All posts by Paul E. Paray

Electronic Health Records, Privacy, Risk Management

OCR’s April settlements reinforce HIPAA priorities

On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet –  a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.”   According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops.  And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”

In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution, there was another settlement announced on April 20, 2017.  This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement.  According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances in the form of a written business associate agreement that the vendor would appropriately safeguard the PHI in the vendor’s possession or control.  As done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and the failure to have one when necessary would be a costly error.  See 45 C.F.R § 164.502(e).

And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place.  Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.

To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan.  Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance.   With this latest round of settlements, it, however, appears clearer and clearer that an ounce of prevention is worth a pound of cure.

Privacy

EU-US Privacy Shield review will take place in September

As set forth in a press release issued on March 31, 2017, Věra Jourová of the European Commission announced that the Privacy Shield will have its first annual review sometime in September.  This press release provides portions of a recent speech given by Ms. Jourová.  And, according to this speech given in Washington, the review “will be an important milestone where we need to check that everything is in place and working well.”

Given that over 2,000 U.S. companies have already committed to Privacy Shield compliance, it is highly unlikely that the EU will disrupt this replacement to Safe Harbor after the September review.   As before, it will likely take a court challenge to rock this crucial agreement for cross-border data flows.

Law Firm, Network Security, Privacy

ACC suggests $10 million in cyber coverage for outside legal counsel

On March 29, 2017, the Association of Corporate Counsel released a set of model cybersecurity practices to help corporate legal departments address security and risk management issues born out of their outside legal counsel’s use of sensitive company data.    Protecting corporate data has increasingly been a top-of-mind topic for in-house counsel.  As reported by Corporate Counsel magazine, from 2014 to 2017, the percentage of in-house lawyers viewing the threat of data loss as an “extremely” important issue rose from 19 percent to 26 percent.

This proposed set of best practices should really come as no surprise.  Law firms have already been targeted with ransomware exploits given a small payment to access encrypted data takes a far backseat to potential lost billable time .   Similarly, law firms have long been targeted by sophisticated criminals and state actors interested in the wealth of confidential data they maintain.

In is not clear, however, how most outside counsel will comply with several of the best practices outlined by the ACC given the significant expense, implementation risk, and time commitment.  For example, the ACC suggests the following three baseline measures:

Outside Counsel shall have vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies reasonably designed to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.

Outside Counsel shall have, shall implement, and shall maintain network security controls, including the use of firewalls, layered DMZs and updated intrusion, intrusion detection and prevention systems, reasonably designed to protect systems from intrusion or limit the scope or success of any attack or attempt at unauthorized access to Company Confidential Information.

If Outside Counsel has not achieved ISO27001 certification, Company may request that Outside Counsel undertake the certification process and provide Company with evidence of certification when attained.

Although AV protection and patching is fairly standard fare, not many law firms will go to the trouble of getting ISO certified or developing an intrusion plan focused on thwarting or mitigating attacks that are based on the nature of the data involved.    In fact, the ACC has done what is fairly typical of published “best practices”, namely it put together a wish list that will never be implemented by the vast majority of outside counsel.

Found in these best practices, however, is one suggestion that may actually have some appeal for a wide range of law firms – a risk transfer model that puts the onus on an insurance carrier to foot the bill for a data incident.    Specifically, the ACC suggests law firms purchase at least $10 million in cyber insurance:

Without limiting its responsibilities set out in herein, in countries where cyber liability insurance coverage is available, Outside Counsel will obtain and maintain in force at all times cyber liability insurance with an insurance company having a minimum credit rating of A- from Standard and Poor’s or other equivalent rating agency, with a minimum coverage level of $10,000,000.

Although the cost to purchase $10 million in limits may be significant, it will open the door to some minimal underwriting for security best practices as well as the recognition that a deep pocket is always available to absorb the risk.    In other words, it will be a much softer route for outside counsel to obtain buy-in regarding its data security chops  if it starts with the purchase of data loss and privacy insurance.  After purchasing this insurance – and satisfying the encryption and other underwriting requirements, outside counsel’s next steps are largely dependent on the size of the firm.   Indeed, for a smaller firm, $10 million may not make any sense – a much smaller $5 million or even $2 million policy limit would be sufficient.  Even though some law firms rely on data loss and privacy insurance to address coverage gaps and transfer loss caused by a data intrusion it remains a non-standard coverage.

