Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.'s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs' claims for negligence and implied contract should survive Hannaford's motion to dismiss because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers' data, plaintiffs' lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

Factual and Procedural Background

Anderson v. Hannaford Brothers, Co., which consolidated 26 separate lawsuits against the supermarket chain, stems from a 2007 breach where hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes (notably, they did not steal customers' names). Hannaford announced the breach in March 2008, noting that it had already received reports of approximately 1,800 cases of fraud resulting from the breach. Following Hannaford's announcement, some financial institutions canceled customers' credit and debit cards and issued new cards, while others did not, indicating that they would monitor customer accounts for unusual activity. Some customers who requested that their cards be canceled were required to pay fees for replacement cards, and others purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.

The plaintiffs alleged seven causes of action, including breach of implied contract; breach of implied warranty; breach of duty of a confidential relationship; failure to advise customers of the theft of their data; strict liability; negligence; and violation of Maine's Unfair Trade Practices Act (UTPA). The District Court granted Hannaford's motion to dismiss as to 20 of the 21 plaintiffs. (One plaintiff was allowed to proceed because she was the only plaintiff to allege unreimbursed fraudulent charges to her account.) The District Court held that the other plaintiffs failed to state claims under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability and failure to notify customers of the data breach. And although plaintiffs did adequately allege breach of implied contract, negligence and violation of UTPA, the plaintiffs' alleged injuries were "too remote, not reasonably foreseeable and/or speculative" to be recognized under Maine law. In addition, the district court determined that "there was no way to value or compensate the time and effort that customers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen."

Following the District Court's decision, the plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The District Court certified two questions, and only one was answered by the Maine Supreme Judicial Court (the second was deemed moot based on the answer to the first question). The certified question read: "[i]n the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?"

The Maine Supreme Judicial Court answered the question in the negative, agreeing with the District Court that time and effort alone do not constitute a cognizable claim under Maine law. After ordering the parties to show cause why judgment should not be entered in favor of Hannaford on all claims, the District Court ordered judgment in favor of Hannaford.

The First Circuit Decision

Plaintiffs appealed the District Court's decision regarding the fiduciary duty, breach of implied contract, negligence and Maine UTPA claims. The First Circuit held that plaintiffs adequately alleged theories of negligence and breach of implied contract, and that those claims should survive Hannaford's motion to dismiss.

Negligence: The First Circuit adopted the Restatement (Second) of Torts sec. 919, which provides that "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." The Court also noted that, as a matter of policy, Maine law encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant's negligence. To recover mitigation damages, plaintiffs must show that efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.

After reviewing decisions of other jurisdictions that have adopted the Restatement (Second) of Torts sec. 919, the Court considered whether the plaintiffs' mitigation steps were reasonable, and stated that "[i]t was foreseeable, on these facts that a customer, knowing that her credit or debit card had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data." The court thus held that "[p]laintiffs' claims for identity theft and replacement card fees involve actual financial losses from credit and debit card misuse. Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable."

Implied Contract: The First Circuit held that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford (1) would not use the credit card for other people's purchases; (2) would not sell the data to others; and (3) would take reasonable measures to protect the information.

The First Circuit held that other arguments asserted by plaintiffs must fail.

Fiduciary/Confidential Relationship: Plaintiffs argued that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information. The First Circuit agreed with the District Court that the plaintiffs' argument must fail, and that Hannaford does not owe a fiduciary duty to its customers. The First Circuit reasoned that (1) the plaintiffs have not shown the trust and confidence contemplated by Maine confidential relationship cases; (2) the plaintiffs have not pleaded facts demonstrating disparate bargaining power between the plaintiffs and Hannaford; and (3) the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust.

Maine UTPA: After a lengthy discussion of the availability of a private right of action under UTPA, the First Circuit rejected plaintiffs' UTPA claim, stating that "[i]t seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the right of private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence or other theories."

Implications

While it will likely be quite some time before we know how this case will ultimately be resolved, Anderson v. Hannaford should put companies on notice that out-of-pocket costs incurred to mitigate losses resulting from a data breach may result in viable damages claims.

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

The data breach out of which the Attorney General’s investigation, lawsuit, and ultimate settlement arose occurred between October 2009 and March 2010. During that time, personal information submitted in connection with applications for individual insurance policies was made publicly accessible via the company’s online application tracker website. The exposed information included Social Security numbers, financial account information, and health records. WellPoint immediately secured the application tracker site in early March 2010 after being told by a consumer, a second time, that records containing personal information were potentially accessible on the site.

