Cybersecurity: Litigation, Crime & Enforcement
Significant Case Developments
Target Breach Multidistrict Litigation Snowballs to 111 Suits
In re Target Corp. Customer Data Security Breach Litigation, No. 14-md-02522 (D. Minn.).
On December 19, 2013, Target publicly announced it had experienced a data security breach via malware installed on its point-of-sale network. Forty million customer credit and debit card numbers, encrypted PINs, and CVV codes and 70 million customer names, mailing addresses, email addresses, and phone numbers were stolen between November 27 and December 15, 2013.
The breach spawned dozens of putative class action suits. Because they involved common questions of fact, on April 2, 2014, the 33 pending cases and 71 potential tag-along cases, which spanned 18 federal districts, were consolidated in the District of Minnesota. The multidistrict litigation now includes a total of 111 suits.
The plaintiffs include both Target customers whose personal information was compromised by the breach and banks and credit unions that issued customers’ debit and credit cards. The most common claims are negligence, negligence per se, breach of contract, bailment, conversion, unlawful deceptive trade practices and unfair competition, unjust enrichment, unlawful retention of credit card information, breach of fiduciary duty, violations of consumer protection laws, fraudulent concealment, negligent performance of services, and negligent misrepresentation. The plaintiffs seek various types of relief, including mandatory payment of identity theft and credit monitoring services, imposed auditing requirements, injunctions to cease and desist improper retention of customer data, reimbursement of funds stolen and costs expended in issuing new cards, disgorgement of Target’s profits during the time of the breach, and forced adoption of certain security measures.
In addition to the class actions now comprising the multidistrict litigation, at least four shareholder suits have been filed against Target and its board of directors, alleging breach of fiduciary duty and waste of corporate assets.
Symantec Wins Dismissal of Suit Over Software Vulnerability
Haskins v. Symantec Corp., No. 13-01834, 2014 U.S. Dist. LEXIS 75348, 2014 WL 2450996 (N.D. Cal. June 2, 2014).
In 2006, hackers stole the source code for several of Symantec’s antivirus programs. The breach was not publicized until 2012, when the hackers announced their theft. Kathleen Haskins brought a putative class action against Symantec on behalf of all purchasers of the affected software, claiming that Symantec’s failure to publicize the theft violated the California Consumer Legal Remedies Act and Unfair Competition Act and breached an implied contract, and also asserting a claim for money had and received.
On August 23, 2013, the Northern District of California dismissed Ms. Haskins’s first amended complaint without prejudice. 2013 U.S. Dist. LEXIS 120376, 2013 WL 4516179. On December 1, while holding that downloaded or otherwise purchased software is a chattel under the California Consumer Legal Remedies Act, the court dismissed Ms. Haskins’s second amended complaint, again allowing her to amend her pleading. 2013 U.S. Dist. LEXIS 169865, 2013 WL 6234610.
On June 2, the court dismissed Ms. Haskins’s third amended complaint with prejudice. The court found that both consumer protection claims failed because Ms. Haskins had not pleaded that she relied on a specific advertisement or had been exposed to a long-term advertising campaign. Ms. Haskins also did not adequately allege the facts necessary to establish the existence of an implied contract. And the existence of a software license agreement negated Ms. Haskins’s claim for money had and received.
Misuse of Data Not a Requirement for Data Breach Class Certification, At Least in West Virginia
Tabata v. Charleston Area Medical Center, Inc., No. 13-0766, --- S.E.2d ----, 2014 WL 2439961 (W. Va. May 28, 2014).
In February 2011, two medical providers notified 3,655 patients that their names, contact details, Social Security numbers, dates of birth, and basic health information had accidentally been posted to the internet. Several of these patients sued in a putative class action, asserting claims for breach of the duty of confidentiality, invasion of privacy (“intrusion upon the seclusion of the petitioners”), invasion of privacy (“unreasonable publicity into the petitioners’ private lives”), and negligence. The circuit court found that the plaintiffs lacked standing because they did not allege that any personal information had actually been misused. In an opinion issued in May 2014, West Virginia’s highest court disagreed, explaining that damage to the legal interests of privacy and medical confidentiality is a sufficient injury to confer standing. The court also reversed the circuit court’s denial of certification and found that the plaintiffs met the commonality, typicality, and predominance requirements.
Michaels Stores Seeks Dismissal of Data Breach Class Action
Moyer v. Michaels Stores, Inc., Nos. 14-CV-00561; 14-CV-00648; 14-CV-1229 and 14-CV-1827 (N.D. Ill.).
