I were corporate counsel reading this opinion, one practical “next step” I might want to take is to ensure that my employees are informed (in writing) about the location of the company’s electronic information and computer servers, assuming that the information is stored in a jurisdiction where I may want to file a lawsuit to protect the company’s confidential and proprietary information in the future.  Another “next step” might also include researching the long arm jurisdiction statute where my company might want to invoke personal jurisdiction at some point in the future to see whether and under what circumstances they include the use of a computer or computer network.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Late last week, another Federal District Court (the Southern District of Florida) weighed in on the circumstances under which a plaintiff may sue a breached entity civilly for damages when the plaintiff’s personally identifiable information (PII) is inappropriately accessed or acquired.  The Court allowed the case to proceed with counts for violation of Florida’s Unfair and Deceptive Trade Practices Act and negligence (assuming Plaintiff can clarify the damages he is seeking).

In Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), the court denied a motion to dismiss a class action lawsuit arising from a data breach.  According to the allegations of the lawsuit, Defendant Winn-Dixie allegedly shared Plaintiff’s PII (without his consent) with Defendant Purchasing Power, to help Purchasing Power implement a program that allowed Winn-Dixie’s employees to purchase merchandise via automatic payroll deductions.  In January 2012, Winn-Dixie notified Plaintiff that a Purchasing Power employee inappropriately accessed Winn-Dixie employees’ PII.  Plaintiff alleges that Winn-Dixie and Purchasing Power knew of this access three months earlier.  Plaintiff claims that his PII was used to file a fraudulent federal income tax return on his behalf, causing him to incur credit monitoring costs to protect against identity theft and continued exposure to damages from people stealing his identity because his PII has been accessed.

Defendants moved to dismiss the lawsuit on several grounds, which are discussed in turn below:

I. Standing

The Court held that Plaintiff had standing to proceed.  Defendants argued that Plaintiff lacked standing because he has not suffered an injury in fact and because his injury is not “fairly traceable” to Defendants.  The Court rejected this argument, citing to the Eleventh U.S. Circuit Court’s recent decision in Resnick v. AvMed as support for the proposition that the alleged misuse of an individual’s PII amounts to an injury in fact.  The Southern District Court determined that Plaintiff suffered a monetary loss when he failed to obtain his tax refund due to fraud.  Defendants argued that Plaintiff’s injury was speculative because Plaintiff has not yet even challenged the denial of his tax refund with the IRS.  The Court rejected the argument, ruling that the allegation of actual identity theft alone gave Plaintiff standing independent of any economic damages he claimed to have suffered.  The Court also ruled that Plaintiff’s injury was “fairly traceable” to Defendants’ actions, in part relying on the allegation that Plaintiff’s PII was used within months of the breach.

II. Negligence (Count I)

The Court dismissed Plaintiff’s negligence count without prejudice, ostensibly to clarify some of the damages Plaintiff is seeking.  Plaintiff alleged that Defendants were negligent in storing his personal data, causing him to suffer monetary loss for the use of his PII and identity theft, loss of privacy, lost monetary value of his PII, and out-of-pocket expenses.  The Court held that Plaintiff “sufficiently alleged facts to support his claims for damages resulting from the monetary loss from the use of this PII and identity theft.”  The Court did not, however, allow Plaintiff to recover damages for the “monetary value of his PII” (perhaps in contrast to the RockYou decision, the Court held that “[p]ersonal data does not have an apparent monetary value that fluctuates like the price of goods or services”).  The Court also required Plaintiff to clarify what “other economic damages” he suffered.  Finally, the Court rejected Plaintiff’s damages for loss of privacy because invasion of privacy is an intentional tort that cannot be pleaded as part of a negligence claim.

III. Violation of the Federal Stored Communications Act (FSCA) (Count II)

The Court dismissed the FSCA count with prejudice.  Plaintiff claimed that Defendants violated the FSCA, which makes it unlawful for an entity providing an electronic communications service or a remote computing service to the public to knowingly divulge to any person or entity the contents of any communication that is carried or maintained on that service.  Defendants argued successfully that the count should be dismissed because they do not provide an electronic communications service or a remote computing service.

IV. Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) (Count III)

The Court denied Defendants’ motion to dismiss Plaintiff’s FDUTPA claim.  Plaintiff alleged that Defendants violated FDUTPA by:  (1) failing to properly implement adequate, commercially reasonable security measures to protect Plaintiff’s PII; (2) failing to immediately notify Plaintiff of the nature and extent of the data breach; and (3) representing their services to be of a particular standard and quality which they failed to adhere to.

The Court held that Defendants’ alleged failure to adequately secure his PII was an unfair practice under FDUTPA because Winn-Dixie allegedly transferred to Purchasing Power the personal data of Winn-Dixie’s employees regardless of whether those employees had participated in the Purchasing Power program.

On Plaintiff’s second theory—Defendants’ alleged failure to immediately notify Plaintiff of the breach—the Court again agreed with Plaintiff that this was unfair.  The Court stated that by not “immediately” notifying Plaintiff that his PII had been compromised, Defendants did not afford Plaintiff the chance to take remedial measures such as credit monitoring or filing his federal tax return earlier.  As I read this portion of the opinion, I question whether the Court’s use of the term “immediately” unintentionally creates an obligation to notify affected individuals of a breach sooner than the “without unreasonable delay” standard currently set forth in section 817.5681(1)(a), Florida Statutes (2012) (Florida’s data breach notification law).

The Court did not appear to address Plaintiff’s third theory of FDUTPA violation—Defendants’ representation that their services were of a particular standard and quality that they failed to meet.

V. Invasion of Right to Privacy (Count IV)

The Court dismissed Plaintiff’s count for invasion of right to privacy.  Plaintiff had relied on Florida’s constitutional right to privacy, which the Court dismissed with prejudice as Defendants were not acting on behalf of the government.  Plaintiff also relied on the common law right to privacy, which the Court also dismissed (though without prejudice) because any release of Plaintiff’s PII was not intentional.

Plaintiff must file an Amended Complaint no later than October 26th.


Last week, the United States Court of Appeals for the Eleventh Circuit decided Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sep. 5, 2012).  The Court’s opinion addresses some important issues regarding an individual’s right to bring a private lawsuit when her personally identifiable information or protected health information is compromised.  In its decision, the Court reversed the dismissal of all but two counts in a class action lawsuit that arose from a data breach suffered by an integrated managed care organization.

Background

AvMed, Inc., an integrated managed care organization, was the victim of a theft.  Two of AvMed’s unencrypted laptops containing PHI and PII for approximately 1.2 million current and former AvMed members (Plaintiffs) were stolen.  Plaintiffs alleged that an unknown third party used their information for fraudulent purposes 10 to 14 months after the theft.

The operative complaint alleged the following causes of action:  negligence, breach of implied and express contracts, unjust enrichment, negligence per se, breach of fiduciary duty, and breach of implied covenant of good faith and fair dealing.

The Southern District of Florida dismissed the lawsuit, in part because the complaint failed to allege cognizable injury.  The Eleventh Circuit has now reversed the trial court’s dismissal on all but two counts, holding that Plaintiffs had standing, alleged a cognizable injury, and adequately alleged causation.

Standing

The Court first addressed the issue of whether Plaintiffs had standing.  The Court held that Plaintiffs alleged all three elements necessary to meet the standing requirement:

  • Plaintiffs suffered an injury in fact – they were victims of identity theft and suffered monetary damages
  • Plaintiffs’ injuries were “fairly traceable to AvMed’s actions” – Plaintiffs had personal habits of securing their sensitive information yet became the victims of identity theft after the laptops containing their PHI were stolen
  • A favorable resolution of the case in Plaintiffs’ favor could redress their injuries – compensatory damages would redress their injuries.

Cognizable Injury

The Court next dealt with the issue of whether Plaintiffs suffered a cognizable injury. Plaintiffs alleged the following damages: money spent placing alerts with various credit reporting companies, money spent contesting fraudulent charges, money spent purchasing credit monitoring services, lost wages for missing work while filling out police reports, travel related costs, cell phone minutes, postage, and overdrawn amounts in their bank accounts.  The Court held that Plaintiffs’ allegations of monetary loss and financial injury were cognizable injuries under Florida law, though the Court did not address the validity of each one of these damages elements separately.

Causation

The Court then addressed causation – whether Plaintiffs had alleged sufficient facts showing that the theft of the AvMed computers caused Plaintiffs’ injuries.  The Court held that Plaintiffs’ allegations were sufficient to show that causation was “plausible”.  Specifically, the Court relied on three allegations:  (1) before the breach, Plaintiffs never had their identities stolen or sensitive information compromised; (2) before the breach, Plaintiffs took substantial precautions to protect themselves from identity theft; and, (3) Plaintiffs became the victims of identity theft for the first time in their lives 10 to 14 months after the laptops containing the PHI were stolen.

A key fact for the Eleventh Circuit was that the sensitive information on the stolen laptops was the same sensitive information used to steal Plaintiffs’ identity.

With respect to unjust enrichment (the one count that did not require causation), Plaintiffs alleged that a portion of Plaintiffs’ monthly premiums went towards AvMed’s data security administrative costs, and AvMed should not be permitted to retain that money because AvMed failed to implement proper security measures.  The Court allowed this count to proceed.

The Dismissed Counts

The Eleventh Circuit did, however, affirm the dismissal of Plaintiffs’ negligence per se and breach of covenant of good faith and fair dealing counts.  The negligence per se count was based on an allegation that AvMed violated Section 395.3025, Florida Statutes, by disclosing Plaintiffs’ health information without authorization.  The Court held that because AvMed is a managed-care organization and not a hospital, ambulatory surgical center, or mobile surgical facility, it was not subject to the statute.  The Court dismissed the breach of covenant of good faith and fair dealing count because any failure by AvMed to secure Plaintiffs’ data did not result from a “conscious and deliberate act” on AvMed’s part.

The Dissent

The opinion included a vigorous dissent that argued Plaintiffs had failed to allege a plausible basis for finding that AvMed caused Plaintiffs to suffer identity theft.  The dissenting judge observed that an obvious alternative explanation for the identity fraud existed – an unscrupulous third party that possessed the Plaintiffs’ sensitive information might have sold it to identity thieves who opened the fraudulent accounts, or a careless third party might have lost the information that then found its way into the hands of those thieves.

What Are The Takeaways?

First, it is important to note that as of the date of this alert, the opinion is not yet final.  That said, the opinion in its current form could lead to a dramatic uptick in data security litigation within the Eleventh Circuit, as plaintiffs will likely use the opinion to argue that the bar for causation in such cases is low and cognizable damages can be extensive (and arguably speculative).

Companies maintaining personally identifiable information and protected health information about residents in the Southeast United States would be well served to ensure that they are taking proactive steps to implement reasonable data security measures in an effort to avoid a data breach.  In this instance, for example, encryption of the subject laptops might have prevented the subject lawsuits.


Another court has weighed in on the issue of what constitutes a cognizable injury in a data breach case. In a lengthy opinion, the U.S. District Court for the Western District of Kentucky in Holmes v. Countrywide Financial Corp. dismissed a lawsuit against Countrywide by plaintiffs who claimed that their personal information had been compromised as a result of the criminal activity of a Countrywide employee. The court ruled that although Plaintiffs had standing, they did not suffer a cognizable injury, and they could not prove the elements of the causes of action pled in their complaint. The opinion is significant for at least two reasons: (1) it lends further support for the position that plaintiffs in data breach cases must show actual, measurable, direct harm to recover, and (2) the degree of analysis and the amount of authority cited by the court could make this a frequently cited opinion in the future.

Background

In 2008, the FBI discovered that a Countrywide employee had stolen sensitive personal and financial information from millions of Countrywide’s customers. The employee then sold that data to a third party, but there was little evidence that the information was actually misused. Countrywide notified the affected individuals and offered two years of free credit monitoring. The lawsuit was filed by two sets of plaintiffs – the first set (the Holmes) purchased credit monitoring services because someone had unsuccessfully sought credit under their names; the second set (the Stiers) spent money to cancel their telephone service as a result of increased solicitations and time spent researching the hazards of identity theft. Neither set suffered actual monetary damages from fraud or identity theft.

Standing

The court first addressed the issue of whether Plaintiffs had standing to sue Countrywide. The court noted that while several other courts have held that plaintiffs who have only suffered an increased risk of identity theft do not have standing, the Sixth Circuit’s opinion in Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008), compelled the court to conclude that an increased risk of identity theft and credit monitoring satisfied the requisite injury necessary for standing.

Injury

Just because Plaintiffs had standing, however, did not mean that they suffered recompensable injuries. The court concluded that Plaintiffs’ injuries as alleged were not cognizable or recompensable.

First, the court rejected Plaintiffs’ argument that the risk of future identity theft was a cognizable injury. It concluded that such damages were too speculative and might never materialize. The court stated that no lawsuit based on risk of future identity theft has ever proceeded past a motion to dismiss.

The court next considered whether Plaintiffs could recover for credit monitoring services. Plaintiffs attempted to analogize credit monitoring to medical monitoring in a personal injury case where a plaintiff is exposed to a substance that causes no harm at the time but creates an increased risk of future physical harm. The court rejected these damages, too. It first cited a number of cases where expenses for credit monitoring were not considered a cognizable injury. With respect to the medical monitoring analogy, the court cited Kentucky law requiring a plaintiff seeking damages for medical monitoring to have also suffered a present injury. The court rejected Plaintiffs' argument that the fact someone had attempted unsuccessfully to obtain credit using their personal information meant they were at risk for identity theft. The court also rejected Plaintiffs’ reliance on Anderson, which allowed the plaintiffs in a data breach case to recover for the mitigation expenses of card replacement and credit monitoring services because they had suffered “financial injuries that exhibited actual misuse and identity theft.” Here, Plaintiffs suffered no unauthorized charges and there were no attempts to take funds. In other words, according to the court, “the victims in Anderson were faced with a much graver threat to their personal information and resources.” Accordingly, credit monitoring expenses were not compensable injuries.

Next, the court considered whether telephone cancellation fees incurred to avoid the bombardment of telemarketers constituted a cognizable injury. The court rejected these damages, relying on cases where the courts held that no cognizable injury occurred where the only harm is an increase in junk mail and unwanted telephonic/electronic correspondences.

Finally, the court considered whether time spent by Plaintiffs monitoring their credit was a compensable injury. In rejecting those damages, the court relied on decisions in other jurisdictions that refused to recognize such damages as recompensable.

Causes of Action

After rejecting all of Plaintiffs' damages, the court nevertheless proceeded to address whether Plaintiffs' causes of action were applicable theories of recovery in a data breach case such as this one.

Plaintiffs sued Countrywide for unjust enrichment, arguing that Countrywide collected application and processing fees relating to applications for mortgages, as well as fees for credit monitoring services being offered by Countrywide and its subsidiary. The court dismissed this cause of action because an explicit contract existed between the parties, requiring Plaintiffs to make monthly mortgage payments and obligating Countrywide to protect Plaintiffs’ personal information.

Plaintiffs also sued Countrywide for common law fraud, contending that Countrywide made material misrepresentations about the storage of their personal information and the severity of the breach. The court dismissed this count because the only financial damages suffered “were self inflicted.”

Plaintiffs sued Countrywide for breach of contract, covenant of good faith, and covenant of fair dealing. They alleged that Countrywide agreed, but failed, to safeguard their personal information. The court dismissed these counts based on the fact that each cause of action required a cognizable injury as an element, which Plaintiffs had not pled.

Plaintiffs also included a count for “state security notification” (the data breach notification laws of New Jersey, where some of Plaintiffs resided). They claimed that Countrywide failed to abide by the data breach notification requirements set forth under New Jersey law. The court dismissed this cause of action on the ground that, under the court’s interpretation, the statute did not create a private right of action and Plaintiffs had not provided precedent proving otherwise.

Next, Plaintiffs' operative complaint included counts for violation of state consumer fraud laws (deceptive business practices). The court dismissed those counts on the ground that Plaintiffs had not shown that they suffered an ascertainable loss.

Plaintiffs also alleged that Countrywide violated the Fair Credit Reporting Act; namely, that Countrywide is a “consumer credit reporting agency” under the FCRA, that it failed to maintain reasonable procedures to “furnish” consumer reports, and that consumer reports were released in violation of the statute’s provisions. The court dismissed this cause of action on the ground that Countrywide did not “furnish” any consumer reports to a third party in violation of the statute. The court relied on Plaintiffs’ allegation that Countrywide’s employee (“a ne’er-do-well who independently stole Countrywide’s customer information and engaged in a scheme to sell it to his criminal associates”) transmitted Plaintiffs’ information to a third party without Countrywide’s permission.

Finally, Plaintiffs’ operative complaint included a claim for civil conspiracy. The court dismissed that count because Plaintiffs failed to establish an injury.

Conclusion

The Holmes opinion is another example of a court that is skeptical of a plaintiff’s ability to recover from a defendant who suffers a data breach that potentially exposes the plaintiff’s personal information to a third party. Courts like the one in Holmes are requiring actual, measurable monetary damages as a result of the data breach for a plaintiff to proceed with a lawsuit; a risk of harm is not enough. Even if a plaintiff can show that her personal information was misused, without evidence that the misuse resulted in fraudulent charges or other similar loss, the plaintiff would ostensibly have no cause of action under Holmes. The opinion is also of interest for the level of supportive authority it cites, demonstrating that data security law is quickly maturing and the issues arising in those cases are being addressed and written about all over the country.


Following my post on the subject last week, I had the chance to speak with Colin O’Keefe of LXBN regarding the class action suit filed against LinkedIn following their recent high-profile data breach. In the brief interview, I explain the background of the case, what damages the plaintiffs are alleging and why it’s too early to tell which way the case is going to go.

Well THAT didn’t take long!  Less than 10 days after LinkedIn announced that it suffered a data breach of approximately 6.5 million user passwords, a class action lawsuit was filed against it in California federal court seeking in excess of $5 million.  The lawsuit alleges that, contrary to its Privacy Policy, LinkedIn failed to comply with long-standing industry standard encryption protocols, thereby jeopardizing its users’ personal information.  Specifically, the plaintiffs contend that LinkedIn failed to “salt” its users’ passwords and store them in hashed format.  Salting is the process of adding random values to a password before it is stored.  Hashing is a format in which at least a portion of the password is made unreadable and encrypted.  The plaintiffs also claim that LinkedIn should have stored the passwords on a separate, secure server, apart from all other user information.
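To make the salting allegation concrete, here is an added example (my own illustration, not code from the complaint, from LinkedIn, or from this blog) showing why a per-user random salt matters. Strictly speaking, a password hash is a one-way digest rather than encryption: the site never needs the password back, only the ability to recompute the digest at login. Without a salt, every account that chose the same password stores the same digest, so a single precomputed table or one cracked entry exposes all of them; with a salt, identical passwords produce unrelated stored values. The record layout, the iteration count and the sample passwords below are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor for PBKDF2; a constructed value for this example, not a figure
# taken from the lawsuit or from LinkedIn.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain digest with no per-user salt.

    Every account sharing a password stores the same digest, so one
    precomputed table, or one cracked entry, exposes all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a fresh random salt next to a slow, salted digest.

    Record layout (constructed for this example): algo$iterations$salt$digest.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        computed = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or bad int
    return hmac.compare_digest(computed.hex(), digest_hex)


def distinct_stored_values(passwords: List[str], salted: bool) -> int:
    """Count the different values that end up in the credential table.

    With salting this equals the number of accounts even when users share a
    password; without it, shared passwords collapse to one digest.
    """
    if salted:
        stored = {make_salted_record(p) for p in passwords}
    else:
        stored = {unsalted_hash(p) for p in passwords}
    return len(stored)


if __name__ == "__main__":
    # Constructed sample: three accounts, two of which chose the same password.
    sample = ["hunter2", "hunter2", "correct horse battery staple"]
    print("unsalted distinct digests:", distinct_stored_values(sample, salted=False))
    print("salted distinct records:  ", distinct_stored_values(sample, salted=True))
    rec = make_salted_record("hunter2")
    print("verify correct password:", verify_salted_record("hunter2", rec))
    print("verify wrong password:  ", verify_salted_record("hunter3", rec))
```

The salt is not secret and is stored in the clear beside the digest; its job is only to make each stored value unique, which is why the complaint's distinction between "hashed" and "salted and hashed" is meaningful. The slow PBKDF2 function is an additional measure beyond what the complaint describes: it raises the cost of each guess, which plain SHA-256 does not.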

Who are the plaintiffs?  The plaintiffs are two classes – (1) all individuals and entities in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) everyone in the previous class who paid a monthly fee for an upgraded account.

What is the essence of the plaintiffs’ allegations?  The plaintiffs claim that LinkedIn’s data breach was a result of an “SQL injection”, a hacking technique that makes use of a web form to exploit a vulnerability in the LinkedIn website software.  The plaintiffs imply that it would have been easy for LinkedIn to adopt security measures that would have avoided SQL injection vulnerabilities.  Perhaps hoping that their class action complaint will gain the attention of the FTC, the plaintiffs draw a comparison to an FTC action against a different company for claiming to secure customer data while remaining vulnerable to SQL injection attacks.
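The complaint's point that SQL injection is easy to avoid rests on a single engineering choice: whether a web-form value is pasted into the text of a query or passed to the database as a bound parameter. The following is an added example (mine, not code from the complaint or from LinkedIn) showing the two forms side by side over a constructed in-memory SQLite table; the table, the sample accounts and the function names are all assumptions made for the illustration.

```python
import sqlite3
from typing import List, Tuple


def build_sample_db() -> sqlite3.Connection:
    """In-memory table holding constructed sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, premium INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (email, premium) VALUES (?, ?)",
        [("alice@example.com", 1), ("bob@example.com", 0), ("carol@example.com", 0)],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    """Vulnerable form: the form field is spliced into the SQL text.

    Whatever the field contains becomes part of the statement's grammar, so a
    value containing a quote changes the WHERE clause itself.
    """
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    """Hardened form: the value travels as a bound parameter.

    The statement's structure is fixed before the input is supplied, so the
    input is only ever compared as data and never parsed as SQL.
    """
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare_lookups(email: str) -> Tuple[int, int]:
    """Row counts returned by each form for the same web-form input.

    Returns -1 for the concatenated form when the spliced input produces
    malformed SQL, which is the other visible symptom of the same defect.
    """
    conn = build_sample_db()
    try:
        try:
            vulnerable = len(find_user_concatenated(conn, email))
        except sqlite3.Error:
            vulnerable = -1
        safe = len(find_user_parameterized(conn, email))
    finally:
        conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    print("ordinary input:     ", compare_lookups("bob@example.com"))
    # A legitimate address containing an apostrophe breaks the concatenated
    # query outright; the bound parameter simply finds no match.
    print("apostrophe in input:", compare_lookups("o'brien@example.com"))
    # Constructed input with a quote and a trailing condition: the concatenated
    # WHERE clause is rewritten and matches every row; the parameter matches none.
    print("quote in input:     ", compare_lookups("x@example.com' OR '1'='1"))
```

The detection angle for a defender is the middle case: an application that throws database syntax errors whenever a user types an apostrophe is usually concatenating input into SQL, and that symptom is worth treating as a finding in its own right even before any misuse is observed.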

What are the legal causes of action?  The lawsuit is based on several different causes of action:

  • Violation of California’s Unfair Competition Law – that LinkedIn failed to expend the resources necessary to protect its users’ data and created a perception that it followed industry standard protocols for security when in fact it did not.
  • Violation of California’s Consumers Legal Remedies Act – that LinkedIn deceptively induced the plaintiffs to register with LinkedIn based upon deceptive and misleading representations that it would take reasonable steps to safeguard its users’ sensitive personal information.
  • Breach of Contract (all-users class) – that LinkedIn failed to comply with the portion of its User Agreement and Privacy Policy in which it promised to protect its users’ personal information by implementing industry standard protocols and technology.
  • Breach of Contract (premium users class) – same allegation of the previous breach of contract claim, but here the plaintiffs paid actual money for upgraded services.
  • Breach of Implied Covenant of Good Faith and Fair Dealing – that LinkedIn breached the implied covenant of good faith and fair dealing by failing to safeguard and secure sensitive personal information from unauthorized access and theft.  Instinctually I wonder how this count can stand when it is precisely the same as the breach of express contract count, but again, I’m sure this is something the parties will litigate.
  • Breach of Implied Contract – that pursuant to implied contracts with Plaintiffs, LinkedIn was obligated to take commercially reasonable steps to secure and safeguard the plaintiffs’ information.
  • Negligence – that LinkedIn had a duty to exercise reasonable care to secure the plaintiffs’ information and to use industry standard protocols and technology to do so, but it failed to do that.
  • Negligence per se – that LinkedIn’s violation of California’s Unfair Competition Law (see first count) is automatically negligence.

So what are the class members’ damages?  The plaintiffs contend that they paid for LinkedIn’s services with actual dollars (in the case of premium services) and with their personal information (first name, last name, email address, and password).  Remember, the plaintiffs are divided into two classes.  With respect to the first class (all LinkedIn users), those plaintiffs claim to “have lost money and/or property”, but their specific explanation of money lost is “money in the form of the value of their personal data.”  (I’m skeptical that such damages will be cognizable with the court, as money is money, not personal data, but this is not totally out of left field, as the RockYou decision demonstrates).  Their lost property is “in the form of their breached personal data.”   With respect to the second class (premium members), those plaintiffs claim to have lost money in the form of monthly membership fees.

In sum, damages, standing, and the proper causes of action are all interesting issues that the court is sure to address at some point, depending on how long this litigation proceeds.  No matter how the litigation proceeds, however, it is yet another example of consumers and their lawyers rushing to the courthouse to file lawsuits soon after a high-profile data breach.  It will be interesting to see how this one unfolds . . . .
