Category Archives: Privacy

Financial Reporting, Law Firm, Litigation Management, Privacy, Risk Management

Plaintiffs’ Class Action Counsel Running on Empty: “Fear of ID Theft” and “Lost Time and Effort” Damages Theories Just Don’t Cut It

While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not.  Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs.  Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event.   The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations.  Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.

Damages Based on the “Fear of ID Theft”

Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages.  Although Ruiz v. Gap, Inc, instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities.  In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.

Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir. , Dec. 14, 2010), nothing has really changed this dynamic.   In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.

By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”  Id.  The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.

In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim.  This opinion on the merits was not approved for publication.

It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business.  The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”.   It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.”  In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.

In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue.  Compare Doe v. Chao,540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and `was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences’” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman,517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).

Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:

[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823.  In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…

If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.

Damages Based on “Lost Time and Effort”

Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing.  Although mitigation damages are sometimes awarded in addition to other damages such damages generally never rest as the sole measure of injury in either a negligence or contract setting.  This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.

Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Brother data breach litigation, certified the following question to the Maine Supreme Court:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).

On September 21, 2010, the Maine Supreme Court answered this question in the negative.  Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation:  “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.”  In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010).  Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.”  Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life’” damages were also not available under the implied contract claim.  Id. (quoting lower court).

Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context.  Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).

Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”.  Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.

To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity.  On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case.  See Dukes v. Wal-Mart Stores, Inc. , 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question: “Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).”) (emphasis added).

Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.  One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.

Data Breach Class Action Suits — Will the Floodgates Ever Open?

It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach.  As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory.   Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.

In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.

Electronic Health Records, Intellectual Property, IT Consultants, Network Security, Privacy, Risk Management

A Data Security Trend For 2011: The Data Threat Hype Continues

The new year appears to be continuing a trend begun in 2008 — ever increasing hype concerning the level of data security threats faced by public and private entities.  This hype is not just about increasing public breach disclosures (which have primarily been driven by the increase in breach notification laws) given it also manifests in:   the perceived threat of involuntary corporate transparency brought into public view by the “Wikileaks Effect”, the fact that papers such as the LA Times are able to report as true the powerful Stuxnet worm was able to trim years off of the Iranian nuclear program, and the fact that the Organisation for Economic Co-operation and Development (OECD), in a recent report, paints a picture of a world where “[p]reventative and detective security technologies will not provide protection against all the threats [so] considerable effort will be needed to mitigate and recover from losses.”  OECD Report (dated 14 January 2011) at 82.

For example, in the LA Times article, the Stuxnet worm was removed from its unique Iranian context and given broad scare appeal:  “Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.”

Third-party threats have indeed shifted but that shift took place over five years ago – when organized crime realized that stealing data could be more lucrative — and much safer — than traditional criminal activity.  The ego-driven hackers of yesterday may still exist in the form of the hackavists of today but they remain a minor threat compared to the threats driven by organized crime.  But that is not something new.

On the other hand, the hype that has filled the data security landscape has only risen to a fever pitch these past several years.  Not exactly sure why this is happening.  It may be the fact that more big business has entered the data security consulting/technology space – well equipped with PR firms in tow.  It may be because news organizations have found a new bogeyman that can help drive sales.  It may just be the case reporters and pundits truly feel the hype is justified.

No matter what the cause, one thing is for certain.  This hype does not help companies or governments better protect themselves.  Employees faced with this barrage of hype may be just a bit more lax — thinking there is little they can really do to prevent a theft.  This would be a grave mistake given that a significant source of data loss incidents is directly tied to employee negligence.   As well, if hype causes a CFO to think that state-sponsored incidents such as Stuxnet may be an imminent threat, he or she may suggest diverting resources from more important initiatives like employee training.

There are obviously ongoing data security threats faced by companies that are very real and not going away any time soon.  Marching into 2011, focused companies will weed the hype and address these many challenges utilizing a cost-effective risk management approach.   And, should they need legal or consultative advice, they will choose seasoned partners with the lowest volume setting.  Smart companies realize that succumbing to the hype is a zero-sum endeavor that will only benefit those who feed off the hype.

Electronic Health Records, Network Security, Privacy, Risk Management

PC World: Self-Encrypted Drives Set to Become Standard Fare

Although they have been out now for a few years, it is only recently that manufacturers have decided to mass market self-encrypting hard drives, i.e., drives that have integrated keys within their chip set.  According to standards experts quoted in a recent PC World article, in a few years, companies will be relying on self-encrypting drives “and you won’t even realize it-because it will be so pervasive. The encryption just works, it doesn’t impact you.”

Companies looking to better navigate notification breach safe harbors and any recently enacted security standards should take an immediate hard look at deploying laptops, desktops, and storage devices using this relatively painless way of encrypting sensitive data.  That hard look should especially be taken by firms looking to comply with state laws such as the Massachusetts Data Protection Law or steer clear of possible penalties available under the HITECH Act.

Privacy

January 28, 2011 is Data Privacy Day

The third annual Data Privacy Day is set for January 28, 2011.   Just in case you missed the first two, this is an annual “international celebration of the dignity of the individual expressed through personal information.”  According to the official website, the purpose of the day is to raise privacy awareness worldwide:  

In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Although the two major corporate sponsors are Microsoft and Intel, profit and non-profit organizations from around the world are participating in local events.  To get the latest information on events that may be in your area, join the Facebook page.

