“Check Your Mail” – OCR Phase II HIPAA Audits May Be Coming to You!

As reported in the March 21, 2016 Blog Post, the 2016 HIPAA Audits Season had begun. As stated on its website, “OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.”  The OCR intends to use the audits as a proactive measure, in conjunction with its ongoing complaint investigations and compliance reviews, to identify problems before they result in breaches.  Phase II of the OCR audit program has been underway for several months.

On July 12, 2016, the OCR announced that it sent email letters to 167 Covered Entities, including health plans, health care providers, and health care clearinghouses, that they would be subject to desk audits. Recipients of this recent notification will have 10 days (or until July 22, 2016) to comply with the documents requests.  After these documents are received, the OCR auditor will review the information and provide the Covered Entity with draft findings.  The Covered Entity will then have 10 days to provide any written comments to the auditor.  Thereafter, it is expected that the OCR auditor will then complete a final audit report within 30 business days. The desk audit is intended to evaluate the Covered Entity’s compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  The email letter notified the Covered Entity of the subject(s) of the audit, which reportedly include whether the Covered Entity has required documents under the following areas:

  • Privacy Rule

Notice of Privacy Practices & Content Requirements

Provision of Notice – Electronic Notice

Right to Access

  • Breach Notification Review

Timeliness of Notification

Content of Notification

  • Security Rule

Security Management Process – Risk Analysis

Security Management Process – Risk Management

Based on the designated sections at issue with the HIPAA desk audits, the focus seems to be on the Covered Entity’s understanding and compliance with the requirements directed to patient rights under HIPAA and their ability to access their medical records.

As in the past, the OCR recommends that Covered Entities check their spam filter to make sure email from OSOCRAudi@hhs.gov lands in your “in-box” and it responded to in a timely manner. The same advice should be followed by Business Associates who will be the subject of desk audits in the fall.  Now is the time to conduct a HIPAA risk analysis to ensure that your organization is HIPAA compliant regardless of whether you organization is the recipient of the July 11, 2016 “desk audit” email.

Ransomware article by Scott Lyon published in Today’s General Counsel

The article “Lessons from Ransomware Attacks on Healthcare Providers” by Scott Lyon was published in the June/July issue of Today’s General Counsel. The article addresses the recent ransomware attacks on healthcare providers and proposes strategies for any company to avoid or mitigate ransomware attacks. Click here to view the article.

Upcoming Event: Critical Updates on HIPPA Enforcement Actions and 2016 OCR Audits

Wednesday, June 22, 2016
11 a.m. PT/1 p.m. CT/ 2 p.m. ET

Who: Lawyers and non-lawyers, insurers and commercial claims representatives.
Where: At your desk. (There is no dial-in required; the audio will stream through your computer).
How: Register here.

The Midwest Claims Association and Sedgwick LLP cordially invite you to join us for this webinar where Sedgwick LLP partners Cinthia Granados Motley and Fred A. Smith will share their experiences in the areas of data privacy, healthcare and HIPAA-related issues. They will provide an overview of the HIPAA and HITECH requirements for PHI and ePHI, compliance requirements for Covered Entities and Business Associates, and risks for non-compliance, including an overview of recent OCR enforcement actions and fines. They will also address how your organization can prepare for an OCR Audit.

Presenters:

Cinthia Granados Motley is a member of Sedgwick’s cybersecurity leadership team. She has an active practice handling data privacy, security and liability matters, both domestically and internationally, as well as information governance, e-discovery, international contract disputes, directors and officers liability and employment defense. In her litigation practice, she has also handled ERISA and professional liability matters both in state and federal courts, and routinely counsels clients in complex commercial disputes both domestically and abroad. Her experience extends beyond the United States to Latin America.

Fred Allen Smith, III, represents healthcare entities, corporations, partnerships and professionals in a wide variety of matters such as healthcare disputes, medical device claims, medical negligence, professional liability, class actions and products liability. Mr. Smith also counsels clients on insurance coverage disputes, including contract interpretation issues, environmental matters, reinsurance, professional liability and bad faith law.

CLE Information

Sedgwick LLP is an accredited MCLE provider in CA, FL, IL, NJ, NY and TX. The MCLE approval for this program is as follows:

1.0 hours of General Credit: CA, IL, NJ, NY and TX.

Pending 1.0 hours of General Credit: Florida

For questions about this event, please contact: Amy Beecham at 816-423-2121 or via email.

Learn more about Sedgwick’s Cybersecurity & Privacy Practices Group and Healthcare Practices Group.

FCC Net Neutrality Rules Upheld by Federal Appeals Court

Today, a federal appeals court upheld the FCC’s recent net neutrality rules which purportedly make internet service providers treat all web traffic equally, delivering a major defeat to cable and telephone companies.

The D.C. Circuit Court of Appeals, in a 2-1 vote, affirmed the FCC’s net neutrality rules, which have been supported by both consumer groups and the white house.

In March 2016, the FCC voted to approve the new rules which require ISPs to obtain consent (Opt-In) from their users to collect and monetize their data. Traditionally, ISPs have an opt-out policy, which allows users to disallow ISPs from monetizing their data. It is fairly obvious that ISPs could use a lot more users’ data by following an opt-out policy.

