Category Archives: Privacy

Third Circuit Agrees Standing is Lacking in Breach Case

The United States Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, 2011 U.S. App. LEXIS 24561, 3 (3d Cir., December 12, 2011), found that “allegations of an increased risk of identity theft resulting from a security breach” were insufficient to secure Article III standing.  In so doing, the court affirmed the dismissal of claims brought by former employees of a NJ law firm after the firm’s payroll processor was breached.

Recognizing that “a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed”, the Third Circuit sided with those courts finding that plaintiffs lack standing because the harm caused is too speculative.   Specifically, the court did not consider an intrusion that penetrated a firewall and potentially allowed access to employee payroll data sufficient to meet the Article III requirement of an “actual or imminent” injury.  No misuse was alleged so no harm was found.

As well, the Third Circuit rejected the notion that time and money expenditures to monitor financial information conferred plaintiffs with standing.  Id. at 5 (“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.”).  See also In re Michaels Stores PIN Pad Litigation, Slip Op. at 14 (N.D. Ill November 23, 2011) (reasoning that “individuals cannot create standing by voluntarily incurring costs in response to a defendant’s act.  Accordingly, Plaintiffs cannot rely on the increased risk of identity theft or the costs of credit monitoring services to satisfy the ICFA’s injury requirement.”).

The Third Circuit’s decision stands in sharp contrast to those decisions that stretched hard to find a cognizable harm sufficient to trigger constitutional standing as well as a recent ruling from the First Circuit reversing a dismissal because costs associated with credit card reissuance fees and ID theft insurance were deemed sufficient to constitute an injury.

There is now a growing body of law that has sprung from public data breaches that can be used by either side of the class action table.  The key metric will be how such decisions can be tooled by plaintiff’s counsel to defer dismissal.   Given the potential use of cy pres settlements, defense counsel need to cut off the discovery beast before it grows out of control and gives rise to such settlement discussions.  All plaintiff’s counsel needs to do is hope for a sympathetic judge before the wheel is spun.

Mexico City Redux: Conference of Data Protection and Privacy Commissioners

On November 2 – 3, 2011, about 600 persons from around the world attended the 33rd International Conference of Data Protection and Privacy Commissioners.   For those unable to make the trek to Mexico City, what follows is selected insight gained from several folks who attended and were kind enough to report back what was discussed in Mexico.

The event opened with an exposition of the “big data” concerns driving many large privacy programs.   Ken Cukier of The Economist used the example of how the Sumo wrestling scandal was uncovered using big data analytics, i.e., a complete analysis of 10 years’ worth of Sumo contests, to showcase the fast, ubiquitous, and distributed nature of big data.   A common big data thread turned on the data collection activities of Facebook and Google – with an obvious concern regarding their future usage of collected data.  It was pointed out that a browser configuration is so customized now that it can act as a fingerprint indentifying its owner — leading to even more big data concerns.

Two other covered substantive topics were, not surprisingly, social media and mobile technologies.  Tied to social media was the purported “right to be forgotten.”  Building on prior conferences, it appears as if the commissioners in attendance believed future regulations will eventually create such a right in the EU.  The question of enforcement was not really deemed much of a concern – which is curious given it would be wishful thinking to think anyone can actually completely scrub the Internet of one’s personal data.   Moreover, do we really even want bad information regarding a professional such as a doctor or lawyer ever completely wiped clean?

As for mobile discussions, one session focused exclusively on the ramifications of having over five billion mobile users worldwide.  In ten years time, it was estimated there would be 20 billion SIM cards in use connecting multiple devices to each other.  In effect, chips will be everywhere processing and collecting data — leading to ever-increasing privacy challenges. 

Another area of discussion was the “interoperability” of privacy laws around the world.  The lofty notion of harmonization was abandoned in lieu of the more workable interoperability concept.  This new perspective would entail better cooperation between the various commissioners with perhaps an executive committee to assist in such coordination efforts.  The committee would deal with global issues that would require better cooperation, e.g., regulatory efforts involving multi-national corporations potentially impacting the privacy rights of persons in  many countries.

