Cybersecurity Litigation Monthly Newsletter, December 2014
Significant Case Developments
Symantec Fights Third-Party Subpoena in Target Data Breach Class Action
In re Target Corp. Customer Data Security Breach Litigation, No. 0:14-md-02522 (D. Minn.).
In re Target Corp. Customer Data Security Breach Litigation, No. 3:14-mc-80302 (N.D. Cal.).
Symantec Corporation, the data security software provider, filed a motion to quash the plaintiffs’ third-party subpoena in the consolidated class action over Target Corporation’s massive customer data breach in late 2013. In the lawsuit pending in the District of Minnesota, the plaintiffs allege that Target used security software made by Symantec, that Symantec’s software detected the breach and notified Target, but that Target took no action until after (1) the hackers began harvesting customer credit card information from Target’s cash registers, and (2) the Justice Department notified Target of the breach.
In its October 30 motion, filed in federal court in San Francisco, Symantec argued that the subpoena was premature, served three weeks after the plaintiffs filed suit and before they had received any discovery from Target. Further, Symantec asserted, the plaintiffs’ subpoena was grossly overbroad in that it sought all information and communications concerning “every single product and service ever provided to Target by Symantec and all of Symantec’s interactions with Target on any subject connected thereto.” If the court did not quash the subpoena, Symantec argued that it should drastically narrow its scope to (i) whether Target used Symantec antivirus software in November 2013, (ii) whether that software detected any suspicious activity at the time of the breach, and (iii) the content and nature of any alert Symantec provided to Target. Symantec also argued that any cost of compliance with and costs of challenging the subpoena should be shifted to the plaintiffs.
The plaintiffs responded on November 17, arguing that Symantec’s motion should be transferred to the District of Minnesota or, in the alternative, that the court order the parties to continue to negotiate. The plaintiffs argued that the subpoena is necessary to “determine whether Symantec’s cybersecurity products and services provided Target with notices of harmful viruses or malware that could have caused the breach and whether Target disregarded Symantec’s warnings.” The plaintiffs also argued that Symantec had not shown what its costs of compliance would be or why a company of its stature could not bear them.
On November 24, Symantec replied that transferring the motion to quash to Minnesota would unfairly burden it as a nonparty and that the plaintiffs failed to point to any “extraordinary” circumstances that would warrant a change of venue. Symantec argued that cost-shifting would be appropriate where, as here, costs to comply with the subpoena would be more than $50,000, and that Symantec’s financial condition should be irrelevant to the analysis. (The parties’ briefs indicate that Symantec’s counsel asked to record the parties’ meet-and-confer using an iPhone when the plaintiffs’ counsel allegedly “became abusive.”)
The motion is scheduled to be heard before Judge James Donato of the U.S. District Court for the Northern District of California on December 19, 2014.
Cybercrime in the News
Data Breach Sets Off Upheaval at Sony Pictures, Wall Street Journal (Dec. 4, 2014).
London Police and NYC Prosecutors to Swap Staff in Cybercrime Fight, TIME (Nov. 19, 2014).
More than 800,000 Postal Service Employees Victims of Data Breach, NPR (Nov. 10, 2014).
Amici Weigh In on FTC’s Authority to Regulate Data Security
FTC v. Wyndham Hotels & Resorts, LLC, No. 14-3514 (3d Cir.).
Wyndham Worldwide Corporation’s battle with the Federal Trade Commission over the FTC’s authority to police data security practices under Section 5 of the FTC Act has caught the attention of cybersecurity experts and stakeholders nationwide. As we previously reported, the District of New Jersey found in favor of the FTC, but certified the issue of the FTC’s Section 5 authority for interlocutory appeal to the Third Circuit in June 2014. In the appeal, in addition to the parties’ briefs, six amici curiae briefs were filed, evenly split three-and-three for and against affirming the district court.
Three amici curiae briefs filed by the Washington Legal Foundation, the Allied Educational Foundation, the Electronic Transactions Association, the U.S. Chamber of Commerce, American Hotel & Lodging Association, and National Federation of Independent Business urged reversal. The briefs argued that the FTC’s interpretation of its authority to regulate data security practices under Section 5—expressed solely in the form of consent decrees and a business guidance brochure—was not entitled to Chevron deference, in part because Congress never delegated authority to the FTC to promulgate binding legal rules regarding data security. They further argued that the FTC’s actions contravene the FTC Amendments Act of 1994 limiting the FTC’s power under Section 5 and represent an attempt by the FTC to circumvent the legislative process. The Electronic Transactions Association argued that the FTC did not have authority to regulate data security under the 1994 Act as an “unfair trade practice” because, by statute, its members bear the monetary losses incurred by fraudulent charges.
The amici siding with Wyndham also argued that the FTC’s actions were unfair to businesses—particularly small businesses—because they provided insufficient notice of what could give rise to liability, especially given the evolving nature of cybersecurity risks. They also argued that the security-related actions brought by the FTC offered little guidance to businesses because the vast majority were settled by consent decrees that expressly did not constitute admissions of any violation of the law.
