Category Archives: Network Security

First Circuit Rules Hannaford Damages Include ID Theft Insurance and Card Reissuance Fees

On October 20, 2011, the United States Court of Appeals for the First Circuit issued an opinion reversing a Maine District Court’s dismissal of negligence and implied contract claims against grocer Hannaford Brothers.  The underlying data breach publicly announced on March 17, 2008 by Hannaford led to a consolidated class action that was ultimately rejected in its entirety by the Maine District Court.   After receiving guidance from the Maine Supreme Court regarding whether time and effort alone could represent a cognizable injury — it did not — the District Court ultimately ruled that even though claims for implied contract and negligence could be alleged by the plaintiffs, because the associated damages were not cognizable in law, the action had to be dismissed. 

In reversing, the First Circuit recognized that “[t]here is not a great deal of Maine law on the subject [of damages recoverable under § 919 of the Restatement (Second) of Torts].”  Accordingly, it reviewed a good deal of caselaw outside of Maine before applying § 919’s rule that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened” to the specifics of this case.   Several cited cases found such mitigation damages valid even if they exceed the potential savings and are purely financial in nature. 

Recognizing the Hannaford breach involved a large-scale criminal operation that already led to over 1,800 identified fraudulent charges and many banks issuing new cards, the First Circuit ruled that mitigation damages in the form of ID theft insurance and credit card reissuance fees were financial losses recoverable under the negligence and implied contract claims so long as they are considered reasonable mitigation damages.   There was no remand for further factual findings on the issue.  The First Circuit simply made a determination that such damages were both foreseeable and reasonable and reversed on that basis.  Now that the consolidated complaint lives another day, the District Court may certify a class but if it does it remains to be seen how far the lower court will go in sizing the class and allowing for such mitigation damages.

Anonymous Supports September 17 Efforts

On August 23, 2011, Anonymous released a video endorsing the September 17, 2011 planned “Day of Rage” occupation of Wall Street and other financial areas around the world.   Specifically, in its video, Anonymous urges protesters on September 17th to “flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months … Once there, we shall incessantly repeat one simple demand in a plurality of voices.”

This endorsement might seem fairly harmless.  On the other hand, those in the financial sector are urged to take this implicit threat pretty seriously.  According to a duo of FBI agents talking today at a public briefing regarding the entry of Anonymous to the September 17th efforts, financial institutions are advised to step up their network security during the next few days.  In fact, a recent FBI crackdown on Anonymous may be tied to S17.   Given there is deliberately no leadership core within Anonymous, all that can be hoped is that on the 17th its members choose to take a day off from clicking on a computer; and instead take a relaxing train ride downtown.

Update:  September 19, 2011
As of Monday morning, the “Day of Rage” event showed no publicly reported increase in data security events.  It is estimated that several thousand attended the rally in New York City but there was not much in the way of media reporting given it was largely a peaceful event.

Update:  September 28, 2011
On September 23, 2011, the FBI’s Cyber Division issued the following informational bulletin to Infragard members:

For situational awareness, the following message was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengence” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.  In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department.  We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk to attacks, such as SQL injection.

September 24, 2011 came and went without any publicly disclosed incident tied to this threat.  The hope is that the FBI’s future warnings are not ignored given the lack of traction of these recent Anonymous warnings.  Bottom line:  Safeguarding against SQL injection exploits is obviously sound advice with or without an Anonymous threat.

Update:  October 12, 2011
Although similar to the October 8-11, 1969 “Days of Rage” riots in Chicago that led to the arrest of several hundred Weatherman radicals, the current Wall Street “Days of Rage” protesters are not facing nearly as much opposition from the police or popular media.   Moreover, despite the Anonymous threat, there have been no reports of cyber incidents directly tied to this protest.  RIM, however, has faced several recent outages.  Although RIM has publicly stated that these Blackberry blackouts were caused by a “core switch failure”, given that there is still strong Blackberry usage in the financial sector, it will be interesting to hear in a few months time whether there was anything else that contributed to these blackouts.

Update:  November 13, 2011
Much has happened since the first Day of Rage took place several months ago on Wall Street — including its morphing  into a national “Occupy” movement in cities around the country.  It’s generally been tough going for these occupiers.  There have been deaths in the Occupy Oakland and Occupy Burlington protests as well as a death at the one in Salt Lake City; a tuberculosis outbreak  hit Occupy Atlanta; and the starting point at Zuccotti Park near Wall Street has seen its share of viruses and STDs thin the ranks.  As for Anonymous, the general consensus is that the hype they generated yielded PR benefits to the organization even though to date they apparently have not been directly involved in any related cyber-security incident.

