Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

PIN pads aren’t a communications service under the SCA.

In dispensing with those claims that plaintiffs “artfully tailor[ed]” to the language of the SCA, the court ruled that Michaels’ provision of PIN pads enabling consumers to pay by credit or debit card did not amount to the provision of “electronic communications services” or “remote computing services” as contemplated by the SCA. According to the court, the plaintiffs failed to allege either that Michaels provided the underlying service that transported consumer credit and debit card data or that Michaels provided any off-site computer storage or processing services. Thus, the plaintiffs’ SCA claims failed.

Michaels didn’t deceive, but it may have been unfair.

The court next considered the plaintiffs’ claims under Illinois consumer law. The plaintiffs alleged that Michaels committed both a deceptive and an unfair trade practice by failing to take proper measures to secure access to PIN pad data.

The court rejected the plaintiffs’ deception theory because the plaintiffs failed to identify any communication by Michaels that contained a deceptive misrepresentation or omission. But the court went the other way on plaintiffs’ unfair trade practice claim, in part because Michaels is alleged to have failed to implement PCI PIN Security Requirements that might have thwarted the skimmers.

Relying principally on the First Circuit’s decision in In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), but noting the potential relevance of the many decisions relating to Section 5(a) of the Federal Trade Commission Act, Judge Kocoras held that the plaintiffs’ assertion that Michaels failed to (a) implement industry standard data security safeguards and (b) promptly notify consumers of the resultant security breach sufficiently alleged a violation of the ICFA. (Without much analysis, the court allowed the latter to form the basis for an ICFA claim because “a disputed issue of fact exists” concerning both when Michaels first learned of the breach and whether Michaels permissibly notified individuals through substitute notice under the Illinois Personal Information Protection Act.) Specifically, the court explained that

Plaintiffs allege that the PCI PIN Security Requirements and the industry’s best practices obligated Michaels to implement procedures and practices to ensure that a legitimate device had not been substituted with a counterfeit device. Since Plaintiffs allege that the skimmers did, in fact, substitute legitimate devices with counterfeit devices, Plaintiffs’ allegations show that Michaels ignored its obligation to implement procedures and practices preventing the criminal conduct. Plaintiffs thus sufficiently allege that Michaels engaged in an unfair practice under the ICFA.

Although the court found that an unfair practice was sufficiently alleged, because ICFA claims require a showing of actual damages, the court went on to consider whether the harm plaintiffs claimed to have suffered (i.e., increased risk of identity theft, costs of credit monitoring and unauthorized charges on their accounts) supported their ICFA claims. Like other courts that have rejected similar claims, the court held that “Plaintiffs cannot rely on the increased risk of identity theft or the [voluntarily incurred] costs of credit monitoring to satisfy the ICFA’s injury requirement.” But the court nevertheless found that plaintiffs had adequately alleged a cognizable injury under the ICFA because they claimed that they lost money from unauthorized withdrawals and/or bank fees.

The economic loss rule bars the plaintiffs’ negligence claims.

As for the negligence and negligence per se claims, Michaels argued that these claims failed because the intervening acts of criminals severed the causal link between the retailer’s conduct and the plaintiffs’ injuries and because the economic loss rule barred the recovery of purely economic losses under a tort theory of negligence.

The court disagreed with Michaels as to the former theory because, in its view, Michaels’ failure to implement security measures that were specifically designed to minimize the risk to customer financial information created “a condition conducive to a foreseeable intervening criminal act.” As such, the skimmers’ reasonably foreseeable criminal actions did not sever the causal chain. Nevertheless, after considerable analysis, the court dismissed the plaintiffs’ negligence and negligence per se claims because the plaintiffs failed to show why the economic loss rule should not apply to bar these claims.

Michaels may have breached an implied contract to protect customers from a security breach.

Lastly, relying on the First Circuit’s “persuasive” reasoning in Anderson v. Hannaford Bros., 2011 WL 5007175 (1st Cir. Oct. 20, 2011), see our Anderson blog post, the court concluded that the plaintiffs’ allegations “demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.” Notably, the notification obligation the court cites is nowhere to be found in the Anderson decision. But this is perhaps unsurprising since the obligation to notify individuals of a data breach is now a creature of statute in almost every U.S. state presumably because it is not an implied term of a relationship involving the exchange of information.

What does it all mean?

There’s a lot to digest here. The ultimate disposition of the case is not yet clear given the early stage of the proceedings. What is clear is that you don’t need to get creative to keep an identity exposure case afloat beyond the motion to dismiss stage – you just need some damages. This won’t surprise anyone who has been following this issue.

The plaintiffs’ allegations that they lost money through unauthorized charges got them over a hurdle that other data security breach plaintiffs have stumbled on. Indeed, they forced the court to confront some of the thorny issues that prior breach cases avoided due to the lack of any cognizable harm. The court’s approach suggests, as the FTC has suggested many times in its Section 5(a) cases, that if you’re not implementing reasonable information security measures – including those mandated by applicable industry standards – you may be painting yourself into a corner where you’ll become the target of a government investigation or even a private lawsuit.

Think skimming can’t happen to you? In November, Lucky Supermarkets announced that hackers used devices called “sniffers” to record credit card numbers belonging to customers and employees who used the self-checkout kiosks in 20 stores in California.

If you’re not ready to thwart skimmers, then perhaps you should be ready for a lawsuit.

Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action

Where others have failed, Alan Claridge did not. Recently, a federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for lack of standing.

In December 2009, hackers accessed a RockYou database containing customers’ personally identifiable information (“PII”), including Alan Claridge’s. Claridge sued RockYou for claims such as negligence, breach of contract and violation of various federal and California state laws.

While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”


According to the court, the alleged harm was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

The court, however, did note that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case,” and that “[i]f it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.” So, while this may have been a small victory for data breach plaintiffs, the viability of the argument that PII has value and that data breaches may cause harm to that value remains uncertain.

Proskauer Litigators Notch Another Victory for The Bank of New York Mellon in "Identity Exposure" Lawsuit

On June 25, 2010, Judge Richard Berman of the U.S. District Court for the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. In coming to his decision, Judge Berman rejected the plaintiffs’ arguments that they had standing to pursue their claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, as well as for violations of certain state consumer protection laws. He held that “Plaintiffs lack standing because their claims are future-oriented, hypothetical and conjectural.” The court also held that even assuming, arguendo, that plaintiffs could be said to have standing to pursue such claims, each of their claims would fail because the plaintiffs failed to show that they suffered any actual harm as a result of the tape loss incident.

Judge Berman’s dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit. Indeed, Judge Berman’s written opinion cited similar dismissals in over twenty such decisions in the opening paragraph.

The Hammond decision is not unique on account of its central themes because the law in this area, except with respect to whether such plaintiffs have standing, is clear at this point. But the decision is noteworthy for the following reasons:

  • The opinion demonstrates that the lack of standing argument is still alive and well (and potentially trending toward the victorious) after being vigorously debated and variously decided in nearly every identity exposure case;
  • In addition to the lack of damages, the court rejected the plaintiffs’ negligence, breach of fiduciary duty and breach of implied contract claims in large part due to the lack of direct dealings between The Bank of New York Mellon and the plaintiffs, which negated the plaintiffs’ claims of any duty or relationship between the parties;
  • Although several plaintiffs experienced unauthorized credit transactions after the tapes were lost, they acknowledged during discovery that they had not suffered identity theft or any fraud as a result of the tape loss thereby dooming their claims; and
  • This second victory on behalf of The Bank of New York Mellon further demonstrates Proskauer’s depth of experience and expertise in this area.

It will likely only be a matter of time before another court evaluating the merits of an identity exposure case looks to the Hammond decision for guidance, and we’ll report on that case too. In the meantime, stay tuned, and remember that mere disclosure of personal information, without more, does not a lawsuit make.

Geez Ruiz: 9th Circuit (Probably) Ends Long-standing Data Breach Litigation Against Gap, Inc. and Others

On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. We previously wrote about the district court’s dismissal here.

