NY Cybersecurity Regs Could Spur Legal Work Nationwide

Orange County Partner Scott Lyon was recently quoted in Corporate Counsel’s article “NY Cybersecurity Regs Could Spur Legal Work Nationwide.” The article examines New York’s newly proposed cybersecurity regulations for financial institutions and insurers. Please click here to read the full article. (Subscription required)

Article III Standing Is Not the Only Hurdle in Data Breach Litigation – So Say the Seventh Circuit Courts

In the past week, two different Illinois federal courts have given financial institutions and merchants a second chance to try to allege claims arising from data breaches that can withstand the rigors of a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6).

In Community Bank of Trenton et al. v. Schnuck Markets Inc., case number 3:15-cv-01125, in the U.S. District Court for the Southern District of Illinois, the Court distinguished this case (“Schnuck Market”) from other Seventh Circuit cases, namely Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), as well as Irwin v. Jimmy Johns Franchise, LLC, 2016 WL 1355570 (C.D. Ill. 2016) and In re Barnes and Noble Pin Pad Litigation, 2013 WL 47595888 (N.D. Ill. 2013), noting that there is a “critical distinction” between claims brought by financial institutions and claims brought by the merchant’s customers. The Court reasoned that there is a distinction between consumer actions identifying “tangible harms,” such as fraudulent charges, fees, and costs incurred for theft monitoring services, and general allegations of harm. While the financial institutions alleged that they incurred “and will continue to incur costs to: cancel and reissue cards; close and reopen accounts; notify customers; and, investigate and monitor for fraud,” the Court found those allegations of harm to be general.

With the exception of two claims under Illinois law (which were dismissed with prejudice), it was these “generalities” that led to the dismissal without prejudice of the remaining claims, not the merits of the purported claims. Thus, unlike many of the consumer data breach lawsuits, where the courts are asked to address whether the plaintiffs can establish Article III standing, it is important to note that the court in Schnuck Market did not address this issue. This makes Schnuck Market distinguishable from the recent Home Depot decision (In re Home Depot, Inc., Customer Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga. 2016)), where the court denied Home Depot’s motion to dismiss the financial institutions’ claims on Article III standing, as well as on other grounds. Home Depot is seeking an interlocutory appeal from that decision. It remains to be seen whether the financial institutions in Schnuck Market will be able to convince Judge Reagan to let them proceed with their claims against the merchant once they file their amended complaint. As such, this case warrants further monitoring to see how any future rulings compare with those in the Home Depot case. As it stands, the Schnuck Market decision serves as a guide to financial institutions about how to plead their case if they want it to stand in federal court.

In Barnes & Noble Pin Pad Litigation, No. 1:12-cv-08617, the U.S. District Court for the Northern District of Illinois followed Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) and found that Plaintiffs met their burden in pleading an injury in fact under Seventh Circuit precedent and denied defendant’s rule 12(b)(1) motion to dismiss. However, the district court granted defendant’s 12(b)(6) motion to dismiss, which is also consistent with Seventh Circuit precedent. In Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), the Seventh Circuit noted at oral argument on January 13, 2016, that “there is a big difference between whether there is Article III standing on the one side and whether a claim has been stated on the other side [and] the Neiman Marcus case makes that very clear. So maybe there is standing but you may just fail to state a claim on which relief can be granted.” In the P.F. Chang case, the Seventh Circuit did not address defendant’s rule 12(b)(6) motion because that issue was not raised on appeal.

Unlike a rule 12(b)(1) motion, which addresses a court’s subject matter jurisdiction, a rule 12(b)(6) motion is a factual challenge to a plaintiff’s claim. Also, under Iqbal, while the court should assume the truthfulness of a plaintiff’s factual allegations, in a rule 12(b)(6) motion the court need not accept plaintiff’s legal conclusions as true.

In a nutshell, the Barnes & Noble court rejected 4 of the 5 counts in the complaint based on the court’s finding that plaintiffs failed to plead “any economic damages whatsoever” (i.e., injuries or actual damages), which the court deemed fatal to their cause of action. Notably, the court rejected plaintiffs’ arguments that overpayment for goods at Barnes & Noble, or the loss of the value of Plaintiffs’ personally identifiable information (“PII”), represent actual recoverable economic damages sufficient to state a claim under 12(b)(6). The court also highlighted that Plaintiffs did not allege that they had lost money from unauthorized withdrawals or bank fees.

On the invasion of privacy claim, the court noted that plaintiffs failed to allege that there was a public disclosure within the meaning of the common law cause of action under Illinois law. In particular, the complaint did not contain allegations that the exposed PII was widely published (“in fact, even reading the Amended Complaint broadly, the only people who would have had access to the stolen PII would be the skimmers, and potentially whatever third parties to which they sold the PII.”)

Thus, the significance of this ruling is that it echoes what the Seventh Circuit said in the Neiman Marcus and P.F. Chang cases: while Plaintiffs may get around the standing hurdles, they may nonetheless fail to meet the rule 12(b)(6) pleading standards, since they still face factual pleading challenges to their claims, particularly relating to sufficiently pleading economic damages.

Both Schnuck Market and Barnes & Noble warrant further monitoring to see whether the plaintiffs in those cases can file amended pleadings that can survive a dispositive motion to dismiss.

Bankruptcy Attorney Has No Standing to Bring Class Action Discrimination Suit Against Card Processor

A recent decision by the United States District Court in Robert E. White v. Square, Inc., (N.D. Cal. 2016) provides an interesting discussion of the standing requirements for the assertion of discrimination claims against online businesses pursuant to the California Unruh Civil Rights Act.

Key Facts

The defendant provided point of sale processing of debit and credit card transactions on smartphones and computer tablets. The service allowed individuals and businesses to accept electronic payments without directly creating and maintaining merchant accounts. In order to subscribe to these services, users were required to create an online account pursuant to a seller agreement, which required specific confirmation that no payments would be processed for certain business activities, including transactions with bankruptcy attorneys or collection agencies engaged in the collection of debt.

The plaintiff, a bankruptcy attorney, filed a class action suit against the card processor for unlawful discrimination after learning of the specific prohibition against bankruptcy attorney transactions. The class action complaint was brought under California’s Unruh Civil Rights Act, which generally prohibits arbitrary occupational discrimination.

The bankruptcy attorney did not attempt to subscribe to the service by creating an online account, nor was he denied the service after attempting to process payments for his bankruptcy services. Instead, the attorney alleged that he was dissuaded from seeking to become a customer based on his awareness of the card processor’s prohibition against the processing of payments to bankruptcy attorneys.

Procedural History

The suit was filed after the court had dismissed an earlier suit brought by a different bankruptcy law firm. In that earlier suit, the law firm had signed up for the card processing service, but the account was terminated after the card processor learned that the firm was violating the service agreement. The court dismissed that suit and sent the parties to arbitration because the online subscriber agreement contained an arbitration clause requiring the parties to arbitrate their dispute.

In the new suit, the bankruptcy attorney alleged that he was a personal friend and colleague of the two partners of the law firm that had commenced the first action. He further alleged that he had read the court’s file for the first action and learned of the card processor’s allegedly discriminatory practices. He also alleged that he had visited the processor’s website on several occasions with the intent of subscribing, but refused to click on the link to open an account based on his knowledge of the processor’s prohibition against bankruptcy attorney transactions.

California Unruh Civil Rights Act

The suit was filed pursuant to the California Unruh Civil Rights Act, which guarantees “full and equal accommodations, advantages, facilities, privileges, or services in all business establishments” regardless of race, color, religion, ancestry, national origin, disability, medical condition, marital status or sexual orientation. The Act also specifically provides that no business establishment shall discriminate against or refuse to contract with persons who have one or more of these characteristics. Courts have interpreted this Act as also generally prohibiting any arbitrary occupational discrimination.

The Act imposes actual damages for each offense, along with possible treble damages, but not less than $4,000 for each violation, plus attorney’s fees.

Key Arguments

The processor moved to dismiss the new suit arguing that the attorney was a mere bystander who had not suffered any asserted discrimination because he had not attempted to create an online account, and thus was never rejected or terminated pursuant to the allegedly discriminatory policy. The processor also alleged that the suit was an improper attempt to sidestep the arbitration requirement which was a stated term of the subscriber agreement that must be executed as a condition to creating the online account.

The bankruptcy attorney urged the court to reject the processor’s “no click/no standing” defense, asserting that he had at least attempted to subscribe to the card processor’s service within the meaning of the law. The attorney also argued that he should not be required to engage in the “futile gesture” of subjecting himself to the actual discrimination, i.e., refusal of service or termination of the online account, as a condition to bringing the suit.

Court’s Ruling

The court dismissed the suit for lack of standing after finding that the attorney had not suffered a cognizable injury under the statute because he had not tendered the purchase price to the processor and was not refused service. The court followed a California state appellate decision upholding the dismissal of discrimination claims by a male plaintiff against an internet dating service that offered certain free services to women, but not to men, after finding that the male plaintiff lacked standing to sue because he had never subscribed to the dating service.

The court also rejected application of the “futile gesture rule” to California’s Unruh Act.

The bankruptcy attorney has recently moved for reconsideration based on certain newly discovered evidence.

Social Engineering Cons: Which Insurance Policy Pays?

New York partner Laurie Kamaiko was published in the article, “Social Engineering Cons: Which Insurance Policy Pays?” published September 25, 2016, in Carrier Management. Ms. Kamaiko provides an overview of the coverage debate and court rulings to date, which include coverage for cyber crimes, creating cyber policies and covering the gaps in coverage with the increase of these types of crimes.

Snowden, The Espionage Act and The Media

Concurrent with the release of Oliver Stone’s film starring Joseph Gordon-Levitt have come a number of calls for President Obama to pardon Edward Snowden for his violations of the Espionage Act. There has been a good deal of editorializing on the issue by various media outlets. The New York Times, for example, published an op-ed calling for a pardon. The Washington Post editorial board, on the other hand, while acknowledging that Snowden’s actions have produced some public benefits, has taken the position that Snowden should stand trial on espionage charges or, as a “second-best solution,” accept “a measure of criminal responsibility for his excesses and the U.S. government offers a measure of leniency.” The Post’s position was not lost on Glenn Greenwald (played in the movie by Zachary Quinto), who wrote in The Intercept that the Post “has achieved an ignominious feat in U.S. media history: the first-ever paper to explicitly editorialize for the criminal prosecution of its own source.” So why is Snowden, who gave this information to several media entities, likely facing the choice of long-term residency in Moscow or trial for violation of the Espionage Act, while the Post, which published much of this information to a worldwide audience, is the recipient of a Pulitzer Prize?

The issue of prosecution of a media entity on espionage charges for publishing classified information has never been squarely addressed. The Espionage Act was directly invoked against the press by the Nixon Administration in an effort to obtain an injunction to prevent publication of what are now known as the Pentagon Papers — classified documents relating to Vietnam policy leaked by defense analyst Daniel Ellsberg that showed material inconsistencies between the government’s public assertions and private misgivings regarding a successful conclusion of the war. The government’s lawsuit invoked as statutory authority for injunctive relief section 793(e) of the Espionage Act, which makes it unlawful for anyone who has “unauthorized possession of” information “relating to the national defense” with “reason to believe [it] could be used to the injury of the United States or to the advantage of any foreign nation” to “willfully communicate” the information to persons not entitled to receive it. Accordingly, when the case reached the Supreme Court, the issue was not whether the press could be criminally prosecuted under the Espionage Act but, rather, whether the government was entitled to a prior restraint on publication. The Court, in a very brief per curiam order, ruled that the government had not met its burden of showing that it was entitled to an injunction against publication of newsworthy information.

The concurring and dissenting opinions showed a wide divergence on the underlying issues, however, and Justices Stewart, White and Marshall suggested (in dicta) that the press could be prosecuted after-the-fact. As Justice White put it, “failure by the Government to justify prior restraints does not measure its constitutional entitlement to a conviction for criminal publication. That the Government mistakenly chose to proceed by injunction does not mean that it could not successfully proceed in another way. . . . I would have no difficulty in sustaining convictions under these sections on facts that would not justify the intervention of equity and the imposition of a prior restraint.”

The legal terrain of this issue has been further formed by the cases of Steven J. Rosen and Keith Weissman, officials with the lobbying group American Israel Public Affairs Committee (“AIPAC”) who were charged under Espionage Act sections 793(d) (unauthorized possession of national defense information transmitted to unauthorized recipients) and 793(g) (conspiracy). The leaker was Lawrence Franklin, an official working in the Office of the Secretary of Defense, who orally transmitted the information to Rosen and Weissman. Franklin pleaded guilty under these same sections. U.S. District Court Judge T.S. Ellis denied Rosen’s and Weissman’s motion to dismiss the indictment, holding the Espionage Act was constitutional on its face and as applied to Rosen and Weissman. However, Judge Ellis rejected the government’s argument that no First Amendment issue was presented by such an indictment, holding that “the mere invocation” of national security or government secrecy does not foreclose a First Amendment inquiry, and that the analysis was dependent upon the circumstances in which the act was done. He held that (1) the term “information related to the national defense” was limited to information “closely held” by the government, (2) the Espionage Act applies only to disclosures, and (3) the government must prove that the defendant acted with the specific intent to violate the statute. Further, where a prosecution rests on the catch-all phrase “other information related to the national defense” and involves intangible information (here, orally transmitted information as opposed to specific documents), the government must prove that the defendant subjectively intended “to either harm the United States or to aid a foreign government.” The government, on the basis of these heightened intent requirements, eventually had the cases against Rosen and Weissman dismissed.

Rosen and Weissman, as mentioned, were lobbyists. Closer to the issue of potential media liability under the Espionage Act are the releases of classified documents by Wikileaks. While Julian Assange, the founder and “editor in chief” of Wikileaks, like Snowden, has passionate supporters and detractors, unlike Snowden, Assange himself was not the leaker – that was largely done by Chelsea (fka Bradley) Manning, who is currently serving time in Fort Leavenworth for (among other things) violation of the Espionage Act. To date, Assange has not been indicted for violations of the Espionage Act, despite calls to label Wikileaks a “terrorist organization” and rumors of a secret grand jury.

While one might justly refuse to put Wikileaks and the Washington Post in the same category, in the current media environment it is increasingly difficult to draw a line between “the press” and any number of online blogs and other disseminators of information and opinion — a difficulty which has impacted many legal issues notably including “shield laws” that give qualified protection to “the media” from having to testify and/or disclose sources to prosecutors and law enforcement.

In terms of applicability of the Espionage Act, both Wikileaks and the Washington Post have put copies of the leaked documents online where they can be viewed by anybody, including hostile powers. Thus both appear to have intended to disseminate, and did disseminate, tangible documents related to the national defense to people not entitled to receive or possess them; at least some of these documents were both secret and objectively of a kind whose disclosure had the potential to harm the security of the United States; and both entities were aware of the secret nature of the documents. If this could be proven, then under Judge Ellis’ formulation, the only remaining element under the government’s burden would be whether they, respectively, knew that disclosure of the documents “was illegal, but proceeded nonetheless”—that they acted with a purpose either to disobey or to disregard the law.

The Washington Post and the Guardian, the New York Times, and The Intercept, the four news organs that received and published large numbers of secret documents provided by Snowden, would no doubt urge that their intent was to bring necessary sunshine to what has been widely held to be illegal activity on the part of the government and to promote government by the people. It goes without saying that Snowden and Assange have articulated the same goals.  Snowden, as the leaker, is in a different category, and as an employee of a government contractor, has lower First Amendment protections, if any at all.  The odds of the Washington Post being prosecuted for violating the Espionage Act appear, at present, vanishingly small.  But these odds would appear to be greater than zero.  The Supreme Court decision in Bartnicki v. Vopper, which arose under the Federal Wiretap Act, holds that “a stranger’s illegal conduct does not suffice to remove the First Amendment shield about a matter of public concern.”  However, this holding may not address the issue raised by Justice White in his concurring opinion in the Pentagon Papers case that a publisher’s actions in and of themselves may be illegal under the Espionage Act.  I am left humming to myself the lyrics to a song by Elton John and Bernie Taupin – “keep your auditions for somebody who hasn’t got so much to lose, ’cause you can tell by the lines I’m reciting, that I’ve seen that movie, too.”

Sovereign Immunity Shields Native American Tribes from Fair Credit Reporting Act Liability

In 2014, Jeremy Meyers used his credit card to make purchases at the Green Bay Oneida Travel Center and Oneida One Stop retail locations, owned and operated by the federally‐recognized Oneida Indian tribe. He received electronically printed receipts that included more than the last five digits of his credit card and the card’s expiration date.

Meyers alleged, in a putative class action filed in April 2014, that the Tribe issued these receipts in violation of the Fair and Accurate Credit Transactions Act (FACTA), which states that “[n]o person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g)(1). FACTA defines a person as “any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.”
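The truncation rule quoted above is, at bottom, an output-formatting requirement on the point-of-sale system, so the following is an added example (not part of the original post and not drawn from the Meyers record) of how a receipt printer can satisfy it and how printed receipt text can be checked against it. The merchant name, amount, test card number and expiration date are constructed sample values; the receipt layout and the `receipt_violations` check are this example's own design.

```python
import re
from typing import List

# Constructed sample card data for this example: a publicly documented test PAN, not a real account.
SAMPLE_PAN = "5105 1051 0510 5100"
SAMPLE_EXPIRY = "12/19"

# Section 1681c(g)(1) permits at most the last five digits of the card number on the receipt.
MAX_VISIBLE_DIGITS = 5


def mask_pan(pan: str, keep: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the card number with every digit except the last `keep` replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("implausible card number length")
    return "*" * (len(digits) - keep) + digits[-keep:]


def render_receipt(merchant: str, amount: str, pan: str, expiry: str, *, truncate: bool = True) -> str:
    """Build the cardholder receipt text.

    truncate=True produces the truncated form; truncate=False reproduces the kind of
    receipt at issue in Meyers (too many card digits plus the expiration date printed).
    """
    lines = [merchant, f"Amount: {amount}"]
    if truncate:
        lines.append(f"Card: {mask_pan(pan)}")
    else:
        lines.append(f"Card: {pan}")
        lines.append(f"Exp: {expiry}")
    return "\n".join(lines)


# Matches MM/YY or MM/YYYY, the usual printed expiration formats.
_EXPIRY_PATTERN = re.compile(r"\b(0[1-9]|1[0-2])/\d{2}(\d{2})?\b")


def receipt_violations(receipt: str, pan: str, expiry: str) -> List[str]:
    """Check rendered receipt text against the two statutory rules.

    Returns a list of human-readable problems; an empty list means the receipt
    prints no more than the last five card digits and no expiration date.
    """
    problems = []
    pan_digits = re.sub(r"\D", "", pan)
    window = MAX_VISIBLE_DIGITS + 1
    # Any run of six or more consecutive PAN digits on one line is more than the law allows.
    pan_windows = {pan_digits[i:i + window] for i in range(len(pan_digits) - window + 1)}
    for line in receipt.splitlines():
        line_digits = re.sub(r"\D", "", line)
        if any(w in line_digits for w in pan_windows):
            problems.append(f"more than the last {MAX_VISIBLE_DIGITS} card digits printed: {line!r}")
            break
    if expiry in receipt or _EXPIRY_PATTERN.search(receipt):
        problems.append("expiration date printed")
    return problems


if __name__ == "__main__":
    for truncate in (False, True):
        text = render_receipt("Example Books #42", "42.50", SAMPLE_PAN, SAMPLE_EXPIRY, truncate=truncate)
        print(text)
        print("violations:", receipt_violations(text, SAMPLE_PAN, SAMPLE_EXPIRY) or "none", "\n")
```

The check works on the rendered text rather than on the data passed to the printer, because the defect in Meyers was in what the receipt actually showed; running it over a sample of printed receipts is a cheap way to catch a terminal or template that was configured without truncation.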

U.S. District Judge William C. Griesbach granted the tribe’s motion to dismiss the suit in September 2015, finding Congress did not waive Native American tribes’ immunity in the FCRA because the tribes are not mentioned in the statute. The district court also found Meyers failed to state a claim because he did not suffer an injury from the information being printed on the receipts.

Meyers appealed the district court decision, arguing that Native American tribes should be treated as governments under FACTA, claiming the court made previous exceptions to sovereign immunity in similar cases and separately found that immunity is not available to “any government” under the FCRA.

The tribe argued that because the Fair and Accurate Credit Transactions Act does not specifically mention Native Americans, U.S. District Judge William C. Griesbach rightly tossed the suit in September, and courts are prohibited from assuming Congress wanted to undermine sovereign immunity unless that intention is made plain.

“Congress did not clearly, unequivocally and unambiguously reference Indian tribes when it enacted the FCRA and FACTA and, therefore, it has not evinced an intent to waive a tribe’s sovereign immunity,” the tribe said in its brief.

The Oneida tribe also argued that substantial statutory damages from the proposed class action would affect the tribe’s right to self-governance and deprive the tribal treasury of essential funds for member services. The tribe also contended that if Congress had intended FACTA to apply to tribes, it would have explicitly included Native American tribes under the amendment’s definition of “person,” as it did in the Fair Debt Collection Practices Act, but Meyers contended that precedent shows otherwise.

The Seventh Circuit affirmed, noting that whether a tribe is subject to a statute and whether the tribe may be sued for violating the statute are two different questions. Any ambiguity must be resolved in favor of immunity; “government or governmental subdivision or agency” does not unambiguously refer to tribes.

“Meyers argues that the district court dismissed his claim based on its erroneous conclusion that Indian tribes are not governments … [but] misses the point,” the circuit court panel said. “The district court did not dismiss his claim because it concluded that Indian tribes are not governments. It dismissed his claim because it could not find a clear, unequivocal statement in FACTA that Congress meant to abrogate the sovereign immunity of Indian tribes.”

House Committee Report Details Extent of OPM Security Failures Resulting In Breach of Over 30 Million Records

According to a report by the Republicans on the U.S. House Oversight & Government Reform Committee, the hack of the Office of Personnel Management (OPM) was the direct result of the agency’s long-standing failure to properly “prioritize cybersecurity and adequately secure high value data.”

The breach, which has been attributed to at least two Chinese government operatives, resulted in the exfiltration of personnel files of 4.2 million former and current government employees, security clearance background investigations on 21.5 million individuals, and fingerprint data on 5.6 million people. The background checks, which “are designed to identify the type of information that could be used to coerce an individual to betray their country,” included information on applicants’ work histories, home addresses, financial information, and the names of relatives. Among the extremely sensitive information included in security clearance background checks was treatment information for mental or emotional health conditions, information on alcohol abuse or illegal drug use, and financial information relating to applicants’ gambling habits.

In addition to making multiple findings regarding the cause of the breach, the 241-page report also provided a detailed chronology of the attack. Beginning in November 2013, one of the two attackers (“Hacker X1”) began engaging in adversarial activity on OPM’s network. On March 20, 2014, US-CERT (Computer Emergency Readiness Team) alerted OPM that Hacker X1 was exfiltrating data (including manuals and IT system architecture information) from OPM’s network. The two agencies developed a strategy to monitor Hacker X1’s movements in order to gather counterintelligence. However, on May 7, 2014, a second attacker (“Hacker X2”) succeeded in gaining a foothold in OPM’s network by posing as a background investigations contractor, using OPM credentials to remotely access OPM’s network and install malware to create a network backdoor. The report notes that “OPM did not identify [Hacker X2]’s May 7 foothold despite the fact that OPM was monitoring and removing [Hacker X1]” from the network.

On May 27, 2014, after OPM observed Hacker X1 load a keylogger onto several database administrators’ workstations with access to the PIPS system (holding background investigation data), OPM executed its “Big Bang” plan, shutting down its compromised systems in order to remove Hacker X1 from the network. However, the undetected Hacker X2 continued to move freely through the OPM network, installing malware on a KeyPoint web server, registering opmlearning.org as its command-and-control center for malware operations, and conducting an RDP (remote desktop protocol) session in June 2014. By July 2014, OPM thought that it had fully resolved the breach, disclosing to the New York Times that an exfiltration had occurred in March 2014 but stating that no PII (personally identifiable information) had been lost and without disclosing the exfiltration of the IT manuals. During this same time, Hacker X2 began exfiltrating the background investigation data from the OPM environment in the Department of the Interior’s (DOI) data center. By December 2014, 4.2 million personnel records had been exfiltrated from OPM’s network and DOI’s databases. As of March 26, 2015, Hacker X2 began downloading the stored fingerprint data as well. On or about April 18, 2015, a vendor’s deployment of an endpoint detection tool resulted in the discovery of widespread malicious activity in the OPM network. By April 23, 2015, OPM had concluded that there had been a “major incident” involving the exfiltration of personnel records, pursuant to which it notified Congress on April 30, 2015. On June 4, 2015, OPM briefed the media and issued a press release disclosing the release of 4.2 million records on current and former federal employees, which resulted in the filing of multiple lawsuits that have since been consolidated as a multidistrict litigation in D.C.’s federal circuit.

The report’s ire was focused squarely on OPM’s lax security protocols dating back to at least 2005. It notes that the OPM Inspector General had been warning the agency since at least 2005 that its vast treasure trove of valuable information was vulnerable to hackers. According to the report, “OPM consistently reported spending less than other federal agencies on cybersecurity.”  It was not until US-CERT notified OPM of the breach in March 2014 that OPM sought additional funds for network security.  In addition, OPM failed to implement the Office of Management and Budget’s (OMB) longstanding requirement of multi-factor authentication for employees and contractors with access to the network.  Overall, the Committee found that had OPM implemented basic cybersecurity protocols and deployed more advanced security tools when it became clear that attackers were targeting critical data, the extent and severity of the breach could have been prevented or at least substantially mitigated.  According to the report, “[t]he data breach by Hacker X1 should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data … Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM’s systems incurred.”

The report also acknowledged that OPM’s cybersecurity maturity has improved since the breach was initially disclosed. In June 2016, OPM reported to the Committee that it had “taken significant steps to enhance its cybersecurity posture, protect individuals who had their data stolen in the incidents last summer, and reestablish confidence in its ability to deliver on OPM’s core missions.”  Those steps included complete deployment of two-factor authentication for all users, implementation of a continuous monitoring program for all IT systems, hiring of a cybersecurity advisor that reports to OPM Acting Director Beth Cobert, modifying the OPM network to limit remote access exclusively to government-owned computers, and deployment of a Data Loss Prevention System to automatically prevent sensitive information from leaving the network without proper authorization.  They also established a new agency-wide centralized IT security workforce under a newly hired CISO and provided enhanced security awareness training relating to phishing and social engineering attacks.

However, the report also made broader recommendations for the federal government as a whole, including strategies to retain qualified Chief Information Officers (CIOs) for longer terms, reduction in the use of social security numbers by federal agencies, utilization of “critical position pay” to recruit and retain IT security specialists, and elimination of bureaucratic roadblocks to swift implementation of IT security policies and cyber tools. The Committee also recommended that federal agencies promote a “zero trust IT security model,” under which users inside the network are not deemed any more trustworthy than users outside the network. This model would require agencies to strictly enforce authentication and user access controls and to closely monitor all network traffic. The report noted that, because OPM was unable to visualize and log its network traffic, it was also unable to determine exactly how much data had actually been exfiltrated by its attackers.
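To make concrete the kind of network visibility the Committee described (logging traffic so that the volume that left the network can be accounted for afterwards, and treating sessions from inside the network with no more trust than those from outside), here is an added example that is not part of the original post or of the Committee’s report. It reads constructed flow records, totals the bytes each internal host sent to external addresses, flags hosts over a review threshold, and flags RDP sessions that did not originate from an approved jump host. The internal address range, the jump-host list, the 1 GB threshold and the flow records themselves are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Assumptions for this example (not from the report): the internal address range,
# the hosts from which administrative RDP sessions are expected, and the volume
# above which outbound transfer to an external host is reviewed.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_JUMP_HOSTS = {"10.0.1.5"}
BULK_TRANSFER_THRESHOLD = 1_000_000_000  # bytes (1 GB) per source host over the log window
RDP_PORT = 3389

# Constructed flow records, one per line: "timestamp src dst dst_port bytes_sent_by_src".
SAMPLE_FLOWS = """\
2014-06-02T01:12:03Z 10.0.5.23 203.0.113.10 443 950000000
2014-06-02T01:30:44Z 10.0.5.23 203.0.113.10 443 1200000000
2014-06-02T02:05:10Z 10.0.7.8 198.51.100.7 443 20480
2014-06-02T02:07:55Z 10.0.9.41 10.0.20.3 3389 400000
2014-06-02T02:09:00Z 10.0.1.5 10.0.20.3 3389 300000
2014-06-02T02:15:00Z 10.0.7.8 10.0.30.2 445 5000000
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def outbound_bytes_by_source(flows: List[Flow]) -> Dict[str, int]:
    """Sum the bytes each internal host sent to external destinations.

    With complete flow logs this total bounds what a given host could have
    exfiltrated, which is the figure OPM could not produce after the fact.
    """
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def flag_bulk_exfil(flows: List[Flow], threshold: int = BULK_TRANSFER_THRESHOLD) -> List[Tuple[str, int]]:
    """Return (source, bytes) pairs whose external outbound volume exceeds the threshold."""
    totals = outbound_bytes_by_source(flows)
    return sorted((src, n) for src, n in totals.items() if n > threshold)


def flag_rdp_from_unexpected_hosts(flows: List[Flow]) -> List[Flow]:
    """Return RDP flows whose source is not an approved administrative jump host.

    In a zero trust posture an internal source address earns no exemption: the
    session is reviewed unless it came from a host expected to open RDP.
    """
    return [f for f in flows if f.dport == RDP_PORT and f.src not in ADMIN_JUMP_HOSTS]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in flag_bulk_exfil(flows):
        print(f"bulk outbound transfer: {src} sent {n:,} bytes to external hosts")
    for f in flag_rdp_from_unexpected_hosts(flows):
        print(f"RDP from unexpected host: {f.src} -> {f.dst} at {f.ts}")
```

On the sample data the workstation 10.0.5.23 is reported for sending about 2.15 GB to an external address across two sessions, and the internal-to-internal RDP session from 10.0.9.41 is reported while the one from the jump host is not. The per-source totals are also the answer to the question OPM could not answer: if every flow is logged, the amount that left the network is a sum, not a guess.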

While the attack on OPM could be discounted as the targeting of a government agency by foreign government operatives, there remains a broader lesson for all organizations. In OPM’s case, the agency was in possession of vast stores of valuable data, whose value to attackers it apparently failed to appreciate. As a result, it neglected to expend the resources necessary to adequately protect that data, ignoring the recommendations of industry experts and even standards adopted by other similarly situated agencies. When it became aware that it was under attack, it still failed to take the steps necessary to discover the full extent to which its network had been breached. The consequences of OPM’s inaction will be borne not only by the current and former federal employees who entrusted their data to their government and are now vulnerable to identity theft and extortion; this breach has also resulted in breaches of valuable intelligence data (the CIA was forced to pull several officers from its embassy in Beijing) and expenditure of substantial government resources to discover the full extent of the data exfiltrated. Hopefully this incident was the wake-up call needed to improve systems throughout the federal government and prevent (or mitigate) similar future attacks.

Spokeo’s Impact on Article III Standing

It has now been just over three months since the Supreme Court in Spokeo v. Robins made clear that “Article III standing requires a concrete injury even in the context of a statutory violation.” Since then, federal courts have begun to consider what impact is necessary to constitute a concrete injury-in-fact. Thus far, courts have varied in their application of Spokeo and in what is required to satisfy the concreteness requirement.

Luckily for defendants, several recent decisions support dismissal in cases alleging bare procedural violations. Below, we summarize many of these recent decisions:

  • Hancock v. Urban Outfitters, Inc., No. 14-7047, 2016 WL 3996710 (D.C. Cir. July 26, 2016) involved the defendant’s alleged violation of the District of Columbia’s data collection statutes by requesting the plaintiff’s zip code at the point of sale. The D.C. Circuit found that the plaintiffs failed to allege any injury that they suffered as a result of having their information collected, and thus lacked Article III standing. The D.C. Circuit remanded the case to state court.
  • Attias v. CareFirst, Inc., No. 15-CV-00882 (CRC), 2016 WL 4250232 (D.D.C. Aug. 10, 2016) is a data breach case in which the plaintiffs alleged a number of injuries, including an increased risk of identity theft, actual identity theft (for two of the plaintiffs), economic harm through purchasing credit-monitoring services and insurance coverage, loss of intrinsic value of their personal information, and violation of their statutory rights under consumer protection acts. The court rejected each of these arguments and dismissed the case for lack of Article III standing with leave to amend. As to the plaintiffs’ statutory claim, the court, citing Spokeo, explained that “Where a violation of a statute may result in no harm, that mere violation is insufficient to confer standing. Even if Plaintiffs’ rights under applicable consumer protection acts have been violated, because they do not plausibly allege concrete harm, they have not demonstrated that they have standing to press their claims.” (Internal citations and quotation marks omitted).
  • Similarly, in Khan v. Children’s National Health Sys., No. TDC-15-2125, 2016 WL 2946165 (D. Md. May 19, 2016), the court held that the plaintiff lacked standing, in part, because she failed to connect the alleged statutory and common-law violations arising from a data breach to a concrete harm.
  • In Gubala v. Time Warner Cable, Inc., No. 15-cv-1078, 2016 WL 3390415 (E.D. Wis. June 17, 2016), the court dismissed the plaintiff’s claim under the Cable Communications Policy Act (CCPA), holding that defendant’s mere failure to dispose of ex-customers’ personally identifiable information in violation of the CCPA, without more, was not enough to confer Article III standing on plaintiff, where plaintiff did not allege that defendant distributed the information or that its retention caused plaintiff any harm.
  • In McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016), the plaintiff claimed that the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by storing her fingerprint information without obtaining her advance consent. The defendant was a locker rental company whose users scanned their fingerprint to check out a locker and to open it after it had locked (thus, the renter’s fingerprint acted as a key to the locker). The court dismissed the plaintiff’s claim for lack of standing, finding that she failed to allege how the defendant’s retention of her fingerprint data could constitute a concrete harm, especially where the plaintiff “undoubtedly understood” when she first used the system that her fingerprint data would have to be retained until she retrieved her belongings from the locker. The court found that the plaintiff also failed to establish statutory standing, but held that even with statutory standing, the plaintiff would lack Article III standing “Since a state statute cannot confer constitutional standing.”
  • Romero v. Dep’t Stores Nat’l Bank, No. 15-CV-193-CAB-MDD, 2016 WL 4184099 (S.D. Cal. Aug. 5, 2016) involved claims under the Telephone Consumer Protection Act (TCPA). Here, the plaintiff claimed to have been injured as a result of being called by the defendant through an automated telephone dialing system (ATDS). The plaintiff argued that this statutory violation was sufficient to establish an injury-in-fact, because she suffered the exact harm that Congress wanted to eliminate with the TCPA. The court disagreed. First, the court found that the plaintiff could not have been injured by calls she did not know were made, such as calls that she did not hear or that were made when her phone was turned off. Second, the court found that the plaintiff failed to establish any injury from calls that she did hear ring or actually answered, since she “does not offer any evidence of a concrete injury caused by the use of an ATDS, as opposed to a manually dialed call.” The court also rejected the plaintiff’s claims to have been injured as a result of “invasion of privacy” and “trespass to chattels,” because these are not injuries in and of themselves, but instead torts, for which an injury is an element of the claim.
  • Sartin v. EKF Diagnostics, Inc., No. CV 16-1816, 2016 WL 3598297 (E.D. La. July 5, 2016), is another TCPA case dismissed for lack of standing. The plaintiff in Sartin claimed to have been injured as a result of receiving unsolicited faxes by the defendant. The defendant’s 12(b)(1) motion argued that the plaintiff lacked standing because he failed to plead an injury in fact divorced from the defendant’s alleged violations of the TCPA. The court agreed, explaining that although the plaintiff had plausibly alleged a claim under the TCPA, “Congress may not erase the requirements of Article III by legislative fiat,” and the plaintiff failed to plead facts demonstrating how the defendant’s statutory violation caused him concrete harm. The court dismissed the complaint with leave to amend.
  • In Smith v. Ohio State Univ., No. 2:15-CV-3030, 2016 WL 3182675 (S.D. Ohio June 8, 2016), the plaintiffs sought statutory damages on behalf of a putative class for violations of the Fair Credit Reporting Act (FCRA), alleging that the defendant obtained consumer reports on them “without first providing [them] a clear and conspicuous written disclosure, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes.” More specifically, the plaintiffs alleged that the defendant provided a disclosure and authorization during the job hiring process that “improperly included extraneous information such as a liability release.” The defendant challenged the plaintiffs’ claims under Rule 12(b)(1), arguing that the alleged violations amounted to FCRA procedural requirements that result in no harm. The plaintiffs, in response, attempted to establish a concrete injury by arguing that the extraneous material invaded their privacy and misled them as to their rights under the FCRA. The court found that the plaintiffs failed to allege any concrete consequential damage.
  • Similarly, in Groshek v. Time Warner Cable, Inc., No. 15-C-157, 2016 WL 4203506 (E.D. Wis. Aug. 9, 2016), the plaintiff argued that the defendant violated the FCRA by obtaining his consumer report without first providing him with a standalone document warning him that it was going to do so. As in Smith, the court found that the plaintiff had failed to allege any concrete harm, and dismissed the case with leave to amend.
  • Jamison v. Bank of Am., N.A., No. 2:16-CV-00422-KJM-AC, 2016 WL 3653456 (E.D. Cal. July 7, 2016) also concerned a defendant’s alleged failure to make certain disclosures, but in a different context. Here, the plaintiff alleged that the defendant violated the Truth in Lending Act (TILA) by failing to disclose insurance claim proceeds in its mortgage payoff and periodic statements. The court dismissed the plaintiff’s claim for lack of Article III standing, finding that the plaintiff did not allege any injury caused by the defendant’s failure to disclose the insurance claim proceeds on the statements. The court specifically noted that the plaintiff failed to allege that she could not have gotten the proceeds information through other means.

Plaintiffs will be quick to distinguish these cases, arguing that they have adequately alleged a concrete injury separate from the statutory violation. And because many of these decisions were granted without prejudice, the plaintiffs in these cases may be successful in alleging concrete injuries not included in the complaints above. Regardless, these decisions offer welcome ammunition to defendants seeking dismissal in “gotcha” cases lacking any actual harm.

Size Does Not Matter When It Comes to OCR Investigations of HIPAA Violations

In the past, regulatory investigations for HIPAA violations have generally been perceived as focusing resources on breaches and other violations involving a large number of individuals or presenting a particularly egregious issue. A recent announcement of an initiative by the Health & Human Resources‘ (HHS) Office of Civil Rights (OCR) has made it clear that its determination of which reported incidents it will investigate is not going to depend on size.

On August 18, 2016, the OCR announced an initiative to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Breaches affecting fewer than 500 individuals are not subject to the same notification timing to HHS as larger breaches. If a covered entity sustains a breach of unsecured Protected Health Information (PHI) affecting 500 or more individuals, it must notify HHS “without unreasonable delay” and in no case later than 60 days from discovery; for breaches affecting fewer than 500 individuals, the covered entity may notify HHS within 60 days after the end of the calendar year and report all such breaches for the prior calendar year at the same time. 45 CFR §164.408. Regional offices generally have discretion on whether to investigate such smaller breaches.

Now, however, OCR has indicated concern that smaller breaches may not be isolated instances of minimal impact, but rather may have a root cause that indicates entity- or industry-wide non-compliance with HIPAA. Thus, according to the August 18 announcement, each regional office is to increase its efforts to identify entity-level and systemic non-compliance, including through investigation of such smaller breaches, and to obtain corrective action. Factors the OCR identified for consideration in Regional Offices’ determination of whether to investigate a breach are:

  • The size of the breach
  • Theft of or improper disposal of unencrypted PHI
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
  • The amount, nature and sensitivity of the PHI involved
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates

Earlier this year, OCR announced Phase II of its Audit Program in which it was reviewing the policies and procedures adopted and employed by covered entities and their business associates to meet the standards and implement the applicable Privacy, Security and Breach Notification Rules.

“Check Your Mail” — OCR Phase II HIPAA Audits May Be Coming to You!, July 19, 2016 — http://www.cybersecuritytodayblog.com/2016/07/19/check-your-mail-ocr-phase-ii-hipaa-audits-may-be-coming-to-you/

OCR 2016 HIPAA Audits Underway, March 21, 2016 — http://www.cybersecuritytodayblog.com/2016/03/21/ocr-2016-hipaa-audits-underway/

The increased aggressiveness of OCR with regard to HIPAA violations is also demonstrated by the size of fines being levied, with five of the twelve largest fines reported levied in 2016 alone. Fines have also been levied against business associates, and not just against covered entities.

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 134,246 HIPAA complaints and has initiated more than 879 compliance reviews. According to the HHS website, OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or its business associate, which may include settling with the entity in lieu of imposing a civil money penalty. As of May 31, 2016, OCR reports that it settled 35 such cases resulting in a total amount of $36,639,200.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. OCR also reports that it referred 575 cases involving the knowing disclosure or obtaining of PHI in violation of the Rules to the Department of Justice (DOJ) for criminal investigation.

Not all investigations result in fines or penalties. In 11,018 cases, OCR reported that its investigations found no violation had occurred. Additionally, in 13,748 cases, OCR intervened early and provided technical assistance to HIPAA-covered entities, their business associates and individuals exercising their rights under the Privacy Rule, without the need for an investigation. OCR reports that in the rest of its completed cases (79,865), it determined that the complaint did not present an eligible case for enforcement.

If you have any questions, please feel free to email a member of our Cybersecurity team at Laurie.Kamaiko@sedgwicklaw.com or Cinthia.Motley@sedgwicklaw.com.

Sedgwick’s Cinthia Motley speaking at ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance

Coverage, Underwriting and Claims Strategies for Managing Privacy/Security, Data and Network Risk and Liability

Who Should Attend: Insurance professionals, in-house counsel, and outside counsel specializing in technology, products, pricing, coverage options, prevention strategies and more.

Where: Park Central Hotel, San Francisco, CA

When: November 30 – December 1, 2016

Register at: www.AmericanConference.com/CyberRiskSNF

In its 14th year, the Cyber & Data Risk Insurance Conference is the premier event to learn the latest in federal and state enforcement, regulatory initiatives as well as take away invaluable information you can use in your practice, matters of critical importance and best practices for preparation, provisions, policies and response.

Sedgwick partner Cinthia Granados Motley will participate in the panel discussion “Doing Business with Europe: An Examination of the Implications of the GDPR and the Privacy Shield” on Thursday, December 1 at 9:35am.

This panel will discuss and review the following:

  • What are the operational impacts of the GDPR?
    • Cybersecurity and data breach notification obligations
    • The mandatory data protection officer requirement
    • Consent and cross-border data transfers
    • Profiling and vendor management
    • Codes of conduct and certifications
    • Consequences for GDPR violations
  • The EU Privacy Shield and its impact on US companies
  • The Network and Information Security Directive (NIS Directive) and its impact
  • What are some of the more practical ways in which businesses can understand various rules in different locations where they do business?