For a larger firm, there is also more likely an IT Director, CIO or even a CISO already in place.  Such positions necessarily bring with them certain advanced practices that can be found in the ACC’s suggested best practices.  On the other hand, in a law firm with no such position in place – nor the money or desire to create one, the Office Manager is often tasked with squeezing out the most security from the smallest possible budget.  In that instance, firewalls and proper endpoint protection are necessary baseline defenses.  Also, the use of certain cloud security vendors – including those providing encryption or phishing-detection email services, can end up being a cost-effective step up in security.   Applying the NIST Cybersecurity Framework or getting ISO certified is far fetched to say the least.

No matter what the size and level of sophistication law firms will always remain low-hanging fruit for dedicated thieves looking for some good data to steal.  To that end, the ACC’s grandiose best practices can only be perceived as a beneficial and necessary step in the right direction.

Privacy, Risk Management

Privacy Shield Is not in play

On March 2, 2017, Věra Jourová – the Justice on the European Commission tasked with “Consumers and Gender Equality” recently raised a vague concern as to whether the Privacy Shield could withstand President Trump’s recent immigration executive order.  She said “If there is a significant change, we will suspend”.  This minimalist threat, however, seems more like an attempt to play up her visit to the White House in late March.

Privacy Shield is the data-transfer agreement negotiated by the United States and the European Union in February 2016 that is now relied upon by many international firms transferring and maintaining personal data between the EU and US.   Given that it was a court challenge that ultimately gave rise to Privacy Shield, it will always be subject to threat from legal action.  In fact, the ACLU and Human Rights Watch has already tried to stir the pot by sending a letter to the EU Commission after Trump’s recent executive action on immigration.  It is not clear why the American Civil Liberties Union would care about the privacy rights of those in the EU but that is left for a separate discussion.

To nip all of this in the bud, on February 22, 2017, Acting Federal Trade Commission Chairman Maureen Ohlhausen previously said that the immigration order would not in any way affect the FTC’s enforcement of the Privacy Shield given that order does not impact commercial activity.  To that end, Commissioner Jourová also previously said she was “not worried” but remained vigilant regarding the order.

There are lawyers who believe that Privacy Shield may be in play due to the President’s activities.  For example,  Aaron Tantleff of Foley & Lardner LLP is reported as saying “certain actions being taken by this administration could lead to the suspension of Privacy Shield. We may leave the EU Commission and Parliament with no choice.”  Such vague missives may be good at percolating new business but do not represent a pragmatic perspective regarding Privacy Shield’s real threat.

Given the now entrenched nature of Privacy Shield and the vested interest EU and US business interests have in its continued implementation, it appears only another judicial blow based on the lack of data security will derail it – requiring the same sort of EU court ruling based on NSA data collection that ultimately cut down the predecessor Safe Harbor rules in the first place.  Simply put, until the new Administration’s activities adversely impact the security of personal data by mass collecting data or forcing companies to compromise data security features there is not much to worry about.

Electronic Health Records, Privacy, Risk Management

Horizon settles state HIPAA claims based on lost laptops

On February 15, 2017, Horizon Healthcare Services, Inc. (“Horizon”) agreed to pay New Jersey authorities $1.1 million to resolve alleged HIPAA Privacy and Security Rule violations based on the November 2013 theft of two unencrypted laptops.  The stolen laptops compromised the privacy of 687,838 New Jersey policyholders.  This settlement comes on the heels of the Third Circuit reversing the dismissal of a putative class action filed against Horizon based on the same laptop incident.

After acknowledging that vendor moving company employees may have stolen the laptops, the Complaint recounts numerous alleged HIPAA violations.   Complaint ¶ 17, 43.  Horizon ultimately agreed by way of its consent judgment to a corrective action plan (“CAP”) and third-party audit – with $150,000 of the consent judgment as a “suspended penalty” that would be automatically vacated if the CAP was in material compliance two-years after entry of the judgment.

This costly Horizon incident provides several takeaways that never get old – encrypt all laptops and use an IT asset management plan that ensures the IT team can track all laptops with network access.   Most importantly, unlike Horizon never make any exceptions.  Complaint ¶ 23 (“As a result of the procurement of the MacBooks outside of Horizon BCBSNJ’s established process, certain MacBooks were not configured with approved encryption, data deletion and other software required by corporate policy.”).