Ponemon Second Annual Cost of Cybercrime Study

A detailed study regarding the impact of cybercrime on corporations was recently released by the Ponemon Institute.  According to the Second Annual Cost of Cyber Crime Study, the median annualized cost of cybercrime incurred by a benchmark sampling of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.  This was an increase of 56 percent from the median cost reported in the inaugural study.

According to this Ponemon deep dive of organizations who have sustained incidents of cybercrime, more than 90 percent of all cybercrime costs were caused by malicious code, stolen devices and web-based attacks.  During a four week period, the organizations surveyed by the Ponemon Institute experienced 72 successful attacks per week, an increase of nearly 45 percent from last year.  Interestingly, according to a recent study by Webroot Research, cybercrime on social networks also continues to increase — with the number of US-based users who have experienced attacks on social networks growing from 8% in 2009 to 13% in 2010 to 18% in 2011.

Smaller-sized organizations were found by Ponemon to incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).  This may be given that smaller organizations do not readily negotiate much off of vendor rack rates — another reason to evaluate network security and privacy insurance as well as working with a law firm that has significant experience in dealing with breaches.

According to this Ponemon survey, the average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18 day period.  Interestingly, this represents a 67 percent increase from last year’s estimated average cost of $247,744, which took place over a 14 day period. Results of the study show that malicious insider attacks can take more than 45 days on average to contain.

On September 14, 2011, New York Metro InfraGard and Coalfire are co-sponsoring a New York City event that will feature Dr. Larry Ponemon speaking on the Ponemon Institute’s Cost of Cybercrime Study.  For details on this event, visit the Infragard site or registration site.

Betterley Report on Cyber Insurance is Now Available

The highly-anticipated annual Betterley Report on cyber insurance was released right before the 4th of July holiday weekend.  In the free summary of the issue, there is mention of the 29 insurers now providing some form of network security and privacy insurance.  Betterley projects the existing market to be in the $800 million range — which would make it probably the fastest growing insurance product in the current soft insurance market.

In the free summary there is also an article written regarding cloud exposures and how such exposures may impact coverage under a network security and privacy policy.  As recently reported in the Wall Street Journal, a World Economic Forum report found “that 90% of suppliers and users of cloud services consider privacy risks to be a ‘very serious’ impediment to widespread cloud adoption.”  Given this concern, having the right privacy insurance in place becomes that much more important.

Defense Contractors May Be Impacted by RSA Breach

On the heels of the breach that potentially exposed RSA’s source code for its SecurID tokens– the same tokens used every day by thousands of employees to access their corporate VPNs –  a defense contractor acknowledged on May 27, 2011 that its network may have been compromised as an indirect result of the RSA breach.  As reported by Reuters, Bloomberg, and the New York Times, the defense contractor “detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers.”

It is still not certain whether the two breaches are related but it is interesting to note that this story was first broke by a blogger and not the broader media.   Given the fact this incident may  involve military information, it is likely we will never fully learn what has happened.  When it comes to divulging secrets, misinformation is usually the stock in trade of the military.

What remains clear, however, is that advanced persistent threats continue to pose long term threats to corporate and governmental interests.   The good old days of naive hackers stumbling upon exposed databases and inadvertently helping to plug a previously unknown hole are no more.   We are now in the age where a state actor or sophisticated cyber criminal will gladly sit on vulnerabilities for as long as it takes.  Simply put, with enough patience, a determined and sophisticated thief will eventually get whatever information a buyer may want.

[Update:  June 10, 2011]
RSA conceded that the defense contractor breaches may be related to RSA’s March breach and has offered to replace corporate SecurID fobs.  There is some supposition that a large defense bid was the catylist leading to both the RSA breach and subsequent defense contractor breaches.  We may never know who caused the various attacks or why.   What we do know, however, is that RSA has decided to appoint its first chief security officer.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT exploit.  As recognized by RSA’s Executive Chairman, Art Coviello,”APT threats are becoming a significant challenge for all large corporations.”  These exploits are the same sort of attacks that the press were quick to blame the Chinese on last year.  In fact, the Wall Street Journal reported last year that these attacks impacted over 2,400 businesses.  How exactly can a company avoid an APT or “advanced persistent attack” when a firm like RSA also gets hit by such criminal activity?