The rules create some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have a significant impact on how ISPs compete and do business. Such a significant change in their business model will in turn effectuate changes throughout the business of the Internet. Profits will no doubt shrink for ISPs, thereby putting pressure on providers to increase fees for users. Because not all Internet sites will be treated as ISPs, there will be an inequity in the treatment of different Internet business entities resulting in a power shift away from ISPs, which will likely compel service providers to exercise legal action in order to revoke the new rules.

The inclusion of an opt-in standard for certain data uses is significant. Traditionally in the U.S., privacy guidelines require only that users be permitted to opt-out of data uses such as ad targeting based on behavioral data. The new FCC rules for ISPs will require that users must opt-in for most uses of their data including but not limited to providing this information to marketing and advertising companies.

Not all Internet entities are covered by the new FCC rules. The rules affect only companies that connect users to the Internet including Comcast, Verizon and Sprint. The new rules do not apply to Internet companies that have huge advertising businesses based on customer data, such as Facebook or Google (non-ISPs, also referred to as “edge providers”). Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules will be a revenue and power shift away from ISPs towards existing Internet behemoths.

Many in the industry are of the opinion that opt-in requirements will create a divide in the online world, giving an advantage to non-ISPs such as Google and Facebook. These edge providers will not be required to seek permission from users through the opt-in process.

The framework adopted by the FCC last year was to reclassify ISPs as common carriers, much like utilities. This enables the FCC to regulate them, which gave rise to the FCC net neutrality rules in 2016. Critics argue that the FCC should not be regulating ISPs since they, like edge providers, are already regulated by the Federal Trade Commission which analyses complaints on a case-by-case enforcement basis.

In the lawsuit brought to overturn the FCC rules, ISPs, such as Verizon and Comcast, argued the rules will chill investment in network infrastructure. Also included as plaintiffs in the lawsuit are AT&T, CenturyLink, along with cable, wireless and telecom trade groups. The crux of the lawsuit focused on the application of net neutrality to the wireless internet. The majority of the appellate court allowed that decision by the FCC to stand, citing the “rapidly growing and virtually universal use of mobile broadband service.” This is perceived to be a crucial part of the rules since most people are now accessing the web through their smartphones.

Also interesting in the decision was the opinion of the dissenting Judge Williams. He indicated that he felt the FCC does have the authority to regulate ISPs, but had not set forth enough of a basis to justify doing so in this instance. Many Democrats in Congress welcomed the court decision as a victory for consumers. Bernie Sanders tweeted that it “will help ensure we don’t turn over our democracy to the highest bidder.” Republicans in opposition were critical of the decision and many called for legislation to undo the FCC’s rules.

Bankruptcy Rules On Privacy Pose Risk to Unwary Creditors

With the advent of electronic case filing, the increased risk of identity theft, and proliferation of various privacy laws, creditors need to be more cautious than ever when filing their proofs of claim in bankruptcy cases to order to avoid inadvertent disclosure of the debtor’s personal information. This is of particular importance as to any invoices, statements of account or other documentary evidence that may be filed in support of the proof of claim.

We discuss below the applicable Bankruptcy Rule regarding public disclosure of the debtor’s personal information in a proof of claim and the possible consequences of any inadvertent violation of this Rule.

Scope of Bankruptcy Rule 9037

Rule 9037 of the Federal Rules of Bankruptcy Procedure requires that all electronic or paper filings with the bankruptcy court must be redacted if they contain any of the following personal information of the debtor or other individual: (1) social security number, (2) taxpayer ID number, (3) full name of any minor, (4) birth date, and (5) financial account number. The Rule is applicable to proofs of claims and all pleadings that are filed in bankruptcy cases, including all attachments or exhibits.

The Rule does not define “financial account number,” but some courts have construed the Rule broadly to include any statement of account or attached billing that identifies the debtor and lists the full account number. The Official Comment to the Rule notes that redaction of other personal information, such as driver’s license numbers or health care records, also may be appropriate or necessary.

In some jurisdictions, the courts also issue general orders to reinforce or augment the privacy requirements of Rule 9037.

Redaction Requirement

Rule 9037(a)(1) specifically requires any filing party to redact the electronic or paper filing to list only the last four digits of an individual’s social security or taxpayer ID number, the year of the birth date, the minor’s initials and the last 4 digits of any financial account number.

The Rule exempts certain filings from the redaction requirement, such as the filing of the record of any administrative, agency, or court proceedings (if the underlying record was not subject to a redaction requirement). Rule 9037(d) also permits the Bankruptcy Court to redact additional information from any filing or to limit or prohibit other parties from obtaining electronic access to any filings in the bankruptcy case, for cause shown.

Rule 9037 does not purport to grant any safe harbor for the public disclosure of any personally identifiable information that might violate other privacy laws, such as Health Insurance Portability and Accountability Act (HIPPA) or the Gramm-Leach-Bliley Act (GLBA).

Possible Consequences of Violating the Rule

Rule 9037 does not specify any penalty or sanction for any filings made in violation of the Rule, nor prescribe any remedy to redress the potential harm caused by court filings that contain unredacted personal information.

However, there are many reported decisions in which debtors have brought suits or other enforcement actions against the offending creditor to enforce the Rule and/or compensate the debtor for the unlawful disclosure of his or her personal information in unredacted proofs of claim or other bankruptcy filings. The debtors typically allege a number of different legal theories, and they often seek a wide variety of relief, including disallowance of the proof of claim, compensatory damages, attorney’s fees and punitive damages. We provide a short discussion of the most common enforcement actions and possible outcomes.