An interesting sidebar on interoperability was the ability to use of common regulations instead of directives.  Such a change in course would take much longer to implement given the need to, for example, go to a Parliament to pass such  regulations.  It was assumed this path would take 3 – 5 years to implement.  On the other hand, it would allow for much more in the way of teeth to an executive committee’s agenda.   

There was also an interesting debate between the commissioners regarding their perceived roles.  It was universally acknowledged that they are overwhelmed by the explosive privacy issues impacting their respective offices.  What was not universally acknowledges was how they should prioritize their time in meeting this challenge.  One school of thought (spearheaded by Chris Graham, the UK Information Commissioner) was that commissioners and their offices should be counselors assisting companies reach relevant privacy standards — a definitely carrot-centric approach.  The combating school of thought (voiced strongly by Jacob Kohnstamm, Head of the Article 29 Working Group and Chairman of the Dutch Data Protection Authority) was that only enforcement sticks should be used.  Mr. Kohnstamm said that companies have had enough time to be compliant and it is now time to enforce existing laws.  He also apparently stated that even if he wanted to act as a counselor he does not have sufficient advisory personnel on staff to act in that role.  Interestingly, this divide may also be attributable to a common law vs. civil law axis.  Given that Mr. Kohnstamm is up for election as head of the Article 29 Working Group, his election may end up being a referendum on this debate.

There was also interesting insight gained regarding the difference in styles between two newly installed commissioners; the newfound influence of Asia at the conference; the focus — for the first time — on privacy violations involving state actors; and a belief that the closed session resolutions may formalize the working relationships between the various commissioners and their respective offices.  

There is no doubt that the global privacy landscape is expanding at a rapid rate and that this conference will only grow over time – next year it will be at a resort in Uruguay.  Simon Davies, Director of Privacy International, even spoke about how countries such as Pakistan and Afghanistan are now starting a privacy dialogue.   The Dragon also took a privacy bow when Zhou Hanhua of the Chinese Academy of Social Sciences in Beijing gave a keynote address that discussed the new revisions to China’s penal code regarding privacy infractions as well as its revisions to Identification and Telecommunications laws to better address privacy concerns.   And, it was even mentioned Korea will host the conference in a few years. 

In other words, there can be no denying privacy is and will forever be a global issue.  In fact, that truism may very well be the reason this year’s Conference of Data Protection and Privacy Commissioners was titled “PRIVACY: The Global Age.”

First Circuit Rules Hannaford Damages Include ID Theft Insurance and Card Reissuance Fees

On October 20, 2011, the United States Court of Appeals for the First Circuit issued an opinion reversing a Maine District Court’s dismissal of negligence and implied contract claims against grocer Hannaford Brothers.  The underlying data breach publicly announced on March 17, 2008 by Hannaford led to a consolidated class action that was ultimately rejected in its entirety by the Maine District Court.   After receiving guidance from the Maine Supreme Court regarding whether time and effort alone could represent a cognizable injury — it did not — the District Court ultimately ruled that even though claims for implied contract and negligence could be alleged by the plaintiffs, because the associated damages were not cognizable in law, the action had to be dismissed. 

In reversing, the First Circuit recognized that “[t]here is not a great deal of Maine law on the subject [of damages recoverable under § 919 of the Restatement (Second) of Torts].”  Accordingly, it reviewed a good deal of caselaw outside of Maine before applying § 919’s rule that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened” to the specifics of this case.   Several cited cases found such mitigation damages valid even if they exceed the potential savings and are purely financial in nature. 

Recognizing the Hannaford breach involved a large-scale criminal operation that already led to over 1,800 identified fraudulent charges and many banks issuing new cards, the First Circuit ruled that mitigation damages in the form of ID theft insurance and credit card reissuance fees were financial losses recoverable under the negligence and implied contract claims so long as they are considered reasonable mitigation damages.   There was no remand for further factual findings on the issue.  The First Circuit simply made a determination that such damages were both foreseeable and reasonable and reversed on that basis.  Now that the consolidated complaint lives another day, the District Court may certify a class but if it does it remains to be seen how far the lower court will go in sizing the class and allowing for such mitigation damages.

