Standing Taking a Seat in Cyber Claims.

The standard defense to a data breach lawsuit has been — there was no actual injury (only the fear of a potential injury), so the plaintiffs lack standing and the case must be dismissed. This defense has historically resulted in the dismissal of data breach lawsuits. But this standing defense is under siege and the Third Circuit might have given it a permanent seat.

In In re: Horizon Data Breach Litigation, Horizon, a large health insurer, had two laptops stolen. The laptops contained the PII (personally identifiable information) of hundreds of thousands of people. A class action lawsuit was filed in which the plaintiffs alleged that because Horizon did not take reasonable steps to secure its data, the plaintiffs were left vulnerable to identity theft. The district court dismissed the action on the basis of standing, as none of the putative class members could show that the breached information had been used to their detriment. The Third Circuit, in a published and precedential decision that was the first of its kind, reversed and found that, even without evidence that the information was used improperly, the plaintiffs had standing to proceed with their claims.

This decision is big news as it comes from a federal circuit court and means that the standing defense is losing its hold as a viable defense. Standing, in short, is taking a seat.

Special thanks to Matt Care for his contribution to this post. For more information, please e-mail Bob Cosgrove.

Pennsylvania Superior Court Finds Employers Have No Duty to Protect Electronically Stored Personal Information

In Dittman v. UPMC, breach of contract and negligence actions were brought against an employer when employees’ personal information was stolen from the employer’s computer system and used to file fraudulent tax returns and steal tax refunds. Specifically, the names, birth dates, Social Security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 current and former UPMC employees were accessed and stolen from UPMC’s computer system. The stolen information was personal information that UPMC required employees to provide as a condition of employment.

The employees filed a class action lawsuit, arguing that UPMC had a legal duty to protect their personal and financial information and that UPMC failed to properly encrypt the data and establish adequate firewalls to protect the information in its network. UPMC filed preliminary objections to the complaint, arguing that the employees lacked standing to assert these claims on behalf of individuals who had not yet been injured and that the negligence and breach of contract claims failed as a matter of law. The trial court sustained the preliminary objections and dismissed the claims.

On appeal, the Superior Court agreed with the trial court that UPMC did not owe a duty of reasonable care in its collection and storage of the employees’ data. In coming to that conclusion, the Superior Court weighed five factors. First, the Superior Court found that the relationship between the parties, that of employer and employee, weighed in favor of imposing a duty on the employer. Second, the Court reasoned that employers have an obvious need to collect and electronically store the personal information of their employees. Although the foreseeability of a data breach is a substantial risk, the utility of electronically storing information outweighs the risk. Next, the Court reasoned that it was unnecessary to have a judicially imposed duty requiring employers to incur significant costs to increase security when there is no true way to prevent security breaches altogether. Finally, the Court found that it was not in the public interest to impose a duty and expend judicial resources, as legislation already addressed the issue.

Thanks to Alexandra Perry for her contribution to this post and please write to Mike Bono if you would like more information.

Going to Need a Bigger Boat? Will Cyber Rules Finally Impact Insurers and Their Vendors (Like Lawyers)?

You might have noticed that cybersecurity issues are a little bit in the news these days. But, we’re not here to talk about Russian spies influencing US presidential elections (although that would be an interesting discussion). Rather, we’re here to talk about boring NY bureaucrats, who have just promulgated (for comment) 23 NYCRR 500, CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES, which is set to go into effect on January 1, 2017 (yes, that’s less than 3 months from now). The proposed regulation is currently in its comment period and, if adopted, will apply to insurers who do more than $5,000,000 in gross revenue and are regulated by the NY Department of Financial Services. It will also likely serve as the blueprint for other states across the country. So what does the regulation propose to do?

Basically, to prevent and mitigate a “cybersecurity event”, i.e. an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system, a regulated entity (like an insurance company) is obligated to ensure that non-public information (like names, dates of birth and Social Security numbers) is protected. To do that, you must:

(1) develop and implement a cybersecurity program that includes penetration testing, vulnerability assessments, an audit trail system, access privilege limitations, application security, risk assessments, a data retention policy, encryption of nonpublic information and an incident response plan;

(2) develop and implement a cybersecurity policy that includes training and monitoring;

(3) have a chief information security officer (and other personnel); and

(4) have a third-party information security policy that will apply to all third-parties doing business with the insurer.

