January 14, 2010 | Posted by Susan Lyon
Attorney General Richard Blumenthal today sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. http://www.ct.gov/ag/cwp/view.asp?Q=453916&A=3869
|
October 10, 2009 | Posted by Joseph Cutler
On October 6, 2009, the FTC announced its second enforcement action under the EU Safe Harbor Program in four months. Six companies that had certified in the EU Safe Harbor Program allowed their certifications to lapse, but continued to represent to their users and to the public that they were "Safe Harbor Certified." Under the proposed settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.
Before its first enforcement action, brought in July, 2009, the FTC had not enforced the EU Safe Harbor Program at all since its inception in 2000. While many commentators had heretofore suggested that the FTC would not enforce it, these new actions suggest a renewed FTC interest in ensuring that Program participants actually follow the rules. Read the official FTC press release here.
|
September 7, 2009 | Posted by John Roche
An Illinois federal district court has ruled that failure to comply with the Federal Financial Institutions Examination Council’s (“FFIEC”) Internet Banking standards for multifactor authentication may support a negligence claim.
|
March 10, 2009 | Posted by Ryan Mrazik
A recent case has identified a potential path for plaintiffs to receive post-breach damages. In the past, such claims have usually failed due to a lack of standing or the insufficiency of the plaintiffs' damages claims. The court in Pinero v. Jackson Hewitt Tax Service, Inc., however, not only conferred standing but also allowed three of the plaintiff's substantive claims--fraudulent inducement, unfair trade practices, and invasion of privacy--to survive a motion to dismiss.
|
January 20, 2009 | Posted by John Roche
In an order issued on January 7, 2009, U.S. District Judge Clay Land held that lost revenue caused by the misappropriation of proprietary information and intellectual property from an employer’s computer is not recoverable under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA). Andritz, Inc. v. Southern Maintenance Contractor, LLC, et al., Case No. 3:08-CV-44 (CDL), 2009 WL 48187 (M.D. Ga. Jan. 7, 2009).
|
October 22, 2007 | Posted by John Roche
In Diamond Power International, Inc. v. Davidson, No. 1:04-cv-0091-RWS-CCH, (N.D. Ga. Oct. 1, 2007), the Northern District of Georgia became the latest federal court to weigh in on the nettlesome issue of the scope of an employee’s “authorization” to access an employer-provided computer under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.
|
October 12, 2007 | Posted by Editor
This case stemmed from criminals hacking into the computer systems of TJX and compromising the security of at least 45,700,000 customer credit and debit accounts. Financial institutions brought suit seeking to recover their costs arising out of the resulting fraudulent transactions and the need to replace the compromised cards.
|
August 23, 2007 | Posted by Editor
The 7th Circuit held that individuals who had been notified of a security breach involving their personal information were not entitled to recover compensation for subsequent credit monitoring to guard against identity theft. Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. 2007). The Court concluded that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, does not constitute an existing compensable injury and consequent damages required to state a claim for negligence or breach of contract as a matter of Indiana law.
|
May 16, 2007 | Posted by Editor
In Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D. Ohio 2007), computer equipment containing personal customer information was stolen from the defendant’s office. Following the burglary, one customer brought suit, alleging that the defendant was negligent in its protection of her personal information. The court ultimately dismissed the complaint because the plaintiff could not prove that any unauthorized use of her information had occurred and, thus, any injury was purely speculative. Id. at 712.
|
March 18, 2007 | Posted by John Roche
Two very recent district court decisions from New Jersey and Louisiana emphasize just how limited the term "loss" is under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). See L-3 Communications Westwood Corp. v. Joseph Emile Robicharux, Jr. et al., 2:06-cv-00279-MVL-SS, slip op. (E.D. La. Mar. 8, 2007); P.C. of Yonkers, Inc. v. Celebrations! The Party and Seasonal Superstore, L.L.C., 2:04-cv-04554-JAG-MCA, slip op. (D.N.J. Mar. 2, 2007). Taken together these cases demonstrate the great care that parties to a CFAA action must take in assessing whether a “loss” has been adequately pled within the meaning of the statute.
|
October 30, 2006 | Posted by Editor
Key v. DSW, Inc., No. 2:06-cv-459 (S.D. Ohio, dismissed 9/27/06).
Another federal district court has dismissed a suit against a data controller for a failure to adequately secure personally identifiable information maintained by the data controller. As have other courts, the Southern District of Ohio reasoned that an increased risk of identity theft alone is not a cognizable harm that suffices for purposes of standing.
|