Cybersecurity: Litigation, Crime & Enforcement

Michaels Wins Dismissal of Data Breach Class Action, Insurer Denies Coverage of Defense
Moyer v. Michaels Stores, Inc., No. 14-CV-00561 (N.D. Ill., dismissed Jul. 17, 2014).
Safety National Casualty Corp. v. Michaels Stores, Inc., No. 3:14-cv-02223 (N.D. Tex., filed June 18, 2014).

Last month, we reported that Michaels Stores sought dismissal of several, now consolidated, putative class actions regarding a January data breach that may have exposed customers’ credit and debit card information. The putative class brought claims for (i) breach of implied contract and (ii) violations of the Illinois Consumer Fraud Act and other state consumer protection laws. Michaels argued that the plaintiffs lacked standing because they had not suffered actual or imminent injuries and that the plaintiffs’ claims failed because they had not sufficiently alleged an injury. On July 17, 2014, the Northern District of Illinois granted Michaels’ motion. The court held that the plaintiffs’ increased risk of identity theft as a result of the data breach was sufficiently imminent to confer standing. However, the court found that the plaintiffs had failed to state a claim because they did not plead actual monetary damages. Purchases of credit monitoring services and general allegations regarding unauthorized bank withdrawals were insufficient to constitute actual damage.

Meanwhile, on June 18, Safety National Casualty Corp. filed an action for declaratory relief against Michaels, seeking a judgment that a general commercial liability insurance policy does not oblige Safety National to provide a defense and coverage to Michaels in the Illinois class actions. Safety National alleges that the policy provides a duty to defend and coverage for claims alleging “bodily injury,” “property damage,” and “personal or advertising injury.” According to Safety National, the putative class actions alleged none of those injuries and, therefore, the policy provides no coverage. Following the dismissal of the class actions, on July 22, Safety National stipulated to a dismissal without prejudice.

Also in July, an Illinois state court dismissed another putative class action data breach case but, contrary to the Michaels court, ruled that increased risk of future harm was not enough to confer standing, where there was “no actual or impending certainty of identity theft” arising from the data breach [Case No. 13-L-538].

Alabama Hospital Seeks Dismissal of Data Breach Class Action
Smith v. Triad of Alabama LLC, No. 14-cv-00324 (M.D. Ala.).

As detailed last month, Triad of Alabama (doing business as Flowers Hospital) was hit with a putative class action after notifying patients that a former hospital employee had stolen lab test records containing names, addresses, dates of birth, Social Security numbers and health plan policy numbers, and information about lab tests, but not test results. The complaint included claims for willful and negligent violations of the Fair Credit Reporting Act, negligence, negligence per se, invasion of privacy, and breach of contract. On July 7, Flowers Hospital moved to dismiss the claims. The hospital argued that the plaintiffs lack standing because the filing of fraudulent tax returns—without allegations that plaintiffs were deprived of their tax refunds—and an increased risk of identity theft were not actual injuries and that these alleged injuries were not “fairly traceable” to the data breach. The hospital also maintained that the plaintiffs failed to state their negligence per se, breach of contract, and invasion of privacy claims. The hospital argued (i) both the negligence and contract claims are impermissible attempts to create a private cause of action under HIPAA, (ii) plaintiffs cannot prove causation for their negligence claim, (iii) the hospital’s privacy notice did not constitute a contract because there was no consideration, and (iv) the plaintiffs failed to allege any basis for vicarious liability in their invasion of privacy claim. As of July 30, the motion has been fully briefed.

Cybercrime in the News

Hackers Find Way to Outwit Tough Security at Banking Sites, N.Y. Times (July 22, 2014).

Justice Department’s New Crime Chief Targets Cyber Cases, Wall Street Journal (Jul. 14, 2014).

Hackers Inc.: Cyber-Attackers Have Multiplied and Become Far More Professional, Economist (Jul. 12, 2014).

Mob-Busting Tools Emerge as a Weapon Against Cybercrime, Wall Street Journal (Jul. 8. 2014).

Cybercrime Scheme Uncovered in Brazil, N.Y. Times (Jul. 2, 2014).

Government Enforcement

Florida Information Protection Act Expands Breach Notification Requirements

Effective July 1, the Florida Information Protection Act (FIPA) replaced Florida’s existing breach notification statute. While the previous law imposed requirements only on companies that conducted business in Florida, the new law applies to any company experiencing a data breach that affects a Florida citizen and applies even when a third-party agent has experienced a breach. FIPA also imposes stricter requirements on businesses that experience data breaches. Upon discovering a breach that creates a greater risk of identity theft or financial harm, a company must notify affected individuals within 30 days (compared to 45 days previously). Companies may seek a 15-day extension on this requirement for good cause. A company must also notify the Florida Legal Affairs Department, whether or not the breach creates an increased risk of identity theft or financial harm. Breaches affecting a larger number of people trigger additional requirements. While the statute explicitly excludes a private cause of action, it imposes penalties starting at $1,000 per day and up to a maximum of $500,000.