But, you might ask, what does this really mean for me? It means that you’re going to need a bigger boat (to paraphrase Jaws) if you want to stay ahead of this shark and avoid fines and penalties by the NY Department of Financial Services (and also avoid lawsuits where failure to follow the NY regulations will serve as a blueprint for what you were supposed to do and failed to do). Insurers and their vendors (like attorneys) have in their possession voluminous amounts of information (like medical records, discovery responses and transcripts) that include non-public information. Yet, how often is such information being transmitted by insurers to their attorneys (and from attorneys to their insurers) in unsecured ways? How many insurers are capable of downloading and adding to their files information that is sent by attorneys in secured ways (e.g. via Sharefile — which is our preferred data transmission method at WCM)? I think the answer is “not as many as you would hope.” We here at WCM are happy to help work with you as to what you need to do (and to do what we can for you to help ensure compliance). But, there’s a lot of work to be done and not a lot of time to start doing it.

For more information about this post please e-mail Bob Cosgrove.

Editor’s Note: Due to public outcry, implementation of the regulations has been delayed to March 1, 2017. The shark remains in the water, but there is not yet blood.

Do CGL Policies Now Insure Data Breaches?

The case that everyone is talking about is Travelers Indemnity v. Portal Health, a just-released, unpublished Fourth Circuit opinion. The quick story is that the Fourth Circuit affirmed the trial court opinion and held that Travelers owed coverage (specifically a defense) under a CGL policy for a data breach. The real story is a bit more nuanced.

In the case, Portal Healthcare, a Virginia-based company, was sued in NY in a class action lawsuit. In the lawsuit, patients of Glens Falls Hospital claimed that Portal Healthcare failed to safeguard medical records entrusted to Portal Healthcare by the hospital and instead allowed those records to be posted on the internet – accessible to everyone via a Google search. Portal Healthcare was insured by Travelers under two consecutive commercial general liability insurance policies – a 2012 policy and a 2013 policy. The policies were not standard policies – rather, they contained special endorsements that expanded the scope of personal injury, advertising injury and web site injury coverage.

Specifically, the 2012 Policy contained a Web Xtend Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. The 2013 Policy contained an Amendment of Coverage B – Personal And Advertising Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. Under both endorsements, the parties (and court) seemed to agree that coverage was triggered if the underlying complaint alleged: (1) injury arising out of the offense of “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (the language utilized in the insuring agreement of the 2012 Policy) or (2) injury caused by the offense of “electronic publication of material that . . . discloses information about a person’s private life” (the language utilized in the insuring agreement of the 2013 Policy).

In respect of the first point, Travelers argued that, although the data was available to the general public, publication did not occur because Portal Healthcare did not intend to publish it. The court rejected this argument, holding that it was the fact of publication (and not the intent of the publisher) that mattered.

In respect of the second point, Travelers argued that no “publicity” was given to a person’s private life, as the leak was not intended to generate publicity. The court also rejected this argument, holding that since the leaked data was available to the general public, publicity had occurred.

All of this seems rather straightforward, so why all the fuss? It seems that a top-sheet review might be to blame. When you look at the trial court’s decision and the policies themselves, you see that Travelers’ decision to broaden the scope of potential claims that would qualify as “personal and advertising injury” is the root cause of the decision. So, it’s true that CGL policies might have more potential exposure to data breaches – but only if you enhance the coverages.

For more information about this post please e-mail Bob Cosgrove.

What’s in a Name? Information Privacy Finds “New” Cause of Action in PA

As we have reported over the last several months, information and data privacy have become hot-button issues in litigation. Still, the trend in many jurisdictions has been to force-fit many of these claims into predetermined, well-established legal principles like negligence or breach of contract. That trend, however, may be falling by the wayside in Pennsylvania, where at least one Common Pleas judge has found that plaintiffs alleging misuse of their personally identifiable information (PII) may, in some instances, bring a newly recognized cause of action for defamation.