On January 25, 2014, Michaels Stores disclosed that it experienced a data breach that may have exposed customers’ credit and debit card information to hackers. Alleging that Michaels did not maintain adequate security measures and that they now face an increased risk of identity theft and must spend time and money protecting themselves, Michaels customers filed several, now consolidated, putative class actions on behalf of a nationwide class claiming: (i) breach of implied contract and (ii) violations of the Illinois Consumer Fraud Act and other state consumer protection laws. On June 3, 2014, Michaels filed a motion to dismiss, arguing that the plaintiffs lack standing because they did not allege that they suffered actual or imminent injuries (e.g., unauthorized activity or unreimbursed charges on their accounts). Michaels also argued that the plaintiffs failed to state claims due to their omission of an allegation of injury as well as other pleading deficiencies. A hearing on the motion is scheduled for July 17, 2014.
11th Circuit Refuses to Rule on LabMD’s Challenge to FTC’s Jurisdiction, but Congress Intervenes, Delaying Administrative Proceedings
In August 2013, after a document containing the personal information of about 9,300 patients was posted to a peer-to-peer file sharing network, the FTC filed an administrative action against LabMD alleging that its failure to safeguard its data constituted a violation of the Federal Trade Commission Act.
In November and December 2013, LabMD responded by: (1) moving to dismiss the administrative action, (2) filing suit for declaratory and injunctive relief in the U.S. District Court for the District of Columbia, and (3) moving to stay the administrative proceedings in the Eleventh Circuit. In all three actions, LabMD argued that the FTC Act does not grant the FTC power to regulate data breaches and that, as a HIPAA-covered entity, LabMD must answer only to the Department of Health and Human Services regarding its data security practices.
After the Eleventh Circuit declined to exercise jurisdiction over LabMD’s motion to stay, LabMD voluntarily withdrew its suit in the District of Columbia and, in March 2014, filed an identical action in the Northern District of Georgia. On May 12, the Northern District of Georgia determined that, in the absence of final agency action, LabMD’s alleged injuries were not ripe for review, and, on May 19, the Eleventh Circuit denied LabMD’s emergency motion to stay the administrative proceedings pending an appeal.
But it did not end there. While the FTC administrative proceedings resumed on May 20, the House Committee on Oversight and Government Reform launched an investigation into Tiversa, Inc., a company that provided the FTC with much of the information that formed the basis for its enforcement action against LabMD. When former Tiversa employee Rick Wallace, a key witness in the enforcement action, notified the administrative law judge that he would be pleading the Fifth Amendment, the proceedings were recessed until June 12. On June 11, the chair of the House panel, Darrell Issa, wrote a letter to FTC Chair Edith Ramirez stating that “the information provided to the FTC [by Tiversa] is incomplete and inaccurate.” On June 12, the administrative proceedings were stayed pending negotiations between Mr. Wallace and the House panel over a grant of immunity for his testimony. On June 17, Congressman Issa requested that the FTC Inspector General review the FTC’s relationship with Tiversa.
Wyndham Court Certifies Questions About FTC’s Data Breach Jurisdiction for Interlocutory Appeal
FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 84914, 2014 WL 2815356 (D.N.J. June 23, 2014).
In a motion to dismiss, Wyndham Hotels and Resorts challenged the FTC’s assertion of broad authority to regulate data security under the Federal Trade Commission Act. Although the court denied the motion to dismiss, on June 23 it granted Wyndham Hotels and Resorts’ motion to certify two issues for interlocutory appeal to the Third Circuit: (1) whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act, and (2) whether the FTC must formally promulgate regulations before bringing such a claim.
SEC Official Urges More Breach Disclosure, More Board Oversight of Cybersecurity
On June 10, during a speech with significant implications for corporate governance, SEC Commissioner Luis Aguilar urged corporate boards to exercise more oversight over cybersecurity by using the National Institute of Standards and Technology Cybersecurity Framework. He further recommended that boards lacking technical expertise either receive cyber-risk education or set up separate enterprise risk committees. The Commissioner also advocated increased disclosure of data breaches, saying “I would encourage companies to go beyond the impact on the company and to also consider the impact on others.”
