What’s in a Name? Information Privacy Finds “New” Cause of Action in PA

As we have reported over the last several months, information and data privacy have become hot-button issues in litigation.  Still, the trend in many jurisdictions has been to force-fit these claims into predetermined, well-established legal theories like negligence or breach of contract.  That trend may be falling by the wayside in Pennsylvania, where at least one Common Pleas judge has found that plaintiffs alleging misuse of their personally identifiable information (PII) may, in some instances, proceed on the familiar but newly repurposed cause of action of defamation.

In Griffith v. PPL Susquehanna LLC, a pair of plaintiffs sued their former employer, which operated a nuclear power facility in Salem Township, Pennsylvania.  The plaintiffs alleged that, after their respective tenures at the plant ended, PPL defamed them by spreading false information through the Personnel Access Data System (PADS), a centralized database used by nuclear facilities throughout the country to process industry workers.  According to the plaintiffs, PPL used PADS to share unspecified “falsehoods” that prevented them from finding work at other nuclear facilities, in retaliation for their whistleblowing about safety violations at the site.

In response, PPL filed two rounds of preliminary objections aimed, in part, at dismissing the defamation claims.  PPL argued that because PADS is not publicly accessible, but is used internally within the nuclear industry, the plaintiffs could not establish the publication element of defamation.  Unconvinced, Common Pleas Judge Denis P. Cohen concluded that the alleged dissemination of the personnel information by PPL to other members of the nuclear industry via PADS was legally sufficient to sustain a defamation claim, because the plaintiffs alleged that the sharing of that information caused them to lose employment opportunities.  Publication to a closed industry audience is still publication to third parties.

Griffith demonstrates that information and data privacy claims continue to rapidly evolve in litigation.  Where even months ago, plaintiffs challenging the use of their PII may have been asked to fit their claims into preexisting molds in order to sustain recovery, Griffith in some ways signals a new reality wherein courts are responding to such litigation with greater flexibility and creativity.  Thanks to Adam Gomez for his contribution.  Please email Brian Gibbons with any questions.

Fraudulent Medical Claims Submitted by Computer not Covered under Cyber Liability Policy (NY)

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, Pa., the New York Court of Appeals addressed whether a computer-fraud rider provided coverage for losses sustained from the submission and payment of fraudulent medical provider claims.  Plaintiff Universal American Corp. is a health insurance company that offers federally regulated alternatives to Medicare.  Universal sustained over $18 million in losses when it paid fraudulent claims for services that were never rendered.  Universal’s computerized billing system allowed health care providers to submit claims directly to Universal and obtain payment, and the great majority of claims were processed and paid automatically without manual review.

Universal sought coverage under a rider to a financial institution bond issued by defendant National Union Fire Insurance Company.  The rider, entitled “Computer Systems” and “Computer System Fraud,” indemnified “losses resulting directly from a fraudulent entry of Electronic Data or Computer Program into, or change of Electronic Data or Computer Program, within the Insured’s proprietary Computer System.”  The Court of Appeals held that the rider’s language unambiguously applies to losses caused by unauthorized access to the computer system, such as hacking or a data breach by a third party, and not to losses resulting from fraudulent content submitted by users who were authorized to use the system.

The ruling is a reminder that a loss arising from the improper use of a computer is not automatically a covered computer-fraud loss, particularly where, as here, the culprits were authorized users of the system.  The distinction the Court drew is the same one a security engineer draws between an access-control failure (an outsider getting in) and a business-logic or fraud failure (a legitimate user submitting bad data that the system accepts without review).

Thanks to Brett Kuller for his contribution to this post and please write to Mike Bono for more information.

European Union’s Highest Court Says US Not Fit to Receive Personal Data.

The EU’s highest court recently invalidated the Safe Harbor framework for transfers of personal data from EU member states to the US. Safe Harbor was created to allow such transfers even though US data privacy laws and regulations are far less stringent than European ones. In Maximillian Schrems v. Data Protection Commissioner, the Court of Justice of the European Union held that the Safe Harbor workaround was no longer viable.

In reaching this conclusion, the Court relied on the inadequacy of US safeguards, which became apparent in the wake of the Edward Snowden revelations. The Court stressed that the EU treats digital privacy as a fundamental right to a far greater degree than the US does. First, the Court held that “legislation [like what exists in the US] permitting the public authorities to have access on a generalized basis to the content of electronic communications” compromises the right to privacy contained in the EU Charter of Fundamental Rights. Second, the Court found that individuals must have a legal means to access, rectify or erase personal data concerning them (a cousin of the “right to be forgotten”). Third, the Court held that individuals need effective judicial remedies for data privacy violations in order to hold companies accountable (which is often not possible in the US because of the standing issues on which we have previously written). Given these deficiencies, the Court ruled that Safe Harbor had to go.

So, why should you care? First, if you are an American company that conducts business in the EU (or a European company that conducts business in the US), you now have to be careful about what data you move across borders. This gets interesting if, for example, you are a London-based insurance company that transacts business in the US and is embroiled in a bad faith lawsuit there. How can you now produce the personnel files of employees (which are discoverable as a matter of course in a bad faith claim)? If you do, are you in violation of Schrems? If you don’t, are you in contempt of court?

And what of companies that are involved in litigation and have European operations (or parents)? If they produce documents, are they subject to EU fines? If they don’t, are they breaching the “cooperation” clause in a standard ISO-based insurance policy?

Schrems does not answer these questions (and it does not seem that the dangers of US litigation were high on the Court’s list of concerns). But the danger is real, and the only real solution would seemingly have to come at the US federal level, that is, from Congress, which would have to enact federal legislation to address the issue. Anyone want to bet on whether that is likely to happen in this Congress?

Special thanks to Matt Care for his contributions to this post. For more information please e-mail Bob Cosgrove.

Third Circuit Affirms Federal Trade Commission Role as Data Privacy Enforcer

As we have previously reported, the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide held that Section 5(a) of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. § 45(a), permits the FTC to bring civil actions over cybersecurity breaches arising out of or related to “unfair” or “deceptive” practices.  On appeal, the United States Court of Appeals for the Third Circuit affirmed, holding that data controllers and processors who fail to live up to their own privacy statements fall within the purview of the FTC.

By way of refresher, Wyndham pitted the FTC against the international hospitality corporation and stemmed from a string of cyber-attacks that compromised more than 619,000 consumer payment account numbers and resulted in $10.6 million in fraudulent charges. In light of the magnitude of the breach, the FTC sued Wyndham, arguing that the company’s failure to honor its own privacy statement constituted “unfair” or “deceptive” trade practices that the FTC is empowered to curtail through civil enforcement.  Wyndham moved to dismiss; Judge Esther Salas denied the motion.

On appeal, Wyndham’s attack on the trial court decision was simple: the FTC is empowered to sue only over “unfair” or “deceptive” trade practices that are “unscrupulous” or “unethical,” and any civil action alleging conduct short of that falls outside Section 5(a).  The Third Circuit disagreed, reasoning that Section 5(a) reaches inequitable corporate conduct and, in the data-security context, can support enforcement when “a company . . . publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”  Moreover, the Court held that the intervening criminal act of a third-party hacker (which is how most, if not all, breaches occur) does not take the company’s conduct outside Section 5(a), because a breach exposing customers’ financial information was a foreseeable consequence of inadequate security.

While Wyndham is a watershed case for the federal government’s enforcement of consumers’ data privacy rights, the real question posed by the defendant is whether such an action can survive the conspicuous absence of uniform data privacy laws or regulations in the United States.  For our part, the reasoning in Wyndham is at least clear insofar as federal courts need not dwell on the lack of a national or state data privacy regime if, in fact, the data controller or processor at issue has published its own privacy statement or protocol: the company’s own promises become the yardstick.   Thanks to Adam Gomez for his contribution to this post.  Please email Brian Gibbons with any questions.

Standing Argument Told to Sit-Down in Recent Data Breach Lawsuit (PA)

As we predicted in our essay, standing attacks are becoming less useful in obtaining the dismissal of data breach lawsuits. Last week, the Seventh Circuit Court of Appeals found that customers of Neiman Marcus satisfied Article III’s standing requirements even though there was no indication that social security numbers or other personal information had been exposed in any way.

In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. As the company investigated, it discovered potential malware in its computer system. (Malware is malicious software designed to infiltrate or damage a system, or otherwise cause unintended or unauthorized conditions or actions.) In this case, the malware attempted to collect credit card data between July 16, 2013 and October 30, 2013. Around 350,000 cards were potentially exposed, and of those, 9,200 were known to have been used fraudulently.

In the wake of the breach, Michael Kingston, Senior Vice President and Chief Information Officer of the Neiman Marcus Group, testified before the United States Senate Judiciary Committee. Although he testified that there was “no indication that social security numbers or other personal information [was] exposed in any way,” his testimony sparked a class-action complaint.[1] The complaint relied on a number of theories of relief, including negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

In framing its analysis on the alleged harms, the Court found that “[t]hese plaintiffs must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.”

Even for plaintiffs whose cards had not yet been used fraudulently, the Court found particularized harm that a judicial decision could redress: the substantial risk of future fraudulent charges and the time and money already spent guarding against that risk. The Court also rejected the argument that reimbursement defeats redressability, since a favorable decision could compensate plaintiffs who were reimbursed for less than the full amount of the unauthorized charges. Although some credit card companies offer customers “zero liability” policies under which the customer is not held responsible for fraudulent charges, that is a business practice rather than a federal requirement, so it defeated neither the injury-in-fact requirement nor the redressability requirement.

So, where does this new opinion leave us? While we don’t know exactly what the future holds for standing arguments in data breach lawsuits, we can surmise that the opinion we expressed in our CounterPoint article holds true – attacks on standing may not be the best way to defend against data privacy claims. Thanks to Erica Woebse for her contribution.  Please email Brian Gibbons with any questions.

[1] Originally there were a number of class-action complaints. They were consolidated in a First Amended Complaint, which was filed on June 2, 2014 by Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao.

Lack of Standing Still Viable Defense Against Data Breaches (PA)

Around September 20, 2010, health insurance carriers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan lost an unencrypted flash drive containing the personal and confidential health information of over 200,000 individuals.  The loss of the information on the drive not only violated the carriers’ own privacy practices, but breached federal and state law, including the HIPAA Privacy Rule and Pennsylvania’s Privacy of Consumer Health Information law.  (Had the drive been encrypted, its loss would have exposed nothing, which is why encryption of portable media is standard practice for data of this kind.)

As a result, Avrum Baum, the father of a special-needs minor insured by the carriers, brought suit on behalf of himself, his daughter, and other similarly situated individuals. On behalf of this group, he asserted claims for negligence, negligence per se, and violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), 73 P.S. § 201-1, et seq. Baum also sought to certify a class of the individuals whose privacy he alleged had been compromised by the loss of the flash drive.

On July 25, 2013, the Court of Common Pleas denied the plaintiff’s motion for class certification on all counts asserted.

On appeal, the Superior Court upheld the denial of class certification on the negligence claims. The Court found no evidence that the plaintiff or any member of the purported class was at risk of identity theft, because the personal health information on the flash drive could not be linked to individuals by name. As to the UTPCPL claims, however, the Superior Court found the trial court’s typicality analysis incomplete and remanded for the Court of Common Pleas to determine whether a class could be certified under the UTPCPL “catch-all” provision.

Thus, the question left to the court was: is there a class to be certified on plaintiff’s claim of deceptive practices under the “catch-all” provision of the UTPCPL, which prohibits “engaging in any other fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding”? 73 P.S. § 201-2(4)(xxi).

Ultimately, the Court of Common Pleas determined that Baum could not satisfy the typicality and adequacy requirements for class certification. Unlike other members of the class, the plaintiff’s daughter did not lose her personal data: none of the information on the flash drive could be linked to her identity. That made the plaintiff an inadequate representative of the group. Furthermore, the plaintiff gave no consideration in exchange for the policy covering his daughter; the insurance was paid for by the state through Medicaid.

Baum serves as a reminder of the difficulties associated with data breach claims. If this case is any indication, these difficulties will not be going away any time soon.  Please email Brian Gibbons with any questions.  Thanks to Erica Woebse for her contribution.

DDoS Attacks on Local Universities Highlights Increasing Cybersecurity Risks (PA & NJ)

Penn State and Rutgers University have joined the ever-growing list of victims of cyberattacks. In the past two months alone, both universities have suffered distributed denial of service attacks, or, as they are more commonly referred to, DDoS attacks.

A DDoS attack is intended to render a server or network unavailable to its users. The attacker uses many devices, across many internet connections, to flood the victim’s systems with traffic until they are overwhelmed by the requests and go offline. Beyond the immediate outage, DDoS attacks are difficult to combat: the victim cannot simply block a single attacker or a single source, because the requests arrive from hundreds or even thousands of sources, each of which may look individually unremarkable. While DDoS attacks are often just a frustrating nuisance, they continue to evolve into a serious threat for network operators across the world. For Rutgers, the DDoS attack not only caused multiple internet outages, but disrupted the university’s final exam schedule.
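To make the “no single source to block” problem concrete, here is an added example (written for this page; it is not code from the universities or the articles cited) that replays constructed web-server log lines through two detectors. A per-address limit, which is what a simple firewall rule enforces, catches one noisy host; only an aggregate request-rate check catches the distributed case, where every participating address stays under the per-address limit. The log lines, addresses (documentation and benchmarking ranges only) and thresholds are all constructed for illustration.

```python
"""Added example for this page (not code from the original post or the
universities it names): per-source vs. aggregate request-rate detection run
over constructed, combined-log-format web-server lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_constructed_log():
    """Constructed 30-second log: steady background traffic throughout, one
    noisy host (203.0.113.5) in seconds 10-19, and a distributed flood from 200
    hosts in 198.18.0.0/16 in seconds 20-29. All addresses are from documentation
    and benchmarking ranges; nothing here is a real host."""
    base = datetime(2015, 4, 27, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, second, path="/"):
        ts = (base + timedelta(seconds=second)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for s in range(30):                      # background: 5 hosts, 1 req/s each
        lines += [entry(f"192.0.2.{i}", s, "/index.html") for i in range(1, 6)]
    for s in range(10, 20):                  # single-source flood: 50 req/s
        lines += [entry("203.0.113.5", s) for _ in range(50)]
    for s in range(20, 30):                  # distributed flood: 200 hosts x 2 req/s
        for h in range(1, 201):
            lines += [entry(f"198.18.0.{h}", s) for _ in range(2)]
    return lines


def parse(lines):
    """Yield (ip, unix_time) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], int(datetime.strptime(m["ts"], TS_FMT).timestamp())


def classify(lines, window=10, per_source_limit=100, aggregate_limit=1000):
    """Split traffic into fixed windows (seconds since the first request) and
    label each one.

    per_source_limit is what a simple per-IP firewall rule enforces: more than
    this many requests from one address in a window flags that address.
    aggregate_limit is the total request count per window that indicates a
    flood regardless of who sends it; only this check catches a distributed
    attack, because each participating host stays under the per-source limit.
    """
    events = list(parse(lines))
    if not events:
        return {}
    t0 = min(ts for _, ts in events)
    buckets = defaultdict(Counter)
    for ip, ts in events:
        buckets[(ts - t0) // window * window][ip] += 1

    verdicts = {}
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if noisy:
            kind = "single-source"
        elif total > aggregate_limit:
            kind = "distributed"
        else:
            kind = "normal"
        verdicts[start] = {"total": total, "sources": len(counts),
                           "flagged": noisy, "kind": kind}
    return verdicts


if __name__ == "__main__":
    for start, v in classify(make_constructed_log()).items():
        print(f"t+{start:>2}s: {v['total']:>5} req from {v['sources']:>3} hosts "
              f"-> {v['kind']} {v['flagged'] or ''}")
```

Run as a script, the three windows come out as normal, single-source (with 203.0.113.5 flagged) and distributed (nothing flagged, 4,050 requests from 205 hosts). The distributed window is the one a per-IP rule never sees, which is why mitigation has to happen on aggregate capacity and upstream filtering rather than on a blocklist.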

So, what makes universities such a target for DDoS and other attacks? As explained in a recent article in the New Jersey Law Journal, universities are relatively easy targets. The article quotes Vincent Polley, the head of technology consultancy KnowConnect, explaining that because the university structure is a “confederation of schools that are fairly loosely coordinated…[there’s] frequently not a lot of top-down management.” Universities also store vast amounts of their students’ personal and financial information, as well as sensitive research materials.

This raises the question: what can universities and colleges across the country do to protect their students’ information? According to a recent article in the New York Times, Penn State, like many other universities and colleges, is beefing up its authentication requirements. Authentication is the check a user must pass before a university system can be accessed, particularly remotely, and authentication techniques fall into three categories: (1) something only the individual knows (e.g. a password, PIN, mother’s maiden name, or other security question answer); (2) something only the individual has (e.g. a key, badge, hardware token, or one-time password generator); or (3) something the individual is (e.g. a fingerprint, voiceprint, or iris scan).

To further strengthen security, schools like Penn State are requiring two-factor authentication, which combines two of the above categories to create a layered defense against unauthorized access. One caveat: authentication controls only govern who may log in. They do nothing to absorb a traffic flood, so two-factor authentication should not be expected to blunt a DDoS attack; that takes capacity, traffic filtering and help from upstream network providers. How effective the new requirements are against the other kinds of attacks universities face remains to be seen.  Thanks to Erica Woebse for her contribution.  Please email Brian Gibbons with any questions.
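What “two of the above categories” looks like in a login check, as an added example (written for this page, not code from Penn State, Rutgers or any vendor): the first factor is something the user knows, a password stored as a salted PBKDF2 hash; the second is something the user has, an authenticator app producing RFC 6238 time-based one-time codes. The user record, secret and clock values are constructed. Beyond the bare check, the example handles the two edge cases practitioners get wrong: clock drift (one step of skew is tolerated) and replay (a code is accepted once, never again for the same or an earlier time step), and it gives the caller a single yes/no so a failed attempt does not reveal which factor was wrong.

```python
"""Added example for this page (not code from Penn State, Rutgers or any
vendor): a two-factor login check combining a knowledge factor (password stored
as a salted PBKDF2 hash) with a possession factor (RFC 6238 TOTP code from an
enrolled authenticator). User records, secrets and clock values are constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30            # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 200_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1    # highest TOTP step already accepted (replay guard)


def enroll(name: str, password: str, totp_secret: Optional[bytes] = None,
           salt: Optional[bytes] = None) -> User:
    """Create a user record; the server keeps the raw TOTP secret bytes."""
    salt = os.urandom(16) if salt is None else salt
    totp_secret = os.urandom(20) if totp_secret is None else totp_secret
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return User(name, salt, pw_hash, totp_secret)


def enrollment_secret_b32(user: User) -> str:
    """Base32 form of the secret, which is what goes into the authenticator app."""
    return base64.b32encode(user.totp_secret).decode()


def verify_login(user: User, password: str, code: str,
                 now: Optional[float] = None, skew_steps: int = 1) -> bool:
    """Check both factors and return True only if both pass.

    Both checks always run and use constant-time comparison, and the caller
    gets one yes/no answer, so a failure does not reveal which factor was wrong.
    A code is accepted within +/- skew_steps of the current step (clock drift)
    but never for a step at or below the last accepted one, so a code seen over
    the shoulder cannot be replayed within its validity window.
    """
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    pw_ok = hmac.compare_digest(candidate, user.pw_hash)

    code = code.strip()
    counter = int(now // TOTP_STEP)
    matched = None
    if code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS:
        for c in range(counter - skew_steps, counter + skew_steps + 1):
            if hmac.compare_digest(hotp(user.totp_secret, c), code):
                matched = c
    code_ok = matched is not None and matched > user.last_counter

    if pw_ok and code_ok:
        user.last_counter = matched   # only a fully successful login consumes the step
        return True
    return False


if __name__ == "__main__":
    alice = enroll("alice", "correct horse battery staple")
    print("enroll this secret in the authenticator:", enrollment_secret_b32(alice))
    print("login ok:", verify_login(alice, "correct horse battery staple",
                                    totp(alice.totp_secret)))
```

The RFC 6238 Appendix B vectors (secret `12345678901234567890`, SHA-1) make the generator checkable without a real authenticator: at T=59 the six-digit code is 287082 and at T=1111111109 it is 081804. The replay guard is per user and lives in the user record; in a real deployment it has to be stored wherever the login servers share state, or a code can be replayed against a different server.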

WCM Essay on Data Privacy Breaches, Claims and Litigations Published in Trade Magazine.

Partner Bob Cosgrove and associate Adam Gomez have written an essay entitled Somebody’s Watching Me: Defending Data Privacy Claims that was published in the April 2015 edition of Counterpoint, the Pennsylvania Defense Institute’s quarterly newsletter. The PDI is the Pennsylvania state affiliate of the Defense Research Institute. The article explores some of the common issues involved in data privacy breach claims litigation. The essay was the basis for a seminar that Bob conducted in London for the IUA, a presentation that was reported on by Re360 and by All About Shipping — http://www.allaboutshipping.co.uk/2015/06/04/somebodys-watching-me-trends-in-cyber-security-and-data-privacy-breach-suits, both London based insurance publications. For more information about the essay or WCM’s Privacy, Cybersecurity and E-Discovery practice, please contact Bob.

Who’s Laughing Now? Third Circuit Rules Bank Can’t Recover for Identity Theft (PA)

In an ironic twist of fate, the United States Court of Appeals for the Third Circuit recently ruled that even financial institutions face a rough road ahead when it comes to recovering damages for data security and identity theft claims.

In Citizens Bank v. Reimbursement Technologies, Pennsylvania financial juggernaut Citizens Bank sued a third-party medical billing company whose employees allegedly accessed personally identifiable information belonging to over one hundred Citizens account holders and used it to withdraw money illegally from branches across six states.  Although Citizens Bank’s suit focused on the Stored Communications Act, which regulates the disclosure of electronic communications and transactional records held by service providers, it also asserted state law claims for common law negligence.  The district court dismissed the federal claim and, in addition, ruled that Citizens Bank’s state law claims failed to state a legally recognized theory of negligence against the defendant.

On appeal, the Third Circuit was asked to determine whether Citizens Bank’s state law negligence and fraud claims could proceed independently of the federal claim.  Citizens Bank argued that the district court erred in dismissing its negligence claims because, as a data controller, Reimbursement Technologies owed the patients whose data it held, and their financial institutions, a duty to safeguard that personally identifiable information.  The Court of Appeals concluded that Pennsylvania’s five-factor test for the existence of a duty required dismissal.  Specifically, the Third Circuit explained that notwithstanding Reimbursement Technologies’ failings, Citizens Bank itself was in the best position to prevent the claimed harm (the unauthorized withdrawals took place at its own branches) and, as a result, liability could not pass to the defendant as a matter of Pennsylvania law.

Citizens Bank represents a proverbial turning of the tables, insofar as the jurisprudence of data privacy and consumer protection has often operated in favor of protecting financial institutions that are sued for failing to protect their customers’ data.  Rarely, if ever, does the law recognize that what is good for the goose is likewise good for the gander, but Citizens Bank clearly indicates that the law concerning cyber security and identity theft is slow to develop irrespective of whether the claimant is an individual or a national corporation.  Thanks to Adam Gomez for his contribution, and please email Brian Gibbons with any questions.

WCM to Host Data and Privacy Breach Seminar in London.

WCM Partner Bob Cosgrove, the head of WCM’s Privacy, Cybersecurity and E-Discovery practice group, will present a seminar at the International Underwriting Association of London entitled Defending Data and Privacy Breach Claims in the US. The seminar, which will take place on Wednesday, May 13, 2015, will explore the kinds of claims that can result in the US from a data or privacy breach and provide guidance on the strategies needed to successfully defend data and privacy breach litigation in the US. Special attention will be paid to both the regulatory and compliance aspects of a data breach as well as the resulting litigation from individuals whose “personally identifiable information” has been disclosed.

For more information about this seminar, please e-mail Bob. A video clip overview of the presentation can also be found at http://re360.co/#/articles/robert-j-cosgrove-on-the-data-privacy-claims-arena/