In Griffith v. PPL Susquehanna LLC, a pair of plaintiffs filed suit against their former employer, which operated a nuclear power facility in Salem Township, Pennsylvania. In particular, the plaintiffs alleged that PPL defamed them after their respective tenures at the Salem power plant ended by spreading false information through the Personnel Access Data System (PADS), a centralized database used by nuclear facilities throughout the country to process industry workers. According to the plaintiffs, PPL used the PADS system to share unspecified “falsehoods” that prevented them from finding work at other nuclear facilities, in retaliation for their whistleblowing about safety violations at the Salem site.

In response to the plaintiffs’ suit, PPL filed two rounds of preliminary objections aimed, in part, at dismissing the defamation claims. Specifically, PPL argued that because the PADS system is not a public access vehicle, but rather is for the internal use of the nuclear industry, the plaintiffs could not prove that false personal information about them had been published. Unconvinced, Common Pleas Judge Denis P. Cohen concluded that the alleged dissemination of this personnel information by PPL to other members of the nuclear industry via the PADS system was legally sufficient to sustain a cause of action for defamation, because the plaintiffs alleged that the sharing of personal information caused lost employment opportunities.

Griffith demonstrates that information and data privacy claims continue to evolve rapidly in litigation. Where even months ago plaintiffs challenging the use of their PII may have been asked to fit their claims into preexisting molds in order to sustain recovery, Griffith in some ways signals a new reality wherein courts are responding to such litigation with greater flexibility and creativity. Thanks to Adam Gomez for his contribution. Please email Brian Gibbons with any questions.

Fraudulent Medical Claims Submitted by Computer Not Covered under Cyber Liability Policy (NY)

In Universal American Corp. v. National Fire Insurance Co. of Pittsburgh, the New York Court of Appeals dealt with whether a cyber liability policy provided coverage for losses sustained as a result of the submission and payment of fraudulent medical provider claims. Plaintiff Universal American Corp. is a health insurance company that offers federal government-regulated alternatives to Medicare. Universal sustained over $18 million in losses when it paid fraudulent medical claims for services that were never actually rendered. Universal’s computerized billing system allowed health care providers to access it and submit fraudulent claims directly to Universal and obtain payment. Interestingly, the great majority of claims were processed and paid automatically, without manual review.

Universal sought coverage for the damages sustained pursuant to a rider of a financial institution bond issued by defendant National Union Fire Insurance Company. The rider, entitled “Computer Systems” and “Computer System Fraud,” provided indemnification for “losses resulting directly from a fraudulent entry of Electronic Data or Computer Program into, or change of Electronic Data or Computer Program, within the Insured’s proprietary Computer System.” The New York Court of Appeals held that the language of the rider unambiguously applies to losses incurred from unauthorized access to the computer system (e.g., computer hacking or a data breach by a third party) and not to losses resulting from fraudulent claims submitted by authorized users.

The Court’s ruling reiterated that simply because a claim arises out of the improper use of a computer does not mean the insured’s cyber liability policy will provide coverage, particularly where, as here, the culprit was authorized to access the computer system.

Thanks to Brett Kuller for his contribution to this post and please write to Mike Bono for more information.

European Union’s Highest Court Says US Not Fit to Receive Personal Data.

The EU’s highest court recently invalidated the Safe Harbor agreement for data transfers (of personally identifiable information) between EU countries and the US. The Safe Harbor agreement was created to allow for the transfer of data between the EU and US notwithstanding the fact that US data privacy laws and regulations are far less stringent than European ones. In the case of Maximillian Schrems v. Data Protection Commissioner, the EU high court said that the Safe Harbor workaround was no longer viable.

In reaching this conclusion, the Court cited inadequate US safety protocols, which became apparent in the wake of the Edward Snowden revelations. Specifically, the Court stressed that the EU places much more emphasis on digital privacy as a fundamental right than the US does. Thus, the Court first held that “legislation [like what exists in the US] permitting the public authorities to have access on a generalized basis to the content of electronic communications” is a violation of the right to privacy contained in the EU Charter of Fundamental Rights. Second, the Court found that companies needed to allow consumers to delete their digital footprints (a/k/a the right to be forgotten). Third, the Court held that consumers need more judicial access for data privacy violations in order to hold companies accountable (which is often not possible in the US because of the standing issues on which we have previously written). Because of these deficiencies, the Court ruled that the Safe Harbor agreement had to go.