Behavioral Advertising, Privacy, Risk Management

FTC settles major IoT privacy case with smart TV maker VIZIO

On February 6, 2017, smart TV maker VIZIO entered into a stipulated Order granting injunctive relief and a monetary judgment to the FTC and New Jersey Division of Consumer Affairs.  The FTC brought its claims pursuant to Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the New Jersey DCA brought claims pursuant to the New Jersey Consumer Fraud Act, N.J. Stat. Ann. § 56:8-1 et seq.  VIZIO and a subsidiary will pay $2.2 million to settle claims that the companies improperly tracked consumers’ viewing habits and sold this information without compensating viewers.  According to the Complaint filed the same day as the stipulated Order, Vizio and its subsidiary since February 2014 continuously collected viewing data on a “second-by-second” basis without any notice to the consumer.  Complaint at ¶ 14.  This action comes on the heels of the FTC’s smart TV workshop this past December.

Pursuant to the Order, all viewing data obtained by VIZIO prior to March 1, 2016 must be destroyed.  As for obtaining future viewing data, VIZIO must first prominently disclose to the consumer, separate and apart from any “privacy policy” or “terms of use” page: “(1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information.”  And, VIZIO will be able to collect such information only after the consumer affirmatively consents to such collection.

It is not entirely clear what incentive currently exists for consumers to voluntarily provide their viewing data to VIZIO given their initial smart TV purchases exist apart from any potential future relationship with VIZIO.  In other words, VIZIO really has nothing new to offer for this viewing data – it can only offer something on behalf of those who buy or broker this data.  Accordingly, VIZIO may act in the future as a new stream of commercials.  It has already been suggested that Netflix could make billions by bringing ads to its streaming offerings.

It has been reported that over half of US households use an internet-enabled television.  The VIZIO settlement with the FTC and New Jersey DCA does a great job of highlighting the peril of collecting IoT data such as TV viewing data without proper consent.  Samsung and LG faced similar pressure in 2015 but that was far from a clarion call given the lack of any hefty fine.

The VIZIO resolution may actually be more similar to the major shift brought on after CardSystems was breached over a decade ago.  CardSystems had no excuse for unsecurely maintaining track 2 data for its potential marketing purposes so that breach definitely helped promulgate the PCI data security standard.  Similarly, the VIZIO settlement may lead to more safeguards regarding the use of IoT data.  Rather than Visa or Mastercard waiting in the wings to enforce compliance we would have the FTC and state regulatory bodies.  Nevertheless, such efforts will still have to garner consumer support given the backdoor of affirmative consent that still exists even after the VIZIO resolution.  In other words, there may still have to be something in it for the consumer.

As previously suggested, it may finally be time for consumers to just be paid cash for their consumer data.

Litigation Management, Privacy, Risk Management

Third Circuit reinstates data breach case alleging FCRA violation

On January 20, 2017, the Third Circuit reversed the dismissal of a putative class action filed against Horizon Healthcare Services, Inc. (“Horizon”).  The suit was brought after two laptops containing personally identifiable information were stolen in 2013 from Horizon’s Newark offices.  The four named Plaintiffs filed suit on behalf of themselves and 839,000 other Horizon customers whose unencrypted personal information was stored on those laptops.  Plaintiffs alleged willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., claiming that Horizon inadequately protected their personal information.

The District Court dismissed the suit under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing.  According to the lower Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

According to the Third Circuit, in light of the congressional decision to create a remedy for the unauthorized transfer of personal information, an alleged violation of FCRA gives rise to an injury sufficient for Article III standing purposes.  And, even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, the Court ruled that all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Fed. R. Civ. P. 12(b)(1).  The fact that Horizon offered credit monitoring and identity theft protection services to those affected was not of any import to the majority or concurring opinion.

Reviewing the matter de novo, the Third Circuit first recognized that FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” In Re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, Slip Op. at 8 (3d Cir. January 20, 2017) (citing Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007)). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information . . . for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f).  Id.  And, any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id.  (citing 15 U.S.C. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations)).  See also Id. at 27 (“But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”); Id. at 29, n. 20 (“Congress has elevated the unauthorized disclosure of information into a tort. And so there is nothing speculative about the harm that Plaintiffs allege.”).