Action to Enforce Rule 9037

In some cases, the debtors bring a motion to redact the personal information from the proof of claim as necessary to conform to the Rule, or to strike the proof of claim and prohibit further public access to it. The Debtors often will also seek reimbursement their attorney’s fees incurred in bringing these motion, which the courts will award in appropriate circumstances, particularly where the offending creditor has refused the debtor’s request for corrective action.

Private Rights of Action

In other cases, the debtors will bring suit against the offending creditor seeking compensatory and punitive damages. In these cases, the debtor typically alleges a number of different legal bases for recovery. They include the Bankruptcy Court’s inherent contempt power under Section 105(a) of the Bankruptcy Code to enforce the bankruptcy rules (and/or any applicable general orders of the court that may be applicable), other potentially applicable privacy laws such HIPPA or GLBA, and invasion of privacy or other common law torts. In addition, the debtors often also seek to disallow the proof of claim.

Thus far, the courts generally have found that there is no private right of action to enforce Rule 9037 or the court’s contempt power. Likewise, the courts have specifically determined that neither HIPPA, nor GLBA affords the debtor a private right of action to collect damages or attorney’s fees. In addition, the courts have found the Bankruptcy Code does not permit disallowance of a proof of claim solely for the violation of a disclosure rule, like Rule 9037.

Common Law Tort Claims

The case law is less developed in the area of common torts, such as invasion of privacy, and more dependent upon the applicable state law. In one reported case, the court found that under the applicable common law an unredacted proof of claim in a bankruptcy case did not satisfy a “publicity requirement.” In short, the court found that access to proofs of claims in the Court’s database (PACER) was restricted only to registered users who paid subscription fees. As such, the unredacted personal information in the proof of claim was not disclosed to the general public – which the court found was a necessary element to the tort claim.

In addition, absent a showing of actual harm from the filing of the unredacted proof of claim, such as identify theft, courts have dismissed tort claims on the grounds that the asserted damages were too speculative.

Court Sanctions

Even if the debtor is unsuccessful in prosecuting a private right of action, the courts appear willing to impose sanctions – attorney’s fees and punitive damages – against a creditor for filing an unredacted proof of claim in blatant or willful disregard of the requirements of Rule 9037. The basis for the sanction award is the Bankruptcy Court’s power under section 105(a) of the Bankruptcy Code to, in essence, police the bankruptcy system and enforce the rules.

The fact patterns often involve creditors who fail to take any corrective action after being made aware of the violation by the debtor. In one recent case, the Bankruptcy Court awarded both attorney’s fees and punitive damages against an attorney who filed the debtor’s unredacted financial statement as an exhibit to a contested motion after finding that the attorney failed to demonstrate any just cause for refusing to correct the problem upon request by the debtor. In addition, the Bankruptcy Court required the attorney to reimburse the debtor for any future costs incurred in credit monitoring to avoid the risk of future damages caused by the public disclosure of the debtor’s name, address, social security and date of birth in the bankruptcy filing.

Takeaways

• The Bankruptcy Rules impose specific non-disclosure requirements for personal information, which apply to the filing of proofs of claim and any documents filed in connection therewith.

• Creditors should carefully review all documents and exhibits to be filed with their proof of claims, particularly invoices, billing statements or other statements of account, to insure that the debtor’s personal information is redacted.

• Failure to redact the debtor’s personal information from proofs of claim can result in the bankruptcy court’s imposition of sanctions and other liability exposure.

• In the event of any inadvertent disclosure of the debtor’s personal information in a proof of claim, creditors should act quickly to voluntarily request that the court redact the personal information from the proof of claim and without waiting for any request from the debtor or the Bankruptcy Court to do so.

Congressional Inquiries Into Facebook’s “Trending” Topics – In Context

There have been anonymous allegations, published by Gizmodo, that former Facebook “curators” had allegedly ignored Facebook’s algorithms and guidelines for its Trending topics section and suppressed links to conservative news stories. This prompted a letter to Mark Zuckerberg from Senator John Thune (R.-S.D.) seeking information about the algorithm, guidelines, enforcement of the guidelines, auditing of compliance with the guidelines and more.  Some have suggested that Facebook should simply ignore the letter from Thune, and, indeed, his legal right to the information seems tenuous.  Yet, it appears that Zuckerberg is inviting conservatives to come speak with him, and a company spokesman stated that Facebook is “looking forward” to addressing Sen. Thune’s questions.  So what gives?

Procedurally and legally speaking, Facebook can ignore Thune’s request for information – at least in its current form. A letter from a Senator requesting information, even if that Senator is the chairman of the Senate Committee on Commerce, Science and Transportation, is not legally enforceable.  To enforce the letter, Sen. Thune would have to obtain a subpoena, which would have to be issued by his committee, in compliance with its procedures.  Such a congressional subpoena may be extremely broad.  The Supreme Court has held that the scope of Congress’s power “is as penetrating and far-reaching as the potential power to enact and appropriate under the Constitution.” Eastland v. U.S. Serviceman’s Fund, 421 U.S. 491, 504 (1975).  Although Congress ought not to delve needlessly into the “private affairs” of the citizenry, it has the power to inquire about and investigate any issue “on which legislation could be had” and “the wisdom of congressional approach or methodology is not open to judicial veto.” Id.  An attack on a congressional subpoena through the court system is fraught with difficulty.