Intellectual Property, Law Firm, Litigation Management, Middle Market Business, Network Security, Privacy, Risk Management

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court  ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 of pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the  attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are  communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent  commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank’s whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

Law Firm, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.

Electronic Health Records, Intellectual Property, Law Firm, Middle Market Business, Network Security, Privacy, Risk Management

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

Electronic Health Records, Law Firm, Network Security, Privacy, Risk Management

IW: CIOs See Smartphones As Data Breach Time Bomb

As recently reported by InformationWeek, a study conducted by market researcher Ovum and the European Association for e-Identity and Security found that eight out of 10 CIOs believe using smartphones in the workplace increases their firm’s vulnerability to attack.  Although these CIOs rank data breaches as their top related security concern, half of the organizations acknowledge that they fail to provide some basic security measures for the use of smartphones.

This report should be of major concern to doctors and lawyers — two groups of professionals that rely heavily on the use of smartphones to manage their workloads.    At the very least, an easily applied security precaution for smartphones should be the use of a strong password that is changed every 60 days or sooner.  Two-factor authentication is preferable.   Users should back up data regularly and not have it remain solely on a mobile device – unfortunately, default settings can have the communications emanating from your mobile device remain resident solely on a mobile network.  Make sure your mobile device is equipped with anti-virus protection and if you receive an e-mail from a company or person that you’re not familiar with, do what you do on your work computer – just delete it.   Use your idle timer feature to lock down your smartphone as you would your laptop.  

If you have an IT support team (in-house or outsourced), make sure it keeps your operating system and server patches up to date and strictly enforces what applications can be used and what connections can be accessed.   What OS is even used may impact security.   For example, researchers have recently discovered flaws in the WebOS smartphone platform that could let an attacker build a mobile botnet or execute other remote attacks.  More advanced security features include the use of remote wiping applications, encryption and data loss/leak prevention tools.  

Notwithstanding the fact it can also place a call, the key to improving your security posture is to respect the fact your mobile smartphone is now no different from any other computer you use at work.  Act accordingly.

Law Firm, Middle Market Business, Network Security, Privacy, Risk Management

ABA: Law firms are Likely Targets for Attacks Seeking to Steal Information off Computer Systems

According to a recent ABA Journal article, the global digital infrastructure is under siege and law firms are to some extent on the front lines given the vast amounts of sensitive data they process and maintain.  Bradford A. Bleier, unit chief to the Cyber National Security Section in the FBI’s Cyber Division, is quoted in the article:  “Law firms have tremendous concentrations of really critical private information” and breaking into a firm’s computer system “is a really optimal way to obtain economic and personal security information.”  Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, believes this threat is increasing for two different reasons.   First, he said, “the skill level of attackers is growing across the board.” And, secondly, the nation’s networks of computer systems are becoming more connected and complex all the time, “and complexity is the enemy of security.”  Marc Zwillinger, a founding partner of Zwillinger Genetski, recognized another obvious problem for law firms:   “Lawyers haven’t been as diligent with security as some of the institutions that gave them information.”

After sufficiently spreading the FUD (fear, uncertainty, and doubt) throughout, what does the ABA author suggest as a solution.  Well, not much of note.  It is suggested that firms change their culture to be more in tune to security – which will likely need to be done from the top down given most managing partners, according to the author, have little time with sophisticated passwords and things that might otherwise slow them down.   It is also suggested that data be segregated and that encryption be deployed. 

The most relevant bit of information from the article actually was added in the sidebar and builds on Marc Zwillinger’s suggestion that a client’s security is usually more evolved than that of its law firm.    The author’s sidebar comment points out that clients may soon be auditing their law firm’s security.  Given that lawyers have been helping clients with technology due diligence for years now and have also been advising  on the use of audits, it is not much of a stretch to expect one law firm to recommend auditing another firm.  Those law firms in front of this issue will not only keep existing clients – they will also be in great shape to potentially win new ones.   Afterall, what law firm would suggest such an audit if it did not already deploy a sophisticated security infrastructure of its own?

Law Firm, Network Security, Privacy, Risk Management

Study: Electronic Theft Costs More Than Physical Theft

In a recently published study conducted by security firm Kroll, findings showed electronic and information theft are at 27.3 percent of total fraud losses while physical theft at 27.2 percent.  Although this is statistically a dead heat, the fact that it is even close is significant for all companies looking to curtail fraud costs.  Interestingly, China had the highest level of fraud, with 98 percent of businesses affected, and Colombia and Brazil came in next, with 94 percent and 90 percent respectively.  

According to Kroll, “information-based industries reported the highest incidence of theft of information and electronic data over the past 12 months. These include financial services (42% in 2010 versus 24% in 2009), professional services (40% in 2010 versus 27% in 2009) and technology, media and telecoms (37% in 2010 versus 29% in 2009).”

There are two common sense takeaways from this recent study — devote the right resources (including training) to avoid electronic theft and fraud and ensure the right security and vetting processes are in place when doing business in emerging markets, especially if your firm holds a good deal of sensitive data.  Although both suggestions may seem obvious it often takes the cumulative impact of these surveys and anecdotal evidence to really push the risk management needle.