Horizon did not challenge the validity of any of the Plaintiffs’ factual claims as part of its standing motion – arguing instead that that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs’ Article III standing.  Id. at 13.  This is significant given that the Third Circuit was only hearing the standing issue and not the substantive motion to dismiss.  See Id. at 13, n. 9 (“In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a “consumer reporting agency” and therefore is not subject to the requirements of FCRA. . . . Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages.”) (emphasis added).

It was this alleged substantive FCRA violation – which again was assumed to exist for purposes of its standing ruling, that ultimately caused the Third Circuit to find in favor of plaintiffs.     See Id. at 22, n. 16 (“Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.”); Id. at 28 – 29 (“So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.”) (footnotes omitted).

In reviewing the allegations found in the Complaint, the Third Circuit reasoned that the “trifle of injury” necessary to determine standing was met by virtue of the alleged FCRA violation.  Id. at 15.  Moreover, it found that its prior recent cases of In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) reconciled with such a result.  Id. at 22 (“In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon.”).

In a strong nod to what it perceived to be the stare decisis injury-in-fact precedents rendered prior to the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Third Circuit reconciled that decision with the following:  “Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit, id. at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing.”  Id. at 24See also Id. at 25 (“Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,” 136 S. Ct. at 1549 (citation and internal quotation marks omitted), “that were previously inadequate in law.” Id.”).

In Re: Horizon Healthcare Services Inc. Data Breach Litigation is an important decision for numerous reasons – not the least of which is the fact the Third Circuit is one of the most influential circuit courts in the country.  First, notwithstanding the fact Defendant is a health insurer, in their Complaint, the Plaintiffs successfully asserted for standing purposes Horizon is also a consumer reporting agency.  This is significant given that the very first count of Plaintiffs’ Complaint claims that Horizon committed a willful violation of FCRA.  And, FCRA permits statutory damages for willful violations. See 15 U.S.C. § 1681n(a) (“Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of … any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000. . . .”).

In other words, counsel recognized that statutory damages are a necessary predicate to successfully pursuing a class action based on a data breach claim and that merely alleging that a company is a consumer reporting agency will now be sufficient to get in the courthouse.   Even though retail breaches may be too difficult a stretch, there is nothing stopping class counsel from branching out from health insurers.   In the future, defense counsel may be forced to simply forego the previously successful standing motions and go straight to a Fed. R. Civ. P. 12(b)(6) substantive motion.   And, given that such motions are quite difficult to win, the end result may be many more “cost of suit” settlements ranging significantly upward.

This decision may ultimately end up being more noteworthy for the concurring opinion of Judge Shwartz.   According to Judge Shwartz, there was no reason to even rely on FCRA to reverse the lower court’s decision.  According to Judge Shwartz, the mere “loss of privacy” was sufficient to demonstrate injury in fact.  See Id. at 1, n. 4 (Shwartz, J., concurring) (“Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact.”).    Moreover, the lack of encryption was deemed the efficient cause of this loss.  Id. at 5, n. 4 (Shwartz, J., concurring) (“I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.”).

Judge Shwartz was not persuaded that there was sufficient reconciliation with prior cases or that there was even the need to have such reconciliation based on her view of the law.  Id. at 5, n. 3  (Shwartz, J., concurring) (“My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement.  I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point.”).   As a result, Judge Shwartz’ concurring opinion will likely be heavily cited by plaintiffs in data breach cases involving unencrypted data whether or not there are any possible FCRA violations.

All in all, January 20, 2017 was a very good day for class counsel pursuing data breach litigation.

Electronic Health Records, Privacy, Risk Management

OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure of unsecured electronic protected health information (ePHI) by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) stored in a USB storage device.    Simply put, a thumb drive stolen in 2011 from MAPFRE’s IT department cost it an astounding $2.2 million as a “resolution amount” in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large “global multinational insurance company headquartered in Spain” played some role in the harsh fine.  The USB data storage device included complete names, dates of birth and Social Security numbers and impacted 2,209 individuals.   Given that MAPFRE’s lack of encryption was an adverse mitigating factor for OCR, covered entities should bite the bullet and continue to encrypt all devices touching ePHI no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window applicable to breaches impacting 500 or more patients.  On January 9, 2017, OCR issued a press release that says it all:  “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”.  Rather than report within 60 days, Presence Health – a large health care network serving Illinois, took 104 days to report the loss of “paper-based operating room schedules, which contained the PHI of 836 individuals.”  A spokesman from Presence Health said in a statement that contact and financial information were not even compromised.

