Archives: Privacy Litigation

In its recently filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims. In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards. Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges. Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court. In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered. Only two of the complaint’s 285 paragraphs allege the harms suffered by card issuers, and both do so without identifying which of the alleged harms had been sustained by any named plaintiff. Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness. This argument is premised on the complex and detailed rules governing the interrelationship between card-issuing banks, banks that accept charges made on cards, and the card brands that issue the cards. Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on their cards. In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those rules as the “Card Brand Recovery Process.” According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims. At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that duplicates amounts awarded through the Card Brand Recovery Process. Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, is then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers. OPM serves as the human resources department – and holds employee records – for the entire federal government, ranging from security clearances to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security. Unfortunately, this effort only revealed the hack; it was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private company breach victims as a glowing example of how easily hackers can get into even the most fortified government-controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue. Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing. The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Happy June – the first day of meteorological summer!

In the last month, both a federal and a state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both of these decisions illustrate the importance of the specific language contained in an insurance policy, as that language determines the scope and breadth of the coverage actually afforded under that policy.

Target’s attempt to resolve claims of MasterCard-issuing banks through a $19 million private settlement with MasterCard has been terminated for failure of issuers of 90% of the affected cards to accept the settlement by the Wednesday, May 20 acceptance deadline.  Press reports on Friday, May 22 indicated that both Target and MasterCard had confirmed that failure to meet the 90% requirement had voided the settlement.  The termination of the settlement means that MasterCard issuing banks no longer have the option to accept a portion of the proposed $19 million MasterCard settlement pool to settle their claims against Target.

For now, the claims that would have been resolved in the MasterCard settlement continue to be the subject of the consolidated class action pending in federal court in Minnesota.  It remains to be seen whether Target and MasterCard will go back to the drawing board to craft a new and richer settlement, or if Target will abandon its attempt to obtain a private settlement and pursue resolution of the MasterCard claims through the federal court lawsuit.

Key takeaway: The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy.  In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet.  Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards.  The California court granted approval of the $4.125 million settlement fund in December 2014.  CNA, which had reserved rights, filed this action. You can read more about the underlying lawsuit here.

In it, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.”  In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures.  CNA asserts that this representation in the application was false.

Insureds and insurers in the cyber space would do well to watch this matter unfold.  The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides.  Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies.  Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.


Another federal agency has weighed in with “guidance” on cybersecurity preparation and breach response. The Department of Justice (DOJ) is the latest to issue guidance on how companies should respond to data breaches. The guidance is not perfect, and in some respects is simply a recitation of existing best practices, but it is still valuable because it signals the government’s increased willingness to foster public-private cooperation against cybercrime, and it sets out the DOJ’s latest thinking on responding to cyberattacks.

Common Sense Advice

Embracing much of NIST’s recently published Cybersecurity Framework, the DOJ guidance provides several useful tips and some common sense advice to businesses as they prepare for cyberattacks. The guidance also includes a checklist that many smaller businesses or start-ups may find useful as they develop their privacy and data-security infrastructure.

The DOJ’s first recommendation is that companies develop robust incident response plans prior to a breach (i.e. now). Such plans should identify key corporate assets, clearly establish lines of control and communication, inventory available technical resources and ensure their availability during an attack, have identified and retained experienced counsel with knowledge of relevant laws and practices, and have a working relationship with the FBI, Secret Service, and industry cyber intelligence sharing organizations.

Second, the guidance outlines a four step process for responding to a cyberattack.

  • The first step is making an initial assessment of the scope and nature of the incident.
  • Next, a business should implement measures to wall off the attack through rerouting network traffic, filtering, and enhanced segmentation of compromised systems.
  • Third, businesses should record and collect evidence of the attack, and take steps to preserve such evidence prior to undertaking remediation efforts.
  • Finally, and unsurprisingly, the guidance advises businesses to always notify law enforcement of an attack (more on this below).

Finally, the guidance sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack back” or attempt to penetrate or damage an attacker’s systems. This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or businesses to criminal liability under the federal Computer Fraud and Abuse Act, or to civil damages and penalties.

Limitations of the DOJ’s Guidance

Any pre-scripted guidance, even guidance from the DOJ, should be taken in context. Cybercriminals target and exploit gaps in a company’s security and compliance controls. This means that even the best organized companies, with the best laid plans, can struggle to respond to a cyberattack that exploits a loophole, a gap, or an unchallenged assumption. To address this reality, companies should—as the DOJ recommends—engage experienced counsel, but they should also develop a relationship with cybersecurity and forensic experts—like Cylance, Mandiant, or KPMG—who can not only provide pre-breach intelligence and planning assistance, but can also be quickly available to help respond to a breach.

The DOJ’s guidance is also silent on a key element of pre-breach planning: war-gaming. Companies developing incident response plans should routinely test those plans in simulated war-games and table top exercises with all stakeholders. This process helps companies identify issues and ensure all stakeholders understand their respective roles and responsibilities. The Mintz Privacy team has been recommending that for a while.  You test your disaster response plan; if you have an incident response plan, you should test it.

Finally, the DOJ’s recommendation that law enforcement should be contacted immediately if criminal activity is suspected is open for debate. While we applaud the DOJ, and the FBI and Secret Service, for taking steps to minimize business disruptions and liability concerns, and we appreciate the need for enhanced public-private cybersecurity cooperation, any decision to provide notice to law enforcement should only be taken after a company has consulted counsel and carefully assessed its notification requirements under existing state data breach notification laws. To be clear, we believe that companies should cooperate with law enforcement; however, such cooperation should be carefully considered.

In the wake of Target’s April 15 announcement of a private $19 million settlement of the data breach claims of MasterCard-issuing banks, counsel representing the putative card issuer class in the consolidated Target data breach litigation moved to enjoin the proposed settlement, arguing that it is an improper end-run around the Minnesota federal court’s adjudication of card issuer claims. Target has responded that the settlement appropriately uses dispute resolution processes in MasterCard’s operating agreements to address breach-related losses, and employs a process that has been endorsed by other federal courts in prior data breach cases. The motion awaits action by Judge Magnuson, who is presiding over the consolidated cases pending against Target.

Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card issuers arising from Target’s 2013 data breach. The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores. The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday. The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach. Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts. Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.” In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach. The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed in Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).

According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.” Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach. The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discover and American Express cards).

According to a report published today in The Wall Street Journal, Target and MasterCard are close to reaching a settlement of the claims of MasterCard-issuing institutions in connection with Target’s 2013 data breach.  The settlement would reimburse the cost of reissuing debit and credit cards compromised by the breach, as well as a portion of the resulting fraudulent charges made using stolen payment card numbers.  A $20 million settlement would be comparable to the amount paid by TJX Cos. to MasterCard in connection with the 2008 TJX data breach.  News of a potential card issuer settlement comes less than one month after Target and class counsel filed papers seeking court approval of a proposed class settlement of consumer claims arising from that same data breach.  Sources informed the Wall Street Journal that a definitive MasterCard settlement could be announced as soon as this week.