If you walked down the street during the past week, you probably saw more people than usual staring at their phones trying to “catch” Pokémon characters. An estimated 7.5 million people have downloaded the Pokémon Go mobile app since its launch during the first week of July.
We know how important data privacy and security are to your business. We also know that the legal requirements in this area are constantly evolving. To keep you up to date on the latest data breach notification laws across the United States, we’ve summarized the updates for the first half of 2016 below.
It is easy to spin a legal decision, and the spinning commenced the moment the United States Supreme Court’s Spokeo v. Robins decision came down. Some hailed the decision as a massive win for corporate defendants, while others believe that the decision represents a win for plaintiffs in ongoing privacy battles. While both outlooks have their merits, a closer reading of the Spokeo v. Robins decision shows that it is actually a big win for data privacy defendants.
A recent federal court of appeals decision, The Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), found data breach coverage under a commercial general liability policy (CGL policy). However, this decision should not have a large impact on the future of cyber insurance litigation or the cyber insurance marketplace.
In Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. 2016), the Seventh Circuit Court of Appeals found that plaintiffs, customers of P.F. Chang’s restaurants, had standing to pursue their claims against P.F. Chang’s following a data breach of the restaurant’s computer system that compromised customers’ credit card data. The Court overturned the district court’s decision and held that plaintiffs’ allegations were sufficient to satisfy Article III standing requirements. As in its ruling in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), the Court determined that plaintiffs’ present and future injuries were sufficiently concrete. Specifically, the Court identified plaintiffs’ present injuries in the form of fraudulent charges and the purchase of credit monitoring services, and future injuries in the form of the increased risk of fraudulent charges and identity theft. It was generally believed that the U.S. Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), would severely limit the ability of data breach plaintiffs to satisfy Article III standing requirements. However, the Seventh Circuit’s recent decisions, such as Lewert, have identified the factual situations, and the kinds of injury, that will allow these cases to proceed.
A full copy of the Court’s opinion can be found here.
The Video Privacy Protection Act (“VPPA”) was originally drafted to protect an individual from the release of his personal information by his local video store, but developments in technology have forced courts to apply the VPPA in different scenarios. Recent VPPA decisions have frequently addressed what constitutes “personally identifiable information” (“PII”). In a recent New York case (Robinson v. Disney Online d/b/a Disney Interactive, 14-CV-4146), the court determined that information is PII only if the disclosed information alone can be used to identify a specific individual.
Illinois Governor Bruce Rauner recently issued an amendatory veto of Senate Bill 1833 (SB 1833), the proposed amendment to Illinois’ Personal Information Protection Act. As previously discussed in this blog, SB 1833 seeks to strengthen Illinois’ data breach notification law by expanding the types of information that trigger breach notifications, and by placing additional requirements on covered entities that handle personal information.
SB 1833 was sent to Governor Rauner on June 29, 2015, and the Governor had sixty days to sign, veto or amendatorily veto the bill. On August 21, 2015, Governor Rauner issued an amendatory veto sending the bill back to the legislature with suggested changes. Governor Rauner determined that SB 1833, as presented to him, imposed duplicative and burdensome requirements that would hurt Illinois’ economic competitiveness without providing commensurate benefit to Illinois’ consumers and residents.
Governor Rauner’s veto statement, including his suggested changes to SB 1833, can be found here. The Illinois Legislature can now vote to override his veto, concur with the suggested changes, or take no action. We will continue to monitor the status of this bill and report on future developments.
The United States Court of Appeals for the Seventh Circuit reversed the district court and found that plaintiffs, customers of Neiman Marcus, have standing to pursue claims resulting from a 2013 data breach of Neiman Marcus’ computer system. Remijas v. Neiman Marcus Group, No. 14-3122 (7th Cir. 2015). As discussed previously in this blog, Article III standing is a key issue in every data breach litigation case. The Seventh Circuit’s decision is a victory for future data breach victims as more courts apply the Supreme Court’s decision in Clapper v. Amnesty International, USA to data breach cases.
In 2013, hackers stole credit card numbers from the computer system of luxury department store Neiman Marcus. Neiman Marcus confirmed that between July 2013 and October 2013, approximately 350,000 credit cards had been exposed to hackers’ malware. Numerous class-action complaints were filed, which were consolidated into one action in the Northern District of Illinois. Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. The district court granted the motion exclusively on standing grounds.
