Category Archives: Privacy

Location-Based Tracking Data Creates a New Privacy Concern

On March 25, 2011, Fordham Law School conducted a timely symposium on the legal and privacy policy implications of location-based technologies, i.e., those technologies that collect and use data indicating a person’s specific physical location.  The lively panel discussions all had one underlying theme – location-based tracking may be pervasive but the relevant policies are still in their infancy.  Although the “privacy-worthiness” of geo-location data has recently been in the news given the California Supreme Court’s ruling that Zip Code information can be considered “personal identifiable information”, location-based tracking of persons may actually loom as an even more fertile proving ground for privacy litigation given the ubiquitous nature of the activity.

It is commonly known that most smart mobile devices built today have some sort of GPS tracking capability.  Despite numerous media accounts, it is unlikely, however, that many mobile phone users also realize that their phone carriers ping their location every seven seconds and actually store this data.  Although consumers may not be fully aware of the location-based tracking that is going on, there are a number of startups banking on this capability.  Free mobile apps such as “Color” provide folks with the opportunity to share images and videos with those persons located in their very near geographic location.  And, start-ups such as Foursquare and Bizzy offer a more commercially viable application that provides consumers with opt-in shopping recommendations based on their geographic location.

Just how big an issue this will become remains to be seen given we are at the early stages of location-based data collection and marketing.  What should be of concern is the fact huge stores of data exist on pretty much every mobile phone user.  Although the EU has had rules in place since 2005 regarding located-based tracking, the FTC has only recently raised the privacy implications of the vast amounts of location-based data being collected.  See Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers (Preliminary FTC Staff Report, December 2010) at 23 – 25.

German privacy advocate Malte Spitz wanted to find out exactly how much of tracking data T-Mobile Germany was storing about him so he used German privacy laws to obtain the information.  What he got back from T-Mobile was six months of data including 35,831 points of location information.

According to a German newspaper that first wrote about the data trove maintained by Spitz’s phone company:

This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

On March 29, 2011, U.S. Reps. Edward Markey (D-Mass) and Joe Barton (R-Texas), Co-Chairmen of the House Bi-Partisan Privacy Caucus, responded to the public disclosure of the Spitz data request, by sending letters to the CEOs of the four major U.S. wireless carriers – AT&T, Verizon, Sprint, and T-Mobile.  These letters request information regarding data collection, storage and disclosure practices.

After the four major U.S. wireless carriers respond to Congressmen Markey and Barton, we may be in a better position to understand how companies plan on using the location-based data that is being collected.  More importantly, we will get a better handle on how the FTC and other regulatory bodies may eventually chime in on this privacy debate.  In the interim, companies looking to harness the marketing potential of location-based tracking data should evaluate whether it makes sense to refrain from selling available data.

CNIL Goes Easy With Google Fine

On March 17, 2011, CNIL fined Google €100,000 for improperly gathering and storing data for its Street View application.   Founded over thirty years ago, CNIL is an independent administrative authority that protects the privacy and personal data of French citizens.

Although this is the largest penalty ever awarded by CNIL, it certainly does not begin to move the needle when it comes to hurting Google’s very deep pockets.  This is nothing more than an interesting wrist slap in light of the significant privacy infraction.  The vast amount of personal data that was improperly collected by roaming “Google bikes” and “Google cars” – included e-mails and web browsing histories amounted to 600 gigabytes of unencrypted Wi-Fi data.

Even though US regulators have been hitting hard with recent fines of $4.3 million and $1 million, one lingering threat that was always out there on the privacy regulatory front was from an EU privacy agency holding a firm to unexpectedly high standards.   After seeing CNIL’s Google fine, that threat may have sputtered away.  What US firms need to continue to fear are the many class action suits that quickly sprout up — as they did when Google disclosed this “Wi-Spy” mishap — whenever there is a public disclosure of a privacy breach.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT exploit.  As recognized by RSA’s Executive Chairman, Art Coviello,”APT threats are becoming a significant challenge for all large corporations.”  These exploits are the same sort of attacks that the press were quick to blame the Chinese on last year.  In fact, the Wall Street Journal reported last year that these attacks impacted over 2,400 businesses.  How exactly can a company avoid an APT or “advanced persistent attack” when a firm like RSA also gets hit by such criminal activity?