So, why should you care? First, if you are an American company that conducts business in the EU (or a European company that conducts business in the US), you now have to be careful as to what data you share across borders. This gets interesting if, for example, you are a London-based insurance company that transacts business in the US and is embroiled in a bad faith lawsuit in the US. How, for example, can you now produce personnel jackets of employees (which are discoverable as a matter of course in a bad faith claim)? If you do, are you in violation of Schrems? If you don’t, are you guilty of contempt of court?

And what then of companies that are involved in litigation and have European operations (or parents)? If they produce documents, are they subject to EU fines? If they don’t, are they breaching the “cooperation” clause in standard ISO-based insurance policies?

Schrems does not answer these questions (and it does not seem that the dangers of US litigation were high on the Court’s list of concerns). But, the danger is real and the only solution would seemingly take place on the US federal level, that is, in Congress, which would have to enact federal legislation to address the issue. Anyone want to take any bets on whether that is likely to happen in this Congress?

Special thanks to Matt Care for his contributions to this post. For more information please e-mail Bob Cosgrove.

Third Circuit Affirms Federal Trade Commission Role as Data Privacy Enforcer

As we have previously reported, the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide held that Section 45(a) of the Federal Trade Commission (“FTC”) Act permitted the FTC to prosecute civil actions for cyber security breaches arising out of or related to “unfair” or “deceptive” practices. On appeal, the United States Court of Appeals for the Third Circuit affirmed, finding that data controllers and processors who fail to live up to their privacy statements fall under the purview of the FTC.

By way of refresher, the case below in Wyndham pitted the FTC against the international hospitality corporation, and stemmed from a string of cyber-attacks that compromised more than 619,000 consumer payment account numbers and resulted in $10.6 million in fraudulent charges. In light of the magnitude of the data breach, the FTC commenced its own suit against Wyndham, arguing that violations of the company’s own privacy statement constituted “unfair” or “deceptive” trade practices that the FTC is empowered to curtail through civil enforcement. Wyndham responded to the FTC’s claims by filing a motion to dismiss, which was ultimately denied by Judge Esther Salas.

On appeal, Wyndham’s attack on the trial court decision was simple: the FTC is only empowered to sue corporations for “unfair” or “deceptive” trade practices that are “unscrupulous” or “unethical,” and any civil action alleging conduct short of that is outside Section 45(a). Despite this articulation of the scope of the FTC Act, the Third Circuit reasoned that Section 45(a) instead applies wherever corporate conduct is inequitable and, in respect of data privacy breaches, can warrant prosecution when “a company . . . publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Moreover, even where the privacy issues arise out of a criminal act (as most, if not all, do), the Court concluded that this interpretation of Section 45(a) is supported by the foreseeability of a data breach affecting personal financial information.

While Wyndham is a watershed case for the federal government’s enforcement of citizens’ data privacy rights, the real question posed by the defendant is whether such an action can survive the conspicuous absence of uniform data privacy laws or regulations in the United States. For our part, however, the reasoning in Wyndham is at least clear insofar as federal courts need not entertain the lack of a national or state data privacy regime when analyzing third-party liability if, in fact, the data controller or processor at issue publishes its own privacy statement or protocol. Thanks to Adam Gomez for his contribution to this post. Please email Brian Gibbons with any questions.

Standing Argument Told to Sit Down in Recent Data Breach Lawsuit (PA)

As we predicted in our essay, standing attacks are becoming less useful in obtaining the dismissal of data breach lawsuits. Last week, the Seventh Circuit Court of Appeals found that customers of Neiman Marcus were able to satisfy Article III’s standing requirements despite the fact that there was no indication that the social security numbers or other personal information of customers had been exposed in any way.