By way of background, APTs are social engineering techniques — once upon a time simply known as confidence or con games — applied with a healthy dose of hacking and malware.  RSA’s attack is a bit more troublesome than most APTs given the possible repercussions to customers as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason that this breach is significant has to do with the fact RSA customers all over the world use RSA SecurID to protect outside access to sensitive data.  In order to access a computer protected by SecurID, users enter a traditional password as well as the number displayed on their RSA SecurID hardware token. The numeric value displayed on the token changes once every few minutes to provide added protection.

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns — not the least of which is the mere fact that a firm such as RSA was able to be compromised in the first place.  A leading security consultant voiced a complaint that the lack of information emanating from firm makes it hard for customers to know what exactly to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never make it to the kitchen table, there are many vectors that can be compromised during a successful APT threat.  The key factor to a successful APT exploit is the level of trusted connection breached — whether that is an executive friend on FaceBook or a next door neighbor’s email address.  Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information.  This is where there is a significant disconnect from the typical financial data hacker.  Such hackers may wait before using card data to commit a fraudulent purchase but will not likely wait to steal the compromised data.  That is why most APTs are blamed on governmental entities — who are notoriously patient when moving on a target.  Those committing APTs may get very valuable data along the way but would never risk getting caught with such data until the final target is achieved.  In other words, the APT criminal may spend months lurking in a network before any information is even compromised.  That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to change a firm’s security posture.  The threat is more derived from employee policy lapses, i.e., use of social media at a workstation and use of infected thumb drives, than it is from brute force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.   In other words, the old adage “on a need to know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense of APTs — if there is even such as a thing as a viable defense.  Knowing the relative value of your assets and the costs to mitigate a loss in advance of a loss are the bread and butter of risk managers.  Applying such insight in the proper measure will remove from the equation some ego-driven security initiatives to be replaced by focused efforts aimed at the most sensitive data of an organization.  Risk managers are routinely given the task of protecting the personal assets of the chairman of the board — by, among other things, a D&O insurance placement — as well as coordinating large scale enterprise risk management initiatives.  Providing some guidance on this front should not be that much of a stretch.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million dollars.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty.  Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE in which HHS has imposed a civil money penalty (CMP) for alleged  violations of the HIPAA Privacy Rule.  As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.”  The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net – the first time a state has used the HITECH Act to settle a data breach claim — as well as the enforcement of the HITECH Act’s public disclosure of data breaches.  Cignet Health, however, did not sustain a data breach so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it:  The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss.  And, the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Supranos moment a reality.

The Elephant in the Room: The Potential for Privacy Breach Statutory Damages

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and effort” have not withstood scrutiny in a class action setting – nor will likely in the future.  So, what exactly is the damages theory that will someday clog the class action dockets of judges around the country?

In the same way state breach notification statutes jump started data breach litigation, aggressive legislative bodies will again likely lead the way.  By now considered a scratched CD/broken record on this topic, I’ve been saying for years now that the only real significant liability threat to those companies sustaining a data breach is the advent of statutory damages – damages that would ensue with or without any showing of real harm to a plaintiff.  No matter how small the statutory amount per breach victim, such statutes will not only open up the class action floodgates – they will literally blow them wide open.  Although there is no such law on the books right now, companies need to remain diligent and prepare for the day when the first statutory damages law is enacted.

Maybe there is some level of poetic justice in the fact that the volcanic state of Hawaii – by virtue of S.B. 728 or a watered down version of S.B. 728 – may become the first state to expressly provide for such damages.  After all, the potential business impact is much like a volcano erupting. Before getting to Hawaii’s newly introduced bill – which on February 11, 2011 was voted by a standing committee to be held from the full house for further consideration – it might be helpful to reference a framework for statutory damages using two laws that are decades old and a more recent law that already acts as an ID theft prevention statute.

The Video Privacy Protection Act of 1988 (VPPA)

On December 17, 2009, a class action Complaint was filed against Netflix, Inc., alleging that Netflix “perpetrated the largest voluntary privacy breach to date.” (Complaint at Paragraph 1).  According to the Complaint, Netflix knowingly and voluntarily disclosed the video purchases of approximately 480,000 Netflix subscribers when Netflix provided to contest participants data containing over 100 million subscriber movie ratings and preferences. When launching its contest, Netflix stated that all provided data was anonymized and that the subscribers’ movie ratings were given tokenization numbers, i.e., “numeric identifier unique to the subscriber” rather than any actual personal data.  (Complaint at Paragraph 32(b)).  The Complaint alleges researchers were able to identify individual subscribers by cracking Netflix’s anonymization process.  (Complaint at Paragraph 37).