By way of background, APTs are social engineering techniques — once upon a time simply known as confidence or con games — applied with a healthy dose of hacking and malware.  RSA’s attack is a bit more troublesome than most APTs given the possible repercussions to customers as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason that this breach is significant has to do with the fact RSA customers all over the world use RSA SecurID to protect outside access to sensitive data.  In order to access a computer protected by SecurID, users enter a traditional password as well as the number displayed on their RSA SecurID hardware token. The numeric value displayed on the token changes once every few minutes to provide added protection.

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns — not the least of which is the mere fact that a firm such as RSA was able to be compromised in the first place.  A leading security consultant voiced a complaint that the lack of information emanating from firm makes it hard for customers to know what exactly to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never make it to the kitchen table, there are many vectors that can be compromised during a successful APT threat.  The key factor to a successful APT exploit is the level of trusted connection breached — whether that is an executive friend on FaceBook or a next door neighbor’s email address.  Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information.  This is where there is a significant disconnect from the typical financial data hacker.  Such hackers may wait before using card data to commit a fraudulent purchase but will not likely wait to steal the compromised data.  That is why most APTs are blamed on governmental entities — who are notoriously patient when moving on a target.  Those committing APTs may get very valuable data along the way but would never risk getting caught with such data until the final target is achieved.  In other words, the APT criminal may spend months lurking in a network before any information is even compromised.  That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to change a firm’s security posture.  The threat is more derived from employee policy lapses, i.e., use of social media at a workstation and use of infected thumb drives, than it is from brute force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.   In other words, the old adage “on a need to know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense of APTs — if there is even such as a thing as a viable defense.  Knowing the relative value of your assets and the costs to mitigate a loss in advance of a loss are the bread and butter of risk managers.  Applying such insight in the proper measure will remove from the equation some ego-driven security initiatives to be replaced by focused efforts aimed at the most sensitive data of an organization.  Risk managers are routinely given the task of protecting the personal assets of the chairman of the board — by, among other things, a D&O insurance placement — as well as coordinating large scale enterprise risk management initiatives.  Providing some guidance on this front should not be that much of a stretch.

New Amazon Class Action Based on Privacy Setting Circumvention

In a class action suit filed against Amazon.com, Inc.  on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington State] Consumer Protection Act, RCW § 19.86.010 et seq.; and common law [unjust enrichment, trespass to chattels, and fraud].”  Although this suit appears to be similar to the flash cookie suits filed against against marketing firms such as Quantcast and their respective clients, the case has different implications.

By way of background, according to the Quantcast complaint filed last July, Quantcast used flash cookies to “respawn” previously deleted HTTP cookies in order to continue tracking web users.  The Quantcast suit was settled this past December using a cy pres fund akin to what was done by Google a few months prior.  It is worth pointing out that none of the settlement proceeds in a cy pres fund actually go directly to any victims.  Applying a class settlement strategy only previously deployed after plaintiffs were compensated, plaintiffs’ counsel now use cy pres funds — which usually go to non-profit organizations — even if plaintiffs receive zero actual compensation.  This stands apart as a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to file and resolve class actions even when actual damages are not readily apparent.

At some point, the Amazon.com suit may also end up resolving itself via the cy pres route given the potential lack of actual damages.  Plaintiffs in the Amazon.com case are claiming that Amazon.com found a way to trick browsers into believing the site was more privacy conscious than it was.    Given that Internet Explorer automates for a user the process of reading a website’s privacy policy, such shenanigans can obviously lead visitors to go on a site she or he might not otherwise visit.   Not exactly a powder-keg of potential damages.  Plaintiffs up the ante by claiming that, in contravention to its privacy policy, Amazon.com was allegedly rewarded for its trickery by gaining access to a visitor’s personally identifiable information (PII) and providing it to third parties.  Specifically, the Complaint states:  “Amazon claims in its privacy notice that it does not share users’ information with third parties for advertising purposes and that, instead, it delivers third parties’ advertisements on their behalf.  In fact, Amazon shares users’ PII with third parties for those third parties’ independent use and does not disclose this fact to consumers.”  Complaint at paragraphs 64 – 65.  Despite several readings of the Complaint, it remains far from certain what quantum of damages were actually sustained by plaintiffs.