Mass. Attorney General Reaches Settlement in Cross-Border HIPAA and Breach Notice Enforcement Suit
Massachusetts v. Women & Infants Hospital of Rhode Island, No. 13-2332G (Mass. Sup. Ct.).

A Rhode Island hospital agreed to judgment on July 22 to pay $150,000, undertake an audit, and institute new security procedures to settle a breach notification suit filed by the Massachusetts Attorney General. In April 2012, Women & Infants Hospital discovered that it was missing unencrypted back-up tapes containing the personal information of about 14,000 patients, more than 12,000 of which were Massachusetts residents. The personal information included names, birth dates, Social Security numbers, and certain medical data. The hospital did not report the breach to patients or authorities until November 2012. The Massachusetts Attorney General filed an enforcement action on July 2, alleging that the hospital’s failure to secure the data and delayed notification violated HIPAA as well as chapter 93a of Massachusetts General Laws. Although the breach also affected more than 1,200 Rhode Island residents, the Rhode Island Attorney General’s Office stated to a news outlet that it was satisfied with the hospital’s breach notification. Neither Massachusetts nor Rhode Island law imposes a specific time period for notification. Rather, both require businesses to issue breach notices as soon as possible and “without unreasonable delay.”

Vermont Attorney General Settles Suit over Failure to Issue Breach Notice
In re Shelburne Country Store Website, No. 425-7-14-WNCV (Vt. Sup. Ct.).

In January 2014, the Shelburne Country Store learned that its website code had been modified and credit card information of 721 customers had been compromised. While the store immediately repaired the breach, it did not notify the affected customers or the Attorney General. After the Vermont Attorney General independently learned of the breach and contacted the store in March 2014, the business notified the customers, offered a year of credit monitoring, and moved to a hosted platform with the capability to monitor intrusions. However, Vermont law requires businesses to notify the Attorney General within 14 days of learning of a breach and to notify affected customers within 45 days. On July 9, the Attorney General reached a settlement with the store. In addition to paying a $3,000 fine, the store must “implement and maintain a comprehensive Information Security Program” and conduct a full audit of its policies and procedures to ensure that it is complying with Vermont law. The security program must comply with either the Payment Card Industry Data Security Standards or the data security standards in the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth. The settlement also provides the Attorney General permission to access the store’s records and institutes stiffer penalties for future violations. In September 2013, the Vermont AG reached a more stringent settlement with a health food store that failed to notify customers or correct its system vulnerability after a 2012 data breach.

International

French Data Protection Authority to Audit Compliance with Website Cookie Rules

On July 11, the French data protection authority, CNIL, announced that, following a mid-September “cookie sweep,” it will begin conducting audits in October to assess compliance with European Union and French rules requiring websites to obtain consent before installing or reading cookies. These rules include the 2009 EU e-Privacy Directive, France’s Law on Data Processing, Data Files and Individual Liberties, and several guidelines on cookies issued by the CNIL. Any company (European or otherwise) that collects personal information about European citizens through cookies or other tracking mechanisms may be targeted by the audit.

CNIL will examine the type and purpose of cookies and determine whether website operators understand the purpose of all cookies, whether they are third-party cookies or internal to the website. For cookies that require prior user consent, CNIL will also examine how websites obtain consent, the visibility, quality, and simplicity of the information provided to users about the cookies, the ability to retract consent to cookies, and the duration of cookies. CNIL will also examine the consequences of not consenting to a website’s cookie.

According to CNIL’s announcement, noncompliance with the laws could result in a warning or fine.

Russia Enacts Data Localization Law

On July 21, President Vladimir Putin signed into law Bill No. 553424-6, which bans the storage and processing of personal information about Russian citizens on servers located outside the country. The law is slated to take effect on September 1, 2016 and would allow Russia to block websites that do not comply. According to the BBC, while the Kremlin states that the purpose of the law is to protect its citizens, critics fear that the Russian government seeks easier access to the data.

New Filings

Green v. eBay, Inc., No. 2:14-cv-01688 (E.D. La., filed Jul. 23, 2014).

In May 2014, eBay reported that in February hackers had gained access to 145 million customer records including names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers. Credit and debit card numbers and Paypal account information were apparently not compromised. In this putative class action filed on July 23, Collin Green alleges eBay’s failure to safeguard customer information and delay in notifying customers constituted negligence, breach of contract, breach of implied contract, breach of fiduciary duty, bailment, and violations of the Federal Stored Communications Act, Louisiana’s breach notification statute (which provides for statutory damages), the Gramm-Leach-Bliley Act, various state privacy statutes, and the Fair Credit Reporting Act.