On the other hand, if Mr. Zuckerberg were to refuse to comply with all or part of a congressional subpoena, Senator Thune would face his own set of challenges to find Facebook in “contempt of Congress.” Initially, both the Senate Committee on Commerce, Science and Transportation and the full Senate would have to vote to enforce the subpoena.  This, of course, would be political theater writ large.  Assuming a favorable floor vote on finding Facebook in contempt of Congress, this would still need to be enforced through: 1) the Senate’s inherent contempt power by instructing its sergeant-at-arms to arrest the noncompliant party, apparently in this case Mr. Zuckerberg, and bring him or her before the chamber’s presiding officer; 2) Senator McConnell as presiding officer of the Senate could refer the matter to the U.S. Attorney for the District of Columbia to pursue criminal contempt proceedings, pursuant to 2 U.S.C. §§ 192, 194; or 3) the Senate could initiate a civil action in federal district court, seeking a court ordered injunction to compel compliance with Senate process.

Probably the most famous example of congressional inquiry into the media came out of the controversy surrounding “The Selling of the Pentagon,” a CBS Reports documentary, which exposed the huge expenditure of public funds, partly illegal, to promote militarism. The program came under intense criticism from two men who appeared on the program, from the House of Representatives, other media and some prominent politicians. Daniel Henkins, Undersecretary of Defense for Public Relations, charged that statements from his interview with Roger Mudd about his work had been doctored, as did Col. John MacNeil, who accused CBS of rearranging his comments in a speech he gave about the situation in Southeast Asia. The Investigations Subcommittee of the House Commerce Committee subpoenaed CBS’s outtakes to determine whether or not distortion had taken place. Against threat of jail, CBS president Frank Stanton refused the subpoena from the House Commerce Committee ordering him to provide copies of the outtakes and scripts from the documentary. He claimed that such materials are protected by the freedom of the press guaranteed by the First Amendment. Stanton observed that if such subpoena actions were allowed, there would be a “chilling effect” upon broadcast journalism.  The committee ultimately let it drop.

It is this course of action that some commentators and First Amendment lawyers have recommended in response to Thune’s letter. But this is not Facebook’s fight.  Facebook vice president Tom Stocky responded to the Gizmodo report allegations even before Thune sent his letter, posting to Facebook on May 9:

Facebook is a platform for people and perspectives from across the political spectrum. There are rigorous guidelines in place for the review team to ensure consistency and neutrality. These guidelines do not permit the suppression of political perspectives. Nor do they permit the prioritization of one viewpoint over another or one news outlet over another. These guidelines do not prohibit any news outlet from appearing in Trending Topics.

To put a fine point on it, Facebook does not particularly want people to think of its curators as journalists. A social network is far more popular than a media company, even if that is what Facebook in fact is.  We should not expect Facebook to show “editorial courage” when it is its business model to not have an editorial position.

Proposed Legislation Could Make It More Difficult For Law Enforcement To Identify Criminals Using Anonymizing Technology

A bipartisan group of senators has introduced legislation that would make it more difficult for the FBI to investigate child pornography and other crimes in instances where the criminals are using anonymizing or location-obfuscating technology.

In April, the U.S. Supreme Court approved a change to Rule 41(b) of the Federal Rules of Criminal Procedure which would authorize courts to issue warrants outside their jurisdiction in situations where the exact location of the data being sought has been obfuscated by technology. The revision was originally proposed by the Judicial Conference Advisory Committee on Criminal Rules in August 2014 at the request of the Department of Justice.  Under the current rule, a federal magistrate is only authorized to issue a warrant for a person or property either 1) “located within the district” or 2) located outside of the district so long as the person or property was located within the district when the warrant was issued but moved outside the district before the warrant was executed.  The purpose of the rule change is to address jurisdictional difficulties posed when a website or server in one jurisdiction is accessed by users in another jurisdiction, but the user’s physical location has been hidden by routing the communications through anonymizing networks.

One such incident recently came to light on April 20 when a Massachusetts federal judge ruled that child pornography evidence must be suppressed because the Virginia judge who issued a warrant to the FBI was not located in the same physical jurisdiction as the defendant’s computer that was searched. In that case, the FBI had taken over a child pornography site called Playpen in February, which was hosted on a Tor anonymity network.  The Tor protocol encrypts data being transmitted (including the destination IP address) multiple times before sending it through a series of relays, with each relay only able to decrypt the outermost layer that reveals the next link in the chain until the data finally reaches its final destination – this prevents users on either endpoint from knowing the physical location of the other.  However, rather than shutting the site down, the FBI continued operating the service and implemented a hacking tool called a “network investigative technique” (NIT), which was served to the users’ computers and sent back the IP addresses of visitors to the site.  Before employing the NIT, the FBI obtained a warrant from a magistrate judge in Virginia (where Playpen’s server was located).  Without deploying the NIT, the FBI had no idea where the users’ computers were physically located and therefore could not identify from which jurisdictions warrants would be required – this was only learned after the NIT sent back the physical location information.  A federal judge in Massachusetts, where the defendant’s computer was located and where he was being prosecuted,  held that the search warrant issued by the Virginia judge to utilize the NIT was not valid and therefore all evidence obtained in a subsequent search of the defendant’s home must be suppressed because it was based on a warrantless search.