In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. As the company began to investigate these charges, it discovered potential malware in its computer system. Malware is malicious software designed to infiltrate, damage, or otherwise cause unintended or unauthorized conditions or actions. In this case, the malware attempted to collect credit card data between July 16, 2013 and October 20, 2013. Around 350,000 cards were potentially exposed and, of those 350,000, 9,200 were known to have been used fraudulently.

In the wake of the breach, Senior Vice President and Chief Information Officer for the Neiman Marcus Group, Michael Kingston, testified before the United States Senate Judiciary Committee. Although he testified that there was “no indication that social security numbers or other personal information [was] exposed in any way,” his testimony sparked a class-action complaint.[1] The complaint relied on a number of theories for relief, including negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

In framing its analysis on the alleged harms, the Court found that “[t]hese plaintiffs must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.”

Although there was no evidence that the plaintiffs’ data had been misused, the Court found that the plaintiffs had suffered particularized harm for which a judicial decision could provide redress. The Court found that a favorable judicial decision could redress injuries where the plaintiffs received less than full reimbursement of unauthorized charges. Although some credit card companies offer customers “zero liability” policies in which the customer is not held responsible for fraudulent charges, this is a business practice and not a federal requirement. As such, it defeated neither the injury-in-fact requirement nor the redressability requirement.

So, where does this new opinion leave us? While we don’t know exactly what the future holds for standing arguments in data breach lawsuits, we can surmise that the opinion we expressed in our CounterPoint article holds true – attacks on standing may not be the best way to defend against data privacy claims. Thanks to Erica Woebse for her contribution. Please email Brian Gibbons with any questions.

[1] Originally there were a number of class-action complaints. They were consolidated in a First Amended Complaint, which was filed on June 2, 2014 by Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao.

Lack of Standing Still Viable Defense Against Data Breaches (PA)

Around September 20, 2010, health insurance carriers Keystone Mercy Health Plan and Amerihealth Mercy Health Plan lost an unencrypted flash drive containing the personal and confidential health information of over 200,000 individuals. The loss of the information contained on the flash drive not only violated the carriers’ own privacy practices, but breached both federal and state laws, including the HIPAA Privacy Rule and Pennsylvania’s Privacy of Consumer Health Information law.

As a result, Avrum Baum, the father of a special-needs minor insured by the carriers, elected to bring suit on behalf of himself, his daughter, and other similarly situated individuals. On behalf of this group, he asserted claims for negligence, negligence per se, and a violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), 73 Pa.C.S. § 201-1, et seq. What is more, Baum sought to certify a class of the individuals who he alleged had their privacy compromised as a result of the flash drive loss.

On July 25, 2013, the Court of Common Pleas denied the plaintiff’s motion for class certification on all of the counts asserted.

On appeal, the Superior Court upheld the denial of class certification on the negligence claim. The Court found that there was no evidence that the plaintiff or any members of the purported class were at risk of identity theft, because the personal health information on the flash drive could not be linked to individuals by name. However, whereas the Philadelphia court had found that the plaintiff could not establish typicality on the UTPCPL claims, the Superior Court elected to remand the case to the Court of Common Pleas to determine whether the class could be certified based on the UTPCPL “catch-all provision.”

Thus, the question left to the court was: is there a class to be certified on the plaintiff’s claim of deceptive practices under the “catch-all” provision of the UTPCPL, which prohibits one from “engaging in any other fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding”? 73 Pa.C.S. § 201-2(4)(xxi).

Ultimately, the Court of Common Pleas determined that Baum could not satisfy the typicality and adequacy standards that are required for class certification. The Court found that, unlike other members of the class, the plaintiff’s daughter did not lose her personal data: none of the information on the flash drive could be linked to her identity. As such, the plaintiff was an inadequate representative of the group. Furthermore, the plaintiff did not give any consideration in exchange for the policy covering his daughter. Instead, the insurance was paid for by the state through Medicaid.

Baum serves as a reminder of the difficulties associated with data breach claims. If this case is any indication, these difficulties will not be going away any time soon. Please email Brian Gibbons with any questions. Thanks to Erica Woebse for her contribution.