Category Archives: Law Firm

ACC suggests $10 million in cyber coverage for outside legal counsel

On March 29, 2017, the Association of Corporate Counsel released a set of model cybersecurity practices to help corporate legal departments address security and risk management issues born out of their outside legal counsel’s use of sensitive company data.    Protecting corporate data has increasingly been a top-of-mind topic for in-house counsel.  As reported by Corporate Counsel magazine, from 2014 to 2017, the percentage of in-house lawyers viewing the threat of data loss as an “extremely” important issue rose from 19 percent to 26 percent.

This proposed set of best practices should really come as no surprise.  Law firms have already been targeted with ransomware exploits given a small payment to access encrypted data takes a far backseat to potential lost billable time .   Similarly, law firms have long been targeted by sophisticated criminals and state actors interested in the wealth of confidential data they maintain.

In is not clear, however, how most outside counsel will comply with several of the best practices outlined by the ACC given the significant expense, implementation risk, and time commitment.  For example, the ACC suggests the following three baseline measures:

Outside Counsel shall have vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies reasonably designed to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.

Outside Counsel shall have, shall implement, and shall maintain network security controls, including the use of firewalls, layered DMZs and updated intrusion, intrusion detection and prevention systems, reasonably designed to protect systems from intrusion or limit the scope or success of any attack or attempt at unauthorized access to Company Confidential Information.

If Outside Counsel has not achieved ISO27001 certification, Company may request that Outside Counsel undertake the certification process and provide Company with evidence of certification when attained.

Although AV protection and patching is fairly standard fare, not many law firms will go to the trouble of getting ISO certified or developing an intrusion plan focused on thwarting or mitigating attacks that are based on the nature of the data involved.    In fact, the ACC has done what is fairly typical of published “best practices”, namely it put together a wish list that will never be implemented by the vast majority of outside counsel.

Found in these best practices, however, is one suggestion that may actually have some appeal for a wide range of law firms – a risk transfer model that puts the onus on an insurance carrier to foot the bill for a data incident.    Specifically, the ACC suggests law firms purchase at least $10 million in cyber insurance:

Without limiting its responsibilities set out in herein, in countries where cyber liability insurance coverage is available, Outside Counsel will obtain and maintain in force at all times cyber liability insurance with an insurance company having a minimum credit rating of A- from Standard and Poor’s or other equivalent rating agency, with a minimum coverage level of $10,000,000.

Although the cost to purchase $10 million in limits may be significant, it will open the door to some minimal underwriting for security best practices as well as the recognition that a deep pocket is always available to absorb the risk.    In other words, it will be a much softer route for outside counsel to obtain buy-in regarding its data security chops  if it starts with the purchase of data loss and privacy insurance.  After purchasing this insurance – and satisfying the encryption and other underwriting requirements, outside counsel’s next steps are largely dependent on the size of the firm.   Indeed, for a smaller firm, $10 million may not make any sense – a much smaller $5 million or even $2 million policy limit would be sufficient.  Even though some law firms rely on data loss and privacy insurance to address coverage gaps and transfer loss caused by a data intrusion it remains a non-standard coverage.

For a larger firm, there is also more likely an IT Director, CIO or even a CISO already in place.  Such positions necessarily bring with them certain advanced practices that can be found in the ACC’s suggested best practices.  On the other hand, in a law firm with no such position in place – nor the money or desire to create one, the Office Manager is often tasked with squeezing out the most security from the smallest possible budget.  In that instance, firewalls and proper endpoint protection are necessary baseline defenses.  Also, the use of certain cloud security vendors – including those providing encryption or phishing-detection email services, can end up being a cost-effective step up in security.   Applying the NIST Cybersecurity Framework or getting ISO certified is far fetched to say the least.

No matter what the size and level of sophistication law firms will always remain low-hanging fruit for dedicated thieves looking for some good data to steal.  To that end, the ACC’s grandiose best practices can only be perceived as a beneficial and necessary step in the right direction.