This suit should, nevertheless, be monitored given the new FTC online privacy framework set forth in December (“The FTC’s harm-based approach also has limitations. In general, it focuses on a narrow set of privacy-related harms – those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.  But, for some consumers, the actual range of privacy related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.'”) as well as the bills currently being discussed that may very well use the FTC’s new perspective as a legislative springboard.  According to recent public statements from Representative Cliff Stearns, a senior member of the House Energy and Commerce Committee, he will soon propose online privacy legislation that will focus “on allowing Web users to know what personal information Internet companies are collecting about them and to control how it’s used.”

OCR: Lost Records of 192 Patients = $1 million

On the heels of the Cignet Health CMP, the OCR has just announced a Resolution Agreement with Massachusetts General that includes a $1 million “resolution amount”.  Under this Resolution Agreement, Mass General is also required to develop and implement “a comprehensive set of policies and procedures to safeguard the privacy of its patients.”

According to the OCR’s Resolution Agreement dated February 14, 2011, the incident giving rise to the agreement involved the loss of protected health information of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.   Specifically, the facts (as recited in the Resolution Agreement) are as follows:

On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.

On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered.  These documents contained the PHI of 192 individuals.

In other words, HHS has just determined that employee negligence of the most common variety is worth a cool $1 million.   Enough said.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million dollars.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty.  Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE in which HHS has imposed a civil money penalty (CMP) for alleged  violations of the HIPAA Privacy Rule.  As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.”  The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net – the first time a state has used the HITECH Act to settle a data breach claim — as well as the enforcement of the HITECH Act’s public disclosure of data breaches.  Cignet Health, however, did not sustain a data breach so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it:  The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss.  And, the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Supranos moment a reality.

The Elephant in the Room: The Potential for Privacy Breach Statutory Damages

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and effort” have not withstood scrutiny in a class action setting – nor will likely in the future.  So, what exactly is the damages theory that will someday clog the class action dockets of judges around the country?

In the same way state breach notification statutes jump started data breach litigation, aggressive legislative bodies will again likely lead the way.  By now considered a scratched CD/broken record on this topic, I’ve been saying for years now that the only real significant liability threat to those companies sustaining a data breach is the advent of statutory damages – damages that would ensue with or without any showing of real harm to a plaintiff.  No matter how small the statutory amount per breach victim, such statutes will not only open up the class action floodgates – they will literally blow them wide open.  Although there is no such law on the books right now, companies need to remain diligent and prepare for the day when the first statutory damages law is enacted.

Maybe there is some level of poetic justice in the fact that the volcanic state of Hawaii – by virtue of S.B. 728 or a watered down version of S.B. 728 – may become the first state to expressly provide for such damages.  After all, the potential business impact is much like a volcano erupting. Before getting to Hawaii’s newly introduced bill – which on February 11, 2011 was voted by a standing committee to be held from the full house for further consideration – it might be helpful to reference a framework for statutory damages using two laws that are decades old and a more recent law that already acts as an ID theft prevention statute.

The Video Privacy Protection Act of 1988 (VPPA)

On December 17, 2009, a class action Complaint was filed against Netflix, Inc., alleging that Netflix “perpetrated the largest voluntary privacy breach to date.” (Complaint at Paragraph 1).  According to the Complaint, Netflix knowingly and voluntarily disclosed the video purchases of approximately 480,000 Netflix subscribers when Netflix provided to contest participants data containing over 100 million subscriber movie ratings and preferences. When launching its contest, Netflix stated that all provided data was anonymized and that the subscribers’ movie ratings were given tokenization numbers, i.e., “numeric identifier unique to the subscriber” rather than any actual personal data.  (Complaint at Paragraph 32(b)).  The Complaint alleges researchers were able to identify individual subscribers by cracking Netflix’s anonymization process.  (Complaint at Paragraph 37).

