Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

PIN pads aren’t a communications service under the SCA.

In dispensing with those claims that plaintiffs “artfully tailor[ed]” to the language of the SCA, the court ruled that Michaels’ provision of PIN pads enabling consumers to pay by credit or debit card did not amount to the provision of “electronic communications services” or “remote computing services” as contemplated by the SCA. According to the court, the plaintiffs failed to allege either that Michaels provided the underlying service that transported consumer credit and debit card data or that Michaels provided any off-site computer storage or processing services. Thus, the plaintiffs’ SCA claims failed.

Michaels didn’t deceive, but it may have been unfair.

The court next considered the plaintiffs’ claims under Illinois consumer law. The plaintiffs alleged that Michaels committed both a deceptive and an unfair trade practice by failing to take proper measures to secure access to PIN pad data.

The court rejected the plaintiffs’ deception theory because the plaintiffs failed to identify any communication by Michaels that contained a deceptive misrepresentation or omission. But the court went the other way on plaintiffs’ unfair trade practice claim, in part because Michaels is alleged to have failed to implement PCI PIN Security Requirements that might have thwarted the skimmers.

Relying principally on the First Circuit’s decision in In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), but noting the potential relevance of the many decisions relating to Section 5(a) of the Federal Trade Commission Act, Judge Kocoras held that the plaintiffs’ assertion that Michaels failed to (a) implement industry standard data security safeguards and (b) promptly notify consumers of the resultant security breach sufficiently alleged a violation of the ICFA. (Without much analysis, the court allowed the latter to form the basis for an ICFA claim because “a disputed issue of fact exists” concerning both when Michaels first learned of the breach and whether Michaels permissibly notified individuals through substitute notice under the Illinois Personal Information Protection Act.) Specifically, the court explained that

Plaintiffs allege that the PCI PIN Security Requirements and the industry’s best practices obligated Michaels to implement procedures and practices to ensure that a legitimate device had not been substituted with a counterfeit device. Since Plaintiffs allege that the skimmers did, in fact, substitute legitimate devices with counterfeit devices, Plaintiffs’ allegations show that Michaels ignored its obligation to implement procedures and practices preventing the criminal conduct. Plaintiffs thus sufficiently allege that Michaels engaged in an unfair practice under the ICFA.

Although the court found that an unfair practice was sufficiently alleged, because ICFA claims require a showing of actual damages, the court went on to consider whether the harm plaintiffs claimed to have suffered (i.e., increased risk of identity theft, costs of credit monitoring and unauthorized charges on their accounts) supported their ICFA claims. Like other courts that have rejected similar claims, the court held that “Plaintiffs cannot rely on the increased risk of identity theft or the [voluntarily incurred] costs of credit monitoring to satisfy the ICFA’s injury requirement.” But the court nevertheless found that plaintiffs had adequately alleged a cognizable injury under the ICFA because they claimed that they lost money from unauthorized withdrawals and/or bank fees.

The economic loss rule bars the plaintiffs’ negligence claims.

As for the negligence and negligence per se claims, Michaels argued that these claims failed because the intervening acts of criminals severed the causal link between the retailer’s conduct and the plaintiffs’ injuries and because the economic loss rule barred the recovery of purely economic losses under a tort theory of negligence.

The court disagreed with Michaels as to the former theory because, in its view, Michaels’ failure to implement security measures that were specifically designed to minimize the risk to customer financial information created “a condition conducive to a foreseeable intervening criminal act.” As such, the skimmers’ reasonably foreseeable criminal actions did not sever the causal chain. Nevertheless, after considerable analysis, the court dismissed the plaintiffs’ negligence and negligence per se claims because the plaintiffs failed to show why the economic loss rule should not apply to bar these claims.

Michaels may have breached an implied contract to protect customers from a security breach.

Lastly, relying on the First Circuit’s “persuasive” reasoning in Anderson v. Hannaford Bros., 2011 WL 5007175 (1st Cir. Oct. 20, 2011), see our Anderson blog post, the court concluded that the plaintiffs’ allegations “demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.” Notably, the notification obligation the court cites is nowhere to be found in the Anderson decision. But this is perhaps unsurprising, since the obligation to notify individuals of a data breach is now a creature of statute in almost every U.S. state, presumably because it is not an implied term of a relationship involving the exchange of information.

What does it all mean?

There’s a lot to digest here. The ultimate disposition of the case is not yet clear given the early stage of the proceedings. What is clear is that you don’t need to get creative to keep an identity exposure case afloat beyond the motion to dismiss stage – you just need some damages. This won’t surprise anyone who has been following this issue.