New York’s DFS provides a two-month reprieve

On December 28, 2016 – after a very public outcry from the financial community it regulates, New York’s Department of Financial Services (“DFS”) pushed to March 1, 2017 the January 1, 2017 deadline to comply with its proposed data security standards.  These security standards and related regulatory requirements – which are unique in the country, were first disclosed by DFS this past September and include a data breach reporting deadline that is a mere three days in length.

After reviewing 150 comments, the DFS doubled down on its proposed standards and only gave two more months for compliance.  As it now stands, the regulation will be officially implemented on March 1, 2017 and impacted firms will have 180 days to begin compliance – September 1, 2017.  And, by February 15, 2018, firms will be required to submit a certificate of compliance to DFS.

Despite vigorous opposition found in the submitted comments, the DFS retained several important aspects of its proposed regulations, including the three-day window to report a “cybersecurity event” – broadly defined to also include unsuccessful attempts, and the need to file annual certifications of compliance.

Another key component of these proposed regulations requires the designation of a Chief Information Security Officer.  Even though most large financial institutions already have that position filled, many firms subject to DFS jurisdiction will now have to allocate resources to either hire such an employee or reassign an existing employee to take on these new challenges.

All in all, the new DFS regulations – implementing specific security standards on New York’s largest business sector, will immediately generate significant business for those tech vendors and privacy lawyers offering gap-filling solutions that actually work.

The rise of Ransomware

Given credit card data and account information is now dirt-cheap to buy on the dark web; it no longer makes much sense for criminals to exclusively target financial information – especially since the data must also be sold after it’s stolen. Much more lucrative – and quicker to obtain, are the bitcoins deposited by ransomware victims into a thief’s account.

Welcome to the hottest cyber-criminal activity of today – ransomware.  Although ransomware such as PGPCoder has been around for a decade, this exploit only gained wide traction during the past several years. Combining the best of social engineering, e.g., well-crafted spear phishing using publicly available information, including emails of licensed professionals, with botnets usually tasked with promulgating spam, criminals have been able to re-purpose the latest Trojans for a much more lucrative job.

The most recent crop of ransomware scams have successfully targeted professionals. The Florida Bar recently warned its members these phishing exploits can use various subject lines, including “Florida Bar Complaint – Attorney Consumer Assistance Program”.   A scam email with “Lawyers and judges may now communicate through the portal” in the subject line uses information found in a June 1, 2016 Florida bar article. Preying on many lawyers’ natural tendency to help, the email asks recipients to “test the portal and give feedback.”

Florida Scam Email

During the past several weeks, Florida lawyers clicking on the masked link found in the above email notice were surprised to learn their entire computer network was held for ransom – automatically encrypted in one fell swoop by criminals half way across the world. Users only become aware of this exploit when they can no longer access their data and see a message on their screen demanding a ransom payment in exchange for a decryption key. The message also includes instructions on how to pay the ransom, usually with a widely traded anonymous digital currency such as Bitcoin or anonymous pre-paid cash vouchers such as MoneyPak and Ukash.

In the same way the IRS would never cold call you about an audit, no bar association would ever deliver a complaint simply by email.   Nevertheless, these scams succeed with a good number of professionals who are pressed for time, have computers systems that do not automatically filter executable content or simply just don’t have adequate training. Indeed, even if there is adequate training and sophisticated IT personnel running a firm’s network, law firms are never immune to hacking incidents.   This past March, it was reported by The Wall Street Journal that two blue chip firms, Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, were among a number of law firm hacking victims.  Law firms will always be vulnerable to a direct attack by a sophisticated hacker.  A panel of law enforcement specialists in 2015 put it best when they said law firms are seen as “soft, ripe targets for hackers.”

As reported by the Wisconsin Bar Association, the ABA’s Division for Bar Services has been monitoring a rise in ransomware exploits, with recent confirmations of scam emails also sent to lawyers in Alabama, Georgia, and California. The ABA has been working with the FBI to get the word out regarding ransomware – leading to state bars pushing out the message via newsletters and blog posts. In fact, the ABA has been warning lawyers for years regarding data security. Indeed, there is an argument that improved data security helps with the marketing of a law firm.