Among other claims, plaintiffs brought suit under VPPA seeking statutory damages.  VPPA generally prohibits any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)).  According to EPIC, this law “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”   In addition to other VPPA damages that may be awarded, VPPA provides for “actual damages but not less than liquidated damages in an amount of $2,500.” (18 U.S.C. 2710(c)(2)(a)).

On March 19, 2010, the case was dismissed pursuant to a confidential settlement between the named plaintiffs and NetFlix. For some reason – maybe due to Federal Rules of Civil Procedure 23(a) concerns given the choice of plaintiff representative or an offer too good to pass up – plaintiffs’ counsel chose to resolve this suit prior to seeking certification of the class.  Although it would have been interesting to see how this privacy statutory damages suit resolved itself via motion practice, the case remains noteworthy given legislative bodies may look to it to see how quickly class action suits can resolve themselves when faced with statutory damages.

Song-Beverly Credit Card Act of 1971

This California law protects consumers from merchants who request personal data during a credit card transaction – in essence, a very old privacy statute.  A recent California Supreme Court case, Pineda v. Wiliams-Sonoma Stores, Inc., applied basic statutory construction rules to this statute and found that “personal identification information concerning the cardholder” includes a person’s ZIP code.  What is noteworthy about the case is not the result as much as it is the fact it has immediately created a significant spike in class action “privacy” suits.

This increase in class action suits (which will obviously abate a bit after retailers modify their checkout policies) results from a court’s ability to now award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations – all because a cashier asks for a ZIP code during checkout.  Although technically not a privacy ruling (this case is a statutory construction 101 case), it definitely helps move the ball towards a statutory damages goalpost.

Unless the California Legislature decides to clarify the statute in light of Pineda, this decision stands as a very low threshold both for what may constitute “personal identification information” pursuant to state law and for what sort of minor privacy transgression merits a statutory damages award.  And, if the California Legislature decides not to change the statute, it will signal that potential mega-class action suits are not something that will prevent future legislatures from enacting privacy laws with much more bite.  Although decided prior to Pineda, a Ninth Circuit decision referenced below picks up the ball from Pineda and moves it much further down the field when it comes to sanctioning mega class actions involving privacy indiscretions.

Fair and Accurate Transaction Act of 2003 (FACTA)

Among other things, FACTA provides consumers with a very important anti-ID theft protection.  Specifically, the law provides that, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” (15 U.S.C. § 1681c(g)(1)).  A willful failure to comply with these requirements allows for statutory damages “in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.”  (15 U.S.C. § 1681n(a)(1)(A)).

In Zaun v. J.S.H. Inc. of Faribault d/b/a Long John Silver’s – Mall of America, 2010 U.S. Dist. LEXIS 102062 (D. Minn. Sept. 28, 2010), the court dismissed a class action complaint based on a violation of the above FACTA requirement (no willfulness) but recounts other FACTA class action cases able to withstand a motion to dismiss.  All of those cases may have pushed the privacy statutory damages envelope but the case that provides the most ammunition for a full frontal assault is Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2010) (en banc petition pending), reversing, Bateman v. American Multi-Cinema, Inc., 252 F.R.D. 647 (C.D. Cal. 2008).

In Bateman, the Ninth Circuit flat out rejects defendant’s argument that “minor” privacy transgressions should not be able to morph into a class action potentially totaling $290 million in statutory damages – 290,000 credit card receipts in violation of FACTA.  In reaching its conclusion, the court in Bateman reasons:

In the absence of such affirmative steps to limit liability, we must assume that Congress intended FACTA’s remedial scheme to operate as it was written. To limit class availability merely on the basis of ‘enormous’ potential liability that Congress explicitly provided for would subvert congressional intent…. Here, AMC did not argue before the district court that the potential $ 290 million liability would put it out of business, nor did it submit any declarations, documents, or other evidence demonstrating that such liability would be ‘ruinous.’