By modifying Rule 41(b) of the Federal Rules of Criminal Procedure, the Supreme Court recognized that the nature of interstate and international communications has expanded beyond the provincial physical jurisdiction of local federal judges. The search to be conducted or investigative method to be employed will still be subject to judicial scrutiny in compliance with the Fourth Amendment, but without the requirement to first de-anonymize the user’s physical location before obtaining the warrant. According to the proposed revision, the rule would grant authority to a magistrate judge “in any district where activities related to a crime may have occurred … to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. §1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”  In other words, the rule change would only apply in the narrow circumstance where: 1) some part of the crime occurred within the issuing judge’s physical district (such as the location of the affected server), 2) the warrant authorizes remote access to electronically stored data, and 3) where the location of the data has been concealed through technological means or for violations of the Computer Fraud and Abuse Act affecting protected computers in five or more districts.  The rule change will go into effect on December 1 absent action by Congress to block it.

On May 19, sponsoring Senators Ron Wyden (D-Ore.) and Rand Paul (R-Ky.), as well as Tammy Baldwin (D-Wis.), Steve Daines (R-Mont.), and Jon Tester (D-Mont.), introduced a one-page bill entitled Stopping Mass Hacking Act which would block implementation of the changes to Rule 41(b).  The senators contend that the revision of the federal rules amounts to government overreach.  “By allowing a single judge to issue a single warrant for any number of searches, this rule change will allow DOJ to hack as many as ten thousand or a million computers with the order of a single judge,” according to the senators.  However, it bears noting that under the existing rule, if all “ten thousand or million computers” were located in the same judicial district, a single judge could already issue warrants permitting the use or technique – the only difference affected by the judicial rule change would be one of physical geography, not overall legal scope.  While Senator Wyden described the rule change as “a dramatic expansion of the government’s hacking and surveillance authority,” the rule change itself does not inhibit the FBI’s ability to utilize innovative investigative techniques such as the use of NITs – it only reduces the geographic hurdles the government would need to overcome in order to utilize such techniques.  Whether the technique authorized by the issuing judge constitutes an unreasonable search and seizure in violation of the Fourth Amendment would still be an issue for the courts to consider, with the substantive constraints of the Constitution overriding the procedural authority of the Federal Rules of Criminal Procedure.

The rule change has also been met with opposition from the private sector, with organizations such as Google, the American Civil Liberties Union, the Electronic Freedom Frontier, the National Association of Criminal Defense Lawyers, and the Pennsylvania Bar Association arguing in February that the proposed rule change would unreasonably expand the government’s search and seizure authority, which should be addressed by Congress and not the courts. The Department of Justice has attempted to counter the criticism, characterizing it as backlash based on a misunderstanding of the actual effect of the rule change.

U.S. Supreme Court Ruling in Spokeo: How Will It Impact Data Breach Litigation?

The decision of the U.S. Supreme Court on May 16 to remand a case addressing whether a violation of a statutory right is sufficient to satisfy the “injury-in-fact” requirement for standing in federal actions has resulted in an interesting range of discussions as to whether it makes assertion of class actions based on statutory violations more difficult, whether it simply avoided making it easier, or whether it side-stepped the issue entirely by remanding it. Spokeo, Inc. v. Robins, 578 U.S. ___ (2016).

For the privacy litigation bar, a major issue is whether the decision changes the current landscape in data breach litigation, in which the issue of what is sufficient actual or imminent injury has been the subject of a number of recent court decisions.

Before the decision was issued, it was often billed as one that would decide whether, in the data breach arena, claimant’s attorneys would be able to circumvent the Article III of the U.S. Constitution requirement of showing an injury in fact by each claimant, by simply pleading a statutory violation, such as violation of a state consumer protection statute. The statute at issue in Spokeo was the Fair Credit Reporting Act (FRCA), but other consumer protection statutes also provide for statutory damages when there is a procedural violation even if there is no actual damages demonstrated, and are often pled in data breach litigation.

The Supreme Court in its decision found that an analysis of whether a statutory violation was sufficient for the “injury in fact” necessary for standing required an analysis of whether the plaintiff had alleged an injury that was “concrete” as well as “particularized” (affecting the plaintiff personally). The focus on “concrete” moved the analysis from the spotlight previously placed on whether injury was “actual or imminent” as discussed in the prior U.S. Supreme Court case of Clapper v. Amnesty International USA, 568 U.S. ___ (2013), to the nature of the injury alleged. In Spokeo, the majority opinion defined a “concrete” injury as “de facto; that is, it must actually exist.” It also noted that “‘[c]oncrete’ is not, however, necessarily synonymous with ‘tangible’.” On the other hand, the Court also stated that “it is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit,” holding that a plaintiff could not obtain standing by alleging “a bare procedural violation, divorced from any concrete harm.” It noted that a violation of procedural requirements set forth in a statute may result in no harm. For example, provision of inaccurate information in violation of a statute may not “cause harm or present any material risk of harm.”

The question of whether statutory violations alone would support standing has been of particular interest to parties facing data breach litigation, in which claimants are often not able to demonstrate actual out of pocket financial or other damages from a data breach of their personally identifiable information. However, between the time the lawsuit wended its way up from the Ninth Circuit through the U.S. Supreme Court, there were several decisions issued in other data breach litigation cases that had arguably already weakened the “actual or imminent” injury prong, taking a broader view of what is “imminent” than many federal courts had previously accepted in the data breach context.

