Data Security


October 31, 2011 | Posted by Amelia M. Gerlicher
The First Circuit Court of Appeals ruled recently that plaintiffs in a data breach class action have standing based on money spent for card replacement fees and identity theft insurance, because such expenses were a reasonably foreseeable result of a significant data breach where there was evidence that a criminal enterprise was responsible for the breach and had actually used stolen credit card numbers hundreds of times. Anderson v. Hannaford Bros. Co., --- F.3d ----, NO. 10-2384, 10-2450, 2011 WL 5007175 (1st Cir. October 20, 2011).
September 29, 2011 | Posted by Amelia M. Gerlicher
On September 15, the Federal Trade Commission released the changes it is proposing to make to the Children’s Online Privacy Protection Rule (required by the Children’s Online Privacy Protection Act, or COPPA).  The Rule has been in effect since 2000.  To address technological developments in the last decade, the FTC is recommending a number of changes to the definitions and required procedures for compliance.
September 2, 2011 | Posted by Amelia M. Gerlicher
As of January 1, 2012, California will have specific requirements for the content of data breach notification letters, as well as a requirement to notify the attorney general.
July 22, 2011 | Posted by Ryan Mrazik
The Florida Supreme Court has amended its state court rules and forms to "minimize the amount of unnecessary personal information included in documents filed with the courts" as a "necessary step in the Court's ongoing effort to provide the public with electronic access to non-confidential court records."   In Re: Implementation of Committee on Privacy and Court Records Recommendation [PDF].  The "linchpin" of the amendments was the new Rule of Judicial Administration Rule 2.425--the "Minimization of the Filing of Sensitive Information"--that governs the filing of sensitive personal information with the court and requires "both attorneys and pro se litigants [to] be vigilant to file only authorized documents."  The new rules provide for sanctions for violations, but the court noted that "continual education and a change in mindset for all those involved in the litigation process are necessary for these rules to work as intended."
May 8, 2011 | Posted by Ryan Mrazik
Last week, the Ninth Circuit in United States v. Nosal, No. 10-10038 (Apr. 28, 2011) [PDF] reversed and remanded to the district court a criminal complaint under section 1030(a)(4) of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, because "an employee exceeds authorized access under [section] 1030 when he or she violates the employer's computer access restrictions--including use restrictions."  The district court, relying on the Ninth Circuit's decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) [PDF], had held that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances. The Ninth Circuit clarified, however, that its Nosal decision was "simply an application of Brekka's reasoning" that an employer determines whether an employee is authorized--"as long as the employee has knowledge of the employer's limitations on … authorization, the employee 'exceeds authorized access' when the employee violates those limitations.  It is as simple as that."
December 20, 2010 | Posted by Amelia M. Gerlicher
On December 18, 2010, President Obama signed the Red Flag Program Clarification Act of 2010. Effective immediately, the act changes the definition of the word “creditor” in the FTC Red Flags Rule to exclude most professionals that take payment after rendering services.
September 1, 2010 | Posted by Editor
Perkins Coie Partner Barry Reingold was quoted this week in an article published by BNA entitled, "'Cloud' Customers Facing Contracts With Huge Liability Risks, Attorneys Say."
July 15, 2010 | Posted by James R. McCullagh

A federal court in the Northern District of California dismissed Computer Fraud and Abuse Act (“CFAA”), California Penal Code Section 502, and trespass to chattel claims against Apple Computer, Inc. arising out of its transmission of a software update that caused iPhones, which had been unlocked so they could be used with other service providers, to become unusable.  In re Apple & ATTM Antitrust Litig. No. 07-05152 (N.D. Cal. July 8, 2010).  This complete disabling of the iPhone has been termed “bricking.”

While Apple scored a victory in getting these three claims dismissed, the Plaintiffs scored a larger victory as the court granted class certification for the remaining claims as to “[a]ll persons who purchased or acquired an iPhone in the United States and entered into a two-year agreement with Defendant AT&T Mobility, LLC for iPhone voice and data service any time from June 29, 2007, to the present."

March 29, 2010 | Posted by Ryan Mrazik and Susan Lyon
Last Monday, Washington passed HB 1149 which holds payment processors, businesses, and vendors who fail to protect against unauthorized access to consumers' credit and debit card account information responsible for financial institutions' costs of reissuing credit and debit cards in the event of a breach. Payment processors, businesses, and vendors can, however, receive safe harbor under the statute if (1) the account information was encrypted at the time of the breach or (2) if the processor, business, or vendor was certified as PCI DSS compliant at the time of the breach. The law goes into effect July 1, 2010.
March 15, 2010 | Posted by

Editor's Note: Our initial report on the much anticipated demise of this Maine law was a bit premature. The bill is expected to pass but is a few weeks from its final demise. Our deepest apologies for this error. We are redoubling our strive for excellence. Corrected posting is below.

