The Sixth Circuit Court of Appeals recently held that a computer fraud rider to a “Blanket Crime Policy” covers losses from a hacker’s theft of customer credit card and checking account data.
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine… Continue Reading
On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint must pay a fine of $100,000, provide certain identity-theft-prevention assistance to consumers affected by the breach, and admit that it failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”
On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.
Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for… Continue Reading
Mississippi’s new law is consistent with other states’ security breach notification laws in many respects, but deviates in at least one potentially significant way.
This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year’s report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute’s research of data breach incidents occurring in 2009.
Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.
On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.
In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.”
Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case.
Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.
the Federal Fair Credit Reporting Act preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act
As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation. Last week, the governor of Maine amended that state’s data breach notification law. The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix.