Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

PIN pads aren’t a communications service under the SCA.

In dispensing with those claims that plaintiffs “artfully tailor[ed]” to the language of the SCA, the court ruled that Michaels’ provision of PIN pads enabling consumers to pay by credit or debit card did not amount to the provision of “electronic communications services” or “remote computing services” as contemplated by the SCA. According to the court, the plaintiffs failed to allege either that Michaels provided the underlying service that transported consumer credit and debit card data or that Michaels provided any off-site computer storage or processing services. Thus, the plaintiffs’ SCA claims failed.

Michaels didn’t deceive, but it may have been unfair.

The court next considered the plaintiffs’ claims under Illinois consumer law. The plaintiffs alleged that Michaels committed both a deceptive and an unfair trade practice by failing to take proper measures to secure access to PIN pad data.

The court rejected the plaintiffs’ deception theory because the plaintiffs failed to identify any communication by Michaels that contained a deceptive misrepresentation or omission. But the court went the other way on plaintiffs’ unfair trade practice claim, in part because Michaels is alleged to have failed to implement PCI PIN Security Requirements that might have thwarted the skimmers.

Relying principally on the First Circuit’s decision in In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), but noting the potential relevance of the many decisions relating to Section 5(a) of the Federal Trade Commission Act, Judge Kocoras held that the plaintiffs’ assertion that Michaels failed to (a) implement industry standard data security safeguards and (b) promptly notify consumers of the resultant security breach sufficiently alleged a violation of the ICFA. (Without much analysis, the court allowed the latter to form the basis for an ICFA claim because “a disputed issue of fact exists” concerning both when Michaels first learned of the breach and whether Michaels permissibly notified individuals through substitute notice under the Illinois Personal Information Protection Act.) Specifically, the court explained that

Plaintiffs allege that the PCI PIN Security Requirements and the industry’s best practices obligated Michaels to implement procedures and practices to ensure that a legitimate device had not been substituted with a counterfeit device. Since Plaintiffs allege that the skimmers did, in fact, substitute legitimate devices with counterfeit devices, Plaintiffs’ allegations show that Michaels ignored its obligation to implement procedures and practices preventing the criminal conduct. Plaintiffs thus sufficiently allege that Michaels engaged in an unfair practice under the ICFA.

Although the court found that an unfair practice was sufficiently alleged, because ICFA claims require a showing of actual damages, the court went on to consider whether the harm plaintiffs claimed to have suffered (i.e., increased risk of identity theft, costs of credit monitoring and unauthorized charges on their accounts) supported their ICFA claims. Like other courts that have rejected similar claims, the court held that “Plaintiffs cannot rely on the increased risk of identity theft or the [voluntarily incurred] costs of credit monitoring to satisfy the ICFA’s injury requirement.” But the court nevertheless found that plaintiffs had adequately alleged a cognizable injury under the ICFA because they claimed that they lost money from unauthorized withdrawals and/or bank fees.

The economic loss rule bars the plaintiffs’ negligence claims.

As for the negligence and negligence per se claims, Michaels argued that these claims failed because the intervening acts of criminals severed the causal link between the retailer’s conduct and the plaintiffs’ injuries and because the economic loss rule barred the recovery of purely economic losses under a tort theory of negligence.

The court disagreed with Michaels as to the former theory because, in its view, Michaels’ failure to implement security measures that were specifically designed to minimize the risk to customer financial information created “a condition conducive to a foreseeable intervening criminal act.” As such, the skimmers’ reasonably foreseeable criminal actions did not sever the causal chain. Nevertheless, after considerable analysis, the court dismissed the plaintiffs’ negligence and negligence per se claims because the plaintiffs failed to show why the economic loss rule should not apply to bar these claims.

Michaels may have breached an implied contract to protect customers from a security breach.

