Privacy Class Action Dismissed for P.F. Chang’s

P.F. Chang’s has a reason to celebrate this holiday season: A judge recently dismissed a data breach class action lawsuit against the Chinese-inspired restaurant chain, citing the two plaintiffs’ failure to describe any injury for which relief could be granted. The ruling itself is available here.

In the action, the plaintiffs John Lewert and Lucas Kosner filed a class action complaint against P.F. Chang’s arising from a data breach involving theft of customers’ credit card and debit card data. The plaintiffs alleged that P.F. Chang’s had failed to comply with reasonable security standards. One report estimated that nearly seven million cards were compromised as a result of the breach, which dated as far back as September 18, 2013.

Following the discovery of the data compromise by the U.S. Secret Service, P.F. Chang’s confirmed that identity thieves had used personal identifying data to steal individuals’ identities and, inter alia, open financial accounts and receive government benefits under those names.

In the lawsuit, the plaintiffs had alleged that they incurred several types of damages in that they overpaid for products/services purchased from P.F. Chang’s, which included overpayment for putative compliance with industry standard measures for the collection and safeguarding of personally identifiable information. The plaintiffs also claimed that they had suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. The plaintiffs further claimed damages arising from costs associated with identity theft and the increased risk of identity theft, and claimed opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards.

In ruling on P.F. Chang’s motion to dismiss, the court did not deny that customers’ credit card information had been stolen in the security breach. However, the court relied on authority that a future injury arising from the release of data is not a current injury in fact. Accordingly, the court ruled that the plaintiffs had suffered no injury and found unconvincing the argument that the plaintiffs had been overcharged, since there was no indication that P.F. Chang’s had charged more to customers who paid by credit/debit card than to those who paid by cash.

The court also ruled that there was no economic injury involved in the time the plaintiffs spent replacing any credit card, and so no opportunity costs or damages arose from this aspect. Finally, the court held that a party cannot manufacture standing unless it can show that the harm of identity theft is imminent. The court found that the potential threat of identity theft was eliminated once the customers in this case cancelled the cards involved in the security breach.

This ruling is being appealed to the Seventh Circuit. We will continue to monitor the impact of this ruling on future data breaches involving similar factual and legal issues.

Image courtesy of Flickr by Mark Crawley

Card Issuers Are Foreseeable Victim in Target Data Breach Cases

In an important decision on standing in data breach cases, the United States District Court in Minnesota issued an Order last week denying Target’s attempt to dismiss all claims brought by financial institutions. The card-issuing banks’ complaint alleges that Target (1) was negligent in failing to have sufficient security in place to prevent hacking of customer data; (2) violated, and was negligent per se for violating, Minnesota’s Plastic Security Card Act (the Act); and (3) is liable for negligent misrepresentation in failing to advise the plaintiffs of its insufficient security measures.

Target moved to dismiss the negligence claims on the grounds that it had no duty to the plaintiffs and did not breach any duty, because there was no special relationship between the parties and the harm, if any, was an unforeseeable result of a third party’s (the hackers’) conduct. The court disagreed and found that the plaintiffs had sufficiently alleged that, whether premised upon the hackers’ conduct or upon Target’s own alleged disabling of a security feature and failure to react to warning signs in its system, the harm to the card issuers was a foreseeable consequence. In addition, the court found that the existence of a duty was bolstered by legislative intent under the Act, which was designed to protect customer data associated with cards such as those issued by the plaintiffs.

With respect to the omission claim, i.e., Target’s purported failure to advise of security deficiencies and its disabling of a security feature, the court found that the plaintiffs had adequately pled Target’s knowledge of facts unknown to the plaintiffs, and specific claims that Target had misrepresented the adequacy of its security in public representations (including Target’s online Privacy Policy and Target’s agreement to comply with Visa and MasterCard Operating Regulations). However, the court noted that the plaintiffs had failed to specifically allege reliance on the omissions and, instead, had only asserted that they had suffered injury. In light of the need to specifically plead the element of reliance, the court granted Target’s motion on this claim, with leave for the plaintiffs to amend their complaint to add facts/claims of reliance on the omissions.

With respect to the statutory claims, the Act prohibits the retention of cardholder data by persons or businesses conducting business in Minnesota and, following a data breach involving a violation of the statute, requires reimbursement of costs to the card issuer. The court found Target’s argument that the Act only applies to Minnesota transactions to be without merit, stating that “it applies equally to Minnesota companies’ data retention practices with respect to in-state and out-of-state transactions.”

Target’s other arguments on the statute are more interesting and create a debate between the parties as to whether the hackers’ theft of data from the cards’ magnetic stripes (though allegedly stored on Target’s servers prior to transmission to the hackers), versus the theft of data maintained by Target itself, results in a violation of the Act’s provisions on retained data. While that issue will eventually be resolved if the case is adjudicated on the merits, the court found that, for purposes of the present motion, the plaintiffs’ allegation that Target stored the information for longer than permitted under the Act, which increased the scope of the breach, was sufficient to state a claim upon which relief can be granted.

In sum, the claims pass muster (at least at the pleading stage), and the financial institutions have standing to proceed.

Image courtesy of Flickr by Mike Mozart

20 Million Californians Impacted By Data Breaches in 2013

This week, California Attorney General Kamala Harris released the second annual Data Breach Report, which detailed the 167 data breaches reported to her office in 2013. These data breaches collectively impacted nearly 20 million Californians, reflecting the growing menace of cybercrime.

The AG’s Data Breach Report reflects an increase of over 600 percent in the number of affected Californians since the 2012 report. This was largely due to the high-profile Target and Living Social data breaches, which exposed more than 7.5 million Californians. More than half of the 2013 breaches (53 percent) were caused by computer intrusions, described in the report as “malware” and “hacking.” The remaining breaches resulted from the physical loss or theft of laptops (26 percent) or other devices containing unencrypted personal information as well as unintentional errors (18 percent) and intentional misuse by insiders (4 percent).

The AG’s office provides key recommendations to California retailers to prevent future data breaches. Retailers should:

  • update their point-of-sale systems to the safer “chip-enabled” technology;
  • implement appropriate encryption solutions to devalue payment card data; and
  • respond promptly to data breaches.

These recommendations are significant, as the AG report indicates that the retail sector is most heavily targeted by cybercriminals, with 88 percent of that sector’s data breaches the result of criminal enterprises.

Full details can be found in the AG’s report here at pages 16-24.

Image courtesy of Wikipedia.

Update: Manuel Noriega, Lindsay Lohan Take Aim at “Call of Duty,” “Grand Theft Auto” Video Game Makers

The Superior Court of California has granted Activision’s motion to dismiss with prejudice Noriega v. Activision/Blizzard pursuant to California’s anti-SLAPP statute.

In its October 27, 2014, decision, the court explained that the defendant’s use of former Panamanian dictator Manuel Noriega’s likeness in the video game “Call of Duty” was de minimis and that the character was transformative. In this regard, the court determined that the character created for the video game was more like “the defendant’s own expression rather than the celebrity’s likeness.”

The court also distinguished this lawsuit from the No Doubt v. Activision lawsuit, where the “characters” were really lifelike depictions of the rock band in the “Band Hero” video game.

We will continue to monitor case developments and courts’ treatment of anti-SLAPP, First Amendment and other defenses in these types of cases, including a watchful eye on Lindsay Lohan’s similar “Grand Theft Auto” suit in New York.

With Data Breach Class Actions on the Rise, Clapper Provides a Viable Defense

With recent data breaches at Home Depot, Target, Jimmy John’s, eBay, Neiman Marcus, P.F. Chang’s, Goodwill Industries, CNET, and others, there has been a resultant explosion of cybersecurity litigation.  Despite the rise in this area of litigation, data breach lawsuits still have to overcome a major hurdle – the standing requirement enunciated in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013).

In Illinois, a number of such lawsuits were filed in the wake of Advocate Medical Group’s revelation that four laptops were stolen from its offices, containing the unencrypted personal health information of more than 4 million patients.  In one such putative class action, Vides v. Advocate Health and Hospitals Corp., the state court followed the rationale of Clapper in rejecting the plaintiffs’ argument that an increased risk of identity theft is sufficient in and of itself to satisfy the “injury-in-fact” requirement necessary to establish standing.

In Vides, the plaintiffs’ theories of liability included common law negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private facts, and intentional infliction of emotional distress. The court found that none of these, including the purported statutory violations, was adequate to confer standing on the plaintiffs, and that the damages asserted were too speculative to establish an injury in fact. In coming to that conclusion, Judge Mitchell Hoffman reasoned that a number of questions would have to be answered in the affirmative to establish an injury in fact, such as whether a person’s data was actually taken, whether that data was sold or transferred, whether anyone attempted to use the person’s data, and whether they succeeded in using it. Because the plaintiffs could not allege that a threatened injury was certain as a result of the breach, the suit was dismissed in its entirety.

In coming to this ruling, the court noted that courts across the country had rejected the argument that risk of harm could equate to an injury in fact sufficient to satisfy Article III of the U.S. Constitution.  In its survey of law on data breach class actions across the country, the court also distinguished Seventh U.S. Circuit Court of Appeals decisions holding that the mere increased risk of identity theft was sufficient to confer standing, since these decisions predated Clapper.  Therefore, Clapper remains a tenuous obstacle for data breach lawsuits to overcome.

While the Clapper decision provides an excellent defense to data breach lawsuits, cybersecurity litigation remains on the rise.  As such, companies should continue to be proactive in assessing their internal systems and procedures to prevent any data breaches from occurring.

Image courtesy of Flickr by Mike Mozart

Dropbox Accounts Exposed

Business Insider and many others are reporting that hackers have acquired nearly 7 million account usernames and passwords. News coverage of the recent breach of Dropbox account security reveals that hackers have provided a “teaser” of 400 accounts and associated passwords on pastebin.com, which as of this writing shows that there have been more than 171,976 views.

Dropbox has explained that its services are fully encrypted, and it denies responsibility for the leak of emails and passwords, pointing instead to third-party services that exposed the credentials. Dropbox also claims that all of the passwords that were leaked had already expired. Dropbox, for its part, encourages users to enable two-step verification, which should harden account security. In fact, the folks at Business Insider prepared a slideshow showing how to set up two-step verification here.

Professionals who use cloud servers to provide medical, legal and financial services should understand that doing so may be at their own risk, as a cloud server provider or host may not provide indemnification or other recourse in the event of privacy and data breaches. Be sure to carefully read server or cloud provider contracts to assess the scope of any limitation of liability (typically a monetary limit and consequential damages disclaimer) that may be inadequate for a customer’s potential losses in the wake of a breach or other unauthorized disclosure of information.  As with all gathering, storage and use of personal and confidential information, there must be safeguards and risk assessment at each level to avoid being hit with the full liability of a data breach.

Image courtesy of Flickr by Dropbox In 30 Minutes

California Supreme Court Denies Petition for Review in $4 Billion Sutter Health Data Breach Cases

With the California Supreme Court denying a petition for review in Sutter Health v. Superior Court (Atkins), in California a health care provider is not liable for the nominal damages set forth in the state’s Confidentiality of Medical Information Act (CMIA) when password-protected but unencrypted information is stored on a computer and the device is stolen, absent evidence the data was actually viewed.

After the California Court of Appeal, Third Appellate District, dismissed 13 coordinated lawsuits, the plaintiffs’ attorneys in the data theft action filed their petition for review with the California Supreme Court on August 29, 2014. The plaintiffs claimed that, regardless of whether the data was viewed, Sutter had a duty to protect the confidential information, such as through encryption, and had failed to meet that duty. On October 15, 2014, the court denied the petition.

Sutter Health maintained medical records concerning the plaintiffs on a desktop computer that was stolen from an office after someone broke in. The medical records of more than 4 million patients were stored on the computer’s hard drive in password-protected but unencrypted format.  The plaintiffs did not allege that any unauthorized persons had actually viewed the records, but claimed potential misuses of the information may not manifest for years.  The plaintiffs sought the $1,000 nominal damages set forth in the CMIA for each class member, or roughly $4.24 billion in damages.

In their complaint, the plaintiffs alleged that Sutter Health violated two different sections of the CMIA (§§ 56.10 and 56.101), which invoked the remedy provision of § 56.36. The plaintiffs first argued that there was a prohibited, unconsented-to disclosure, but the court responded that the statute required an affirmative act of disclosure by the defendant, which was not satisfied by a theft. The second provision relied upon provides, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider … who negligently maintains … [or] stores … medical information shall be subject to the remedies and penalties provided under … Section 56.36.” That section allows anyone whose confidential information has been negligently released to bring an action for $1,000 nominal damages: “In order to recover under this paragraph it shall not be necessary that the plaintiff suffered or was threatened with actual damages.”

The appellate court held that there was no breach of confidentiality absent actual viewing of the information; mere possession of medical information or records by unauthorized persons was insufficient to establish a breach of confidentiality. The court agreed in part with Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, stating that what is required is pleading and proving that the confidential nature of the information was breached as a result of the health care provider’s negligence, but it arrived at that conclusion differently than Regents did. In Sutter, the court found that without an actual breach of confidentiality, a health care provider has not violated § 56.101 and therefore does not invoke the remedy provided in § 56.36. In Regents, the provider did not dispute the allegation that it violated § 56.101, and the court’s decision was based on § 56.36.

The case is good news for health care providers, making it clear that a breach under § 56.101 means a breach in the protection of what is being held in confidence – the actual health information. A change of possession of the vehicle holding the confidence does not trigger liability.  Under Sutter, a health care provider is not subject to liability just because possession of a record or computer is lost. There must be an actual breach of the confidential information – that is, confidential information must be accessed.

A Brief Summary of “Risk Management for Replication Devices” (Draft NISTIR 8023) by the NIST Computer Security Division

Last month, the Computer Security Division of the National Institute of Standards and Technology (NIST) released a draft publication titled “Risk Management for Replication Devices” (Draft NISTIR 8023). The full draft publication is here (with an excellent security risk assessment table and flowchart at the end).  The draft is of particular interest to individuals who are responsible for the purchase, installation, configuration, maintenance, disposition, and security of replication devices (RDs), including acquisitions; system administration; information system and security control assessment and monitoring; and information security implementation and operations.

Here is a summary of the key provisions of the draft:

  • RDs include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner. Even today, many organizations may not have an accurate inventory of RDs or recognize what functionality each device possesses, especially with respect to information (data) storage, processing, and transmission. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs.  RDs are often connected to organizational networks, have central processing units that run common commercial operating systems, store information internally on nonvolatile storage media, and may even have internal servers or routers.
  • The publication advises that before placing RDs into operation, configure each RD securely and implement appropriate security controls. There are numerous secure installation and configuration practices to consider and implement. Each device may have unique capabilities and security options.

Some practices to consider (with associated NIST SP 800-53 security controls in parentheses) include:

  • Disable unused physical and network ports (CM-7).
  • Implement physical security, e.g., locks (PE-3).
  • Whitelist/blacklist specific MAC addresses, IP addresses/address ranges, or email addresses (AC-18, SC-7).
  • Configure image overwrite capability.
    • Enable immediate image overwrite (MP-6).
    • Schedule regular off-hours overwrite with three-pass minimum (MP-6).

As for disposal of the RDs, sanitize RDs when they are no longer needed by an organization or will be repurposed or stored by doing the following (with associated NIST SP 800-53 security controls in parentheses):

  • Wipe/purge or destroy nonvolatile storage media (MP-6).
  • Change or reset passwords and other authentication information, e.g., user PINs (IA-5).
  • Reset configurations to factory default settings (CM-6).
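The two checklists above (secure installation/configuration and disposal) lend themselves to a simple inventory audit. The following script is an added example written for this summary; it is not code from the NIST draft or from any vendor. It represents each replication device as a constructed configuration record, evaluates it against the listed practices, and tags every finding with the SP 800-53 control the draft cites. The field names (`enabled_ports`, `network_allowlist`, `scheduled_overwrite_passes`, and so on) are assumptions chosen for the example; a real deployment would populate them from the device's management interface.

```python
"""Audit replication-device (RD) configurations against the secure-configuration
and disposal practices summarised in Draft NISTIR 8023, mapping each finding to
the NIST SP 800-53 control cited there. Added example; device records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RDConfig:
    """Constructed snapshot of one copier/printer/scanner/MFD (field names are assumptions)."""
    name: str
    enabled_ports: frozenset          # physical + network ports currently enabled
    required_ports: frozenset         # ports the device actually needs for its role
    physically_secured: bool          # locked room/enclosure (PE-3)
    network_allowlist: tuple          # MAC/IP/email allowlist entries; empty = none
    immediate_overwrite: bool         # overwrite each job image right after use (MP-6)
    scheduled_overwrite_passes: int   # passes in the off-hours overwrite job; 0 = none
    default_credentials: bool         # vendor default admin password / user PINs still set
    retiring: bool = False            # device is being disposed of, repurposed or stored
    media_purged: bool = False        # nonvolatile storage wiped/purged or destroyed
    factory_reset: bool = False       # configuration reset to factory defaults


def audit_rd(cfg: RDConfig) -> list:
    """Return (control, message) findings for one device; empty list = compliant."""
    findings = []

    # Secure installation / configuration practices
    unused = cfg.enabled_ports - cfg.required_ports
    if unused:
        findings.append(("CM-7", "disable unused ports: " + ", ".join(sorted(unused))))
    if not cfg.physically_secured:
        findings.append(("PE-3", "no physical access control (e.g. locked room or enclosure)"))
    if not cfg.network_allowlist:
        findings.append(("AC-18/SC-7", "no MAC/IP/email allowlist configured"))
    if not cfg.immediate_overwrite:
        findings.append(("MP-6", "immediate image overwrite disabled"))
    if cfg.scheduled_overwrite_passes < 3:
        findings.append(("MP-6", "scheduled off-hours overwrite uses %d passes; three-pass minimum"
                         % cfg.scheduled_overwrite_passes))
    if cfg.default_credentials:
        findings.append(("IA-5", "vendor default credentials/PINs still in use"))

    # Disposal practices apply only once the device is leaving service
    if cfg.retiring:
        if not cfg.media_purged:
            findings.append(("MP-6", "nonvolatile storage not purged/destroyed before disposal"))
        if not cfg.factory_reset:
            findings.append(("CM-6", "configuration not reset to factory defaults before disposal"))
    return findings


def audit_inventory(devices) -> dict:
    """Map device name -> findings for a whole inventory."""
    return {d.name: audit_rd(d) for d in devices}


# Constructed inventory: one hardened device and one that fails most checks.
INVENTORY = (
    RDConfig(name="mfd-finance-01", enabled_ports=frozenset({"ethernet"}),
             required_ports=frozenset({"ethernet"}), physically_secured=True,
             network_allowlist=("10.20.0.0/24",), immediate_overwrite=True,
             scheduled_overwrite_passes=3, default_credentials=False),
    RDConfig(name="copier-lobby-07", enabled_ports=frozenset({"ethernet", "usb", "wifi", "fax"}),
             required_ports=frozenset({"ethernet"}), physically_secured=False,
             network_allowlist=(), immediate_overwrite=False,
             scheduled_overwrite_passes=1, default_credentials=True,
             retiring=True, media_purged=False, factory_reset=False),
)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for control, msg in findings:
            print("   [%s] %s" % (control, msg))
```

Running the script prints no findings for the hardened device and eight for the lobby copier, including the two disposal findings that only apply because it is marked as retiring. The point of keying findings to control identifiers is that the same report can feed both a remediation ticket and the control-assessment records the draft's audience (assessors and monitoring staff) maintain.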

Organizations are encouraged to review the draft publication during the public comment period and to provide feedback to NIST no later than Oct. 17. Email comments to sec-cert@nist.gov, or mail the National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930.

Manuel Noriega, Lindsay Lohan Take Aim at “Call of Duty,” “Grand Theft Auto” Video Game Makers

Recent high-profile case filings demonstrate the trend of using traditional privacy laws in the context of today’s high-tech world.  A lesson learned from such filings, and to be learned as the cases progress, is that to avoid potentially costly litigation one must exercise an abundance of caution before using a person’s likeness, or even a close parody, in commercial activities.

In July, former Panamanian dictator Manuel Noriega sued Activision Blizzard, the maker of the popular game “Call of Duty,” in a California Superior Court.  In the complaint, Noriega claims Activision misappropriated his likeness and portrayed him as “a kidnapper, murderer and enemy of the state.” While Noriega resides in a Panamanian prison for, among other things, money laundering and murder, the game suggests he is “the culprit of numerous fictional heinous crimes.”  The complaint also lists violations of the right of publicity, unjust enrichment, and unfair business practices and seeks unspecified damages.

Under California Civil Code §3344, it is a violation to use a person’s likeness in products without consent.  Violators are liable for actual damages sustained and “any profits from the unauthorized use that are attributable to the use.”

Former New York Mayor Rudy Giuliani is one of the attorneys representing Activision and, on September 22, the defense filed a special motion to strike under California’s anti-SLAPP statute, California Code of Civil Procedure §425.16, which insulates a defendant who has been sued over protected free speech. In particular, the defense maintains that were Noriega to succeed, it would hinder numerous artists and writers from being able to use historical figures in their creative works.

Noriega’s suit comes on the heels of an action Lindsay Lohan filed in New York against Take-Two Interactive and Rockstar Games, the makers of “Grand Theft Auto V.”  In the June complaint, Lohan alleges the defendants used “her image, likeness, clothing, [and] outfits” and that the “Lacey Jonas” character plot line tracks Lohan’s real life events.  Portions of the game take place at Chateau Marmont, an LA hotspot Lohan and other celebrities frequent – though Lohan was banned for failing to pay a $46,000 bill.

Based on these alleged similarities, Lohan sued for violation of her right of privacy under New York Civil Rights Law § 51.  (In New York, there is no common law right of publicity.)  To prevail, Lohan must prove the defendants used her name, picture, or voice for advertising purposes within the state of New York without consent.  In August, the game makers filed a motion to dismiss and requested sanctions asserting Lohan’s claims are frivolous.

These are not the first instances of “celebrities” suing a video game maker for using their image without permission. In 2012, No Doubt, a popular rock band, settled with Activision after the company allegedly used its likeness in the video game “Band Hero.” Earlier this year, Electronic Arts, another video game maker, settled two lawsuits with former NCAA athletes for $60 million following an appeals court determination that a video game maker has no right to use their likenesses without permission or compensation. More than 100,000 athletes were estimated to share in the proceeds.

Given these trends that push the boundaries of privacy, there are surely more cases to come and we will keep a watch and report on new developments.

Does the Attorney-Client Privilege Shield Data Breach Investigations?

Whenever a privacy breach occurs at a company, time is of the essence. The theft could involve stolen sensitive financial data, credit card information, health data, Social Security information or other personal identifying information relating to customers and/or employees of the company.

Remember that the attorney-client privilege matters when engaging investigatory service providers that will create documentation such as “incident” reports or “computer forensics” reports. While hiring outside counsel can help ensure that the investigation of the breach is protected by the attorney-client privilege, it is also important to know the limits of this protection.

The attorney-client privilege protects communications concerning the breach investigation; it does not protect the fact that the breach occurred. Furthermore, the attorney-client privilege cannot be used as a shield to avoid any applicable notification requirements under state and federal law. Use your company’s outside counsel as part of your data breach team to analyze the type of data breach at issue. If notification is required, it should be sent to all affected parties in a clear, succinct, and precise manner.

Finally, if you hire a forensics examiner, have outside counsel engage the forensics team so that the investigation can also be protected by the attorney-client privilege. Bear in mind that the breach response team should ideally include your top information technology team members, your in-house counsel (if any), your outside counsel, and key members of your public relations team. Being prepared before a data breach will minimize the level of business disruption and your potential damages.