Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

PIN pads aren’t a communications service under the SCA.

In dispensing with those claims that plaintiffs “artfully tailor[ed]” to the language of the SCA, the court ruled that Michaels’ provision of PIN pads enabling consumers to pay by credit or debit card did not amount to the provision of “electronic communications services” or “remote computing services” as contemplated by the SCA. According to the court, the plaintiffs failed to allege either that Michaels provided the underlying service that transported consumer credit and debit card data or that Michaels provided any off-site computer storage or processing services. Thus, the plaintiffs’ SCA claims failed.

Michaels didn’t deceive, but it may have been unfair.

The court next considered the plaintiffs’ claims under Illinois consumer law. The plaintiffs alleged that Michaels committed both a deceptive and an unfair trade practice by failing to take proper measures to secure access to PIN pad data.

The court rejected the plaintiffs’ deception theory because the plaintiffs failed to identify any communication by Michaels that contained a deceptive misrepresentation or omission. But the court went the other way on plaintiffs’ unfair trade practice claim, in part because Michaels is alleged to have failed to implement PCI PIN Security Requirements that might have thwarted the skimmers.

Relying principally on the First Circuit’s decision in In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), but noting the potential relevance of the many decisions relating to Section 5(a) of the Federal Trade Commission Act, Judge Kocoras held that the plaintiffs’ assertion that Michaels failed to (a) implement industry standard data security safeguards and (b) promptly notify consumers of the resultant security breach sufficiently alleged a violation of the ICFA. (Without much analysis, the court allowed the latter to form the basis for an ICFA claim because “a disputed issue of fact exists” concerning both when Michaels first learned of the breach and whether Michaels permissibly notified individuals through substitute notice under the Illinois Personal Information Protection Act.) Specifically, the court explained that

Plaintiffs allege that the PCI PIN Security Requirements and the industry’s best practices obligated Michaels to implement procedures and practices to ensure that a legitimate device had not been substituted with a counterfeit device. Since Plaintiffs allege that the skimmers did, in fact, substitute legitimate devices with counterfeit devices, Plaintiffs’ allegations show that Michaels ignored its obligation to implement procedures and practices preventing the criminal conduct. Plaintiffs thus sufficiently allege that Michaels engaged in an unfair practice under the ICFA.

Although the court found that an unfair practice was sufficiently alleged, because ICFA claims require a showing of actual damages, the court went on to consider whether the harm plaintiffs claimed to have suffered (i.e., increased risk of identity theft, costs of credit monitoring and unauthorized charges on their accounts) supported their ICFA claims. Like other courts that have rejected similar claims, the court held that “Plaintiffs cannot rely on the increased risk of identity theft or the [voluntarily incurred] costs of credit monitoring to satisfy the ICFA’s injury requirement.” But the court nevertheless found that plaintiffs had adequately alleged a cognizable injury under the ICFA because they claimed that they lost money from unauthorized withdrawals and/or bank fees.

The economic loss rule bars the plaintiffs’ negligence claims.

As for the negligence and negligence per se claims, Michaels argued that these claims failed because the intervening acts of criminals severed the causal link between the retailer’s conduct and the plaintiffs’ injuries and because the economic loss rule barred the recovery of purely economic losses under a tort theory of negligence.

The court disagreed with Michaels as to the former theory because, in its view, Michaels’ failure to implement security measures that were specifically designed to minimize the risk to customer financial information created “a condition conducive to a foreseeable intervening criminal act.” As such, the skimmers’ reasonably foreseeable criminal actions did not sever the causal chain. Nevertheless, after considerable analysis, the court dismissed the plaintiffs’ negligence and negligence per se claims because the plaintiffs failed to show why the economic loss rule should not apply to bar these claims.

Michaels may have breached an implied contract to protect customers from a security breach.

Lastly, relying on the First Circuit’s “persuasive” reasoning in Anderson v. Hannaford Bros., 2011 WL 5007175 (1st Cir. Oct. 20, 2011), see our Anderson blog post, the court concluded that the plaintiffs’ allegations “demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.” Notably, the notification obligation the court cites is nowhere to be found in the Anderson decision. But this is perhaps unsurprising, since the obligation to notify individuals of a data breach is now a creature of statute in almost every U.S. state, presumably because it is not an implied term of a relationship involving the exchange of information.

What does it all mean?

There’s a lot to digest here. The ultimate disposition of the case is not yet clear given the early stage of the proceedings. What is clear is that you don’t need to get creative to keep an identity exposure case afloat beyond the motion to dismiss stage – you just need some damages. This won’t surprise anyone who has been following this issue.