On appeal, the Ninth Circuit agreed with the district court’s dismissal of each of the plaintiff’s causes of action, including claims for negligence, breach of contract, unfair competition, invasion of privacy and violation of California’s Social Security number protection law (Cal. Civ. Code § 1798.85). The Court’s relatively brief opinion went a little something like this:

  • Negligence. Requires Plaintiff to show actual damages. He failed to do that because even if time and money spent on credit monitoring are sufficient, Plaintiff failed to provide any evidence of the time and money he spent on credit monitoring. AFFIRMED.
  • Breach of contract. Similarly requires Plaintiff to show actual damages. Plaintiff failed to show any appreciable harm, and nominal damages will not suffice according to binding Ninth Circuit precedent. AFFIRMED.
  • Unfair competition. Another claim that requires Plaintiff to show actual damages. Actual damages mean loss of money or property, and there is no evidence to support such a loss. AFFIRMED.
  • Invasion of privacy. California courts have yet to extend this cause of action to accidental or negligent conduct. In addition, it is not clear that an increased risk of a privacy invasion, rather than an actual privacy invasion, suffices. AFFIRMED.
  • Violation of Cal. Civ. Code § 1798.85. The law prohibiting requiring an individual to use his Social Security number to access a Web site absent some additional authentication mechanism is not directed at subsequent requests for information once a user enters the Web site. AFFIRMED.

The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make! This decision hopefully will also allow Gap and friends to relax (a little) after a prolonged litigation battle.

Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff fails to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.

Data Breach Class Action Fails - Court Dismisses Securities Fraud Case Against Heartland

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.

Back in December 2007, hackers attacked Heartland’s computer network – specifically the company’s payroll manager system. During 2008, Heartland worked to prevent theft of data from that system. Unbeknownst to Heartland’s personnel, however, the attack spread to the payroll processing system, from which hackers stole data regarding approximately 130 million credit and debit cards. It was not until January 2009 that Heartland discovered and publicly disclosed the breach, ultimately causing Heartland’s stock to suffer a significant decline in value.    

Plaintiffs in In re Heartland Payments Systems, Inc. Securities Litigation claimed that Heartland and two of its executives made misleading statements about the breach and the nature of Heartland’s data security measures in violation of the Securities Exchange Act. In particular, plaintiffs alleged that during a February 13, 2008 earnings conference call, Heartland executives concealed the attack by indicating that large fourth quarter data security expenditures were not prompted by any particular security incident. As to that statement, the court found that the attack occurred “far too late in the quarter to have been the cause for the million-plus expenditure” and, thus, was not misleading. Also, during that February 2008 call, Heartland’s CFO stated that the company did not experience a security incident “that would put [Heartland] in a TJ Maxx position,” referencing the then-largest credit card data breach. Plaintiffs argued that this statement was false and misleading given the attack on Heartland’s systems; however, the court judged that, as of February 2008, hackers had not stolen any credit card information as was the case with TJ Maxx. Accordingly, the court ruled that the CFO’s statement was truthful. 


In addition, turning to Heartland’s 2007 annual report and a November 2008 earnings call, plaintiffs alleged that Heartland misrepresented the condition of Heartland’s data security.  According to plaintiffs, the annual report misrepresented that Heartland placed “significant emphasis on maintaining a high level of security.” And, during the November 2008 call, Heartland’s CEO allegedly made misleading statements when he discussed a rise in encryption standards and talked about the company’s need to improve its data security measures. The federal district court, however, disagreed with plaintiffs. The court found that the statements made in Heartland’s annual report and during the November 2008 call were not inconsistent with the fact that the company was the victim of hackers. Moreover, the court held that Heartland was not obligated to disclose the initial December 2007 attack. While plaintiffs may not have purchased Heartland shares had they known of the attack, “there is no general duty on the part of issuers to disclose every material fact to investors.” 

You can read the court’s entire opinion here.

State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.


With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff’s state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley-Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.

Breach Litigation Developments Webinar

Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix. You can listen to the webinar at any time by following the instructions here.

All of us in Proskauer's Privacy and Data Security Practice Group wish you a peaceful and happy holiday.