Although recent attacks have fed on a lawyer’s publicly accessible email address, these very same attacks also go after other professionals. For example, targets include hospitals – where patient information can ill afford to stay locked for a very long time.  As well, a growing number of accounting firms are falling prey to ransomware.   Ransomware is especially damaging to accounting firms given accountants hold critical financial data of clients that is often deadline-focused. Indeed, there may be significant penalties accessed against clients for untimely filings.

The threats have become more pronounced as criminals realize the benefit of redirecting resources to ransomware aimed at professionals such as lawyers and accountants. A consultant who assists accounting firms guard against ransomware attacks warned accountants last year of the polymorphic Virlock that spawns unique versions after every use so antivirus programs cannot recognize it as well as TeslaCrypt that uses file names associated with well-known online games found on a child’s computer – which can spread to other computers attached to a home network, including an office PC.

As set forth in a 2014 CERT notice, destructive and lucrative ransomware variants include: Xorist, CryptorBit, CryptoLocker, CryptoDefense, and Cryptowall. All of these exploits encrypt files on the local computer, shared network files, and removable media. Although the private decryption keys for CryptoLocker, Xorist, CryptoDefense have since become available – rendering these exploits defensible, recent ransomware variants with no available decryption keys continue to launch.  For example, in June 2015, the ABA warned about the CryptoWall ransomware exploit.  And, a March 9, 2016 blog post from the security firm TrustWave details a major botnet operator moving from spam campaigns to delivering a new ransomware exploit deploying malicious javascript – the Locky ransomware.   Kaspersky Labs also wrote about the Locky ransomware – and its successful targeting of several hospitals.   If it has not already done so, it is only a matter of time before the Locky ransomware migrates to lawyers and accountants.

 

FBI April 2016 Report

The FBI has addressed ransomware exploits for some time now – likely given it was inadvertently a participant in one such exploit. In 2012, the FBI was spoofed in a Reveton ransomware attack activated when a user visited a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law. The bogus message goes on to say that the user’s Internet address was identified by the FBI as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using the MoneyPak prepaid money card service.

According to an April 29, 2016 FBI Bulletin, the FBI saw a pronounced increase in ransomware attacks in 2015 – with a projection that it will grow a great deal more during 2016. Despite the fact it will always be easy to pay ransom given the instructions are explicit and the amount sought can be in the $400 range, the FBI doesn’t support paying a ransom in response to a ransomware attack: “Paying a ransom doesn’t guarantee an organization that it will get its data back [and] not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Instead, the FBI suggests the key areas to focus on with ransomware are prevention, business continuity, and remediation. Given that ransomware techniques are rapidly evolving, business recovery and continuity become even more crucial. More to the point, as recognized by the FBI: “There’s no one method or tool that will completely protect you or your organization from a ransomware attack.”   Instead, the FBI suggests firms focus on a variety of prevention efforts – in terms of awareness training for employees and technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.  Planning for disaster can never be considered wasted time. And, after a ransomware attack is suspected, victims should immediately contact the local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

If a firm has a proactive approach, there are certainly some basic things that can be done today to avoid a ransomware exploit. In an effort to help its constituency, the ABA has conveyed some basic technical defenses against ransomware:

  • Block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox.
  • Keep operating systems, browsers and browser plug-ins, such as Java and Silverlight, fully updated.
  • Program hard drives on your computer network to prevent any unidentified user from modifying files.
  • Regularly back up data with media not connected to the Internet.

As for the most basic of “basic training”, law firm administrators are being awakened to this threat with some sound advice that never gets old: “Be smart. Be aware. Don’t open or click on anything that looks suspicious. They won’t come in if you don’t open the door.” In other words, never click on a link, file or image from an untested source or untrusted URL. The extra seconds it takes to confirm the actual sender of an email message or owner of a website is well worth the time.

