Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain that they can’t trust the timeliness and accuracy of government information about cybersecurity. And cybersecurity experts point to distrust over the motives of the government and competitors as a bar to information sharing among private entities. But despite that, everyone agrees that information sharing would inure to the general benefit of all involved.

Rep. Daniel Lungren of California,Chair of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security, is aiming at impediments to cybersecurity data sharing in a bill introduced on Dec. 15, 2011. S. 3674, the ‘‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011’’ or the “PRECISE Act of 2011,” contains, among other things, a provision that would encourage corporate and industry participation in government sponsored cybersecurity programs by including legal exemptions and protections for private entity information-sharing.  A copy of the bill as introduced is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.'s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs' claims for negligence and implied contract should survive Hannaford's motion to dismiss because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers' data, plaintiffs' lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for lack of standing.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. The Final Judgment stems from an April 2009 information security breach in which outside hackers used malware to gain access to Briar Group’s computer systems and extract payment card information about the company’s restaurant and bar customers. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement, the first under Vermont’s Security Breach Notice Act, demonstrates that, in the opinion of the Vermont Attorney General, even in the frozen North a six-month gap between the discovery of a breach and notice to individuals cannot be reconciled with the Act’s requirement to notify individuals “in the most expedient time possible and without unreasonable delay.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Want to know how you can protect your company from Wikileaks debacles the likes of which have been faced by the U.S. government as well as private companies.  Check out this recent article by Proskauer's Dan Winslow and Kristen Mathews. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 25, 2010, Judge Richard Berman of the U.S. District Court of the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. In coming to his decision, Judge Berman rejected the plaintiffs’ arguments that they had standing to pursue their claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty as well as for violations of certain state consumer protection laws. He held that “Plaintiffs lack standing because their claims are future-oriented, hypothetical and conjectural.” The court also held that even assuming, arguendo, that plaintiffs could be said to have standing to pursue such claims, each of their claims would fail because the plaintiffs failed to show that they suffered any actual harm as a result of the tape loss incident.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. We previously wrote about the district court’s dismissal here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Nearly two years after Heartland Payment Systems, Inc. (“Heartland”) experienced one of the largest customer data security breaches in history, it entered into its third settlement agreement with a card company.  (In addition to its settlements with card companies, on April 30, 2010 Heartland received preliminary approval for a consumer class-action settlement that could cost it up to $2.4 million.) Having already entered into settlement agreements with Visa for up to $60 million and American Express for up to $3.6 million, Heartland announced on May 19, 2010 that it entered into a settlement agreement with MasterCard that could result in as much as $41.1 million being paid to eligible MasterCard card issuers for losses resulting from the breach.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 7, 2010, Mississippi Governor Haley Barbour signed H.B. 583, making his state the forty-sixth state with a security breach notification law on the books.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Calling an alleged data breach victim’s assertion of injury-in-fact as “far too speculative,” a Pennsylvania federal district court recently dismissed a class action suit filed against Aetna, Inc. for lack of standing. In Allison v. Aetna, the court indicated that while a plaintiff in a data breach case may assert an increased risk of harm to satisfy the injury-in-fact requirement for standing, the threat of harm must be credible rather than a mere possibility of future harm.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009.  

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act ("MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach.  See September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. 

WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several years that it is relatively easy to break into a WEP-secured wireless network. For that reason, as discussed further below, industry standards as well as regulators require that WPA (instead of WEP) be used to secure wireless networks that are used to transmit sensitive information such as credit card numbers. Nonetheless, many companies are still using WEP.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Monday, the Northern District of California granted Gap, Inc.'s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz's allegations of an increased risk of identity theft "do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost of stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link