A controversial Maine law passed last year that banned the use of personal information about minors for marketing purposes is close to being repealed.  The new Maine law that would take its place is much more narrowly tailored to prohibit use of information collected online from minors for the purpose of marketing pharmaceuticals.

March 9, 2010 | Posted by

We often counsel our clients not to make absolute promises about security or data protection. Just like there is no ocean-front property in Arizona, there is no such thing as perfect security or safety. 

LifeLock, Inc. just learned this lesson the hard way when they promised consumers protection from all forms of identity theft. As a result, they are now agreeing to pay $12 million in fines to state and federal regulators.

March 1, 2010 | Posted by Amelia M. Gerlicher
The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, go into effect today, March 1, 2010.  The regulations impose strict data security requirements on every business that owns or licenses “personal information” about a resident of Massachusetts, regardless of where the business is located or does business.
January 14, 2010 | Posted by Susan Lyon
Attorney General Richard Blumenthal today sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. http://www.ct.gov/ag/cwp/view.asp?Q=453916&A=3869
October 30, 2009 | Posted by Amelia Gerlicher
On Friday, October 30, 2009, the FTC announced that it was delaying enforcement of its Red Flags Rule until June 1, 2010.
October 30, 2009 | Posted by Ryan Mrazik
Today, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") filed its final amendments to the state's data security regulations, which impose specific requirements on entities for safeguarding the personal information of Massachusetts residents. The OCABR will make its amendments public next Monday, but has already stated that it didn't make any major changes and only clarified language regarding contracts between persons who own or license personal information and third-party service providers. The updated regulations are scheduled to take effect on March 1, 2010.
October 29, 2009 | Posted by Editor

Leading insurance broker Marsh is hosting two joint panel discussions with Perkins Coie, featuring Of Counsel Susan Lyon in Seattle and Associate Joseph Cutler in Portland, speaking on the latest updates in data security laws and enforcement.

October 10, 2009 | Posted by Joseph Cutler

On October 6, 2009, the FTC announced its second enforcement action under the EU Safe Harbor Program in four months. Six companies that had certified in the EU Safe Harbor Program allowed their certifications to lapse, but continued to represent to their users and to the public that they were "Safe Harbor Certified."  Under the proposed settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.

Before its first enforcement action, brought in July 2009, the FTC had not enforced the EU Safe Harbor Program at all since its inception in 2000. While many commentators had heretofore suggested that the FTC would not enforce it, these new actions suggest a renewed FTC interest in ensuring that Program participants actually follow the rules.

Read the official FTC press release here.
October 8, 2009 | Posted by Editor
Perkins Coie Of Counsel Susan Lyon was quoted in a recent story posted on CreditCards.com, a publisher of original consumer credit card related news.
October 5, 2009 | Posted by Editor
Perkins Coie Of Counsel Susan Lyon was quoted extensively in a recent story posted on CreditCards.com, a publisher of original consumer credit card related news.
September 7, 2009 | Posted by John Roche
An Illinois federal district court has ruled that failure to comply with the Federal Financial Institutions Examination Council’s (“FFIEC”) Internet Banking standards for multifactor authentication may support a negligence claim.
September 3, 2009 | Posted by Editor
Perkins Coie Of Counsel Susan Lyon was quoted this month in an Inside Counsel article entitled, "Watching Out for a National Cyberdisaster."  The article discusses how cyber-attacks are a danger to security of critical infrastructure systems in the U.S.
August 18, 2009 | Posted by Editor
The Massachusetts Office of Consumer Affairs and Business Regulation announced amendments yesterday to its identity theft regulations, including an extension of the compliance deadline to March 1, 2010.
July 29, 2009 | Posted by Editor
On Wednesday, July 29, 2009, the FTC extended the enforcement deadline for the Red Flags Rule until November 1, 2009.
July 20, 2009 | Posted by Editor
Missouri has become the 45th state to enact data breach notification legislation. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009.
May 13, 2009 | Posted by Amelia Gerlicher
The FTC has created a template to help "low risk" entities comply with the new Red Flags rules. "Low risk" entities are  those whose business practices are such that it would be hard to use a false identity, such as working with customers known to the employees personally or providing services at customers' homes.
April 17, 2009 | Posted by Ryan Mrazik
Earlier this month, Senators Rockefeller, Snowe, and Nelson introduced S.773, the "Cybersecurity Act of 2009." The bill is primarily designed to address cybersecurity in the federal government, but various provisions could impact you or your business, particularly if you are designated as a "critical infrastructure information system or network," provide cybersecurity to the federal government, are a small- or medium-sized business, or are an institution of higher learning. The bill would (1) create new government agencies, work forces, and tasks; (2) create new priorities for existing federal agencies; and (3) implement new Presidential powers to address cybersecurity on a national scale.
March 25, 2009 | Posted by Susan Lyon