The Seventh Circuit reversed that decision, finding that the plaintiffs satisfied the requirements for Article III standing: a particularized injury, an injury caused by the defendant, and an injury that a judicial decision can redress. First, the Court found that the plaintiffs suffered sufficient present and future injuries. Approximately 9,200 customers had already experienced fraudulent charges, and although they were reimbursed for those charges, the Court determined that the cost of sorting out the charges represented a sufficient injury. Additionally, the Court determined that there is a concrete risk of future injury for the members of the class who had not yet experienced fraudulent charges or identity theft. The Court noted that, contrary to the district court’s reading, Clapper does not foreclose all reliance on future injuries to support Article III standing. In data breach cases, a substantial risk of future harm may be sufficient to support Article III standing. The Court found that following a data breach there is an objectively reasonable likelihood that credit card fraud and identity theft will occur, especially where fraudulent charges have already been documented. The Court also noted that Neiman Marcus’ offer of credit monitoring and identity protection would not have been necessary if the risk of harm were so minimal that it could be disregarded.
Second, the Court found that, for purposes of determining standing, the plaintiffs’ injuries were caused by the Neiman Marcus data breach. The Court stated that while plaintiffs’ private information might have been exposed through a different source, it is plausible for pleading purposes that plaintiffs’ injuries are fairly traceable to the data breach at Neiman Marcus. The fact that Neiman Marcus admitted that 350,000 cards were exposed, and contacted members of the class to tell them they were at risk, further supported plaintiffs’ position. Finally, the Court rejected Neiman Marcus’ argument that plaintiffs’ injuries could not be redressed by a judicial decision. The Court found that a favorable judicial decision could redress any injury caused by less than full reimbursement of unauthorized charges.
This decision represents a victory for data breach victims in their ongoing struggle to satisfy Article III standing requirements in data breach litigation, especially in cases alleging risk of future harm. The Seventh Circuit’s determination that the purpose of any hack into a store’s database is to eventually make fraudulent charges or assume the consumers’ identities would result in a finding of sufficient injury in almost every data breach case involving the theft of consumer information. Additionally, the Seventh Circuit’s use of Neiman Marcus’ own remedial actions against it may have a chilling effect on the actions of corporations dealing with future data breaches. Neiman Marcus’ offer of credit monitoring and identity protection to its customers was interpreted by the Court as evidence of the seriousness of the risk of future harm. Offering these types of services has become standard practice following a data breach, but is now a practice that companies may want to reevaluate going forward.
The Federal Communications Commission (FCC) entered into a $3.5 million settlement with TerraCom, Inc. (TerraCom) and YourTel America (YourTel). The settlement reduces the initially proposed $10 million fine and concludes the investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers.
The Enforcement Bureau of the FCC initiated its investigation in June 2013 following notification by TerraCom and YourTel of a data breach. The Enforcement Bureau found that customers had provided TerraCom and YourTel with personal information including their name, address, date of birth, full or partial Social Security number, and copies of their driver’s license or state ID card. TerraCom and YourTel relied on a third-party vendor to store this information. While updating its servers, the third-party vendor inadvertently failed to implement password protection for some of the stored data, and the personal information of more than 300,000 customers became accessible over the public internet. As a result of the data breach, the FCC charged both TerraCom and YourTel with violating Sections 222(a) and 201(b) of the Communications Act.
The companies will pay a $3.5 million fine to settle the Enforcement Bureau’s investigation. In addition to the fine, TerraCom and YourTel agreed to notify all consumers whose information was subject to unauthorized access, provide complimentary credit monitoring services for all affected individuals, and commit to improving their privacy and data security practices in the future. To that end, TerraCom and YourTel agreed to conduct an assessment of other privacy risks, implement a written information security program, maintain strict oversight of their vendors, and ensure that a senior corporate manager is a certified privacy professional. Additionally, TerraCom and YourTel agreed to implement a data breach response plan, train their employees on privacy and security awareness, and file regular compliance reports with the FCC.
This case is the FCC’s first data security enforcement action. It demonstrates the FCC’s willingness to investigate and impose significant fines on companies that do not protect the personal information of their customers. Additionally, the security steps required under the settlement agreement provide a roadmap for companies seeking to protect themselves from potential liability. The additional security measures are actions that companies can and should take to avoid data breach liability in the future.
Following a data breach, a company may find itself the subject of regulatory proceedings, which can include fines, brought by the Federal Trade Commission (FTC). In the past 15 years, the FTC has brought more than fifty law enforcement actions related to data security.
Using lessons learned from these enforcement actions, the FTC compiled and released, “Start with Security: A Guide for Businesses.” Some of the lessons highlighted in the guide include:
Reviewing and applying the lessons outlined in this guide can help businesses avoid future FTC enforcement actions.
A copy of the guide can be found here.