State and Federal Authorities Investigate eBay Breach
After eBay announced in late May that hackers had gained access to the personal information—including names, birth dates, encrypted passwords, email and physical addresses, and phone numbers—of 145 million customers, both state and federal officials launched investigations. Attorneys general from Connecticut, Florida, Illinois, and reportedly California, are coordinating an inquiry into eBay’s data protection and response measures. Congressmen Joe Barton and Bobby Rush, members of the Congressional Bi-Partisan Privacy Caucus, sent a letter to eBay asking for more information about the scope of the breach and the data protection measures that were in place. Meanwhile, the data protection authority in Luxembourg, eBay’s European base, has launched its own investigation into eBay’s data protection practices.
The Right to be Forgotten
Google Spain SL v. Agencia Española de Protección de Datos, Judgment (May 13, 2014).
Mario Costeja González discovered that the Google search results for his own name included two 1998 newspaper announcements about real estate auctions resulting from attachment proceedings against him. González complained to a Spanish agency, which held that the paper did not have an obligation to remove the article but that European Union data protection laws required Google and its Spanish subsidiary to remove the offending links. Google appealed the agency’s decision to the National High Court of Spain, which referred several questions to the Court of Justice of the European Union.
The court determined that search engines, by finding, indexing, storing, and making available information on websites, engage in the “processing of personal data” and are “controllers” of that data within the meaning of Directive 95/46 of the European Parliament. The court also held that this processing is carried out in the context of the activities of the search engine’s European subsidiary, even one set up only to promote and sell advertising space, which brings the search engine within the directive’s territorial scope. The court held that two provisions of the directive encompass a “right to be forgotten” requiring search engine operators to remove web pages published by third parties from the search results for a person’s name upon that person’s request, even if the information was lawfully published on the indexed webpage.
British Columbia Privacy Act Trumps Facebook’s Jurisdiction Selection Clause
Douez v. Facebook, Inc., 2014 BCSC 953 (Can. BC).
In 2011, Facebook launched Sponsored Stories, a product that used names and images of Facebook users to display advertisements to users’ contacts. Deborah Douez filed a class action suit on behalf of all British Columbia Facebook users alleging that Facebook’s Sponsored Stories violated the British Columbia Privacy Act by using their names or likenesses without consent. The British Columbia Supreme Court declined to enforce the forum selection clause in Facebook’s terms of use, holding that the Privacy Act confers jurisdiction over such claims on the courts of British Columbia.
Class Actions Against P.F. Chang’s
Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-cv-04787 (N.D. Ill., filed June 25, 2014).
Kosner v. P.F. Chang’s China Bistro, Inc., No. 14-cv-04923 (N.D. Ill., filed June 30, 2014).
On June 10, 2014, the U.S. Secret Service informed P.F. Chang’s that credit and debit card data had been stolen from some of its restaurants. News of the breach broke on June 11, and the company publicly acknowledged it on June 12. The extent of the breach has not been announced, but some reports estimate that more than 7 million cards could have been compromised over a period of approximately nine months. The restaurant has not yet notified affected customers. John Lewert, a P.F. Chang’s customer, filed a putative class action on behalf of customers nationwide alleging that by failing to safeguard credit and debit card data, the restaurant breached an implied contract and violated various consumer protection statutes. Lucas Kosner filed a second, substantially identical action five days later.
Smith v. Triad of Alabama LLC, No. 14-cv-00324-MEF-CSC (M.D. Ala.).
Flowers Hospital notified patients by letter on April 15 that between June 2013 and February 2014, a former hospital employee, Kamarian Millender, stole lab test records containing names, addresses, dates of birth, Social Security numbers, health plan policy numbers, and information about lab tests, but not test results. The letter stated that Mr. Millender may have used the information to file false tax returns and offered a year of free credit monitoring. In this putative class action, filed on May 5 and amended June 20, the plaintiffs, all hospital patients, allege that Triad of Alabama (doing business as Flowers Hospital) failed to properly safeguard their personal information and that, as a result, Mr. Millender used their Social Security numbers to file fraudulent tax returns and put them at greater risk of future identity theft. The complaint includes claims for willful and negligent violations of the Fair Credit Reporting Act, negligence, negligence per se, and invasion of privacy.
Perea v. AvMed, Inc., No. 2014-01362-CA-01 (Fla. Cir. Ct.).
In March 2014, health insurance provider AvMed settled a nationwide class action stemming from the theft of two unencrypted laptops holding the personal information of 1.2 million customers. However, the class included only customers who had not experienced identity theft as a result of the breach. In this individual action, Joseph Perea alleges that as a result of the AvMed data breach, someone filed a fraudulent tax return under his name and two others made unauthorized purchases with his check card. He brings claims for negligence, breach of contract, breach of implied contract, and unjust enrichment.