WellPoint notified affected consumers of the breach beginning in June 2010, but did not also notify the Attorney General’s office as required by Indiana law. When Zoeller’s office learned of the breach through news reports in late July, it launched an investigation and in October filed suit against the company seeking an injunction and civil penalties for violations of the Indiana Disclosure of Security Breach Act. The parties’ recent settlement makes the Attorney General’s lawsuit disappear, but not without significant costs to WellPoint. The settlement mandates that WellPoint pay $100,000 into the Attorney General’s Consumer Assistance Fund; comply with the Disclosure of Security Breach Act in the future and admit that it failed to do so in this instance; provide affected consumers with up to two years of credit monitoring; and reimburse affected consumers up to $50,000 for any losses that result from identity theft stemming from the breach.

Although WellPoint is currently the public face of improper breach notification in Indiana, it is apparently not alone. Attorney General Zoeller’s office has issued warning letters to 47 other companies that delayed issuing appropriate security breach notifications. Perhaps it should go without saying, but according to Zoeller, “[t]he requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper.” Sounds simple enough, but are you faster than the reporters? We certainly hope so.

Let us tell you how we see this going down: White House publishes cybersecurity legislative proposal

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The proposal comes almost two years after the President identified cyber threats and protecting our digital infrastructure as “one of the most serious economic and national security challenges we face as a nation” in his Cyberspace Policy Review. The Administration’s legislative proposal includes a number of proposals to update existing federal cybersecurity laws and regulations in order to protect the Nation against cyber threats. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.

The Administration’s proposal sets forth two principal “consumer-facing” updates to the current cybersecurity landscape: (1) a federal information security breach notification requirement and (2) enhanced penalties for cyber criminals.

  • Data Breach Notification. The proposal calls for the implementation of a federal notification standard to displace the approximately forty-seven such laws at the state level, which generally require notification to individuals (and others) when the security of their personal information is compromised. The data breach notification proposal borrows extensively from the various state-level laws, for example, with respect to the acceptable forms of notice to individuals and the content of such notices, but sets a higher bar for breach notification than many states by introducing a risk of harm threshold for notification. Specifically, the proposal recommends a safe harbor from notification in the event the breached entity’s risk assessment demonstrates that there is no reasonable risk of harm to the affected individuals. The breached entity is required to report the results of any such risk assessment to the Federal Trade Commission (“FTC”) within 45 days. In addition to reporting to individuals, the proposal requires that breached entities report a breach to the Department of Homeland Security (“DHS”), which will in turn report the same to the U.S. Secret Service, the Federal Bureau of Investigation, and the FTC. Perhaps not surprisingly, the proposal identifies the FTC as the primary agency in charge of enforcing compliance with the law’s requirements. The proposal expressly states that the federal breach notification law would supersede any state or local law except to the extent such laws require notifications to include information about victim assistance available from the state.
  • Punishments for Cyber Crimes. The proposal also seeks to expand the scope of existing criminal laws pertaining to computer-based offenses and provide more severe penalties for violations of such laws. For example, the proposal creates a mandatory minimum penalty for cyber attacks under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which currently gives courts considerable latitude to impose substantial penalties (or no penalty at all) for certain attacks on the confidentiality, integrity, or availability of computers. In the Administration’s view, the mandatory minimum penalty eliminates some of that discretion for the sake of deterring attacks that may not actually cause substantial disruption (e.g., because they are thwarted before they are completed), but still pose a serious threat to critical computer systems or networks. For much the same reason, the proposal also makes clear that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed offenses.

For purposes of protecting the Nation’s critical infrastructure, the proposal identifies three key areas where legislation is needed: (1) laws that facilitate Federal Government assistance to the private-sector as well as state and local governments, (2) laws that pave the way for stakeholders in the private and public sectors to share information about cyber threats, incidents, and preventative measures, and (3) the identification of so-called “critical-infrastructure operators” so that resources (and regulations) can be appropriately directed toward such operators.