In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688,690 (7th Cir. 2015), the Seventh Circuit found standing for plaintiffs relating to a data breach based on the increased risk of identity theft. Following Clapper’s “substantial risk” of harm and “certainly impending” future injury requirements, the court found that even though plaintiffs were reimbursed for fraudulent charges, they had standing because there was a an “objectively reasonable likelihood” that plaintiffs would be subjected to future fraudulent charges or other injuries. Id at 692-94. Most recently, the Seventh Circuit followed the same Clapper and Remijas analysis in in Lewert v. P.P. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226, at *3-4 (7thCir. Apr. 14,2016) and held that there was standing where a plaintiff had already discovered fraudulent charges.

So far, at least one district court has addressed the “concrete” injury requirement post-Spokeo. In Khan v. Children’s National Health System, No. 8:15-cv-02125, May 19, 2016 (U.S.D.C. of Maryland), the district court remanded a putative class action to state court following Spokeo based on the lack of alleged facts indicating misuse of personal information. Notably, the court pointed out that the majority of district courts faced with the issue of standing in data breach litigation follow the same pattern in finding that, where there is no specific incident of misuse use of stolen data, the increased risk of identity theft does not confer standing, citing In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (listing cases). Id at *9. In contrasting those cases with Remijas, the court noted that the only post-Clapper cases in which data breach plaintiffs were found to have standing all included allegations indicating that some of the stolen data had already been misused, that there was a clear intent to use the plaintiffs’ personal data for fraudulent purposes, or both. Id. As a result, the court concluded that in the data breach context, plaintiffs must allege an injury in fact arising from increased risk of identity theft by putting forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud. Id. at *11. In particular, the Khan court noted that the plaintiff had not alleged any facts indicating any attempt to misuse patients’ personal information since the breach was discovered, no suspicious activity, no unauthorized bank accounts or credit cards, no medical fraud or identity theft, and no targeted solicitations for health care products or services. There was also no indication that the purpose of the breach was to use personal data for identity fraud. Applying Spokeo’s “concrete” injury analysis, the court noted that plaintiff’s alleged violations of state law do not advance any authority for the proposition that a state legislature or court, through a state statute or cause of action, can manufacture Article III standing for a litigant who has not suffered a concrete injury.

While at least one court so far has interpreted Spokeo’s “concrete” injury analysis in data breach litigation to require actual or intended misuse of personal data for identity fraud, the difficulty in deciding what allegations are sufficient to satisfy the required prong of “concrete” injury is demonstrated by the dissent of two of the U.S. Supreme Court Justices, Justices Ginsburg and Sotomayor, who agreed with the standard but found that the allegations of the claimant were sufficient to “carry him across the threshold.” The dissent focused on “concreteness” as referring to a “an injury, harm that is real, not abstract, but not necessarily tangible” and opined that the claimants contention of inaccurate representations as to his education, family situation and economic status could affect his fortune in the job market, and thus caused actual harm to his employment prospects.

Thus, just as Clapper’s emphasis on the requirement of actual or imminent injury gave only a brief respite from cases with no actual injuries (until the Circuit courts, and in particular the Seventh Circuit, focused on the “imminent” aspect of injury), the Spokeo decision may simply generate a focus on increasing allegations of “concrete” impacts from “imminent” injuries arising from statutory violations. The decision puts to rest the spectre of standing being conferred simply by alleging a procedural statutory violation that generates a statutory damage award but no harm. What falls within or outside that line of harm, however, is likely to be the subject of continuing disagreement and debate in the lower courts.

Data Breach Class Actions Survive Standing Challenge in 7th Circuit’s Decision in Lewert v. PF Chang’s

Potential defendants to data breach class actions received unwelcome news from the 7th Circuit Court of Appeal on April 14 when it reversed a District Court’s decision to dismiss a potential class action against PF Chang’s, a nation-wide restaurant chain which suffered a hacking attack affecting customers’ credit and debit card information.  The District Court dismissed the plaintiffs’ suit against PF Chang’s on the grounds plaintiffs lacked Article III standing—a common and often successful tool used by defendants to defeat data breach suits.  However, the 7th Circuit reversed on the grounds that the plaintiffs did successfully plead standing—(1) a concrete and particularized injury (injury in fact) (2) that is fairly traceable to the challenged conduct (causation) (3) and is likely to be redressed by a favorable judicial decision (redressability).

Discussing injury in fact, the 7th Circuit highlighted its decision in Remijas v. Nieman Marcus where it held that the increased risk of fraudulent card charges and increased risk of identity theft were sufficiently imminent future harms to establish standing for plaintiffs.  In Remijas, the Court also held the time and money spent by plaintiffs resolving fraudulent charges, the identity theft that had already occurred, and the time and effort to protect against future fraudulent charges or identity theft qualified as sufficiently immediate injury to confer standing on class members.  Significantly, the Court noted that “mitigation expenses” qualify as actual injury only when harm is imminent, but where a data breach has already occurred, the risk of identity theft and fraudulent charges are immediate such that mitigation efforts are justified.