ZIP Code Litigation Update

Earlier this year, the California Supreme Court ruled on the outer reach of a state statute meant to protect consumers during credit card transactions – the Song-Beverly Credit Card Act of 1971.  See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011)Specifically, Song-Beverly precludes retailers from requesting and recording a customer’s “personal identification information” during a credit card transaction and the Pineda court reasoned that such information now includes ZIP code information.  The decision was largely driven by the fact current marketing firms can use a ZIP code to tap into vast stores of personal data about a consumer.  Although the law may have only applied to retail stores in California, the decision immediately gave rise to an avalanche of class action suits given class action counsels’ new-found access to statutory damages.

In fact, given this new extension of the law, California legislators quickly amended Song-Beverly to exclude from its reach retail motor fuel sales and state law obligations.  This proposed law passed both the Senate and Assembly, was presented to the Governor on September 22, 2011 and will likely soon be signed into law.   What this proposed law does not do is expressly reverse Pineda or turn the tide against class actions brought against retailers.

It appears, however, courts on their own have found ways to curtail further extensions of Song-Beverly.  In an August 2011 Order, a California trial court sustained an online service provider’s demurrer to a class action complaint under Song-Beverly.  The action involved the purchase of an online advertisement.  The Order simply states that the law “on its face does not apply to online transactions,” and “the applicable case law, legislative intent and public policy indicate that such transactions are not, and should not be, encompassed” by Song-Beverly.

Other jurisdictions have been reluctant to create Pineda-like precedent.  In an unpublished opinion filed on September 26, 2011, a New Jersey District Court Judge decided that New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) – which provides for a civil penalty of not less than $100 per violation – was not triggered when plaintiff provided her ZIP code during a retail credit card transaction.  The statute requires that the provisions of a specific consumer contract violate a state or federal law.  In dismissing the Complaint, the District Judge found that a credit card transaction did not implicate a specific consumer contract given the card number and ZIP code at issue were merely a series of numbers and not part of a specific consumer contract.  Given that New Jersey’s version of Song-Beverly (Restrictions on Information Required to Complete Credit Card Transactions, N.J.S.A. § 56:11-17) does not provide for a private right of action, plaintiff did not claim standing under that law.  With no small sense of irony, the case was dismissed against the same defendant as in Pineda.

A bench opinion recently entered by a New Jersey state judge came to the exact opposite conclusion.  In that ruling from the bench, the court found that a violation of N.J.S.A. § 56:11-17 was a sufficient predicate for a violation of the Truth-in-Consumer Contract, Warranty and Notice Act – which, in turn, allowed access to the statutory damages so eagerly sought by class action plaintiffs.  Given that it was only a bench opinion, the decision has no precedential weight.  In other words, it’s a decision that now means nothing to other retailers in New Jersey.  On the other hand, it only takes a chip here and there to sometimes break a levy – or the willing hand of an appellate court.  Stay tuned.

Update:  October 1, 2011
After reading a transcript of the oral argument and opinion, it appears the state court judge ultimately gave too much deference to NJ’s motion to dismiss standard.   Although the court concluded by saying he was “making no comment about the merits of the case”, he ultimately found that a common law privacy claim exists when a retailer obtains a customer’s ZIP code during a credit card transaction.  Moreover, he reasoned that a claim under TCCWNA could also exist given ZIP code information was was part of the writings required to complete the consumer transaction.  Accordingly, there was enough of a consumer contract to trigger the statute.

Update:  January 6, 2012
Although it ultimately dismisses an action against Michael’s Stores, Inc. given there is no cognizable common law injury and the applicable law does not provide for statutory damages, a Massachusetts federal court  rules that ZIP code information is “personal identification information”.

Ponemon Second Annual Cost of Cybercrime Study

A detailed study regarding the impact of cybercrime on corporations was recently released by the Ponemon Institute.  According to the Second Annual Cost of Cyber Crime Study, the median annualized cost of cybercrime incurred by a benchmark sampling of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.  This was an increase of 56 percent from the median cost reported in the inaugural study.

According to this Ponemon deep dive of organizations who have sustained incidents of cybercrime, more than 90 percent of all cybercrime costs were caused by malicious code, stolen devices and web-based attacks.  During a four week period, the organizations surveyed by the Ponemon Institute experienced 72 successful attacks per week, an increase of nearly 45 percent from last year.  Interestingly, according to a recent study by Webroot Research, cybercrime on social networks also continues to increase — with the number of US-based users who have experienced attacks on social networks growing from 8% in 2009 to 13% in 2010 to 18% in 2011.