Lastly, relying on the First Circuit’s “persuasive” reasoning in Anderson v. Hannaford Bros., 2011 WL 5007175 (1st Cir. Oct. 20, 2011), see our Anderson blog post, the court concluded that the plaintiffs’ allegations “demonstrate the existence of an implicit contractual relationship between Plaintiffs and Michaels, which obligated Michaels to take reasonable measures to protect Plaintiffs’ financial information and notify Plaintiffs of a security breach within a reasonable amount of time.” Notably, the notification obligation the court cites is nowhere to be found in the Anderson decision. But this is perhaps unsurprising, since the obligation to notify individuals of a data breach is now a creature of statute in almost every U.S. state, presumably because it is not an implied term of a relationship involving the exchange of information.

What does it all mean?

There’s a lot to digest here. The ultimate disposition of the case is not yet clear given the early stage of the proceedings. What is clear is that you don’t need to get creative to keep an identity exposure case afloat beyond the motion to dismiss stage – you just need some damages. This won’t surprise anyone who has been following this issue.

The plaintiffs’ allegations that they lost money through unauthorized charges got them over a hurdle that other data security breach plaintiffs have stumbled on. Indeed, they forced the court to confront some of the thorny issues that prior breach cases avoided due to the lack of any cognizable harm. The court’s approach suggests, as the FTC has suggested many times in its Section 5(a) cases, that if you’re not implementing reasonable information security measures – including those mandated by applicable industry standards – you may be painting yourself into a corner where you’ll become the target of a government investigation or even a private lawsuit.

Think skimming can’t happen to you? In November, Lucky Supermarkets announced that hackers used devices called “sniffers” to record credit card numbers belonging to customers and employees who used the self-checkout kiosks in 20 stores in California.

If you’re not ready to thwart skimmers, then perhaps you should be ready for a lawsuit.

"Houston's, We Have A Privacy Problem . . . ."

On June 16, 2009, in Pietrylo v. Hillstone Restaurant Group, USDC D.N.J. Case No. 2:06-cv-5754-FSH-PS, a New Jersey federal jury found that the Houston’s restaurant chain violated the Stored Communications Act (SCA) and the New Jersey Wiretapping and Electronic Surveillance Control Act (NJWESCA) by allegedly requiring an employee to surrender to Houston’s managers login information that would allow access to an employee MySpace gripe group called “Spec-Tator.” Spec-Tator’s creators, Brian Pietrylo and Doreen Marino, were fired for violating Houston’s policies regarding professionalism and positivity. They sued for alleged violations of their common law right to privacy, freedom of speech, the SCA and the NJWESCA, and for wrongful termination.

Liability hinged on whether access to Spec-Tator was unauthorized. When Pietrylo and Marino created the group, they invited a select group of Houston’s employees, but no managers. The SCA and the NJWESCA extend liability to parties that exceed their authorization to access electronic communications. Thus, the jury form asked: “Did Houston’s knowingly or intentionally or purposefully access the Spectator without authorization from Karen St. Jean?” The jury answered in the affirmative and awarded plaintiffs $17,000 in compensatory and punitive damages.

While employers with appropriately-worded policies may monitor employee communications using company equipment, the Hillstone verdict, as well as the court’s refusal to dismiss the SCA and NJWESCA claims on summary judgment, indicate that employers may be liable if they exceed their authorization by accessing protected sites not intended for them to see. However, there is extensive grey area yet to be explored. For example, the outcome of the case might have been different had a Spec-Tator user logged in using a work computer and failed to log herself out, or if Spec-Tator had dropped a cookie onto her computer permitting persistent login.

Summer Associate Todd Mobley contributed to this report.

The Sixth Circuit Affirms Individual Expectation of Privacy in Emails

In a decision that will significantly impact the ability of the government to access electronic communications, the United States Court of Appeals for the Sixth Circuit on June 18, 2007, affirmed a district court’s issuance of a preliminary injunction prohibiting governmental entities from obtaining Internet Service Providers’ (“ISP”) subscribers’ e-mail communications unless the subscriber first receives prior notice and an opportunity to be heard. Warshak v. United States, No. 06-4092 (6th Cir. 2007). The Court found unconstitutional the Stored Communications Act (“SCA”) provisions allowing Government seizure of such communications without prior subscriber notice, because the court order could be issued without a showing of probable cause that the subscriber had committed a crime. The Sixth Circuit found that individuals have an expectation of privacy regarding the contents of emails sent or stored through an ISP.