Given that business continuity best practices should mesh with IT security best practices, backups should obviously be stored outside the network. And, if you are forced to restore from a backup it is never wise to restore your data over existing production data. Consulting with a disaster recovery specialist before disaster strikes probably is a good idea.

Professionals – especially lawyers and accountants should also consider purchasing insurance that covers ransomware losses – including the related IT expenses.  Such insurance is typically purchased using a standalone policy that has been around for years. There are some malpractice insurers, however, e.g., CPAGold, who provide such coverage directly in the policy. Tech vendors and legal counsel associated with these carriers typically have years of experience handling these incidents and can be rapidly deployed to address any situation.

Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly backup data, plan for disaster, and regularly test your plans.

NJ Court Rules No Privacy Tort Exists for Location Tracking

In what may be a case of first impression, the New Jersey Appellate Division ruled, on July 7, 2011, that the tort of invasion of privacy does not necessarily exist whenever a plaintiff alleges surreptitious location tracking by a defendant.  Specifically, the court ruled:

We hold that the placement of a GPS device in plaintiff’s vehicle without his knowledge, but in the absence of evidence that he drove the vehicle into a private or secluded location that was out of public view and in which he had a legitimate expectation of privacy, does not constitute the tort of invasion of privacy.

Villanova v. Leonard, No. A-0654-10T2, slip op. at 3 (N.J. App. Div. July 7, 2011).

The facts of the case are likely not that uncommon.  A woman hired an investigator to track her husband (who she suspected of infidelity) and the investigator suggested she place a GPS tracking device in the glove compartment of the car shared with her husband.   After related divorce proceedings were concluded, the husband sued the investigator in state court.  In a summary judgment motion, the husband’s privacy claim against the investigator was dismissed by the trial court.  In affirming, the court reasoned there was “no direct evidence in [the] record to establish that during the approximately forty days the GPS device was in the Denali glove compartment the device captured a movement of plaintiff into a secluded location that was not in public view, and, if so, that such information was passed along by Mrs. Villanova to defendants.”  Id. at 11.

The court certainly took pains to limit the impact of its decision by pointing out that if the car did travel to “secluded locations”  there would be more of an issue with the conduct of defendants.  It is hard to envision, however, situations where a person traveling in a car would ever have much of an expectation of privacy sufficient to trigger an invasion of privacy claim.   See Id. at 16 (“‘A person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his [or her] movements from one place to another.'”)  (quoting United States v. Knotts, 460 U.S. 276, 281 (1983)).

In seeking to avoid dismissal, the plaintiff conjectured that secluded places might include “a private parking garage, an impound yard, or a stretch of a lonely beach.”  Id. at 6.   In strongly worded dicta, the court left the door open to such an argument:  “Although these hypothetical circumstances might well exist, there is nothing in this record to suggest that any such incident ever occurred during the time the GPS device was in place.”  Id.

As well, the court pointed out several times that the GPS data was likely not provided to the defendants.  This factor obviously undercuts by some measure the impact of the decision.  For example, if the same general set of facts were presented in a new case but the data was actually sent to numerous third parties, would a future court have more leeway in allowing a privacy claim to proceed?   Did the court inadvertently create a test whereby some allegations regarding  “secluded excursions” coupled with evidence of third party release of the location data is enough to withstand a motion for summary judgment?

Although it remains to be seen how persuasive this decision will be outside of New Jersey, it is nevertheless helpful given how unsettled location tracking remains as an area of privacy and constitutional law.   Further guidance, however, may be right around the corner given a recent privacy class action based on location tracking and the fact that, on June 27, 2011, the United States Supreme Court agreed to hear United States v. Jones — actually directing the parties to brief and argue the following question:  “Whether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”

Law Firm Sues to Have Non-Lawyer Ownership

On May 18, 2011, Jacoby & Meyers Law Offices LLP filed lawsuits challenging state professional rules in New York, New Jersey and Connecticut that prohibit non-lawyers from having an ownership interest in law firms.  The New York lawsuit was filed in the United States District Court for the Southern District of New York and alleges that Rule 5.4 of New York’s Rules of Professional Conduct — which precludes a lawyer from practicing law with an entity where a non-lawyer owns any interest therein — causes “critical sources of funding (to be) unavailable to a majority of lawyers in New York (and elsewhere) which dramatically impedes access to legal services for those otherwise unable to afford them.” See Complaint at Paragraph 2.