Among other claims, plaintiffs brought suit under VPPA seeking statutory damages.  VPPA generally prohibits any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)).  According to EPIC, this law “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”   In addition to other VPPA damages that may be awarded, VPPA provides for “actual damages but not less than liquidated damages in an amount of $2,500.” (18 U.S.C. 2710(c)(2)(a)).

On March 19, 2010, the case was dismissed pursuant to a confidential settlement between the named plaintiffs and NetFlix. For some reason – maybe due to Federal Rules of Civil Procedure 23(a) concerns given the choice of plaintiff representative or an offer too good to pass up – plaintiffs’ counsel chose to resolve this suit prior to seeking certification of the class.  Although it would have been interesting to see how this privacy statutory damages suit resolved itself via motion practice, the case remains noteworthy given legislative bodies may look to it to see how quickly class action suits can resolve themselves when faced with statutory damages.

Song-Beverly Credit Card Act of 1971

This California law protects consumers from merchants who request personal data during a credit card transaction – in essence, a very old privacy statute.  A recent California Supreme Court case, Pineda v. Wiliams-Sonoma Stores, Inc., applied basic statutory construction rules to this statute and found that “personal identification information concerning the cardholder” includes a person’s ZIP code.  What is noteworthy about the case is not the result as much as it is the fact it has immediately created a significant spike in class action “privacy” suits.

This increase in class action suits (which will obviously abate a bit after retailers modify their checkout policies) results from a court’s ability to now award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations – all because a cashier asks for a ZIP code during checkout.  Although technically not a privacy ruling (this case is a statutory construction 101 case), it definitely helps move the ball towards a statutory damages goalpost.

Unless the California Legislature decides to clarify the statute in light of Pineda, this decision stands as a very low threshold both for what may constitute “personal identification information” pursuant to state law and for what sort of minor privacy transgression merits a statutory damages award.  And, if the California Legislature decides not to change the statute, it will signal that potential mega-class action suits are not something that will prevent future legislatures from enacting privacy laws with much more bite.  Although decided prior to Pineda, a Ninth Circuit decision referenced below picks up the ball from Pineda and moves it much further down the field when it comes to sanctioning mega class actions involving privacy indiscretions.

Fair and Accurate Transaction Act of 2003 (FACTA)

Among other things, FACTA provides consumers with a very important anti-ID theft protection.  Specifically, the law provides that, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” (15 U.S.C. § 1681c(g)(1)).  A willful failure to comply with these requirements allows for statutory damages “in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.”  (15 U.S.C. § 1681n(a)(1)(A)).

In Zaun v. J.S.H. Inc. of Faribault d/b/a Long John Silver’s – Mall of America, 2010 U.S. Dist. LEXIS 102062 (D. Minn. Sept. 28, 2010), the court dismissed a class action complaint based on a violation of the above FACTA requirement (no willfulness) but recounts other FACTA class action cases able to withstand a motion to dismiss.  All of those cases may have pushed the privacy statutory damages envelope but the case that provides the most ammunition for a full frontal assault is Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2010) (en banc petition pending), reversing, Bateman v. American Multi-Cinema, Inc., 252 F.R.D. 647 (C.D. Cal. 2008).

In Bateman, the Ninth Circuit flat out rejects defendant’s argument that “minor” privacy transgressions should not be able to morph into a class action potentially totaling $290 million in statutory damages – 290,000 credit card receipts in violation of FACTA.  In reaching its conclusion, the court in Bateman reasons:

In the absence of such affirmative steps to limit liability, we must assume that Congress intended FACTA’s remedial scheme to operate as it was written. To limit class availability merely on the basis of ‘enormous’ potential liability that Congress explicitly provided for would subvert congressional intent…. Here, AMC did not argue before the district court that the potential $ 290 million liability would put it out of business, nor did it submit any declarations, documents, or other evidence demonstrating that such liability would be ‘ruinous.’