The plaintiffs’ allegations that they lost money through unauthorized charges got them over a hurdle that other data security breach plaintiffs have stumbled on. Indeed, they forced the court to confront some of the thorny issues that prior breach cases avoided due to the lack of any cognizable harm. The court’s approach suggests, as the FTC has suggested many times in its Section 5(a) cases, that if you’re not implementing reasonable information security measures – including those mandated by applicable industry standards – you may be painting yourself into a corner where you’ll become the target of a government investigation or even a private lawsuit.

Think skimming can’t happen to you? In November, Lucky Supermarkets announced that hackers used devices called “sniffers” to record credit card numbers belonging to customers and employees who used the self-checkout kiosks in 20 stores in California.

If you’re not ready to thwart skimmers, then perhaps you should be ready for a lawsuit.

Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.
Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case.

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

FINRA Fines Member Firm $175,000 for Failure to Protect Confidential Customer Information

The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers, and certify to FINRA that its procedures and systems are in compliance with privacy requirements. See FINRA News Release (April 28, 2009).

In particular, FINRA found that between April 2006 and July 2007, Centaurus failed to safeguard customer information because it maintained an improperly configured firewall and an ineffective user name and password system on its computer facsimile server. These failures resulted in unauthorized persons accessing stored images of faxes that contained confidential information, including social security numbers, account numbers, and dates of birth. Moreover, on July 15, 2007, Centaurus’s fax server was used by an unauthorized third party to host a phishing scam. Phishing is the fraudulent process of attempting to acquire confidential personal information (like usernames, passwords and account numbers) by masquerading as a trustworthy entity in an electronic communication.

To make matters worse, after Centaurus discovered the phishing scam, it sent some 1,400 customers and their brokers a misleading letter, which indicated that the unauthorized access was limited to one person and that the information on the fax server was not openly available. The letter did not tell the customers and their brokers that other unauthorized log-ins had occurred or that the unauthorized access was possible because of the inadequate security protections on the fax server.

FINRA concluded that Centaurus’s conduct violated 17 C.F.R. Part 248 (Regulation S-P) and FINRA Rules. Regulation S-P “governs the treatment of nonpublic personal information about consumers” by certain covered financial institutions. 17 C.F.R. Part 248.1. Among other things, the Regulation requires brokers, dealers, and investment companies to provide an initial privacy notice to new customers, an annual privacy notice to existing customers, and a revised privacy notice under certain circumstances. See 17 C.F.R. Parts 248.4, 248.5, and 248.8. Further, brokers, dealers, and investment companies “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 17 C.F.R. Part 248.30.

FINRA is the largest independent regulator for all securities firms doing business in the United States. FINRA performs a broad array of functions, from registering industry participants to examining securities firms to writing and enforcing rules to providing trade reporting and other industry utilities. It also performs market regulation under contract for The NASDAQ Stock Market, the American Stock Exchange, the International Securities Exchange and the Chicago Climate Exchange. FINRA oversees nearly 4,900 brokerage firms, about 172,000 branch offices and approximately 660,000 registered securities representatives. FINRA was created in July 2007 through the consolidation of NASD and the member regulation, enforcement and arbitration functions of the New York Stock Exchange.

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.

On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.

Kahle did not place a fraud alert on her credit report after the theft, and had no knowledge of unauthorized use of her personal information. There was some evidence to suggest that Kahle had purchased credit monitoring services before the theft. Kahle claimed she would need credit monitoring for many years, at great financial expense to her, as a result of the Litton incident.

The Court relied heavily on Key v. DSW, Inc., 454 F.Supp.2d 684 (D. Ohio 2006), and Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018 (D. Minn. 2006), in granting Litton’s motion for summary judgment. In Key, unauthorized persons obtained access to DSW’s confidential financial information. The plaintiff alleged negligence, breach of contract, conversion and breach of fiduciary duty. The Key court dismissed the plaintiff’s claims for lack of standing, finding that the plaintiff had presented no evidence that anyone planned on using her financial information or identity, and that any potential injury depended on the plaintiff’s information being accessed and used for unlawful purposes. The Forbes court ruled against the plaintiffs because, like Kahle, they did not show a present injury or a reasonably certain future injury to support damages for alleged increased risk of harm.

Kahle claimed her case was different from Key and Forbes. She pointed out that, in those cases, the defendant had offered free credit monitoring, and that the Forbes plaintiffs were notified immediately of the breach, whereas Litton took four weeks to issue notifications. The Court rejected these arguments, noting that Forbes did not consider whether credit monitoring was offered when it granted summary judgment to the defendant, and that Key was silent on the issue.

The court concluded that “any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.”

Thus, district courts continue to reject attempts by consumers to impose tort liability on businesses experiencing data breaches. However, as explained in our May 29 post here, legislators in a number of states are considering bills – and Minnesota has already passed legislation – that would transfer the risk of such incidents to merchants by allowing card-issuing financial institutions to recover for the “costs of reasonable actions” to protect their cardholders’ information and continue to provide services to their cardholders after a breach.