Three amici curiae briefs filed by Public Citizen, Inc., the Center for Digital Democracy, Consumer Action, Center for Democracy & Technology, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and thirty-three technical and legal experts urged the Third Circuit to affirm the district court. Their briefs argued that measuring the “substantial injury” of data breaches to consumers solely in terms of fraudulent credit card charges ignores other significant harms, such as lost employment opportunities due to poor credit, the time, effort, and emotional distress of disputing identity theft, fraudulent tax refunds, and the lucrative black market for stolen credit card numbers. Citing the rise of “mega breaches” in 2013, they argued that the FTC plays a critical role in ensuring that businesses take proper precautions to protect consumer data to avoid preventable damage in the face of a growing threat. Further, the amici siding with the FTC argued that formal rulemaking regarding data security standards would become outdated too quickly to be effective, and that business interests had represented to the court that data security standards and industry best practices were more unpredictable and opaque than they actually are.
In the meantime, the district court action remains stayed pending appeal, but on November 17, 2014, the court ordered the parties to mediation. The parties have fully briefed the appeal as of December 8, 2014, and await a date for oral argument.
The Right to be Forgotten, Clarified
As we previously reported, the Court of Justice of the European Union held in May that two provisions of Directive 95/46 encompass a “right to be forgotten” requiring search engine operators to remove web pages published by third parties from the search results for a person’s name upon that person’s request even if the information was lawfully published on the indexed webpage. On November 26, the European Union’s Article 29 Data Protection Working Party (“WP29”) released guidelines on the implementation of that right to be forgotten.
In the guidelines (and accompanying press release), the WP29 reiterates the Court of Justice’s finding that search engines need only delete links from search results based on a person’s name. Search results based on other search terms are unaffected by the right to be forgotten.
Because users do not necessarily use the national domain of their search engine (e.g., google.es for Spain), the WP29 maintains that search engines must remove contested links from “all relevant domains, including .com.” But while the WP29 states that “everyone has a right to data protection,” data protection authorities will only focus on enforcing this right “where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.”
Coca-Cola Faces Class Action Over Unencrypted Stolen Laptops
Enslin v. The Coca-Cola Company, No. 2:14-cv-06476 (E.D. Pa., filed Nov. 12, 2014).
In January, Coca-Cola Co. announced that over 50 unencrypted laptops containing the personal information of as many as 74,000 employees, contractors, and suppliers were stolen by a (now former) employee. On November 12, a former service technician filed suit on behalf of a putative class of the affected employees, contractors, and suppliers, alleging that Coca-Cola’s failure to secure the data and failure to promptly notify the affected parties give rise to claims for negligence, negligent misrepresentation/fraud, breach of express and implied contract, breach of the covenant of good faith and fair dealing, unjust enrichment, bailment, conspiracy, and violations of the Driver’s Privacy Protection Act. The plaintiff claims that he was harmed by the breach when unknown parties used his information to access his credit and bank accounts and to obtain employment in his name. (The lawsuit also names these unknown parties as “Doe defendants.”) The plaintiff also alleges that his credit score was negatively impacted by the fraud on his accounts.
Class Action Filed Against Jimmy John’s For Point-of-Sale Data Breach
Irwin v. Jimmy John’s Franchise LLC, No. 2:14-cv-02275 (C.D. Ill., filed Nov. 6, 2014).
In September, Jimmy John’s announced that an intruder stole log-in credentials from its point-of-sale vendor and used those stolen credentials to remotely access the point-of-sale systems at about 216 stores, compromising the credit card information of customers of those stores for nearly three months. On November 6, Barbara Irwin, a customer, filed suit on behalf of a putative class of affected customers in 39 states and the District of Columbia. Ms. Irwin claims that Jimmy John’s failure to secure its point-of-sale system and failure to notify customers give rise to claims for violations of state data breach statutes, breach of implied contract, bailment, unjust enrichment, and violations of the Arizona and Illinois consumer fraud statutes. Ms. Irwin claims that she and the class suffered harm through fraudulent credit card charges and the risk of future identity theft.
Sixth Data Breach Class Action Filed Against Community Health
Veciana v. Community Health Systems, Inc., No. 8:14-cv-02893 (M.D. Fla., filed Nov. 19, 2014).
In September and October, we reported that five putative class actions had been filed against hospital operator Community Health Systems and various local hospitals following a data breach affecting 4.5 million patients. Four of the suits, filed in Alabama, Mississippi, New Mexico, and West Virginia, followed the same model, with many identical paragraphs. The plaintiffs in these suits claim that they suffered damages because a portion of their payments to the hospitals was “intended to pay for the administrative costs of data security” and the data security was allegedly inadequate. In addition, the plaintiffs claim that they suffered damages because they will be forced to incur the cost of credit monitoring.
On November 19, a sixth suit was filed in Florida, modeled on the Alabama, Mississippi, New Mexico, and West Virginia complaints. Like those complaints, the Florida complaint alleges claims for breach of express and implied contract, breach of the implied covenant of good faith and fair dealing, unjust enrichment, money had and received, negligence, negligence per se, wantonness, invasion of privacy, and violations of the Fair Credit Reporting Act.