The plaintiffs’ allegations that they lost money through unauthorized charges got them over a hurdle that other data security breach plaintiffs have stumbled on. Indeed, they forced the court to confront some of the thorny issues that prior breach cases avoided due to the lack of any cognizable harm. The court’s approach suggests, as the FTC has suggested many times in its Section 5(a) cases, that if you’re not implementing reasonable information security measures – including those mandated by applicable industry standards – you may be painting yourself into a corner where you’ll become the target of a government investigation or even a private lawsuit.

Think skimming can’t happen to you? In November, Lucky Supermarkets announced that hackers used devices called “sniffers” to record credit card numbers belonging to customers and employees who used the self-checkout kiosks in 20 stores in California.

If you’re not ready to thwart skimmers, then perhaps you should be ready for a lawsuit.

Proskauer Litigators Notch Another Victory for The Bank of New York Mellon in "Identity Exposure" Lawsuit

On June 25, 2010, Judge Richard Berman of the U.S. District Court for the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. In coming to his decision, Judge Berman rejected the plaintiffs’ arguments that they had standing to pursue their claims for negligence, negligence per se, breach of implied contract, and breach of fiduciary duty, as well as for violations of certain state consumer protection laws. He held that “Plaintiffs lack standing because their claims are future-oriented, hypothetical and conjectural.” The court also held that even assuming, arguendo, that plaintiffs could be said to have standing to pursue such claims, each of their claims would fail because the plaintiffs failed to show that they suffered any actual harm as a result of the tape loss incident.

Judge Berman’s dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit. Indeed, Judge Berman’s written opinion cited similar dismissals in over twenty such decisions in the opening paragraph.

The Hammond decision is not unique on account of its central themes because the law in this area, except with respect to whether such plaintiffs have standing, is clear at this point. But the decision is noteworthy for the following reasons:

  • The opinion demonstrates that the lack of standing argument is still alive and well (and potentially trending toward the victorious) after being vigorously debated and variously decided in nearly every identity exposure case;
  • In addition to the lack of damages, the court rejected the plaintiffs’ negligence, breach of fiduciary duty and breach of implied contract claims in large part due to the lack of direct dealings between The Bank of New York Mellon and the plaintiffs, which negated the plaintiffs’ claims of any duty or relationship between the parties;
  • Although several plaintiffs experienced unauthorized credit transactions after the tapes were lost, they acknowledged during discovery that they had not suffered identity theft or any fraud as a result of the tape loss thereby dooming their claims; and
  • This second victory on behalf of The Bank of New York Mellon further demonstrates Proskauer’s depth of experience and expertise in this area.

It will likely only be a matter of time before another court evaluating the merits of an identity exposure case looks to the Hammond decision for guidance, and we’ll report on that case too. In the meantime, stay tuned, and remember that mere disclosure of personal information, without more, does not a lawsuit make.
Geez Ruiz: 9th Circuit (Probably) Ends Long-standing Data Breach Litigation Against Gap, Inc. and Others

On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. We previously wrote about the district court’s dismissal here.

On appeal, the Ninth Circuit agreed with the district court’s dismissal of each of the plaintiff’s causes of action, including claims for negligence, breach of contract, unfair competition, invasion of privacy and violation of California’s Social Security number protection law (Cal. Civ. Code § 1798.85). The Court’s relatively brief opinion went a little something like this:

  • Negligence. Requires Plaintiff to show actual damages. He failed to do that because even if time and money spent on credit monitoring are sufficient, Plaintiff failed to provide any evidence of the time and money he spent on credit monitoring. AFFIRMED.
  • Breach of contract. Similarly requires Plaintiff to show actual damages. Plaintiff failed to show any appreciable harm, and nominal damages will not suffice according to binding Ninth Circuit precedent. AFFIRMED.
  • Unfair competition. Another claim that requires Plaintiff to show actual damages. Actual damages mean loss of money or property, and there is no evidence to support such a loss. AFFIRMED.
  • Invasion of privacy. California courts have yet to extend this cause of action to accidental or negligent conduct. In addition, it is not clear that an increased risk of a privacy invasion, rather than an actual privacy invasion, suffices. AFFIRMED.
  • Violation of Cal. Civ. Code § 1798.85. The law prohibiting requiring an individual to use his Social Security number to access a Web site absent some additional authentication mechanism is not directed at subsequent requests for information once a user enters the Web site. AFFIRMED.

The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make! This decision hopefully will also allow Gap and friends to relax (a little) after a prolonged litigation battle.
Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.
Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.

With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff’s state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.