The SCA, passed in 1986 as an amendment to the Electronic Communications Privacy Act, contains various provisions regarding “stored wire and electronic communications and transactional records” impacting ISPs’ subscribers’ records and communications. The specific provisions of the SCA at issue in Warshak were sections 2703(b) and (d) and 2705(a). Sections 2703(b) and 2705(a), in pertinent part, allow a governmental entity to obtain the contents of electronic communications that have been stored by an ISP for more than 180 days without notice to the subscriber if obtained by a warrant (which is subject to the usual probable cause standard), and with delayed notice to the subscriber if the governmental entity obtains a court order and the court finds there may be an adverse result from providing notice. Section 2703(d) allows the issuance of court orders when the government has “reasonable grounds to believe” that the communications are pertinent to an active criminal investigation, a less rigorous standard than probable cause.

In Warshak, the U.S. Government directed its order to Plaintiff Steven Warshak’s ISPs to obtain, among other things, his stored e-mail communications in support of its criminal investigation of wire and mail fraud. The Government did not seek e-mails in electronic storage less than 180 days old (which can only be obtained with a warrant). The court order approved delayed notice. After the Government provided the delayed notice, Warshak filed a complaint seeking a preliminary injunction and alleging that the disclosure of his emails without a warrant or notice violated the Fourth Amendment and the SCA. The U.S. District Court for the Southern District of Ohio held that individuals sending emails have an expectation of privacy, and preliminarily enjoined the seizure of emails from an ISP account when an account holder was not given notice and a hearing. The government appealed the district court’s decision.

On appeal, the Government argued that an SCA court order is akin to a subpoena and therefore probable cause is unnecessary. The Sixth Circuit acknowledged that, for a subpoena to issue, the Government must meet only the lower “reasonableness standard.” However, in reviewing the case law, the court concluded that individuals may challenge a third party subpoena before disclosure is compelled if they have a “legitimate expectation of privacy” regarding the records at issue. The Warshak court therefore reasoned that, where an email user has an expectation of privacy regarding the email content, the government must meet the more rigorous “probable cause” standard. The court found an expectation of privacy in e-mail communications by analogizing the emails to the surveillance of telephone conversations at issue in Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court of the United States held that the government interception of telephone conversations was a search for Fourth Amendment purposes, and that individuals have a legitimate expectation of privacy regarding the conversations.

The Sixth Circuit made only one modification to the district court’s injunction, adding that, “if the government can show, based on specific facts, that an e-mail account holder has waived his expectation of privacy vis-à-vis the ISP, compelled disclosure of e-mails through notice to the ISP alone would be appropriate.” The Court explained that such a waiver requires more than the ISP having some level of monitoring policies in place. For example, an ISP’s terms of use reserving a right of access to e-mail communications for specific, limited purposes, or its use of technological monitoring of e-mails to identify child pornography, would not constitute a waiver by the subscriber. Rather, for a subscriber to waive his expectation of privacy in e-mail communications, the ISP would have to have clear terms of service apparent to the user allowing it to regularly audit, inspect, or monitor subscriber e-mails. The Court analogized the recent Ninth Circuit decision in United States v. Heckenkamp, Nos. 05-10322, 10323, 2007 U.S. App. LEXIS 7806 (9th Cir. Apr. 5, 2007), where a student who connected his computer to the university’s network was held to have a legitimate expectation of privacy regarding his computer files because the university’s monitoring policy was limited in scope. See our discussion of Heckenkamp here. The Court distinguished workplace privacy, where an employer explicitly notifies employees of its right to monitor and access e-mail.

The Sixth Circuit’s decision does not affect other provisions of the SCA, including the government’s ability to obtain, without notice, e-mail communications with a warrant and subscriber account information with a warrant, court order or subpoena.