The Payment Card Industry (PCI) Security Standards Council has issued a guideline that groups the requirements of PCI Data Security Standards 1.2 into six key milestones for merchants to consider in their card data security strategy.

https://www.pcisecuritystandards.org/education/prioritized.shtml

March 11, 2009 | Posted by Ryan Mrazik
In California, proposed legislation (SB 20) would significantly update the state's data breach notification statute. The bill would (1) delineate standard information that agencies, businesses, and individuals must include in any data breach notification and (2) require centralized reporting of certain breaches to the state's Attorney General. In 2003, California became the first state to pass a data breach notification statute. That statute then served as a model for more than 40 other similar statutes. Given the impact of California's initial statute, these changes, if adopted, could prompt similar updates in numerous other states across the country.
March 10, 2009 | Posted by Ryan Mrazik
A recent case has identified a potential path for plaintiffs to receive post-breach damages. In the past, such claims have usually failed due to a lack of standing or the insufficiency of the plaintiffs' damages claims. The court in Pinero v. Jackson Hewitt Tax Service, Inc., however, not only conferred standing but also allowed three of the plaintiff's substantive claims--fraudulent inducement, unfair trade practices, and invasion of privacy--to survive a motion to dismiss.
February 12, 2009 | Posted by Joseph Cutler

The Massachusetts Office of Consumer Affairs announced today that it is again revising 201 CMR 17. The new regulation revisions do not resolve the ambiguities regarding the definition of Financial Account; but they do move all compliance deadlines to January 1, 2010, and significantly scale back the compliance requirements for third-party service providers that were causing such headaches for businesses. Instead of requiring that entities bind third parties by express contract to comply with the regulations, the revised regulation merely requires that the entity take reasonable steps to ensure that the third-party service provider protects the data in accordance with the demands of the regulation.

Here is a link to the revised regulation:

http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf.
February 8, 2009 | Posted by James McCullagh

The Ponemon Institute has published its fourth annual survey of the costs of Data Breaches. The 2008 Annual Study: Cost of Data Breach key findings include:

  • Costs of response and impacts of data breaches continue to rise. Total average costs increased to $202 per record compromised, compared to $197 per record in 2007.
  • Cost of lost business and customer churn continue to account for the largest impact, or some 69 percent of total breach costs.
  • Data breaches from third parties account for 44% of the data losses.
  • Insider negligence accounted for over 88% of the data breaches.
  • Lost laptops (35 percent) and system failure (33 percent) are the main causes of data breaches.
January 20, 2009 | Posted by John Roche
In an order issued on January 7, 2009, U.S. District Judge Clay Land held that lost revenue caused by the misappropriation of proprietary information and intellectual property from an employer’s computer is not recoverable under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA). Andritz, Inc. v. Southern Maintenance Contractor, LLC, et al., Case No. 3:08-CV-44 (CDL), 2009 WL 48187 (M.D. Ga. Jan. 7, 2009).
April 17, 2008 | Posted by James McCullagh
The New York Times recently reported on a sophisticated phishing scheme that targets executives by sending them what appears to be an official subpoena. The email includes an embedded link that purports to offer a copy of the entire subpoena, but which, when clicked, actually downloads keylogger software as well as software that permits remote control of the compromised computer. The New York Times article can be found here. A related article from SC Magazine can be found here. While the scheme is a sophisticated example of social engineering, all employees and particularly executives should be informed that (1) subpoenas are not served by email and (2) all suspect emails should be forwarded to IT before clicking on any links.
April 17, 2008 | Posted by James McCullagh

The Ponemon Institute has released the “Consumer's Report Card on Data Breach Notification.” This study of 1,795 people indicated that 31 percent said they terminated their relationship with the organization after learning that their personal information may have been released as a result of a data breach. 26 percent of respondents took no action after being notified and 57 percent said they lost trust and confidence in the organization.