  • Voluntary Government Assistance. While the Federal Government is often asked to be involved in responses to cyber attacks on others’ computers and networks, there is currently no clear statutory framework for providing such assistance to the private-sector or state and local governments. The Administration’s proposal would change this by authorizing the Secretary of DHS (and his or her designees) to intervene in the event of a cyber attack and offer assistance prior to an identified cyber attack. The proposal specifies the types of assistance that may, or shall, be provided by the Federal Government, including, among other things, the potential establishment of a consolidated intrusion prevention system to protect federal systems from cyber threats, risk assessment tools and testing, and on-site technical support to federal system owners and operators.
  • Information Sharing. Protecting America’s digital infrastructure is a shared responsibility among the public and private sectors. The Administration’s proposal acknowledges this, and makes clear that cooperation and information sharing among the various stakeholders, including Federal Government agencies, industry, academia, and our international partners, is an important (and permissible) component of the country’s cybersecurity program. To that end, the proposal encourages sharing by and among stakeholders through, for example, establishing certain immunities for those who agree to provide information to the government. Information obtained for purposes of defending against cyber threats must, however, generally be used and retained for this limited purpose in order to protect individuals’ privacy and civil liberties. In this regard, the Secretary of DHS is required to, among other things, develop and periodically review, with input from the Attorney General and privacy and civil liberties experts, standards relating to the acquisition, interception, retention, use and disclosure of the information obtained in furtherance of this objective.
  • Critical Infrastructure Defense. The proposal outlines a system for identifying and protecting the nation’s “critical infrastructure.” The proposal, in many respects, calls upon the operators of identified critical infrastructure to satisfy heightened cybersecurity standards, and authorizes DHS and other federal regulators to review these operators’ cybersecurity plans, monitor compliance with such plans, and take other actions to ensure that critical infrastructure operators are sufficiently addressing identified cybersecurity risks. The proposal also authorizes DHS, through rulemaking, to require annual certifications (in SEC filings or otherwise) of compliance by covered critical infrastructure operators and public disclosure of certain information about the operators’ cybersecurity efforts. The proposal does, however, provide exemptions from public disclosure for certain security and vulnerability information developed or collected in furtherance of the agencies’ covered critical infrastructure reviews.

The Administration’s proposal acknowledges that the Federal Government itself is heavily reliant on computers and computer networks (its own and those of its many civilian contractors) – computers and networks that are continually at risk of cyber attack. For this reason, the proposal highlights three areas for improving the security of Federal Government systems: (1) formalizing DHS’s role as manager of cybersecurity for the Federal Government’s computers and networks, (2) recruitment and retention of cybersecurity professionals to help shrink the government’s learning curve in this critical area, and (3) adopting standards to promote the use of cloud computing vendors where appropriate to meet the government’s needs.

  • Cybersecurity Management. The proposal formally establishes DHS as the agency responsible for executive branch information security. Such responsibility includes the authority to implement binding policies and directives relating to information security, review compliance with such policies and directives, and designate an entity to receive reports about cyber threats, incidents, and vulnerabilities.
  • Recruitment and Retention of Cybersecurity Professionals. The proposal gives DHS the authority to establish cybersecurity-related positions and set up a scholarship program to ensure that these positions are filled with top-flight talent that is well-schooled in the field of cybersecurity.
  • Data Center Locations. Except where expressly authorized by federal law, the proposal bars U.S. states from requiring that private-sector data centers be located in that state as a condition of doing business.

Like the recent spate of privacy and information security related enforcement actions by the FTC and others, the release of the Administration’s legislative proposal underscores the need to be proactive about privacy and information security. There is no question that this is a hot topic for the Administration and the Congress.

Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action

Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for lack of standing.

In December 2009, hackers accessed a RockYou database containing customers’ personally identifiable information (“PII”), including Alan Claridge’s. Claridge sued RockYou on claims such as negligence, breach of contract and violation of various federal and California state laws.

While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

According to the court, the alleged harm was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

The court, however, did note that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case,” and that “[i]f it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.”  So, while this may have been a small victory for data breach plaintiffs, the viability of the argument that PII has value and that data breaches may cause harm to that value remains uncertain.

It's Not Too Late to Come to the Party: Mississippi Joins 45 Other States by Enacting a Security Breach Notification Law

On April 7, 2010, Mississippi Governor Haley Barbour signed H.B. 583, making his state the forty-sixth state with a security breach notification law on the books.