In contrast to the well-thought out plan executed in the UK that will soon allow UK law firms to take on non-lawyer equity owners and managers, Jacoby & Meyers is doing what most plaintiffs’ counsel resort to when they don’t get their way, namely the filing of a lawsuit.  There is nothing new in the Complaint regarding this longstanding debate and certainly nothing that has not been argued before by law firms looking to combat a stagnating book of business. 

The gist of the Complaint turns on the purported need for law firms to have access to outside capital.  Specifically, the Complaint alleges that without such access firms like Jacoby & Meyers are unable to pay for necessary improvements in technology and infrastructure.  And, without such improvements, the disenfranchised will not have adequate legal services available to them.

Although it is unlikely that the three filed lawsuits will survive very long or directly change longstanding ethical requirements, there is certainly nothing wrong in having this issue come up for discussion.   And, it may be very timely given the American Bar Association ethics committee is now taking comments on whether to change its model ethics rules to allow for the joint ownership of law firms.  In fact, this ABA initiative may have actually precipitated the Jacoby & Meyers lawsuit given it is cited in the Complaint.

CNIL Goes Easy With Google Fine

On March 17, 2011, CNIL fined Google €100,000 for improperly gathering and storing data for its Street View application.   Founded over thirty years ago, CNIL is an independent administrative authority that protects the privacy and personal data of French citizens.

Although this is the largest penalty ever awarded by CNIL, it certainly does not begin to move the needle when it comes to hurting Google’s very deep pockets.  This is nothing more than an interesting wrist slap in light of the significant privacy infraction.  The vast amount of personal data that was improperly collected by roaming “Google bikes” and “Google cars” – included e-mails and web browsing histories amounted to 600 gigabytes of unencrypted Wi-Fi data.

Even though US regulators have been hitting hard with recent fines of $4.3 million and $1 million, one lingering threat that was always out there on the privacy regulatory front was from an EU privacy agency holding a firm to unexpectedly high standards.   After seeing CNIL’s Google fine, that threat may have sputtered away.  What US firms need to continue to fear are the many class action suits that quickly sprout up — as they did when Google disclosed this “Wi-Spy” mishap — whenever there is a public disclosure of a privacy breach.

Plaintiffs’ Class Action Counsel Running on Empty: “Fear of ID Theft” and “Lost Time and Effort” Damages Theories Just Don’t Cut It

While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not.  Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs.  Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event.   The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations.  Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.

Damages Based on the “Fear of ID Theft”

Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages.  Although Ruiz v. Gap, Inc, instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities.  In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.

Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir. , Dec. 14, 2010), nothing has really changed this dynamic.   In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.

By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”  Id.  The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.

In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim.  This opinion on the merits was not approved for publication.

It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business.  The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”.   It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.”  In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.

In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue.  Compare Doe v. Chao,540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and `was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences’” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman,517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).

Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:

[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823.  In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…

If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.

Damages Based on “Lost Time and Effort”

Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing.  Although mitigation damages are sometimes awarded in addition to other damages such damages generally never rest as the sole measure of injury in either a negligence or contract setting.  This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.

Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Brother data breach litigation, certified the following question to the Maine Supreme Court:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).

On September 21, 2010, the Maine Supreme Court answered this question in the negative.  Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation:  “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.”  In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010).  Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.”  Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life’” damages were also not available under the implied contract claim.  Id. (quoting lower court).

Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context.  Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).

Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”.  Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.

To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity.  On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case.  See Dukes v. Wal-Mart Stores, Inc. , 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question: “Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).”) (emphasis added).

Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.  One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.

Data Breach Class Action Suits — Will the Floodgates Ever Open?

It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach.  As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory.   Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.

In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court  ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 of pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the  attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are  communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent  commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank’s whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.