Other key findings are:

  • 63 percent of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information;
  • 55 percent of respondents had been notified of two or more data breaches in the previous 24 months;
  • More than 55 percent of respondents state that the notification about the data breach occurred more than one month after the incident;
  • More than 50 percent of respondents rated the timeliness, clarity, and quality of the notification as either fair or poor;
  • Less than one-third of respondents said that the organization offered services to protect them from further harms; of those who opted into such services, 97 percent rated them good to excellent; and
  • Two percent of respondents that had been notified of a data breach experienced identity theft as a result of the breach, while 64 percent were unsure if they were a victim of identity theft.
March 28, 2008 | Posted by Editor
Perkins Coie presented a complimentary breakfast seminar March 26, 2008, in Seattle on computer security breaches and data losses. The PowerPoint for the seminar can be found at this link.
March 27, 2008 | Posted by Editor
On March 24, 2008, Indiana Governor Mitch Daniels signed House Bill 1197, an amendment to Indiana's security breach notification statute, into law. The new version of the law, which goes into effect July 1, 2008, has a higher threshold for exclusion than the prior version.
February 20, 2008 | Posted by Editor
Perkins Coie Partners Al Gidari and Jill Chasson spoke in Phoenix, Arizona, on February 19 on "Computer Security Breaches and Data Losses: Preparing for and Responding to the Inevitable."  The event was sponsored by the Association of Corporate Counsel - Arizona. The PowerPoint presentation for the event can be found by clicking here.
December 13, 2007 | Posted by Editor
A national survey conducted by the Ponemon Institute reveals remarkably widespread employee non-compliance with corporate data security policies. The independent survey, entitled Data Security Policies Are Not Enforced, found that a significant percentage of the IT professionals surveyed have failed to comply with simple data security procedures in seven high-risk areas. The study reveals that noncompliance among IT practitioners is common even though IT professionals consider malicious or negligent insiders to pose the greatest threat to an organization's information assets. The underlying cause of noncompliance, according to the survey, is employers' lax enforcement of data security policies and employees' lack of "security awareness".
October 22, 2007 | Posted by John Roche
In Diamond Power International, Inc. v. Davidson, No. 1:04-cv-0091-RWS-CCH, (N.D. Ga. Oct. 1, 2007), the Northern District of Georgia became the latest federal court to weigh in on the nettlesome issue of the scope of an employee’s “authorization” to access an employer-provided computer under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.
October 12, 2007 | Posted by Editor
This case stemmed from criminals hacking into the computer systems of TJX and compromising the security of at least 45,700,000 customer credit and debit accounts. Financial institutions brought suit seeking to recover their costs arising out of the resulting fraudulent transactions and the need to replace the compromised cards.
August 23, 2007 | Posted by Editor
The 7th Circuit held that individuals who had been notified of a security breach involving their personal information were not entitled to recover compensation for subsequent credit monitoring to guard against identity theft. Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. 2007). The Court concluded that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, does not constitute an existing compensable injury and consequent damages required to state a claim for negligence or breach of contract as a matter of Indiana law.
May 16, 2007 | Posted by Editor
In Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D. Ohio 2007), computer equipment containing personal customer information was stolen from the defendant’s office. Following the burglary, one customer brought suit, alleging that the defendant was negligent in its protection of her personal information. The court ultimately dismissed the complaint because the plaintiff could not prove that any unauthorized use of her information had occurred and, thus, any injury was purely speculative. Id. at 712.
March 18, 2007 | Posted by John Roche
Two very recent district court decisions from New Jersey and Louisiana emphasize just how limited the term "loss" is under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). See L-3 Communications Westwood Corp. v. Joseph Emile Robicharux, Jr. et al., 2:06-cv-00279-MVL-SS, slip op. (E.D. La. Mar. 8, 2007); P.C. of Yonkers, Inc. v. Celebrations! The Party and Seasonal Superstore, L.L.C., 2:04-cv-04554-JAG-MCA, slip op. (D.N.J. Mar. 2, 2007). Taken together these cases demonstrate the great care that parties to a CFAA action must take in assessing whether a “loss” has been adequately pled within the meaning of the statute.
January 2, 2007 | Posted by Editor

With the advent of 2007, five new state security breach notification laws -- in Hawaii, Kansas, New Hampshire, Utah and Vermont -- have come into effect. Additionally, the Michigan legislature has passed security breach notification legislation that, as of this writing, awaits the governor's signature.

Pending approval of the Michigan law, thirty-four states and Puerto Rico require notification to individuals whose personally identifiable information is compromised. For summaries of these laws, please refer to the chart that we maintain at www.perkinscoie.com/statebreachchart/chart.pdf.
October 30, 2006 | Posted by Editor

Key v. DSW, Inc., No. 2:06-cv-459 (S.D. Ohio, dismissed 9/27/06).
Another federal district court has dismissed a suit against a data controller for a failure to adequately secure personally identifiable information maintained by the data controller. As have other courts, the Southern District of Ohio reasoned that an increased risk of identity theft alone is not a cognizable harm that suffices for purposes of standing.