Effective July 1, 2011, H.B. 583 will require any person who conducts business in Mississippi and who, in the ordinary course of the person’s business functions, owns, licenses or maintains personal information of any Mississippi resident to notify certain individuals when the security of their unencrypted personal information may be at risk. Mississippi's new law is consistent with other states’ security breach notification laws in many respects, but deviates in at least one potentially significant way. Specifically, the law only requires notice to “affected individuals,” which are defined to mean residents of Mississippi whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security. Like it or not (and the business community ought to like it), this qualification may allow a covered entity to avoid providing notice when electronic media containing personal information is simply lost, or when such information is inadvertently sent to the wrong person. (However, when the compromised information belongs to another business, there is still a requirement to notify that business.) H.B. 583 also does not require notification if a covered entity determines, after an appropriate investigation, that the security breach “will not likely result in harm to the affected individuals.” This latter provision, however, is not unlike provisions in other states’ laws that require a so-called “material risk of harm” to trigger a notification obligation.

The enactment of H.B. 583 in Mississippi means only Alabama, Kentucky, New Mexico, and South Dakota have yet to adopt such a law. But as the saying goes, better late than never!

2009 Ponemon Institute "Cost of a Data Breach" Study Released

This past week, the Ponemon Institute announced the publication of the results of its fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies covering 15 various industry sectors, with the top represented industries including the financial, retail, services and healthcare industries. The size of the breaches experienced by companies surveyed ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations in 2009 was $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but represents a $66 overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.
The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

  • 42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party.
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
  • 82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.

Data Breach Class Action Fails - Court Dismisses Securities Fraud Case Against Heartland

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.

Back in December 2007, hackers attacked Heartland’s computer network – specifically the company’s payroll manager system. During 2008, Heartland worked to prevent theft of data from that system. Unbeknownst to Heartland’s personnel, however, the attack spread to the payroll processing system, from which hackers stole data regarding approximately 130 million credit and debit cards. It was not until January 2009 that Heartland discovered and publicly disclosed the breach, ultimately causing Heartland’s stock to suffer a significant decline in value.

Plaintiffs in In re Heartland Payments Systems, Inc. Securities Litigation claimed that Heartland and two of its executives made misleading statements about the breach and the nature of Heartland’s data security measures in violation of the Securities Exchange Act. In particular, plaintiffs alleged that during a February 13, 2008 earnings conference call, Heartland executives concealed the attack by indicating that large fourth quarter data security expenditures were not prompted by any particular security incident. As to that statement, the court found that the attack occurred “far too late in the quarter to have been the cause for the million-plus expenditure” and, thus, was not misleading. Also, during that February 2008 call, Heartland’s CFO stated that the company did not experience a security incident “that would put [Heartland] in a TJ Maxx position,” referencing the then-largest credit card data breach. Plaintiffs argued that this statement was false and misleading given the attack on Heartland’s systems; however, the court judged that, as of February 2008, hackers had not stolen any credit card information as was the case with TJ Maxx. Accordingly, the court ruled that the CFO’s statement was truthful. 

In addition, turning to Heartland’s 2007 annual report and a November 2008 earnings call, plaintiffs alleged that Heartland misrepresented the condition of Heartland’s data security.  According to plaintiffs, the annual report misrepresented that Heartland placed “significant emphasis on maintaining a high level of security.” And, during the November 2008 call, Heartland’s CEO allegedly made misleading statements when he discussed a rise in encryption standards and talked about the company’s need to improve its data security measures. The federal district court, however, disagreed with plaintiffs. The court found that the statements made in Heartland’s annual report and during the November 2008 call were not inconsistent with the fact that the company was the victim of hackers. Moreover, the court held that Heartland was not obligated to disclose the initial December 2007 attack. While plaintiffs may not have purchased Heartland shares had they known of the attack, “there is no general duty on the part of issuers to disclose every material fact to investors.” 

You can read the court’s entire opinion here.

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act (“MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.

Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 (“HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas: On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

Maine: For information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)

State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.

With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff's state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.

Seven Days Is All She Wrote . . .

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation.  Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law.  The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.  The amended language can be found here.  It becomes effective 90 days following adjournment of Maine's 124th Legislature.

Breach Litigation Developments Webinar

Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix.  You can listen to the webinar at any time by following the instructions here.

All of us in Proskauer's Privacy and Data Security Practice Group wish you a peaceful and happy holiday.