Smaller-sized organizations were found by Ponemon to incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).  This may be given that smaller organizations do not readily negotiate much off of vendor rack rates — another reason to evaluate network security and privacy insurance as well as working with a law firm that has significant experience in dealing with breaches.

According to this Ponemon survey, the average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18 day period.  Interestingly, this represents a 67 percent increase from last year’s estimated average cost of $247,744, which took place over a 14 day period. Results of the study show that malicious insider attacks can take more than 45 days on average to contain.

On September 14, 2011, New York Metro InfraGard and Coalfire are co-sponsoring a New York City event that will feature Dr. Larry Ponemon speaking on the Ponemon Institute’s Cost of Cybercrime Study.  For details on this event, visit the Infragard site or registration site.

NJ Court Rules No Privacy Tort Exists for Location Tracking

In what may be a case of first impression, the New Jersey Appellate Division ruled, on July 7, 2011, that the tort of invasion of privacy does not necessarily exist whenever a plaintiff alleges surreptitious location tracking by a defendant.  Specifically, the court ruled:

We hold that the placement of a GPS device in plaintiff’s vehicle without his knowledge, but in the absence of evidence that he drove the vehicle into a private or secluded location that was out of public view and in which he had a legitimate expectation of privacy, does not constitute the tort of invasion of privacy.

Villanova v. Leonard, No. A-0654-10T2, slip op. at 3 (N.J. App. Div. July 7, 2011).

The facts of the case are likely not that uncommon.  A woman hired an investigator to track her husband (who she suspected of infidelity) and the investigator suggested she place a GPS tracking device in the glove compartment of the car shared with her husband.   After related divorce proceedings were concluded, the husband sued the investigator in state court.  In a summary judgment motion, the husband’s privacy claim against the investigator was dismissed by the trial court.  In affirming, the court reasoned there was “no direct evidence in [the] record to establish that during the approximately forty days the GPS device was in the Denali glove compartment the device captured a movement of plaintiff into a secluded location that was not in public view, and, if so, that such information was passed along by Mrs. Villanova to defendants.”  Id. at 11.

The court certainly took pains to limit the impact of its decision by pointing out that if the car did travel to “secluded locations”  there would be more of an issue with the conduct of defendants.  It is hard to envision, however, situations where a person traveling in a car would ever have much of an expectation of privacy sufficient to trigger an invasion of privacy claim.   See Id. at 16 (“‘A person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his [or her] movements from one place to another.'”)  (quoting United States v. Knotts, 460 U.S. 276, 281 (1983)).

In seeking to avoid dismissal, the plaintiff conjectured that secluded places might include “a private parking garage, an impound yard, or a stretch of a lonely beach.”  Id. at 6.   In strongly worded dicta, the court left the door open to such an argument:  “Although these hypothetical circumstances might well exist, there is nothing in this record to suggest that any such incident ever occurred during the time the GPS device was in place.”  Id.

As well, the court pointed out several times that the GPS data was likely not provided to the defendants.  This factor obviously undercuts by some measure the impact of the decision.  For example, if the same general set of facts were presented in a new case but the data was actually sent to numerous third parties, would a future court have more leeway in allowing a privacy claim to proceed?   Did the court inadvertently create a test whereby some allegations regarding  “secluded excursions” coupled with evidence of third party release of the location data is enough to withstand a motion for summary judgment?

Although it remains to be seen how persuasive this decision will be outside of New Jersey, it is nevertheless helpful given how unsettled location tracking remains as an area of privacy and constitutional law.   Further guidance, however, may be right around the corner given a recent privacy class action based on location tracking and the fact that, on June 27, 2011, the United States Supreme Court agreed to hear United States v. Jones — actually directing the parties to brief and argue the following question:  “Whether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”

Betterley Report on Cyber Insurance is Now Available

The highly-anticipated annual Betterley Report on cyber insurance was released right before the 4th of July holiday weekend.  In the free summary of the issue, there is mention of the 29 insurers now providing some form of network security and privacy insurance.  Betterley projects the existing market to be in the $800 million range — which would make it probably the fastest growing insurance product in the current soft insurance market.

