Key Developments in Privacy and Data Security
A. Data Breach Litigation: Fighting the War on Multiple Fronts.
Litigation arising from data breaches comes in many different forms. In recent months, breached companies have faced traditional consumer class actions as well as less traditional shareholder derivative lawsuits and class actions by other entities, including financial institutions, signaling a significant expansion of data breach litigation.
I. Target Faces Suits from Consumers, Financial Institutions, and Shareholders Following 2013 Breach.
During the holiday shopping season of 2013, Target Corporation suffered one of the largest credit card breaches in history. Although the number of impacted cards has been eclipsed by the breach announced by Home Depot in September 2014, the Target breach is an excellent case study in the types of litigation that can arise following a data breach. The Target breach occurred when malware exposed the credit card information of 40 million customers and the personal information of 70 million more. More than 100 lawsuits were filed in the wake of the breach, the vast majority of which have subsequently been consolidated in federal court in the District of Minnesota, Target’s state of incorporation.
The lawsuits against Target take a variety of forms. Individuals whose personal information was compromised during the breach brought class action suits alleging, among other things, negligence in Target’s failure to prevent the breach and inappropriate delay in disclosing the breach. Financial institutions that issued affected cards (“issuing banks”) brought their own claims for the costs of fraudulent charges, notifying customers, closing affected accounts, and reissuing replacement cards. State and federal government entities are investigating the breach, and several Target shareholders brought derivative claims against Target’s directors alleging breach of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control. These claims are discussed in turn.
Consumer Class Actions
Consumers who brought claims against Target face a major obstacle – they must plead and eventually prove actual injury. See Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1143 (2013) (holding that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending”). While 40 million Target customers’ card information was exposed, the majority of customers did not incur fraudulent charges. Even where fraudulent charges were incurred, the impacted customers were typically reimbursed by their banks and suffered little or no actual harm. Additionally, Target is offering free credit monitoring and identity theft protection to potentially affected customers which, along with most card issuers’ zero-liability policies for cardholders, will render the possibility of injury even more speculative.
Even if impacted customers can establish injury, they will likely have difficulty obtaining certification of nationwide classes for state law claims because there are material differences in state consumer protection laws.
Suits by Issuing Banks
In addition to the class action consumer cases, several issuing banks have filed suit against Target for the costs that they incurred as a result of the breach. Unlike consumers, the issuing banks have arguably suffered actual injury, bearing some of the costs of fraudulent charges and potentially spending hundreds of millions of dollars to cancel and reissue credit and debit cards.
New types of plaintiffs have joined the fray of data breach litigation.
Target has argued that lack of privity and the economic loss doctrine bar the issuing banks’ recovery. Target points out that the issuers do not have a direct contractual relationship with Target. Instead, they have contracts with Visa and MasterCard that allow them to issue branded payment cards to their customers. Target, on the other hand, has contracts with processing banks that allow it to process Visa and MasterCard transactions. Thus, the only relationship between the parties was their mutual involvement in the network of contractual relationships established by Visa and MasterCard. Target argues that because it had no contractual relationship with the plaintiff banks, it owed no special duty to them that may serve as the basis of liability. Furthermore, Target claims that the economic loss doctrine precludes tort recovery for purely economic losses and limits the issuing banks’ remedies to those provided by the Visa and MasterCard regulations that govern their participation in the payment card industry.
While some courts have been receptive to Target’s proposed defenses, e.g., Pennsylvania State Emps. Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317 (M.D. Penn. 2005), the Fifth Circuit in last year’s Lone Star National Bank NA, et al. v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013), considered and ultimately rejected similar arguments. There, the court acknowledged that the economic loss doctrine generally precludes tort recovery and limits a plaintiff’s recovery for purely economic damages to contractual remedies, but nonetheless found that under New Jersey law the doctrine “does not bar tort recovery where the defendant causes an identifiable class of plaintiffs to which it owes a duty of care to suffer economic loss that does not result in boundless liability,” if the plaintiffs otherwise “would be left with no remedy.”
The court found that the issuing banks were an “identifiable class” and that allowing them to recover against Heartland under tort theories would not expose Heartland to boundless liability. “The identities, nature, and number of victims are easily foreseeable,” the court held, because the issuing banks are “the very entities to which Heartland sends payment card information.” The court also found that “any contractual remedies the Issuer Banks have to recoup losses caused by Heartland are not evident. As such, it is not clear that the allocation of risk could have been the subject of … negotiations between the Issuer Banks and Heartland.” The court allowed the plaintiff banks’ claims to proceed past the motion to dismiss stage because it found that “in the absence of a tort remedy, the Issuer Banks would be left with no remedy for Heartland’s negligence, defying notions of fairness, common sense and morality.”
The Heartland decision, if adopted by the District of Minnesota, could allow the issuing banks to proceed with their claims against Target. Such a decision could expand Target’s potential liability by several hundred million dollars and, more broadly, result in more lawsuits brought against merchants by issuing banks. It is unclear how these lawsuits will interact with the program established by the Payment Card Industry Security Standards Council to reimburse issuing banks’ breach-related expenses from funds collected from compromised entities through penalties and other financial responsibility assessments.
Company directors and officers are increasingly on the hot seat for cybersecurity.
The Target data breach has also exposed Target’s directors and officers to derivative suits by shareholders on behalf of the company. These suits, which are new to data breach litigation, allege that Target directors and executives breached their fiduciary duties by failing to (1) exercise oversight in such a way as to ensure adequate cybersecurity controls and (2) take reasonable steps to protect customers’ financial information. The plaintiffs in the shareholder derivative suits also allege that Target’s directors and officers caused the company to mislead its customers about the scope and severity of the breach after it was discovered. Accordingly, the shareholders bring claims for breach of the fiduciary duties of loyalty and care, corporate waste, gross mismanagement, and abuse of control. As damages, plaintiffs reference the company’s exposure to millions of dollars of potential liability as a result of the breach, the cost of remedial measures (such as the provision of free credit monitoring services to at-risk customers), the decrease in the company’s sales, and reputational damage.
Target’s directors and officers have raised several defenses. First, they argue that plaintiffs’ failure to make a pre-suit demand warrants dismissal of the case. Second, the defendants argue that plaintiffs fail to state a claim and rely only on the occurrence of the data breach as support for the inference that individual directors breached their duties. Finally, the directors argue that they are shielded from liability by Target’s articles of incorporation, which preclude director liability “except with respect to breaches of a director’s duty of loyalty, or for acts or omissions not in good faith or that involve intentional misconduct or a knowing violation of law.”
In the end, even if Target prevails in many of the pending cases, the breach has already resulted in massive costs. Target’s legal fees alone will total tens of millions of dollars. The company has also been forced to spend millions of dollars improving its cybersecurity. And the costs are not all monetary: Target has spent significant personnel time implementing additional cybersecurity policies and procedures, and the breach has led to turnover at the highest levels of the corporation, including the CEO and CIO. Additionally, Institutional Shareholder Services, a prominent proxy adviser, recommended in May that the majority of Target’s board of directors be removed for their failure to prevent or mitigate the breach.
II. Litigation Following a Data Breach at Schnuck Markets Highlights Additional Categories of Litigation that May Follow a Data Breach.
Litigation arising from a breach at a grocery store chain based in the Midwest provides additional insight into the types of claims that follow a compromise. On March 15, 2013, Schnuck Markets discovered it had been the victim of a cyber attack. From December 2012 to March 2013, hackers breached its network and gained access to sensitive credit and debit card information. Schnucks disclosed the breach via an online press release on March 30, 2013.
Breached companies may choose to go on the offensive.
In response to the data breach, customers filed multiple class action suits against Schnucks for, among other things, failing to safeguard its customers’ private financial information and for failing to employ appropriate cybersecurity measures. In late 2013, a number of the federal suits were consolidated in the Eastern District of Missouri. A related case, McGann et al v. Schnuck Markets, is pending in Missouri state court. In December 2013, the parties agreed to limited discovery during the pendency of the state-court claim.
In August 2013, Schnuck Markets’ insurance provider, Liberty Mutual, sought declaratory judgment that it was not obligated to provide coverage for the litigation associated with the data breach. Liberty Mutual argued that its insurance policy only extends to physical and property damage, not to intangible assets like data. The parties later agreed to a settlement.
In November 2013, Schnucks filed suit in Missouri district court against its credit card processors, First Data Merchant Service Corp. and Citicorp Payment Services Inc. for breach of contract. According to Schnucks, First Data and Citicorp created a reserve account to fund Schnucks’ potential indemnification obligations resulting from the breach, and Schnucks alleges that they were withholding more money than the contract permitted. Schnucks also seeks a “declaration that the liability limits in the agreement applies to the banks’ claimed losses.” This case is still pending.
III. Genesco, Inc. Lawsuit Against Visa Illustrates Specific Issues that Arise in Litigation Related to the Payment Card Industry Data Security Standard.
In a rare case that is being followed closely by those in the payment card industry, Genesco, Inc. sued three Visa entities in March 2013 to recover $13.3 million in fines and assessments that Visa collected from Genesco’s acquiring banks in the wake of a data breach that exposed the payment card information of Genesco’s customers. Genesco, Inc. v. Visa U.S.A., Inc., et al., 296 F.R.D. 559, No. 3:13-cv-00202, 2014 U.S. Dist. LEXIS 6562, 2014 WL 199858 (M.D. Tenn. 2014). Genesco, an apparel retailer operating more than 2,400 stores, sued Visa for violations of California’s Unfair Competition Law (“UCL”) and for common law claims of unjust enrichment and restitution. Genesco also asserted claims for breach of contract and implied covenants of good faith and fair dealing. Genesco says it did not violate contractual terms regarding data security; therefore, Visa improperly imposed fines and assessments without factual support and contrary to the contract’s terms.
Genesco suffered a cyber attack that began in December 2009 and lasted until December 2010. Hackers breached Genesco’s computer network using a packet-sniffing malware that intercepted unencrypted credit and debit card data as it was being transmitted to two banks, Wells Fargo Bank, N.A. and Fifth Third Financial Corp. (the “Banks”). The breach allegedly led to fraudulent purchases using Visa cards.
The contractual arrangement between Genesco and Visa was typical of those in the payment card industry. The Banks had entered into agreements with Visa to process retail purchases, and pursuant to these agreements, the Banks were required to ensure that their merchants complied with Visa’s International Operating Regulations (“VIOR”) and the Payment Card Industry Data Security Standard (“PCI DSS”). The Banks had separate acquiring agreements with Genesco to process Visa card transactions at Genesco stores. Genesco’s agreements with the Banks required Genesco to 1) comply with the VIOR and the PCI DSS, and 2) potentially indemnify the Banks for losses incurred in processing Visa card transactions at Genesco stores. After the breach, Visa collected $13.3 million from the Banks for security non-compliance, consumer reimbursements, and operating expenses, which the Banks in turn collected from Genesco pursuant to their apparent indemnity agreements. Genesco sued Visa to recover its $13.3 million indemnification of the Banks.
Genesco argues that Visa was not entitled to assess fines against the Banks, even if a breach occurred, because Genesco was in compliance with the VIOR and PCI DSS. Genesco contends that the VIOR and the PCI DSS permit it to transmit unencrypted card data. Genesco claims that since attackers stole the unencrypted data when it was in transit, Genesco still met the security requirements and the breach did not result from a failure to comply with the PCI DSS or VIOR.
Genesco also asserts that, under the contract, Visa can only recover for fraud if an account is actually compromised. Following the breach, Genesco retained a forensic consultant who found that the breach did not compromise all customers’ information. Thus, Genesco alleges that it was improper for Visa to include all customer accounts used at Genesco in its damages calculation.
Payment card breach litigation gives rise to unique discovery issues.
As a result of Genesco’s claims, Visa sought discovery from Genesco’s forensic consultant and Genesco’s general counsel regarding the consultant’s findings. Genesco sought a protective order, claiming privilege for a non-testifying expert, as well as the attorney-client and work-product privileges. Genesco claimed that the consultant’s investigation was privileged because Genesco’s general counsel ordered the investigation in anticipation of litigation, and because Genesco is not presenting the consultant’s findings in the case. Visa argued that Genesco waived privilege by voluntarily disclosing the consultant’s report before litigation and failing to file privilege logs during litigation.
In January 2014, the court held that the non-testifying expert privilege protected the consultant’s investigation because the consultant was retained for its specialized knowledge in anticipation of litigation and is not testifying at trial. Genesco, Inc. v. Visa U.S.A., Inc., et al., 296 F.R.D. 559 (M.D. Tenn. 2014). Visa failed to show that an exceptional circumstance existed to overcome the privilege, for example, by showing that Visa could not obtain equivalent information from another source. The court also protected Genesco’s general counsel from deposition. The court held that the attorney-client and work-product privileges attached to the general counsel and the consultant because the consultant and Genesco established their relationship to conduct a factual investigation and to render legal advice in anticipation of litigation. The court ruled that the failure to file privilege logs did not waive the privilege because Genesco filed sufficient affidavits. Genesco also did not waive its privilege when it used the consultant’s investigation to refute Visa’s pre-litigation allegations of PCI DSS violations.
In its January 2014 ruling, the court also addressed Visa’s motion to compel discovery of Genesco’s entire computer system as it related to all VIOR and PCI DSS requirements. The court denied the request as unreasonable and unnecessary. Visa originally alleged that it had imposed assessments and fines for specific violations of the VIOR and the PCI DSS. Therefore, the court reasoned that discovery should be limited to the VIOR and PCI DSS rules cited by Visa as the basis for its fines and reimbursements.
Genesco further argues that Visa failed to show injury because there was no evidence that the compromised cards suffered a higher level of fraud than would normally be expected for uncompromised cards. To help prove this claim, in June 2014 Genesco filed a motion to compel production of Visa documents showing the extent of fraud reported on Visa payment accounts from Genesco transactions before and after the data breach. Genesco argues that the information is relevant to Visa’s claim that the $13.3 million in fines imposed on the Banks is justifiable due to the unusually high amount of fraudulent transactions resulting from the breach. Genesco would like to test this contention by comparing fraud reported on Visa-branded cards used at Genesco stores during the year-long breach with fraudulent transactions before and after the incident.
The Genesco contract dispute highlights a number of important issues, including: how a company may be PCI-compliant but still susceptible to data breaches (and what this says about the compliance standards); the factual predicate required before a card brand can impose fines and assessments for a breach; the manner in which fines are calculated; and the scope and breadth of discovery and forensic evidence. This case is also noteworthy because it is one of the first instances in which a merchant has sued a major card brand and/or payment processor over PCI non-compliance fines and assessments.
IV. Shareholders Filed Derivative Suits Against Target and Wyndham.
As mentioned above, data breaches can also expose directors and executives to derivative claims from shareholders. In a derivative claim, a shareholder seeks, on behalf of the company, to assert claims that belong to the company rather than to the shareholder individually. This year, directors of both Target and Wyndham Worldwide Hotels have faced derivative suits following large data breaches, although the Wyndham suit was recently dismissed. (The Target derivative suit is also discussed in Section A.I.) In these suits, stockholders have alleged various breaches of fiduciary duty, waste of corporate assets, gross mismanagement, and abuse of control by the board of directors.
Cybersecurity is a board-level issue.
The two derivative suits share a variety of common features. The complaints against the Target board question the adequacy of its cybersecurity policies and of the preventative measures that were in place at the time of the breach, and also find fault with Target’s subsequent response, alleging that it failed to provide prompt and adequate notice of the breach to affected customers. Similarly, the Wyndham derivative litigation questioned the board’s conduct before, during, and after the breach. There, the company allegedly suffered three separate data breaches between 2008 and 2010 that cumulatively resulted in hackers gaining access to the credit card information of 619,000 customers. The plaintiff alleged that the Wyndham directors failed to take reasonable steps to secure customers’ personal and financial information and failed to timely disclose the breaches of payment card data in the company’s financial filings. The plaintiff alleged that this second claim is further supported by the fact that Wyndham did not disclose the breaches until more than two years after the final breach.
However, there are some important differences between the Target and Wyndham cases. As is typical in most derivative cases, the Target plaintiffs are attempting to plead demand futility: they are alleging that the members of the Target board cannot determine whether litigation is in the company’s best interest. Thus, they argue, the shareholder plaintiffs should be permitted to act on the company’s behalf. The Wyndham plaintiff, in contrast, made a demand that the board cause the company to initiate litigation and challenged the board’s rejection of that demand. The plaintiff alleged that the defendant directors failed to independently and in good faith consider a pre-suit demand that they investigate the data breaches and cause the company to file a lawsuit against company personnel allegedly responsible for allowing the breaches. The plaintiff relied on documents produced by the company in response to a books-and-records demand in an attempt to show that the directors’ investigation was inadequate. The details of those documents and the plaintiff’s criticisms of the board’s process have been redacted from the public version of the complaint. A New Jersey district court judge dismissed these claims with prejudice, finding that the plaintiff presented no evidence that the board’s refusal to bring suit constituted bad faith. The court also rejected the plaintiff’s contention that the company’s general counsel and board’s outside counsel had conflicts of interest that rendered their advice that the board not take action on the plaintiff’s demand inappropriate. Palkon v. Holmes, No. 2:14-cv-01234-SRC-CLW (D.N.J. Oct. 20, 2014).
Although the Wyndham derivative suit has been dismissed and the outcome of the Target suit is uncertain, these cases represent a growing trend of seeking to hold directors and officers personally responsible for data breaches. Accordingly, directors and officers should educate themselves regarding effective cyber security and be aware of their responsibility to adequately oversee such efforts.
V. Article III Standing Is a Key Issue in Privacy and Data Breach Class Actions.
Article III standing, which limits the jurisdiction of federal courts, requires, among other things, that the plaintiff plead an injury that is actual or imminent, concrete, and fairly traceable to a defendant’s alleged conduct. This requirement continues to be a hurdle for plaintiffs bringing class action claims against companies that suffer a data breach, although some courts (primarily in the Ninth Circuit) have recently breathed new life into claims that were once routinely dismissed.
Article III remains a significant hurdle for consumers in data breach class actions.
In In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig. (“In re SAIC”), No. 12-347, 2014 U.S. Dist. LEXIS 64125 (D.D.C. May 9, 2014), the U.S. District Court for the District of Columbia dismissed 31 of 33 plaintiffs from a consolidated class action against three government defendants and SAIC resulting from a September 2011 data breach for a lack of Article III standing. The data breach occurred when a thief broke into a car belonging to an SAIC employee and stole several data tapes containing the personal information and medical records of 4.7 million members of the U.S. military and their families enrolled in Tricare health care. The theft resulted in the largest HIPAA data breach in history. Although HIPAA does not create a private cause of action, the plaintiffs sued SAIC arguing that HIPAA helped to establish SAIC’s duty of care for tort law claims and that a failure to ensure HIPAA compliance supported their breach of an implied contract claim against SAIC. See Compl. ¶¶ 216, 239, Oct. 1, 2012, ECF No. 18. Citing Clapper v. Amnesty International USA, et al., 133 S. Ct. 1138 (2013), the court held that 31 of the plaintiffs in that case lacked standing because they were unable to show an actual injury or imminent harm from the data breach.
The Supreme Court of the United States held in Clapper that even an objectively reasonable likelihood that plaintiffs’ communications would be acquired under the Foreign Intelligence Surveillance Act was an injury too speculative to satisfy Article III standing requirements. Analogizing to Clapper, the court in In re SAIC made clear that the loss of data itself was not enough to confer standing on the plaintiffs, nor was an increased risk of harm. The court emphasized that the majority of the plaintiffs’ injuries were purely speculative—the identity of the thief is unknown, the location of the plaintiffs’ information is unknown, and it is unlikely that an average criminal would have the requisite technology to access the data given the format in which it was stored. Only two of the 33 plaintiffs were able to establish standing: one plaintiff allegedly received a letter about a loan he never applied for, while the other plaintiff claimed she received unsolicited telephone calls targeted at a specific condition in her medical records. Because the court only addressed the issue of Article III standing, it did not reach the merits of the HIPAA-related claims. While this is not the first time that plaintiffs have relied on HIPAA to establish the standard of care in a tort claim, it demonstrates an interesting use of HIPAA that may arise more frequently in the future given the increasing number of high-profile data breaches. See, e.g., R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E. 2d 715, 720-721 (W. Va. Nov. 14, 2012).
Similarly, a federal district court in Galaria v. Nationwide Mutual Ins. Co., No. 2:13-cv-118, 2014 U.S. Dist. LEXIS 23798 (S.D. Ohio Feb. 10, 2014), dismissed the plaintiffs’ claims for lack of standing when they alleged (1) increased risk of identity theft or fraud; (2) increased cost to mitigate increased risk; (3) loss of privacy; and (4) deprivation of the value of their personally identifiable information as the result of a data breach. The plaintiffs had provided their personal information to the defendant in the process of obtaining insurance, and their information was later compromised as a result of a breach suffered by the defendant. Nonetheless, the court held that the plaintiffs’ speculative injuries did not satisfy the requirements of Article III.
In contrast to In re SAIC and Galaria, the court in In re LinkedIn User Privacy Litigation, Case No. 5:12-cv-3088, 2014 U.S. Dist. LEXIS 42696 (N.D. Cal. Mar. 28, 2014), held that a putative class action plaintiff had standing to sue under California’s Unfair Competition Law following a 2012 breach suffered by LinkedIn. The plaintiff alleged that she purchased a premium membership from LinkedIn, but did not receive the benefit of her bargain because LinkedIn promised to secure her personal information and failed to do so. The plaintiff further alleged that she relied on LinkedIn’s promise to secure her information when she purchased the premium membership and would not have purchased the membership had she known that LinkedIn would not protect her information. The court held that these allegations were sufficient to confer Article III standing on the plaintiff. A $1.25 million settlement is pending court approval.
But some courts are allowing consumer class actions to
More recently, a district court in In re Adobe Systems, Inc. Privacy Litigation allowed a putative class action to proceed despite the defendant’s argument that allegations of possible future injury are not sufficient to satisfy Article III standing. Case No. 5:13-cv-5226 (N.D. Cal. Sept. 4, 2014). In re Adobe arose from a data breach suffered by Adobe Systems, Inc. in 2013 that exposed 38 million customers’ names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and email addresses to hackers. Adobe customers whose information had been compromised in the breach filed a putative class action claiming, among other things, that Adobe failed to comply with California laws requiring businesses to implement reasonable security measures to protect consumer data. The plaintiffs’ claimed injuries were (1) increased risk of future harm, (2) cost to mitigate the risk of future harm, and/or (3) loss of the value of their Adobe products.
Adobe moved to dismiss the plaintiffs’ claims asserting that the plaintiffs failed to allege actual injury as required by Article III, but the court disagreed. “Unlike in Clapper, where respondents’ claim that they would suffer future harm rested on a chain of events that was both ‘highly attenuated’ and ‘highly speculative,’ the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real.” Because some of the plaintiffs’ data had already surfaced on the internet, the risk of injury to the plaintiffs was “certainly impending” and satisfied Article III. Accordingly, the court allowed the plaintiffs’ claims that Adobe failed to implement reasonable security measures to proceed.
With no expectation that data breaches will subside any time soon, consumers will continue to seek redress from the courts. Although the general trend is for courts to dismiss consumers’ claims absent evidence of actual harm resulting from a breach (such as identity theft or fraud), courts in recent months have been more willing to entertain consumers’ claims that increased risk of harm is sufficient to satisfy Article III standing requirements.
B. New Types of Privacy Lawsuits Are Emerging.
I. Google Fights Class Action Litigation Related to Intercepting, Reading, and Acquiring Users’ Emails.
Privacy concerns outside of the data breach context can also give rise to litigation. Plaintiffs in In re Google Inc. Gmail, for example, alleged that Google violated state and federal anti-wiretapping laws by intercepting, reading and acquiring the content of emails that were transmitted and received by users of Gmail and Google Apps services. The plaintiffs further alleged that Google used the information obtained through this screening process for its own profit, creating user profiles and providing targeted advertising to individual users based on the content of their emails.
In winning the battle over class certification, Google may have won the war. The higher costs and lower potential recovery associated with cases involving individual plaintiffs or small classes make litigation a much less enticing option, and many plaintiffs may decide not to pursue their claims further. For those that collect consumer information, the initial guidance by the U.S. District Court shows that clear, explicit and accurate disclosures are an important factor when defending against subsequent privacy challenges from consumers.
II. Hulu Faces a Class Action Alleging Violations of the Video Privacy Protection Act.
In 2011, a group of Hulu users brought a class-action lawsuit in the Northern District of California against internet video streaming company Hulu, alleging that Hulu violated the Video Privacy Protection Act (VPPA). The plaintiffs claimed that the violations occurred when Hulu shared users’ personal information and viewing histories with third parties engaged in marketing and social networking, specifically comScore and Facebook.
Hulu initially argued that (1) its data transmissions to comScore and Facebook were anonymous, and (2) the users could not prove actual injury. But the court was not persuaded on the second point, holding that the VPPA merely requires “injury in the form of a wrongful disclosure” to warrant damages. Then, in April of this year, the court granted Hulu’s motion for summary judgment regarding disclosures made to comScore, but allowed the plaintiffs’ claims regarding Hulu’s sharing of information with Facebook to proceed.
Between 2010 and 2012, certain information was transferred from Hulu to Facebook whenever a Hulu user pressed the Facebook “Like” button while viewing a program on hulu.com. When a user clicked “Like,” Hulu would send the title of the video displayed on the page where the user had clicked “Like,” the user’s IP address, and various “cookies” associated with Facebook. Although Hulu did not send the user’s Hulu User ID, the cookies that were transmitted could have contained the user’s Facebook ID, which is generally a user’s personal name.
In denying summary judgment, the judge partially relied on the fact that Hulu prompted the interaction with Facebook (and any subsequent disclosures) by making the affirmative decision to incorporate the Facebook “Like” button on its viewing pages. The judge noted that it is “straightforward to develop a webpage that would not communicate information to Facebook.” Additionally, because the information sent in the cookies to Facebook was not a unique anonymous ID (like the Hulu User ID) but was “information that identifie[d] the Hulu user’s actual identity on Facebook[,]” the court held that it was possible that Hulu had transmitted information in violation of the VPPA.
In June 2014, the court held that the plaintiff’s proposed class was not ascertainable because membership in the class turned on whether the specific cookie was sent to Facebook, which itself depended on a number of variables. For example, that cookie would not have been sent to Facebook if, among other things, the user logged out of Facebook, cleared cookies, or used ad-blocking software.
Although class certification in this case has been denied, the district court’s determination that the VPPA does not require disclosure of a user’s actual name, but merely something “akin” to an actual name may spur additional suits by users of video streaming services based on the VPPA. Plaintiffs are now free to argue that other types of data may be considered personally identifiable information under the VPPA. Media companies that share user data with third- party advertisers and metrics compilers, or that incorporate Facebook “Like” buttons or other social media plug-ins, will want to reassess their data sharing practices in light of this decision.
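A consent-gated version of that design, added here as an example that is not part of the original article and not code from Hulu or Facebook: the host page renders a same-origin placeholder button and only injects the plugin iframe after the user clicks it, so the browser sends no request (and therefore no Facebook cookie, IP address or page URL) to the social network unless the user opts in. The site name `video.example.com`, the function names, and the plugin URL pattern `/plugins/like.php?href=` are assumptions for illustration.

```javascript
// Added example (not from the original article, Hulu or Facebook): a
// consent-gated "Like" button. The host page renders a same-origin placeholder
// and only emits the third-party embed after the user explicitly opts in, so
// no request carrying third-party cookies leaves the browser on page load.

const THIRD_PARTY_ORIGIN = "https://www.facebook.com"; // assumed plugin host

// Escape text before placing it in HTML, so a video title cannot inject markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render the button for a given viewing page.
//   state.consented === false -> a plain same-origin button; nothing is fetched
//                                from the social network.
//   state.consented === true  -> the plugin iframe, which the browser will load
//                                with whatever cookies it holds for that origin.
// The embed URL carries only the page URL, never the host site's own user ID.
function renderLikeButton(pageUrl, videoTitle, state) {
  if (!state.consented) {
    return (
      '<button type="button" class="social-placeholder" data-action="enable-like">' +
      "Like " + escapeHtml(videoTitle) + " on Facebook (loads Facebook content)" +
      "</button>"
    );
  }
  const src = THIRD_PARTY_ORIGIN + "/plugins/like.php?href=" + encodeURIComponent(pageUrl);
  return '<iframe src="' + escapeHtml(src) + '" title="Like button"></iframe>';
}

// List the distinct non-first-party origins the browser would contact to render
// this markup (src attributes of iframe/script/img). Useful as a build-time or
// CI check that a page does not talk to a third party before consent.
function thirdPartyOrigins(html, firstPartyOrigin) {
  const origins = new Set();
  const re = /<(?:iframe|script|img)\b[^>]*\bsrc="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const origin = new URL(m[1], firstPartyOrigin).origin;
    if (origin !== firstPartyOrigin) origins.add(origin);
  }
  return [...origins].sort();
}

// Browser wiring: clicking the placeholder swaps in the real embed. Not
// exercised under Node; kept so the module also works on a real page.
function attachConsentHandler(container, pageUrl, videoTitle) {
  const state = { consented: false };
  container.innerHTML = renderLikeButton(pageUrl, videoTitle, state);
  container.addEventListener("click", (ev) => {
    if (ev.target.dataset && ev.target.dataset.action === "enable-like") {
      state.consented = true;
      container.innerHTML = renderLikeButton(pageUrl, videoTitle, state);
    }
  });
  return state;
}

// Constructed sample input: a hypothetical viewing page on the host site.
const SAMPLE_PAGE = "https://video.example.com/watch/12345";
const SAMPLE_TITLE = 'Season 2 <"Finale">';

function demo() {
  const before = renderLikeButton(SAMPLE_PAGE, SAMPLE_TITLE, { consented: false });
  const after = renderLikeButton(SAMPLE_PAGE, SAMPLE_TITLE, { consented: true });
  return {
    before,
    after,
    beforeOrigins: thirdPartyOrigins(before, "https://video.example.com"),
    afterOrigins: thirdPartyOrigins(after, "https://video.example.com"),
  };
}

if (typeof module !== "undefined") {
  module.exports = { escapeHtml, renderLikeButton, thirdPartyOrigins, attachConsentHandler, demo };
}
```

The cookies the court discussed are attached by the browser to the request that fetches the plugin, so the lever the host site actually holds is whether and when that request is made at all; the placeholder makes it a user decision, and `thirdPartyOrigins` gives a mechanical check that the pre-consent markup references no third-party origin.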
III. The FTC Weighed in on Preemption of State Laws by the Children’s Online Privacy Protection Act.
A pending challenge to a settlement agreement may clear the way for parents to pursue enforcement of state laws related to teenagers’ privacy against social media companies. In March, the Federal Trade Commission (the “FTC”) filed an amicus brief in Batman v. Facebook, Inc., No. 13-16819, pending before the U.S. Court of Appeals for the Ninth Circuit, opposing a district court’s suggestion that the Children’s Online Privacy Protection Act (“COPPA”) preempts state law privacy protections for people outside of COPPA’s coverage, including teenagers. The amicus brief is particularly interesting because the FTC is the governmental entity charged with enforcing COPPA.
Many (primarily parents of teenagers) voiced concerns over the moral and legal ramifications of the parental consent language. Some of the unnamed class members objected to the class settlement agreement, arguing that it violates the laws of seven states, including California, which require valid parental consent to use the name or likeness of a child under the age of 18 in any commercial manner. The district court rejected the objectors’ argument on the basis that it would require a decision on the merits (whether Facebook had, in fact, violated state or federal laws), which was inappropriate in assessing a settlement. The judge also opined COPPA “may well” preempt state laws like that of California. The judge reasoned that COPPA regulates the gathering and dissemination of personal information only of children under the age of 13 and may “expressly preempt” inconsistent state laws. Accordingly, the district court approved the agreement over the objections.
The objectors appealed the approval of the settlement to the Ninth Circuit, and the FTC filed an amicus brief arguing that while COPPA applies to children under the age of 13 (which happens to be the minimum age to obtain a Facebook account), COPPA does not prevent states from enforcing privacy protections for those not covered by COPPA, including teenagers. The FTC reasoned that COPPA’s express preemption clause only applies to state laws in the same field as COPPA, and does not preempt laws outside of COPPA’s scope, such as state regulations related to minors between the ages of 13 and 18.
It is unclear when or whether the Ninth Circuit will rule on the matter, as the FTC took no substantive position on the merits of the case and the Ninth Circuit may affirm or reverse the settlement agreement without ruling on the question of preemption. However, businesses that collect information from teenagers should take note of the FTC’s position. Should the FTC’s view be adopted, states may be allowed to impose additional compliance requirements on social media sites, internet advertisers, and other businesses that gather and use personal information from minors on the internet.
C. The Department of Justice, Securities and Exchange Commission, and State Regulators Are Increasingly Active in Cybersecurity Enforcement.
Regulators across the board are stepping up their efforts to combat cybercrime and protect sensitive information belonging to American businesses and residents. This section recounts the efforts of the U.S. Department of Justice (“DOJ”), the U.S. Securities and Exchange Commission (“SEC”), the Financial Industry Regulatory Authority (“FINRA”), and state regulators. Later sections outline the efforts of the U.S. Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services (“HHS”).
I. The DOJ Disrupted Zeus Malware and Cryptolocker.
In June, the DOJ announced that the FBI – with the cooperation of domestic and foreign law enforcement, technology firms, and universities – had successfully disrupted the GameOver Zeus botnet and the Cryptolocker ransomware. Law enforcement and others estimate that GameOver Zeus and Cryptolocker have caused losses in excess of $100 million.
GameOver Zeus is a sophisticated 2011 variant of the Zeus malware that first appeared in 2007 and is believed to have infected between 500,000 and 1 million computers. The malware allows an attacker to intercept victims’ communications with their banks, allowing the attacker to steal login credentials and transfer funds out of a victim’s account. It also caused the infected computers to become part of a ‘botnet,’ a network of compromised computers. The DOJ disrupted the malware by redirecting victim computers’ automated requests for instructions from criminal operators to servers established pursuant to court order. The DOJ also announced an indictment against Evgeniy Mikhailovich Bogachev, a Russian hacker alleged to be an administrator of the GameOver Zeus botnet.
Cryptolocker is a malware program first identified in September 2013 that uses sophisticated cryptography to encrypt a victim’s files. Attackers demand a ransom from victims in exchange for the key needed to decrypt their data. If victims do not comply, the attackers delete the decryption key, making it impossible to decrypt the files. The DOJ estimated that there were more than $27 million in ransom payments made in just two months.
II. The DOJ Indicted Chinese Military Officers for Allegedly Hacking U.S. Firms.
In May, a Pennsylvania grand jury indicted five Chinese military officers for allegedly hacking U.S. industrial firms and a labor union and stealing trade secrets for the benefit of Chinese state-owned commercial enterprises. According to Attorney General Eric Holder, the indictments “represent the first ever charges against a state actor for this type of hacking.”
The DOJ contends that the officers – none of whom have been arrested because they reside in China – were indicted because they were stealing trade secrets to benefit Chinese state-owned business enterprises, and were not engaging in traditional intelligence efforts. The indictment alleged that the hackers, among other things, stole technical information regarding power plants Westinghouse was building in China and internal emails from senior Westinghouse leaders. The attackers used spear-phishing emails in some attacks, tricking U.S. employees into clicking on malicious links that installed malware on the victim firms’ computers. In at least one such instance, a Chinese military officer allegedly posed as the CEO of U.S. Steel in an effort to trick U.S. Steel employees into clicking on malicious links.
The DOJ characterized the hacking as “21st century burglary” and argued that “cyber thieves” should not be immune from prosecution “just because they hack under the shadow of their country’s flag.” The U.S. insists that it does not engage in the sort of espionage that was outlined in its indictment, pointing out that U.S. intelligence agencies do not share what they find with U.S. private enterprises. It appears that some other countries have not embraced the distinction the U.S. has tried to draw between legitimate intelligence efforts and illegitimate economic espionage. China issued public statements in response to the indictment asserting that it does not steal trade secrets.
III. The DOJ Obtained its First RICO Conviction in a Cyber Case.
In December 2013, the DOJ obtained the conviction of 22-year-old David Ray Camez, a member of a “carder” website, who purchased counterfeit identification cards and was in possession of equipment to make access devices. (A “carder” website is an online forum consisting of thousands of members who buy and sell counterfeit identification cards, credit and debit cards, credit card dumps, botnets for rent, and the materials needed to manufacture counterfeit access devices.) The DOJ convicted Camez under the Racketeer Influenced and Corrupt Organizations Act (“RICO”) and touted the conviction as the first RICO conviction arising from computer-related crimes. In May, Camez was sentenced to 20 years in prison for his conduct. Other alleged co-conspirators, including Russian national Roman Seleznev, have since been arrested and face similar charges.
RICO is a powerful tool for prosecutors because, among other things, it provides stiffer penalties than traditional computer crime statutes, provides for forfeiture of proceeds of racketeering activity on a joint and several basis, provides for pre-trial restraining orders preserving assets that may be subject to forfeiture following conviction, and provides more flexibility with regard to the statute of limitations. Private businesses may also pursue a RICO claim when seeking to recover losses from cyber thieves, provided that the facts of the case support the pleading of a RICO predicate offense. The statute provides a private right of action to “any person injured in his business or property by reason of a violation of [RICO]” and allows recovery of treble damages, costs, and attorney’s fees. If it survives appeal, the Camez conviction may open the door to RICO being used more frequently to combat large cyber crime enterprises, although many see the Camez case as an outlier and do not view it as part of a trend.
IV. Despite Broad Success, The DOJ Has Experienced Some Setbacks in Prosecuting Cybercrime.
Federal prosecutors suffered a small setback in their aggressive stance against computer crime when the Third Circuit Court of Appeals held that venue was not proper in the District of New Jersey for a case against a defendant who allegedly exploited AT&T’s network and captured the email addresses of over 114,000 iPad users. In United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014), prosecutors alleged that the defendant and a co-conspirator discovered the vulnerability on AT&T’s website. They created a program to automatically collect the email addresses and provided some of those addresses to a reporter, who published some of them. They were not residents of New Jersey, and the indictment did not charge that their misconduct occurred in that district. Auernheimer was in Arkansas the entire time, none of the data banks or computers he accessed were in New Jersey, and the reporter did not receive or publish the information in New Jersey. Nonetheless, prosecutors tried the case in New Jersey, where approximately 4,000 victim iPad users resided.
Auernheimer was convicted under the CFAA and 18 U.S.C. § 1028 (fraud in connection with identification documents, authentication features, and information), and he appealed his conviction for improper venue. The Third Circuit Court of Appeals agreed, re-affirming that a defendant cannot be tried in a jurisdiction where no “essential conduct elements” of the crime took place. Notably, the court rejected the government’s arguments that the effects of a CFAA violation may establish venue, and that improper venue is harmless error.
V. The SEC and FINRA Announced Cybersecurity Sweeps.
FINRA announced in January that it would begin assessing securities firms’ cybersecurity efforts through targeted examination letters. Through these examinations, FINRA is assessing, among other things, firms’ approaches to information technology risk assessment, business continuity plans in case of a cyber attack, assessment of the impact of cyber attacks on the firm over the past twelve months, and training programs.
In April, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) followed FINRA’s lead by announcing that it would be conducting examinations of more than 50 broker-dealers and investment advisers to learn more about those organizations’ cybersecurity efforts. More specifically, OCIE will be analyzing organizations’ “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
A roundtable hosted by the SEC on March 26, 2014 – amidst the announcements of increased examination activity – further highlighted regulators’ increased attention on ensuring that organizations in the financial sector are focused on cybersecurity. In opening comments, Commissioner Luis A. Aguilar noted the SEC’s commitment to increasing its role in addressing cybersecurity issues and outlined his expectation that the SEC will take additional steps to combat cyber threats, including establishing a new Cybersecurity Task Force. During the roundtable, panelists discussed the appropriate format of any new federal rules or regulations regarding cybersecurity, many asserting that any new rules should be principles and standards rather than particularized rules that would quickly become outdated. Panelists also discussed the specificity with which public companies should disclose cybersecurity risks and events in their public filings. The SEC panelists continued to discourage boilerplate disclosures, but there was general concern that disclosing too many details would leave companies vulnerable to attack.
VI. State Regulators Also Stepped Up Cybersecurity Enforcement.
Not to be outdone, state regulators have also stepped up their role in preventing cybercrime, announcing several high-profile enforcement efforts and cybersecurity initiatives.
- Manhattan DA Indicted StubHub Hackers.
In July, the Manhattan District Attorney announced the indictment of a group of hackers who allegedly broke into StubHub.com (an online ticket seller) accounts and made unauthorized ticket purchases for resale. According to prosecutors, the hackers gathered users’ log-in credentials from other unrelated breaches and through the use of malware installed on users’ personal computers. The defendants allegedly made purchases using either pre-existing credit card information associated with the stolen accounts or credit card information from stolen credit cards.
- Kaiser Settled with California AG Following Delayed Notice of Breach.
Earlier in the year, Kaiser Foundation Health Plan, Inc. (“Kaiser”) agreed to pay $150,000 to settle claims by the California Attorney General (the “AG”) that Kaiser’s notification to California residents regarding a breach of their personal information was unreasonably delayed because Kaiser failed to make any notifications until after it completed its forensic investigation. The case was the first time that a state AG pursued a company for failing to issue notifications on a rolling basis during the pendency of an investigation.
According to the AG, Kaiser learned in September 2011 that an external hard drive containing employees’ personal information had been sold at a thrift shop to a person unaffiliated with Kaiser. Kaiser recovered the drive, and its initial analysis identified approximately 30,000 potentially affected individuals. However, Kaiser completed its four-month long forensic investigation before notifying anyone impacted by the breach. The AG alleged that this delay violated Section 1798.82 of the California Civil Code (the “Notification Law”), which – like many state breach notification laws – requires owners of computerized data to notify residents of any breach that exposes their personal information “in the most expedient time possible and without unreasonable delay . . . .”
Kaiser settled the AG’s claims without admitting liability. Pursuant to the settlement agreement, Kaiser agreed to pay $30,000 in civil penalties and $120,000 in attorney’s fees and costs of investigation and prosecution and agreed to an injunction against further violations of the Notification Law with respect to personal information of current or former employees. The injunction specifically required Kaiser to provide notification of any future breaches of employees’ personal information on a “rolling basis” where “feasible and appropriate,” meaning Kaiser must provide notice “as soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser’s investigation of the breach is ongoing” and must “continue to notify individuals as soon as they are identified, throughout and until completion of Kaiser’s investigation of the breach.”
The Kaiser settlement may have far-reaching implications for companies responding to a data breach. For multiple reasons, companies often prefer to complete a forensic investigation before notifying impacted individuals or alerting the public, but this approach carries more risk in light of the California AG’s settlement with Kaiser, particularly where employees’ information is involved.
- NY Regulators Announced Bank Cyber Examinations.
State regulators are also revamping their regulatory examination practices to include a review of organizations’ cybersecurity. The New York State Department of Financial Services (“DFS”) announced in May that future bank examinations in that state will include a cybersecurity assessment. The DFS made the announcement in conjunction with the release of a report on bank cybersecurity, which provides specific suggestions to banks regarding best practices and thus serves as a useful guide for preparing for DFS examinations.
The DFS report stated that it will examine banks’ “IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.” The new examination procedures will be “tailored to reflect each institution’s unique risk profile” and will take a “holistic view of an institution’s cyber readiness . . . .”
Among other recommendations, the DFS report suggested that banks:
- consider the security practices of external vendors as a part of their own cybersecurity efforts;
- join the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), a non-profit industry group that the U.S. Department of Treasury and the U.S. Department of Homeland Security use to disseminate information to the industry in an emergency; and
- include all levels of bank management (including general counsel and insurance managers) in cybersecurity efforts.
Banks in all states should take note of the DFS report and the new examination procedures because they may become a model for other states.
The DFS also announced in October that it is considering whether to require banks chartered in New York to step up cybersecurity measures by, among other things, appointing chief information security officers and conducting quarterly network vulnerability scans and annual penetration tests. (Penetration tests or “pentests” are simulated attacks used to identify security weaknesses in a computer system or network.) The proposed new requirements would be modeled after the DFS’s controversial BitLicense proposal, which, if adopted, would set cybersecurity standards for virtual currency businesses.
web sites and online services). Among other things, the Attorney General’s May 2014 guidance advised companies to:
- Describe how the company responds to a browser’s Do Not Track signal or to other such mechanisms;
- State whether other parties are or may be collecting personally identifiable information of consumers while they are on the company’s site or service; and
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
Whether federal or state, there is no sign that law enforcement and other regulators intend to relax their efforts to combat cybercrime and enforce privacy protections.
D. The FTC is Testing the Limits of its Section 5 Power to Regulate Cybersecurity.
The FTC is playing an increasingly prominent role in cybersecurity enforcement, both because the FTC is testing the limits of its police powers in this area and because many companies that face FTC enforcement are protesting the arguable expansion of that power. The early months of 2014 saw more traditional privacy enforcement actions by the FTC as well.
I. Wyndham and LabMD Challenged the FTC’s Authority to Regulate Cybersecurity Practices.
In two landmark cases this year, the FTC’s authority to regulate data security practices came under attack. The FTC has been enforcing consumers’ privacy rights through enforcement actions under Section 5 of the FTC Act, which prohibits “unfair” or “deceptive” trade practices, since the 1990s, but it has been increasingly active in the data security area in recent years. Recently, companies have begun to challenge the FTC’s authority to regulate cybersecurity under Section 5. In the first notable challenge of its kind, hotel chain Wyndham Worldwide (“Wyndham”) argued that the FTC lacked the authority to regulate data security practices and that it was seeking to hold victim companies responsible for the actions of criminal hackers. A federal judge in the District of New Jersey rejected Wyndham’s argument and refused to “carve out a data-security exception to the FTC’s authority” to protect consumers. Wyndham has appealed this ruling to the Third Circuit. See FTC v. Wyndham Worldwide Corp., No. 12-1887 (ES), 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014).
The FTC relied on Wyndham in seeking to dismiss what it characterized as a similar argument in a case brought by LabMD, Inc. (“LabMD”), a clinical testing laboratory. See LabMD, Inc. v. FTC, No. 1:14-cv-00810-WSD, 2014 U.S. Dist. LEXIS 65090 (N.D. Ga. May 12, 2014). LabMD was the subject of an FTC administrative proceeding, which it had moved to dismiss. When the FTC denied the motion, LabMD filed suit in district court challenging the FTC’s authority to regulate LabMD. The FTC relied on the Wyndham decision in filing a motion to dismiss.
In response, LabMD distinguished Wyndham, which questioned whether the FTC had any authority to regulate corporate data security practices, and argued more narrowly that an entity regulated by HIPAA should be exempt from the FTC’s additional and conflicting requirements. According to LabMD, “Congress never intended FTC to have such sweeping and overriding authority to intervene and impose new and additional requirements on entities regulated by expert sister agencies.” However, LabMD’s case was dismissed for lack of jurisdiction, without reaching the merits, because the FTC’s denial of LabMD’s motion to dismiss the administrative proceeding did not constitute a final agency action. LabMD appealed this decision, and the Eleventh Circuit recently agreed to hear oral arguments regarding that appeal.
Meanwhile, the administrative proceeding has caught the attention of Congress. Cybersecurity firm Tiversa, Inc. (“Tiversa”) initially reported the LabMD breach to the FTC, and the U.S. House Oversight and Government Reform Committee is currently investigating the circumstances under which Tiversa obtained the information it reported. Tiversa notified the FTC after it discovered a file with insurance billing records belonging to LabMD patients on LimeWire, a peer-to-peer file-sharing network.
II. Snapchat Settled with the FTC Following Allegedly Deceptive Representations and Failure to Protect User Data.
The FTC filed a complaint against Snapchat, Inc. on May 8, 2014, for deceptively representing its wireless communication platform to users and for failing to take reasonable measures to secure user data. The FTC and Snapchat quickly reached a settlement agreement on May 14, 2014, pending final approval after a period for public comment. Under the terms of this agreement, Snapchat agreed to truthfully represent and maintain “the privacy, security, and confidentiality” of users’ data. It also agreed to outside monitoring by a “qualified, objective, independent third-party professional.”
Snapchat settled this complaint by consenting to the FTC demands that it refrain from misrepresenting the extent to which its products protect the privacy, security and confidentiality of its users. Specifically, Snapchat may not misrepresent the extent to which a message is deleted, the capabilities of Snapchat to detect and notify a user of a screenshot, the type and extent of data collected, and the steps taken to prevent the unauthorized disclosure of private information. Additionally, Snapchat agreed to establish an internal privacy program, and – as is common in FTC settlements – Snapchat agreed to have a “qualified, objective, independent third-party professional” evaluate and publicly report on the effectiveness of its privacy program every two years.
Companies that handle personal data should take note of the standard the FTC sought to enforce against Snapchat. Snapchat allegedly failed to take “reasonable security measures” to secure users’ data, the implication being that Snapchat was well aware of the problems and vulnerabilities of its software, but failed to implement effective solutions to those problems. Companies need to ensure that the representations they make to users about their products and services, including privacy policies, are consistent with the actual functions of their products. To stay off the FTC’s radar, companies should avoid misleading users by overstating technical functionality or data security.
E. The U.S. Department of Health and Human Services Stepped Up its HIPAA Enforcement Efforts.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations provide federal protections for the privacy and security of protected health information (“PHI”) held by covered entities and their business associates. The responsibility for HIPAA oversight and enforcement efforts rests with the U.S. Department of Health & Human Services Office for Civil Rights (“HHS-OCR”). In 2014, HIPAA has garnered significant attention in the data security and privacy world, with the largest-ever HIPAA settlement and a new security risk assessment tool.
I. HHS-OCR Announced Several Notable Enforcement Actions and Settlements.
With impermissible uses and disclosures of PHI remaining at the top of HHS-OCR’s list of most frequently investigated compliance issues, it should come as no surprise that 2014 has already seen several noteworthy settlements involving HIPAA breaches. And while punitive measures are still rare, HHS-OCR’s enforcement activity this year sends a message that HIPAA compliance should not be taken lightly.
On May 7, 2014, HHS-OCR announced a record $4.8 million settlement with New York Presbyterian Hospital and Columbia University stemming from a breach involving a data network shared by the two entities. The breach occurred in September 2010 when a Columbia physician attempted to deactivate a personally owned server. During the deactivation attempt, the physician inadvertently made the medical information of 6,800 patients accessible via public internet search engines. The HHS-OCR’s investigation revealed that neither organization had conducted an accurate and thorough risk analysis or developed a satisfactory risk management plan.
Although the $4.8 million settlement was the largest ever in HHS-OCR history, the Puerto Rico Health Insurance Administration (“PRHIA”) imposed the largest ever civil monetary penalty – $6.8 million – this year for HIPAA violations by Triple-S Salud, Inc. (“Triple-S”). Triple-S, a prominent Puerto Rican health insurance contractor, mailed a pamphlet to 70,000 Medicare Advantage beneficiaries and inadvertently displayed the recipients’ Medicare Health Insurance Claim Number on the pamphlets. The penalty imposed by the PRHIA resulted from a contract between Triple-S and PRHIA which allowed PRHIA to impose fines for HIPAA violations. Civil monetary penalties arising from HIPAA violations are uncommon. HHS-OCR has imposed civil monetary penalties only once – a $4.3 million penalty in 2011 against Cignet Health (due largely to Cignet’s failure to cooperate with the HHS-OCR investigation).
In another landmark enforcement action, HHS-OCR announced the first settlement with a county government. Skagit County, Washington (“County”) agreed to pay $215,000 after a breach involving the PHI of 1,581 individuals. The County inadvertently moved the electronic PHI – which included payment receipts and other sensitive information, including testing information and information related to treatment of infectious diseases – to a publicly accessible server maintained by the County.
HHS-OCR also highlighted the importance of encryption this year in its settlements with a clinic chain operator and Arkansas-based health insurer QCA Health Plan, Inc. (“QCA”). The clinic chain operator’s $1.73 million settlement involved a stolen laptop containing unencrypted health information of 870 individuals. In a similar case, QCA agreed to pay $250,000 after a laptop containing unencrypted medical records of 148 patients was stolen from a staff member’s car. In both cases, the organizations did not have sufficient security management processes in place and failed to implement alternative measures to encryption.
Although HHS-OCR continues to focus on electronic PHI, it also reminded covered entities and business associates that PHI must be securely transferred and disposed of, regardless of form. HHS-OCR announced an $800,000 settlement in June with Parkview Health System, Inc. (“Parkview”) after Parkview employees left 71 cardboard boxes of medical records in the driveway of a physician’s home.
After years of being criticized for not enforcing HIPAA, the HHS-OCR is making a definitive statement that those who violate HIPAA (particularly if the violation is egregious) may face significant fines.
II. HHS-OCR Provides a New Risk Assessment Tool.
Like many other federal and state regulators, the HHS-OCR is coupling increased enforcement efforts with improved tools and guidance regarding compliance. On March 28, 2014, HHS-OCR released a free security risk assessment (“SRA”) tool to help small- to medium-size providers in their HIPAA compliance efforts. The SRA tool is a software application that allows covered entities to conduct and document their risk assessments in an organized manner. While the HIPAA Security Rule requires covered entities and their business associates to conduct a security risk assessment, it does not specify the methodology to be used. The SRA tool is therefore one of many possibilities for conducting a risk analysis, and ultimately serves as an alternative to hiring a third-party vendor.
The SRA tool is the latest of several guidance documents related to compliance with the HIPAA Security Rule, including HHS-OCR’s HIPAA Security Series, HHS-OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule, and NIST Special Publication 800-66 entitled “An Introductory Resource Guide for Implementing the HIPAA Security Rule.”
The SRA tool can be downloaded from the healthit.gov website, which also contains a user guide and tutorial videos to help health care providers use the tool.
With HHS-OCR making it easier for HIPAA covered entities to conduct a comprehensive risk analysis, the failure to perform such an analysis will increase the chances of financial penalties in the case of a data breach or security audit.
F. Government Agencies’ Cybersecurity Efforts Are Increasingly Scrutinized.
The data security practices of federal and state government agencies also came under scrutiny this year. In March 2014, the U.S. Government Accountability Office (“GAO”) released a report finding significant data security issues at the U.S. Department of Veterans Affairs (“VA”). The report stated that the VA “continues to face long-standing challenges” and “has consistently had weaknesses in key information security control areas.”
The VA maintains the largest health care system in the nation (with over 6 million patients) and provides benefits to over 4 million veterans and beneficiaries. The GAO report stated that the number of information security incidents reported by the VA to the U.S. Computer Emergency Readiness Team (“U.S. CERT”) has more than doubled in recent years, increasing from 4,834 in 2007 to 11,382 in 2013. The incidents included unauthorized access, denial-of-service attacks, installation of malicious code, improper usage of computing resources, and scans, probes, and attempted access, among others. The report comes on the heels of a GAO report released in January 2014 that scrutinized the policies and procedures of eight government agencies relating to data breaches involving personally identifiable information, including VA, the U.S. Army and the U.S. Securities and Exchange Commission.
In July, the U.S. Department of Health & Human Services Office of Inspector General (“OIG”) released a report finding deficiencies in the ten Medicare contractor information security programs audited for fiscal year 2012. Federal law requires that Medicare contractors evaluate their information security programs annually through the use of an independent entity. The evaluations must address the requirements enumerated in the Federal Information Security Management Act of 2002 (“FISMA”), as well as requirements from the Centers for Medicare & Medicaid Services (“CMS”). The OIG must submit annual reports on the results of these evaluations to Congress. While the number of gaps in the information security programs of the Medicare contractors increased by forty-five percent (as compared to fiscal year 2011), the OIG noted that the increase was due to new and expanded testing procedures. The OIG concluded that deficiencies remain in the FISMA control areas tested and called for CMS to ensure that all gaps are remediated by the Medicare contractors.
In August 2014, the OIG issued an audit report finding that the Office of the National Coordinator for Health Information Technology’s (“ONC”) oversight of authorized testing and certification bodies for electronic health records (“EHRs”) did not adequately protect the privacy and security of patient information. According to the OIG, the ONC did not ensure that the authorized testing and certification bodies (i) developed procedures to periodically evaluate whether certified EHRs continued to meet federal standards and (ii) developed a training program to ensure personnel were competent to test and certify EHRs. Although the testing and certification process met the National Institute of Standards and Technology (“NIST”) test procedure requirements, the OIG determined that the NIST procedures were insufficient. For example, the NIST procedures did not address common security issues, such as password complexity. Health care providers can receive incentive payments if they attest to the “meaningful use” of EHRs, however, the EHR applications must be certified by an authorized testing and certification body in accordance with federal standards. The ONC oversees the testing and certification process for EHRs.
State agencies have also been under the microscope for their data security shortcomings. An OIG report entitled “High-Risk Security Vulnerabilities Identified during Reviews of Information Technology General Controls at State Medicaid Agencies” issued in March 2014 revealed significant vulnerabilities in Medicaid information system general controls in 10 states. The report classified information system general controls as “the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure proper operations of information systems, and create a secure environment for application systems.” The OIG conducted the investigation after identifying high-risk security vulnerabilities in previous reviews of information system general controls at 10 unnamed Medicaid state agencies between 2010 and 2012. The report stated that the “OIG has identified the security of health information systems as a top challenge facing the Department and State agencies.” In June 2012, HHS-OCR announced its first HIPAA enforcement action against a state agency, settling with Alaska’s Medicaid agency for $1.7 million after a USB hard drive possibly containing electronic PHI was stolen from the vehicle of the agency’s employee.
G. Privacy Issues Are Not Just a Domestic Concern.
As foreign governments continue to step up privacy and cybersecurity enforcement efforts, companies that manage data belonging to foreign citizens or store data abroad must take note of developments that impact their international operations.
I. The EU Court of Justice Moves Toward a Right to be Forgotten.
In a step towards the recognition of a full “right to be forgotten” on the internet, the European Court of Justice (“ECJ”) recently held that Google’s search engine operations legally constitute “the processing of personal data.” This ruling subjects Google and similar companies that crawl and index the web to the full spectrum of European Union (“EU”) data privacy laws. It also demonstrates the ECJ’s willingness to extend EU privacy law requirements to cover operations taking place within EU Member States over the internet.
First, the ECJ confirmed that crawling and indexing the web to return search results is considered to be the “processing of personal data” and that search engine companies like Google are “controllers” of such processing. As a controller, Google had an obligation to comply with the general requirements of EU data privacy law, which include an obligation to respect individual privacy rights, to use personal data “fairly,” and to limit its use to “specified, explicit and legitimate purposes.”
Next, the ECJ ruled that search engine operators have an obligation to respond to individual requests that search results be removed when those results are returned by a search for the individual’s name. This removal requirement includes results that are merely links to lawfully published postings on third-party sites. There is also no prerequisite that the search results contain information that is prejudicial to the individual. The individual requesting removal of the results need only show the information to be “inadequate, irrelevant . . . or excessive.”
The ECJ’s ruling does not, however, create an absolute right to be forgotten from search engines. The ECJ made clear that companies responding to requests for removal from search results must balance the interest of the general public in having searchable access to information against the interest of an individual’s privacy. Exactly how these interests are to be balanced is not yet clear. In its own effort to strike a balance, Google recently established an eight-member advisory council to take input from the public and examine future decisions from data-protection authorities and courts in the EU.
The ruling has implications not only for Google, but for other tech companies that have relied on a limited physical presence in EU Member States to avoid the obligations imposed on data processors under EU privacy law. Before this ruling, EU data privacy laws were thought to be enforceable only where the data controller carried out the data processing “in the context of the activities of an establishment of the controller” located in an EU Member State.
Now, any crawling and indexing operation with a search feature may be subject to EU privacy laws even if the operator has no more than an advertising arm in an EU Member State. Within a few weeks of the ruling, Google and Microsoft both created mechanisms for EU citizens to submit requests to have links removed from their search engines.
II. Courts’ Privacy Rulings Can Impact a Business’s Foreign Operations.
Domestic court rulings have also impacted companies’ data processing activities that take place abroad. In April, a federal magistrate court in New York upheld a search warrant obtained by law enforcement under the federal Stored Communications Act (the “SCA”), 18 U.S.C. § 2703, that required Microsoft Corp. to provide the contents of a user’s email account stored in Dublin, Ireland. In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., 13 Mag. 2814, 2014 WL 1661004 (S.D.N.Y. Apr. 25, 2014). Microsoft objected to the warrant asserting that courts in the United States are not authorized to issue warrants for the search and seizure of property outside the territorial limits of the United States. However, the court disagreed that the warrant raised extraterritorial concerns.
The court held that a warrant obtained under the SCA is a “hybrid: part search warrant and part subpoena” because it is obtained like a search warrant, but executed like a subpoena. Because subpoenas order recipients such as Microsoft to produce information within their possession, custody, or control – regardless of location and without the involvement of law enforcement – the warrant does not give rise to issues of extraterritorial search and seizure. A federal district court later affirmed the magistrate’s ruling, but Microsoft has not yet complied with the warrant. The company recently agreed to a contempt holding for non-compliance in order to facilitate its appeal of the district court’s order.
These proceedings are important for companies with global operations, and there will likely be more courts addressing this issue in the coming years. Spurred in part by this case, the Senate has recently introduced legislation that would require courts to deny a warrant if an email services provider can show the warrant requires the service provider to violate the privacy laws of a foreign country.
H. Privacy and Data Security Legislation Remains Primarily a State Issue.
Although Congress has been considering a number of bills relating to cybersecurity, it has yet to pass anything substantive. However, the White House and many state legislatures have taken steps to address cyber concerns.
I. Federal Congress Has Made Several Attempts to Pass Cybersecurity Legislation with No Success.
In July, the Cyber Information Sharing Act (“CISA”) was approved by the U.S. Senate Intelligence Committee. The bill’s stated purpose is to open avenues for information-sharing between companies and the government to combat malicious actors in a consolidated defense. While proponents say the bill plays an essential role in preventing dangerous cyber attacks, detractors say the bill does not protect citizens’ privacy and are concerned about the potential for abuse. The bill includes features such as authorizing individuals and companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats. In order for the bill to proceed, it must pass a full vote in the Senate.
Similar cybersecurity bills have failed in the past, such as the Cyber Information Sharing and Protection Act (“CISPA”) that passed the U.S. House of Representatives but was not passed in the U.S. Senate due to its lack of privacy and civil liberty protections (and a presidential veto threat). Proponents argue there is a need for a structured system to facilitate the sharing of information regarding security incidents and threats, but detractors argue that any legislation should protect consumers’ rights and ensure the security of commercial interests.
Also in July, the House passed several cybersecurity-related bills, the most prominent being the National Cybersecurity and Critical Infrastructure Protection Act (“NCCIPA”). The NCCIPA allows the U.S. Department of Homeland Security to coordinate and share cybersecurity information with federal, state, and local government entities as well as private entities and the critical infrastructure sector through the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The House also passed the Critical Infrastructure Research and Development Act – designed to promote cybersecurity research and development – and the Homeland Security Cybersecurity Boots-on-the-Ground Act – designed to improve and evaluate the workforce performing cybersecurity-related duties. These bills must now go to the Senate.
II. The NIST Issued its Long-Awaited Cybersecurity Framework.
In early 2013, President Obama signed an executive order calling for increased information sharing between the federal government and the private sector regarding cybersecurity threats and policies. The order also called for the development of a voluntary cybersecurity program for owners and operators of critical infrastructure organizations (such as telecommunications, financial, and energy companies), and the National Institute for Standards and Technology (“NIST”) was required to oversee the development of the framework, which would include a “set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”
NIST released its long-awaited Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) in February 2014. The Framework has three major focal points: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.
First, the Framework Core identifies five cybersecurity functions: identify, protect, detect, respond, and recover. The Framework breaks these general functions into categories and subcategories which contain specific, narrow cybersecurity objectives based on pre-existing policies, practices, and industry standards. Next, the Framework Implementation Tiers classify organizations (according to their cybersecurity sophistication) into four tiers ranging from those organizations with informal, reactive cybersecurity programs to those with systematic programs that are proactive and risk-informed. NIST recognized that not all organizations will be optimally served by the highest tier of cybersecurity program. For some organizations, for example, the additional protection will not justify the expense. Finally, the Framework outlines cybersecurity Profiles, which companies can use to understand their own current cybersecurity profile and to create a target profile. The Framework Profiles reference back to the Framework Core and therefore permit an organization to compare its policies and procedures to relevant industry standards.
The Framework, along with its supporting programs, constitutes a major step in the progression toward a unified approach to cybersecurity analysis. Although the Framework is currently voluntary, government officials are already contemplating the possibility that the Framework could become mandatory for government contractors. At a minimum, the Framework is expected by many to serve as a benchmark to determine the adequacy of an organization’s cybersecurity efforts, either in litigation arising from a cybersecurity incident or otherwise. The White House has also issued a report that outlined potential incentives that may become available to companies that adopt the Framework. Those incentives could be so enticing as to make failure to adopt the Framework impractical.
III. The White House Issued a Report on Big Data and an Executive Order on Cybersecurity.
In May 2014, the White House released its big data report, Big Data: Seizing Opportunities, Preserving Values. The report is the product of a 90-day comprehensive review of the current and future impact of big data on the public and private sectors, and offers policy recommendations for dealing with the challenges presented by big data. Although difficult to encompass in a single definition, big data can be characterized as data generated from digital sources that is so large in volume, diverse in variety, and moving with such velocity that traditional tools of data analysis are inadequate.
The report focuses on finding the proper balance between realizing the benefits of big data without compromising individual privacy. Regarding the public sector, the report highlights the benefits of big data in creating a more efficient and more responsive government, while acknowledging the potential abuses of big data and the possible expansion of the government’s power over its citizens. In its analysis of the private sector, the report emphasizes the importance of big data as a vehicle for economic growth and innovation, but also highlights the privacy risks to consumers. The report offers recommendations for legislation dealing with the use of big data and consumer privacy, a national data breach notification standard, and antidiscrimination efforts to be led by civil rights and consumer protection agencies. In anticipation of potential policy changes spurred by the report, it is important for businesses that collect and use big data to ensure that their uses do not have discriminatory effects and to be vigilant about protecting consumer privacy.
In October 2014, President Obama signed an executive order, “Improving the Security of Consumer Financial Transactions,” aimed at improving cybersecurity and protecting victims of identity theft. Pursuant to the order, government-issued credit and debit cards must be equipped with chip-and-PIN technology – and payment processing terminals at government agencies must accept this technology – beginning in January 2015. (The private sector has already been moving toward chip-and-PIN technology because, beginning in October 2015, the credit card industry will impose heightened liability on breached merchants that have not adopted it. Indeed, Target, Home Depot, Walgreens, and Wal-Mart recently announced that they will be rolling out the technology over the next few months.) The order also requires government agencies to adopt measures that will make it easier for consumers to report and remediate identity theft, and mandates the creation of a plan to “ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
IV. States Added and Amended Breach Notification Laws.
Kentucky enacted a breach notification law this year (becoming the 47th state to do so), and Florida and California revised their existing notification laws to broaden coverage and strengthen existing notification requirements.
- Kentucky Adopted a Breach Notification Law.
Kentucky’s law – H.B. 232 – went into effect on July 15, 2014 and is substantially similar to statutes existing in other states. In general terms, the statute requires disclosure of an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information (as that term is defined in the statute) maintained by the information holder that actually causes, or leads the information holder to reasonably believe it has caused or will cause identity theft or fraud against a Kentucky resident. Following the passage of this law, Alabama, New Mexico, and South Dakota are the only states in the nation that do not have a general data breach notification law.
- Florida Adopted Sweeping Changes to its Breach Notification Law.
Florida made substantial changes to its breach notification law with the Florida Information Protection Act of 2014 (“FIPA”). The law, which went into effect on July 1, 2014, expanded the definition of personal information under the previous law to include an individual’s first name or first initial and last name in combination with (i) medical information or (ii) health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, as well as user names or email addresses in combination with a password or security question and answer that would permit access to an online account. Fl. Stat. § 501.171.
FIPA also changed the definition of a “breach” from “unauthorized acquisition” to “unauthorized access” of data in electronic form containing personal information, a change which arguably broadens the applicability of the statute. The law also imposed a 30-day requirement to notify individuals of a breach, creating one of the strictest timing requirements in the nation. The law does, however, incorporate a risk of harm analysis. If a breach will not likely result in identity theft or financial harm to affected individuals, notification is not required. This determination must be documented in writing, maintained for 5 years, and provided to the attorney general within 30 days.
FIPA also requires notification to the State Department of Legal Affairs of the attorney general if a breach affects 500 or more individuals in Florida. The notification has specific requirements, such as a synopsis of the events surrounding the breach and the number of individuals in the state who were affected. Upon request, the reporting entity must provide additional documentation, such as a police report, incident report, or computer forensics report and copies of its internal policies regarding breaches. Notification must be made to consumer reporting agencies if the entity discovers circumstances requiring notice of more than 1,000 Florida residents.
- California Amended its Data Breach Law.
In early October, California’s Governor signed into law an amendment to the state’s breach notification law. The amendment expands the law to apply to entities that maintain personal information about California residents, instead of only to those entities that own or license the information. Although the language is somewhat ambiguous, the amendment also may require the person or business that was the source of the breach to provide appropriate identity theft prevention and mitigation services to affected persons at no cost for at least 12 months. Further, the amendments prohibit the sale, advertisement for sale, or offer to sell an individual’s social security number, except as specified. These amendments are important because California was the first state to adopt a breach notification law, and that law quickly became the model for laws adopted in nearly all 50 states.
I. Insurance Coverage for Cyber Incidents Is Increasingly Debated.
One of the best defenses against the financial impact of a data breach is an effective risk transfer mechanism such as insurance. In early 2014, insurance companies, policy holders, and courts continued to struggle with coverage issues related to cybersecurity and privacy. Meanwhile, insurance carriers continue to market new policy forms aimed specifically at cyber incidents while also issuing new policy endorsements to exclude such coverage under traditional policy forms.
I. Cyber Fraud Claims under Coverage B of a General Liability Policy.
- Publication Requires an Act or Conduct by the Policy Holder.
In Zurich American Insurance Co. v. Sony Corporation of America, No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014), a New York trial court ruled that Zurich American Insurance Company (“Zurich”) had no duty to defend Sony Corporation of America (“Sony”) in over 50 class action lawsuits arising from a data breach in 2011. Coverage B (Personal and Advertising Injury) in Zurich’s policy protected the insured from liability arising out of the “oral or written publication, in any manner, of material that violates a person’s right of privacy.” While the court acknowledged that a “publication” occurred when hackers penetrated Sony’s secured sites and accessed private customer information, the court concluded that Zurich’s policy required “an act or some kind of act or conduct by the policyholder in order for coverage to be present.” Because the “publication” of private information was perpetrated by third-party hackers, and not Sony, Judge Oing ruled that Zurich had no duty to defend. The case is currently on appeal.
- No Publication Occurs When There Is No Evidence that Information was Accessed.
In Recall Total Information Management, Inc. v. Federal Insurance Company, 83 A.3d 664 (Conn. App. Ct. 2014), a Connecticut court of appeals held that the loss of private information is not a “publication” where there is no evidence that the information was accessed by third parties or the public. The case involved Recall Total Information Management, Inc. (“Recall”), a data storage company hired by IBM to transport sensitive employee information. The information was stored on tapes, which were lost when they fell off a van near a highway exit ramp. IBM sued Recall for expenses IBM incurred in mitigating the effects of the loss, including free credit monitoring and credit restoration for its employees. When Recall sought coverage for its liability arising out of the publication of private information, Federal Insurance Company (“Federal”) denied coverage.
Federal prevailed at trial and on appeal, largely because Recall presented no evidence that any third-parties ever accessed the information or that any identity theft could be traced to the loss. Recall’s commercial liability policy covered “personal injury” liability arising out of the “publication of material that … violates a person’s right to privacy.” The court of appeals reasoned that, since there was no evidence that anyone accessed the lost tapes, no “publication” occurred. Additionally, the court determined that, even assuming the mere loss of confidential employee information constitutes a “publication,” IBM is not a “person” for purposes of privacy rights and thus cannot have suffered any “personal injury” as required by the policy’s terms.
- There May be Coverage Despite Policy Exclusion for Violation of Privacy Rights.
A federal district court in California dismissed a suit by Hartford Casualty Insurance Company (“Hartford”), which was seeking to deny defense to and avoid indemnifying its insured, Corcino & Associates (“Corcino”), in connection with two privacy suits involving the online publication of medical records, notwithstanding a policy exclusion denying liability for “violation of a person’s right of privacy created by any state or federal act.” See Hartford Cas. Ins. Co. v. Corcino & Assocs., No. CV 13-3728 GAF (JCx), 2013 U.S. Dist. LEXIS 152836 (C.D. Cal. Oct. 7, 2013).
Corcino provided a job applicant with the confidential medical information of almost 20,000 individuals to test the applicant’s ability to perform certain employment-related tasks with the data. The applicant posted the information on a public website seeking assistance with the test. Plaintiffs later discovered the information and named Corcino in two lawsuits alleging violations of constitutional and common law privacy rights and claims under California’s Confidentiality of Medical Information Act (“CMIA”) and the Lanterman Petris Short Act (“LPSA”).
Hartford’s commercial general liability policy insured against liability for Personal and Advertising Injury, including liability arising out of the “electronic publication of material that violates a person’s right of privacy.” The policy excluded liability for “violation of a person’s right of privacy created by any state or federal act.”
The district court dismissed Hartford’s declaratory judgment action, finding that even though the plaintiffs’ claims were made under the CMIA and LPSA, the CMIA and LPSA merely codify existing health information privacy rights granted under California’s common law and constitution. Thus, the court concluded, any relief awarded to the plaintiffs was covered, rather than excluded, under the insurance policy.
II. New TDI ISO Endorsement Largely Excludes Coverage for Data Breach Liability.
Effective May 1, 2014, in many jurisdictions, commercial general liability policies include a new ISO form endorsement (CG 21 06 05 14) that largely excludes coverage for data breach liability. The endorsement expands the existing Electronic Data exclusion to encompass all damages arising out of the “access or disclosure of any person’s or organization’s personal information including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The endorsement states that it applies even if damages are for notification costs, credit monitoring expenses, forensic expenses and public relations expense.
J. Individual Businesses and Industries are Fighting Back.
With major breaches being announced on a regular basis, industry leaders are taking steps to arm themselves, and the government is increasingly focused on offering companies the weapons, information, and guidance they need to fight cybercrime.
I. Retail and Oil Industries Announced New Information Sharing and Analysis Centers.
The retail industry and the oil and natural gas industry have responded to the recent wave of cyber attacks by launching Information Sharing and Analysis Centers (“ISAC”), which will aggregate, analyze and distribute information regarding cyber threats to their respective industries. ISACs enable members to share cyber threat information with each other and also provide anonymous tips to federal agencies, including the U.S. Department of Homeland Security, U.S. Secret Service, and the Federal Bureau of Investigation. There are now seventeen industry-specific ISACs, including centers for financial services, defense, and electric firms.
II. Target Announced its Own Cybersecurity Initiative.
Since announcing an extensive breach of its payment card system during the holiday season of 2013, Target, Inc. has promised to invest $5 million in a multi-year campaign to “educate the public on the dangers of consumer scams.” The company has also promised to “accelerate the conversation–among customers, retailers, the financial community, regulators and others–on adopting newer, more secure technologies that protect consumers and push for stronger protections against data breaches.”
III. FBI Developed a Malware Analysis System.
The Federal Bureau of Investigation (“FBI”) has launched a malware analysis system, called Malware Investigator, that allows companies to report malware attacks, upload malware samples for analysis, and rapidly receive “customizable technical reports” on the threats posed by those samples. Companies can find the system, which is not yet available to all users, at malwareinvestigator.gov.
IV. Federal Financial Institutions Examination Council Launched a Webpage Dedicated to Cybersecurity.
The Federal Financial Institutions Examination Council (“FFIEC”) recently launched a web page that is intended to create a repository of cybersecurity documents and guidance. The web page is a joint effort with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. The FFIEC has also indicated that member agencies will begin incorporating cybersecurity assessments into the examination process by the end of 2014.
V. The DOJ and FTC Issued a Joint Statement Regarding Information Sharing.
In a joint policy statement released on April 10, 2014, the DOJ and the FTC officially encouraged companies, including direct competitors, to share cyber threat information with one another, taking the position that “properly designed sharing of cyber threat information should not raise antitrust concerns.” The joint statement dovetails with the approach of President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity, which also encouraged the sharing of information regarding cyber threats. The DOJ/FTC statement also highlights the increasing private and public concern over cyber threat vulnerability, which is quickly becoming what the White House has called “one of the most serious economic and national security challenges we face as a nation.”
In early October, the DOJ announced in a business review letter to CyberPoint International LLC that it would not challenge CyberPoint’s development of a cyber intelligence data-sharing platform known as TruSTAR. According to a DOJ press release, TruSTAR is designed to collect “specific and highly technical cyber-threat information, including current attack actors, targets of attack, contextual information regarding threats, and remediation solutions” and provide “a community forum for members to anonymously collaborate with their peers on cyber threats and techniques for responding to them.”