The court in Bateman also recognized that “the civil liability provisions were added in order to assist consumers in ‘protect[ing] their privacy.’” Id. (quoting S. Rep. No. 103-209, at 6 (1993)).   To that end, “[a]llowing consumers to recover statutory damages [deters] businesses from willfully making consumer financial data available, even where no actual harm results.”  Id. The full impact of this case remains to be seen given that it has not yet been resolved – the Ninth Circuit remanded for further findings on the class certification motion.

Recognizing the potential adverse business impact of this case, the US Chamber of Commerce has fought hard to reverse the ruling.   Although there is an apparent dispute among the Circuits that should be fodder for a cert grant and it is not uncommon for the Ninth Circuit to get overturned by the Supreme Court, the Bateman decision may never land in the Supreme Court.  More importantly, it is far from clear what direction the Supreme Court would take if it even heard the case.

Where does this trilogy of laws and resulting privacy class actions leave us?  For one, they can be perceived as a solid vote in favor of the viability of class actions suits tied to privacy-related statutory damages.  After all, these three privacy laws providing for statutory damages have withstood class action scrutiny without any subsequent limiting legislative changes – even though such laws can readily be amended to curtail the availability of class actions.  Second, they demonstrate courts have no problem remedying minor individual privacy infractions with massive class actions.  Third, and most importantly, they provide concrete examples for future legislatures who may look to address the typical data breach scenario – compromised privacy rights yielding little actual harm.

As succinctly put by the court in Bateman, “[t]he need for statutory damages to compensate victims is plain. The actual harm that a willful violation of FACTA will inflict on a consumer will often be small or difficult to prove.”  Couple the above trilogy with the fact that there are other “privacy-related” laws that provide for statutory damages and the statutory damages framework is complete.  See e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y. Dec. 22, 2010) (awarding statutory damages for a violation of the Stored Communications Act, 18 U.S.C. § 2707).

Hawaii’s S.B. 728

After the University of Hawaii’s latest data breach took place this past October – its third significant breach in under one year’s time – Hawaii’s state legislature chose to get on the offensive.  On January 21, 2011, S.B. 728 was formally introduced, including the following language:

If a judgment is obtained by the plaintiff, the court shall award the plaintiff a sum of not less than $ [yet to be determined] or threefold damages sustained by the plaintiff, whichever sum is greater, and reasonable attorney’s fees and costs. Damages sustained by the person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit report monitoring and identity theft insurance.

Given that two of three committees have recently held the bill, it is not clear where this is all heading.  It may be the case that the February 8, 2011 hearing which yielded significant opposition from the business community transformed the bill into a political hot potato that is now potentially DOA.  Although Pearl Harbor analogies are obviously premature, the opening salvo remains cleanly fired from Hawaii.

It is the California legislature that, not surprisingly, may eventually again lead the way.  A California bill introduced on February 8, 2011, S.B. 208 requiring restitution payments from criminal defendants to their ID theft victims, states that “the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution” includes ensuring that “an identity theft victim can monitor their credit report and repair his or her credit at no cost to him or her.”   This is the sort of constitutional spin (albeit a necessity here to get the bill fast tracked) that might finally make statutory damages a reality.  Until that day arrives, companies are well advised to continue to update their various policies to comply with applicable law and test their internal controls as well as bolster their defenses by using reasonable security measures.

Is Geo Data a New Privacy Battleground?

Four years ago, the EU’s Article 29 Data Protection Working Party stated that it “considered IP addresses as data relating to an identifiable person” — even though such nuggets of information can only discern a likely geographic location.  Indeed, firms like Google and MaxMind routinely use IP addresses to help identify where Internet users are located geographically to create targeted ads and help other companies create such ads.  As recently posted on the Hunton & Williams privacy blog, Germany is now separately enforcing this EU position and companies using service providers such as Google and MaxMind cannot themselves escape EU data protection responsibilities by relying on such service providers.