As done in the past when it came to the need for properly-worded business associate agreements, undergoing a comprehensive risk analysis, and cooperating in investigations, covered entities should be appreciate the examples made of MAPFRE and Presence Health – encrypt and timely report after a breach.

IT Consultants, Law Firm, Privacy, Risk Management

New York’s DFS provides a two-month reprieve

On December 28, 2016 – after a very public outcry from the financial community it regulates, New York’s Department of Financial Services (“DFS”) pushed to March 1, 2017 the January 1, 2017 deadline to comply with its proposed data security standards.  These security standards and related regulatory requirements – which are unique in the country, were first disclosed by DFS this past September and include a data breach reporting deadline that is a mere three days in length.

After reviewing 150 comments, the DFS doubled down on its proposed standards and only gave two more months for compliance.  As it now stands, the regulation will be officially implemented on March 1, 2017 and impacted firms will have 180 days to begin compliance – September 1, 2017.  And, by February 15, 2018, firms will be required to submit a certificate of compliance to DFS.

Despite vigorous opposition found in the submitted comments, the DFS retained several important aspects of its proposed regulations, including the three-day window to report a “cybersecurity event” – broadly defined to also include unsuccessful attempts, and the need to file annual certifications of compliance.

Another key component of these proposed regulations requires the designation of a Chief Information Security Officer.  Even though most large financial institutions already have that position filled, many firms subject to DFS jurisdiction will now have to allocate resources to either hire such an employee or reassign an existing employee to take on these new challenges.

All in all, the new DFS regulations – implementing specific security standards on New York’s largest business sector, will immediately generate significant business for those tech vendors and privacy lawyers offering gap-filling solutions that actually work.

Litigation Management, Privacy, Risk Management

New Jersey District Court Denies Standing in FACTA Case

On October 20, 2016, Judge William J. Martini of the District of New Jersey ruled, in Kamal v. J.Crew, that actual evidence of fraudulent credit card use was necessary before a customer could properly assert Article III standing in a suit brought under Section 113(g) of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Given FACTA allows statutory damages of up to $1,000 in a private cause of action based on a willful violation, FACTA has been a very popular statute for class actual counsel. For example, in 2015, LabCorp agreed to fund an $11 million settlement – nearly $200 to each class member to settle FACTA charges, which included a nationwide class of plaintiffs comprising 665,000 consumers.

Relying on the May 2016 Supreme Court ruling in Spokeo v. Robins, Judge Martini dismissed a previously-stayed FACTA class action against J.Crew. Judge Martini ruled J.Crew’s printing of ten digits of a customers’ account does not meet or create a claim meeting Article III’s concreteness requirement.

Although FACTA precludes a retailer from printing more than five digits of a credit card number on a sales receipt, Judge Martini found that printing 10 digits instead of five did not raise the risk of fraud sufficiently to create a concrete injury for “case” or “controversy” standing purposes. According to the Court, without the risk of concrete harm, the court lacks subject matter jurisdiction and has no choice but to dismiss the case given Article III of the Constitution did not allow him to hear the case.

In dismissing, the Court essentially ruled that the mere exposure of more numerals of a credit card number did not compromise plaintiff’s security sufficiently to demonstrate actual harm.  Of most significance, the Court ruled: “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right.” Kamal v. J.Crew at 5 – 6.  See also Kamal v. J.Crew at 3 (“Spokeo did not disturb this circuit’s standing jurisprudence. See In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 273 (3d Cir. 2016).”).

Other courts interpreting Spokeo have been more tenuous. For example, in Carr v. Parking Solutions, the District Court ruled: “The Supreme Court did not offer a conclusive ruling, and instead remanded Spokeo to the Ninth Circuit for further consideration of Article III’s injury-in-fact requirements.” See also Spokeo, 136 S. Ct. at 1553 (Thomas, J., concurring) (“Congress can create new private rights and authorize private plaintiffs to sue based simply on the violation of those private rights. A plaintiff seeking to vindicate a statutorily created private right need not allege actual harm beyond the invasion of that private right.”).

No one can predict whether or not Judge Martini’s ruling will stand the test of time.  What is clear, however, is that his ruling has significance with future privacy actions beyond FACTA.  As previously pointed out, FACTA could have been an important stepping stone for privacy class counsel seeking to monetize a data breach.   As it currently stands in the Third Circuit, however, statutory damages would not even be enough to get the job done for class counsel.