Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

 

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

 

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

 

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

Enforcement of E-Verify Regulation Postponed Once Again

Today is Data Privacy Day and we bring you a special post regarding E-Verify from guest contributors Lawrence Lorber, Malcolm Harkins, and James Segroves, of Proskauer's DC office, and David Grunblatt of Proskauer's Newark office.  Enforcement of a controversial federal regulation that raised significant privacy concerns has been postponed once again as the result of a legal challenge filed by Proskauer on behalf of the Chamber of Commerce of the United States of America and four other trade associations. See Chamber of Commerce of the U.S. v. Napolitano, Civil Action No. AW-08-3444 (D. Md.). The regulation in question would have required most government contractors and subcontractors to participate in E-Verify, an Internet-based system that allows employers to verify that individuals are eligible to work in the United States using an employee’s Social Security Number and other personal information. Pursuant to a January 27, 2009 agreement between the parties, enforcement of the regulation has been postponed until May 21, 2009, in order to give the recently inaugurated Administration of President Barack Obama an opportunity to review the regulation. A notice to this effect is scheduled to be published in the Federal Register on January 30, 2009.

By way of background, on June 6, 2008, then-President George W. Bush signed Executive Order 13,465, which instructs that “Executive departments and agencies that enter into contracts shall require, as a condition of each contract, that the contractor agree to use an electronic employment eligibility verification system designated by the Secretary of Homeland Security to verify the employment eligibility of: (i) all persons hired during the contract term by the contractor to perform employment duties within the United States; and (ii) all persons assigned by the contractor to perform work within the United States on the Federal contract.” President Bush also commanded that the Federal Acquisition Regulation (“FAR”), which governs the acquisition of supplies and services by all federal agencies, be amended to incorporate the foregoing requirement. Three days later, then-Secretary of Homeland Security Michael Chertoff signed a notice designating E-Verify as the electronic employment eligibility verification system to be used by federal contractors and subcontractors.

On June 12, 2008, the agencies responsible for issuing the FAR published a proposed rule to implement Executive Order 13,465 and solicited comments on the proposed rule’s text. On November 14, 2008, a final rule was published in the Federal Register with an effective date of January 15, 2009.

In addition to responding to numerous comments attacking the legality of Executive Order 13,465 and the proposed rule, the final rule explained that “[s]everal commenters suggested that E-Verify has ongoing system security problems that jeopardize the privacy and security of individuals’ personal information.” The final rule also explained that “[m]any commenters stated a concern that E-Verify’s inability to prevent identity theft leaves employers that use E-Verify vulnerable to sanctions.” Ultimately, however, the final rule rejected these privacy-related concerns. For example, the final rule asserted that “security measures in place [to protect employees’ personal information transmitted through E-Verify] include among other things both strong and limited access controls, transmission encryption, and extensive audit logging.”

On December 23, 2008, the Chamber of Commerce of the United States of America—joined by the Associated Builders and Contractors, Inc.; the Society for Human Resource Management; the American Council on International Personnel; and the HR Policy Association—filed a Complaint for Declaratory and Injunctive Relief in the United States District Court for the District of Maryland. In addition to challenging the substance of the final rule, the plaintiffs contested the Executive Order, claiming it was unconstitutional and that it was an unlawful attempt to circumvent existing immigration laws. The plaintiffs also challenged the expansion of E-Verify to require the re-authorization of existing workers.

Shortly after the plaintiffs filed their complaint, the parties reached an agreement to delay implementation of the final rule until February 20, 2009, in order to allow expedited briefing on cross-motions for summary judgment. The plaintiffs’ motion for summary judgment was filed on January 14, 2009, the same day that a notice appeared in the Federal Register delaying the final rule’s enforcement until February 20, 2009.

On January 27, 2009—one day before the Federal Government’s deadline for responding to the plaintiffs’ motion for summary judgment—the parties reached an agreement delaying the applicability date of the final rule until May 21, 2009. A notice to this effect is scheduled to be published in the Federal Register on January 30, 2009. In addition, the Federal Government filed an emergency motion with the district court asking it to stay judicial proceedings for 90 days “in order to allow the newly-inaugurated Administration of President Barack Obama to review the [regulations] at issue in this case.” On January 28, 2009, the district court issued an order granting the Federal Government’s emergency motion.

Given the significant burdens the final rule would have imposed on federal contractors and subcontractors, this most recent delay in the final rule’s enforcement represents another intermediate victory for federal contractors and subcontractors throughout the United States. In addition, the Obama Administration’s pledge to review the final rule may mean that privacy concerns raised by commenters will be given greater weight.

CT's New SSN Law Is Third of Its Kind

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. 

Connecticut is at least the third state to do so (after Michigan and Texas). In addition to the requirements that have become common among state laws (e.g., requirements to safeguard SSNs and to dispose of them in a secure fashion), Connecticut’s new law also requires that companies create, and publish to the public, a policy that protects the confidentiality of SSNs, prohibits their unlawful disclosure, and limits access to them. According to the Act, one way that the policy may be published is by posting it on an Internet Web page.

A company that intentionally violates Connecticut’s new law is subject to a civil penalty of $500 per violation, not to exceed $500,000 for any single event. In addition, if a company publishes a policy and then does not comply with it, the company could be subject to an action by the Federal Trade Commission, a state attorney general, or even an individual or class of individuals, for deceptive trade practices, consumer protection violations, and/or fraud.

Many states have Social Security Number protection laws that require companies to take measures to protect the Social Security Numbers that they possess in the course of their business. For example, many states prohibit companies from including full Social Security Numbers in mailings and from transmitting Social Security Numbers, unencrypted, over a public network (such as via unencrypted e-mail). An increasing number of states are adopting Social Security Number protection laws at a rapid pace.

All companies should have Social Security Number protection policies that are designed to bring about compliance with these laws and the protection of Social Security Numbers from compromise. In the few states where these policies are required to be published, companies must do so, and should appreciate the additional legal exposure that goes along with publishing their policies to the world. In many cases (as in the case of Web site privacy policies), published policies are legally construed as enforceable commitments as to the company’s practices.

Connecticut’s Act becomes effective on October 1, 2008.