Now, we have California saying that merchants can no longer ask for ZIP Codes during a credit card purchase.  As reported in the Los Angeles Times, the California Supreme Court ruled unanimously that retailers may no longer collect ZIP Codes from their credit card customers except for shipping or security reasons.  Although the Court did not rely on broad privacy grounds in making its decision — instead ruling that because a ZIP Code was part of a person’s address it was subject to existing state law which precluded merchants from asking for information unrelated to a credit card transaction.

This opinion was in the context of a class action suit and because of this ruling future courts will have discretion to award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations.  Food for thought.

The NSAP Insurance Three-Step Dance

Companies looking to purchase network security and privacy insurance for the first time only need to learn a quick three-step dance.

First, know that there are around 25 viable liability markets so most any company should be able to quickly get a quote that will likely have solid coverages and be reasonably priced.  Although defendants ultimately do well in data breach litigation, getting there is not usually without significant costs.  In other words, this coverage is definitely necessary — especially since it can include regulatory expense and often needs to be purchased in order to get the below two coverages.

Second, determine whether your total exposure is significant enough to merit higher limits or a better coverage grant on remediation expenses such as credit/ID monitoring, call center, notification costs, etc.  Companies holding over 50,000 sensitive records should at least evaluate obtaining more robust coverage.  The BCBS of Tennessee incident is a stark reminder regarding just how much such first-party expenses can hit the bottom line.   During the evaluation process, companies should evaluate relatively new products from Beazley and Chartis that provide coverage tied to a pre-determined number of  IDs as well as those insurers, e.g., AWAC, providing full policy limits on this usually sub-limited coverage.

Third, determine whether you want coverage for network failure.  A good example of how this coverage works can be gleaned from the headlines.  For example, if you go to the Lush corporate website (as of February 3, 2011), you will see the following:

We are very sorry to confirm that our website has been the victim of hackers.  24 hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter.  We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.  For complete peace of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

In addition to liability and remediation expense, there are a growing number of insurers who also provide coverage for lost revenue and added expenses incurred during such “lost downtime” — whether the downtime impacts a corporate website or a firm’s internal network.  There are a few London insurance markets, including Barbican, who, in addition to the network security trigger for business interruption, also provide coverage triggers based on employee error and general systems failure.  Any broker in the United States can access Barbican and these other London markets using London wholesalers such as Chris Cotterell of Safeonline.

And, that’s the NSAP insurance three-step dance.

Swing Your Partner Do-SeDo

Plaintiffs’ Class Action Counsel Running on Empty: “Fear of ID Theft” and “Lost Time and Effort” Damages Theories Just Don’t Cut It

While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not.  Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs.  Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event.   The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations.  Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.

Damages Based on the “Fear of ID Theft”

Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages.  Although Ruiz v. Gap, Inc, instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities.  In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.

Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir. , Dec. 14, 2010), nothing has really changed this dynamic.   In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.

By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”  Id.  The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.

In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim.  This opinion on the merits was not approved for publication.

It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business.  The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”.   It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.”  In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.

In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue.  Compare Doe v. Chao,540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and `was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences’” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman,517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).

Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:

[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823.  In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…

If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.

Damages Based on “Lost Time and Effort”

Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing.  Although mitigation damages are sometimes awarded in addition to other damages such damages generally never rest as the sole measure of injury in either a negligence or contract setting.  This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.

Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Brother data breach litigation, certified the following question to the Maine Supreme Court:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).

On September 21, 2010, the Maine Supreme Court answered this question in the negative.  Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation:  “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.”  In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010).  Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.”  Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life’” damages were also not available under the implied contract claim.  Id. (quoting lower court).

Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context.  Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).

Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”.  Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.

To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity.  On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case.  See Dukes v. Wal-Mart Stores, Inc. , 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question: “Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).”) (emphasis added).

Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.  One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.

Data Breach Class Action Suits — Will the Floodgates Ever Open?

It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach.  As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory.   Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.

In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.