As to this case, one of the lead plaintiffs actually had fraudulent charges on his card (which his bank stopped before going through) after he dined at a PF Chang’s restaurant within the time period in which the hacking may have occurred, and he purchased identity theft monitoring services after learning of the breach. The other lead plaintiff did not have fraudulent charges on the card he used to pay at the PF Chang’s where he dined, but he spent time and effort monitoring his card statements.  The 7TH Circuit treated the plaintiffs’ allegations of an increased risk of fraudulent charges and identity theft because their data was already stolen as sufficient injury to survive a standing challenge in light of one of the specific pleadings that one of the plaintiffs already experienced fraudulent charges and purchased identity theft monitoring services while the other alleged he spent time and effort monitoring his card statements.  The Court left for evaluation on the merits below whether the time and money spent resolving fraudulent charges were compensable losses.

The Court also rejected the defendant’s argument that the plaintiffs’ data was not exposed in the breach; the Court viewed this point as immaterial because the plaintiffs pleaded plausible allegations that their data was stolen—a public statement by PF Chang’s regarding the breach was directed to all customers who dined at its stores across the U.S., and PF Chang’s admitted it did not know how many stores were affected, only later concluding 33 stores were affected.  PF Chang’s argument that the plaintiffs were not affected was considered a factual dispute by the Court over the scope of the breach which did not destroy standing. Instead, the Court broadly declared that “when the data system for an entire corporation with locations across country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”

As to causation, plaintiffs’ allegation the PF Chang’s at which they dined was hit by the breach was sufficient to survive the defendant’s standing challenge despite the defendant’s argument that the store in which plaintiffs dined was not affected by the breach. According to the Court, the disputed fact as to whether the specific restaurant was hacked did not defeat plaintiffs’ allegations and had to be addressed on the merits.

Redressability, like causation, was dealt with rather quickly by the Court—it held that a favorable judicial decision would redress the plaintiffs’ purchase of credit monitoring services, plaintiffs’ inability to accrue points on a debit card while waiting for a replacement card, and other class members’ unreimbursed fraudulent charges. The Court noted that all class members should have the opportunity to show they spent time and resources tracking possible fraud, changing automatic charges, and replacing cards.

Significant lessons are to be learned from this decision. First, the threat of fraudulent charges and identity theft appears to be a sufficiently imminent injury, at least within the 7th Circuit, to withstand a standing challenge when the breach involves theft of consumers’ financial information. It seems the Court would have reached this same result even if one of the plaintiffs did not actually suffer fraudulent charges on his account. Second, broad language in the decision suggests that defendants’ standing attacks face a significant uphill battle since a company reacting as if a breach could affect all its locations or systems provides a plaintiff with sufficient plausibility of injury for standing purposes even if it turns out through further investigation that not all locations or systems were affected. This is particularly troubling because often businesses react to data breaches quickly, endeavoring to inform the public of a breach to permit potentially affected individuals to take immediate action to prevent losses, but often do not have a full grasp of the scope of a breach at the time of informing the public.  By trying to benefit the greatest number of people and prevent harm as early on as possible, businesses may be undercutting themselves in their defense strategy for future data breach litigation brought by plaintiffs who may (or may turn out not to) be affected by the data breach.  Businesses facing data breaches may want to carefully craft public statements alerting all consumers to be alert but avoiding making any representations that all locations, stores, or systems are potentially affected.  But, even a carefully crafted statement might be treated by a court as an admission by a business that it suspected, even for a discrete moment in time, that all of its locations or systems could be affected.

ALERT — President Obama Signs Defend Trade Secrets Act of 2016

Marking a sea change in the protection of US trade secrets, on May 11, President Obama signed into law S. 1890, titled the “Defend Trade Secrets Act of 2016” (DTSA), which establishes the first federal private right of action for trade secret misappropriation and opens the doors of federal courts to trade secrets litigants.

In passing the DTSA, the Senate specifically noted cybersecurity risks as a driving force. In its report, the Senate Judiciary Committee specified the following: “Protecting trade secrets has become increasingly difficult given ever-evolving technological advancements. Thieves are using increasingly sophisticated methods to steal trade secrets and the growing use of technology and cyberspace has made trade secret theft detection particularly difficult.” The DTSA is to be used as a tool to prevent such espionage.

Theft of trade secrets has been a federal crime since the passage of the Economic Espionage Act of 1996 but prior to the DTSA, civil claims for trade secret misappropriation were the exclusive province of state courts, which resulted in state-to-state variation on a number of important issues. Efforts at enhancing uniformity have been somewhat successful in recent years, with 48 states adopting the Uniform Trade Secrets Act (UTSA), a model statute aimed at bolstering trade secret protection for businesses operating in multiple states. (Bills adopting UTSA have also been introduced in New York and Massachusetts, the two remaining holdouts.) Even with the widespread adoption of UTSA, however, variation in trade secret law has persisted. The DTSA strengthens trade secret protections by furthering nationwide uniformity in this area of law.

The DTSA is modeled largely upon UTSA, and businesses already operating in UTSA states should therefore see much in the new law that looks familiar. For example, the DTSA’s definitions of “trade secret” and “misappropriation” are striking similar to the definitions found in UTSA, though some may argue that the DTSA’s definition for “trade secret” is potentially more broad. The DTSA does not pre-empt state law, though, and there are some notable distinctions between UTSA and the DTSA about which companies would be well-advised to take notice:

Interstate Commerce. A DTSA action may only be brought if the trade secret at issue is one that “is related to a product or service used in, or intended for use in, interstate or foreign commerce.” This stretches the DTSA to the limit of Congress’ authority under the Commerce Clause and precludes an action in federal court where the trade secret is not “used or intended for use” outside of the plaintiff’s home state. Of course, in the interconnected marketplace of the 21st century, misappropriation claims that are beyond a federal court’s DTSA jurisdiction will likely be the exception, rather than the rule. And even in those seemingly rare instances, the plaintiff will not be without recourse; it will simply be limited to pursuing its claim in state court under state trade secret laws.