In the free summary there is also an article written regarding cloud exposures and how such exposures may impact coverage under a network security and privacy policy.  As recently reported in the Wall Street Journal, a World Economic Forum report found “that 90% of suppliers and users of cloud services consider privacy risks to be a ‘very serious’ impediment to widespread cloud adoption.”  Given this concern, having the right privacy insurance in place becomes that much more important.

Round Four of The Personal Data Privacy and Security Act

On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation.  According to the senator’s press release, the law would “establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.”  This latest reincarnation of the law was likely prodded by the White House’s recent legislative call to action — a call to action that had listed first a national data breach notification law.

The 70 page bill proposes significant changes to existing laws – many of which make sense now that the theft of personal data has become a mainstay of organized crime.  For example, as recommended by the recent White House proposal, it amends the Computer Fraud and Abuse Act to add RICO-like language.  There are also significant obligations for data brokers as well as money penalties assessed to data brokers who violate these obligations.  Throughout the proposed law; and including the section regarding data broker duties, state attorney generals are given broad powers to bring civil actions and can obtain significant money penalties for violations of the law.

Another section of the proposed law seeks to ensure that any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons” must adhere to “standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.”  Unlike the Red Flags regulations promulated by the FTC and subsequently clarified by Congress, these requirements would reach beyond creditors.  And, those businesses already subject to existing data safeguarding laws such as HIPAA and Gramm-Leach-Bliley would be exempt from these new requirements. Violations of this section would bring with it significant money penalties as well as possible enforcement by either the FTC or state attorney generals.  As with the other sections of the proposed law, there is no private right of action.

The final section of the proposed law provides for nationwide data breach notification which generally requires that all subject breaches be reported without unreasonable delay.  Again, state attorney generals are given broad enforcement rights:

The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.

Without the ability to bring a private right of action, these enforcement powers and penalties still only indirectly stir the class action pot. 

Of the many competing privacy and data security laws being offered up in Congress, it remains to be seen which is the front runner.  Given that both parties have endorsed a federal breach notification law that would serve to harmonize the 47 state breach notice laws and this one apparently seeks to combine the best of current state law, it seems at least the breach notification section of Leahy’s proposed law might have a chance of passing both houses.    As well, this proposed law is not likely to upset privacy advocates given the Department of Commerce is given no new powers.  Most importantly, given that it has much of what was outlined in the recent White House proposal, the entire proposed law would likely be signed into law by the President.  For good or for bad, with only 40 legislative days left before the election that wouldn’t be happening any time soon.

Do Not Track Law Comes Closer to Reality

Apparently seeking to mimic the success of the “do not call” registry, on May 9, 2011, Sen. Jay Rockefeller (D-W.Va.) introduced an online “do not track” privacy bill that would give consumers the ability to block companies from tracking their online activities.  The proposed Do-Not-Track Online Act of 2011 comes on the heels of another consumer privacy bill proposed by Senators Kerry and McCain.  The competing Kerry bill does not have a “do not track” feature, excludes the possibility of a private right of action (Sec. 406)  and was generally panned by privacy activists as potentially being too pro-business.   On the other hand, an ACLU spokesman described the Rockefeller bill as “a crucial civil liberties protection for the twenty-first century.

Given the support being offered by the White House, the Rockefeller bill has a real chance of being passed into law.  What it will eventually mean to the cost of “free” applications sponsored by marketers and their clients remains to be seen.

 

 

Location Tracking Class Action Suit is Filed Against Google

On the heels of the awareness created by a recent California Supreme Court decision, the actions of a German privacy advocate, and a widely tweeted Wall Street Journal article, Google has been sued for its holding of location-based tracking information.   This action differs from an earlier Apple lawsuit in several respects outlined by infosec island.

Given the broad scope of the five claims brought against Google, this suit is definitely worth monitoring.

Update — August 18, 2011

Korea gets into the action with a class action suit from 27,000 South Koreans claiming Apple violated Korean privacy law with the location based tracking feature found on the company’s iPhone smartphone, iPad tablet and iPod Touch.