Civil Seizure. The ex parte civil seizure provision is the most notable distinction separating the DTSA from UTSA. Under this provision, without even notifying the defendant that a lawsuit has been filed, the plaintiff may obtain a court order directing a federal marshal to seize from the defendant the allegedly misappropriated trade secret. While at first glance, civil seizure seems like a powerful tool, this provision is subject to a number of limitations and may be employed “only in extraordinary circumstances.” To obtain such a civil seizure order, the plaintiff must show, among other things, that it will likely succeed when its misappropriation claim is tried, that it will suffer “immediate and irreparable injury” if the order is not issued and that the harm it will suffer “outweighs the harm to the legitimate interests” of the defendant. The plaintiff must also demonstrate that if it provided notice to the defendant before the issuance of the seizure order, the defendant would destroy, move, hide or otherwise make the alleged trade secret inaccessible. Consistent with federal court practice regarding temporary restraining orders, the plaintiff must also provide security for the payment of damages to the defendant, should it later be determined that the seizure was wrongful or excessive.

Even where the plaintiff meets its burden and demonstrates that a civil seizure order is appropriate, the court may only order “the narrowest seizure of property necessary” to protect the alleged trade secret. Moreover, the seizure must be conducted in a manner that minimizes any interruption of the business operations of third parties and, to the extent possible, will not interrupt the legitimate operations of the defendant.

Companies should exercise caution in seeking a civil seizure order. The statute requires a hearing seven days after an order is issued, at which the defendant is afforded the opportunity to be heard and the court will determine if seizure order should be modified or dissolved. Importantly, if the court determines that the seizure was wrongful or excessive — terms which the DTSA does not define — the defendant may recover from the plaintiff its reasonable and necessary attorney’s fees, as well as damages for any lost profits, cost of materials and loss of good will occasioned by the seizure. The defendant can even recover punitive damages, if it shows the plaintiff sought the seizure in bad faith.

Remedies. Like UTSA, the DTSA authorizes the court to issue an injunction to prevent “actual or threatened misappropriation” and allows the plaintiff to recover monetary damages for the actual loss and any unjust enrichment caused by the misappropriation or, in the alternative, a reasonable royalty for the unauthorized disclosure or use of the trade secret. The plaintiff may also recover its reasonable and necessary attorney’s fees under either law where a trade secret has been “willfully and maliciously misappropriated,” together with exemplary damages of up to twice the amount of actual damages awarded.

The DTSA, however, limits the scope of any potential injunction by restricting the application of the “inevitable disclosure doctrine,” a legal theory which has been applied in a handful of UTSA states. Under that doctrine, a court may enjoin “threatened” misappropriation by a company’s former employee through an injunction prohibiting him from competing or accepting employment with a competitor if doing so would inevitably compromise any of the company’s trade secrets that the former employee knows. A DTSA injunction cannot “prevent a person from entering into an employment relationship” and the court may use the injunction to place conditions on a person’s employment only where there is “evidence of threatened misappropriation” and not merely evidence that the person knows the alleged trade secret. Additionally, if the enjoined person resides in a state with laws prohibiting restraints on the practice of a lawful profession, trade or business, a DTSA injunction cannot conflict with those laws.

Whistleblower Protections. The DTSA includes specific protections for any person who discloses a trade secret to a federal, state or local government official solely for the purpose of reporting or investigating a suspected violation of the law. To that end, a “whistleblower” who discloses a trade secret to a government official cannot be held criminally or civilly liable for the disclosure. If a person is terminated from his employment because of his whistleblowing activities, the DTSA also protects the person from liability for disclosing his employer’s trade secrets in any subsequent retaliation lawsuit.

Notice Requirements. The DTSA requires employers to provide notice of its immunity provisions in any contract or agreement with an employee that governs the use of a trade secret. If an employer fails to comply with this notice provision and later files suit against the employee for misappropriation of trade secrets, the DTSA bars the employer from recovering its attorney’s fees or any exemplary damages. This requirement only applies to contracts or agreements entered into or updated after DTSA’s enactment, so companies need not race to renegotiate old agreements with their employees. As to any new agreements or older agreements that are amended, companies should be mindful of the notice requirement and ensure that they have complied with it. If they do not, they limit the recourse that will be available to them in any future misappropriation suit.

Enhanced Criminal Penalty. Recognizing the increasing value of trade secrets in an ever more competitive and innovative marketplace, Congress also increased the potential criminal fine to which a person guilty of trade secret misappropriation is subject from $5,000,000 to “the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.”

Congress aptly observed that “trade secret theft occurs in the United States and around the world” and “harms the companies that own trade secrets and the employees of the companies.” Generally speaking, the DTSA helps to alleviate the harm of trade secret misappropriation by augmenting existing trade secret protections and creating a potential alternative forum for misappropriation claims. Sedgwick will continue to follow the developments surrounding the DTSA as it is implemented and stands ready to assist any clients seeking to avail themselves of its protections.

LexBlog