The court in Bateman also recognized that “the civil liability provisions were added in order to assist consumers in ‘protect[ing] their privacy.’” Id. (quoting S. Rep. No. 103-209, at 6 (1993)).   To that end, “[a]llowing consumers to recover statutory damages [deters] businesses from willfully making consumer financial data available, even where no actual harm results.”  Id. The full impact of this case remains to be seen given that it has not yet been resolved – the Ninth Circuit remanded for further findings on the class certification motion.

Recognizing the potential adverse business impact of this case, the US Chamber of Commerce has fought hard to reverse the ruling.   Although there is an apparent dispute among the Circuits that should be fodder for a cert grant and it is not uncommon for the Ninth Circuit to get overturned by the Supreme Court, the Bateman decision may never land in the Supreme Court.  More importantly, it is far from clear what direction the Supreme Court would take if it even heard the case.

Where does this trilogy of laws and resulting privacy class actions leave us?  For one, they can be perceived as a solid vote in favor of the viability of class actions suits tied to privacy-related statutory damages.  After all, these three privacy laws providing for statutory damages have withstood class action scrutiny without any subsequent limiting legislative changes – even though such laws can readily be amended to curtail the availability of class actions.  Second, they demonstrate courts have no problem remedying minor individual privacy infractions with massive class actions.  Third, and most importantly, they provide concrete examples for future legislatures who may look to address the typical data breach scenario – compromised privacy rights yielding little actual harm.

As succinctly put by the court in Bateman, “[t]he need for statutory damages to compensate victims is plain. The actual harm that a willful violation of FACTA will inflict on a consumer will often be small or difficult to prove.”  Couple the above trilogy with the fact that there are other “privacy-related” laws that provide for statutory damages and the statutory damages framework is complete.  See e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y. Dec. 22, 2010) (awarding statutory damages for a violation of the Stored Communications Act, 18 U.S.C. § 2707).

Hawaii’s S.B. 728

After the University of Hawaii’s latest data breach took place this past October – its third significant breach in under one year’s time – Hawaii’s state legislature chose to get on the offensive.  On January 21, 2011, S.B. 728 was formally introduced, including the following language:

If a judgment is obtained by the plaintiff, the court shall award the plaintiff a sum of not less than $ [yet to be determined] or threefold damages sustained by the plaintiff, whichever sum is greater, and reasonable attorney’s fees and costs. Damages sustained by the person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit report monitoring and identity theft insurance.

Given that two of three committees have recently held the bill, it is not clear where this is all heading.  It may be the case that the February 8, 2011 hearing which yielded significant opposition from the business community transformed the bill into a political hot potato that is now potentially DOA.  Although Pearl Harbor analogies are obviously premature, the opening salvo remains cleanly fired from Hawaii.

It is the California legislature that, not surprisingly, may eventually again lead the way.  A California bill introduced on February 8, 2011, S.B. 208 requiring restitution payments from criminal defendants to their ID theft victims, states that “the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution” includes ensuring that “an identity theft victim can monitor their credit report and repair his or her credit at no cost to him or her.”   This is the sort of constitutional spin (albeit a necessity here to get the bill fast tracked) that might finally make statutory damages a reality.  Until that day arrives, companies are well advised to continue to update their various policies to comply with applicable law and test their internal controls as well as bolster their defenses by using reasonable security measures.

The NSAP Insurance Three-Step Dance

Companies looking to purchase network security and privacy insurance for the first time only need to learn a quick three-step dance.

First, know that there are around 25 viable liability markets so most any company should be able to quickly get a quote that will likely have solid coverages and be reasonably priced.  Although defendants ultimately do well in data breach litigation, getting there is not usually without significant costs.  In other words, this coverage is definitely necessary — especially since it can include regulatory expense and often needs to be purchased in order to get the below two coverages.

Second, determine whether your total exposure is significant enough to merit higher limits or a better coverage grant on remediation expenses such as credit/ID monitoring, call center, notification costs, etc.  Companies holding over 50,000 sensitive records should at least evaluate obtaining more robust coverage.  The BCBS of Tennessee incident is a stark reminder regarding just how much such first-party expenses can hit the bottom line.   During the evaluation process, companies should evaluate relatively new products from Beazley and Chartis that provide coverage tied to a pre-determined number of  IDs as well as those insurers, e.g., AWAC, providing full policy limits on this usually sub-limited coverage.

Third, determine whether you want coverage for network failure.  A good example of how this coverage works can be gleaned from the headlines.  For example, if you go to the Lush corporate website (as of February 3, 2011), you will see the following:

We are very sorry to confirm that our website has been the victim of hackers.  24 hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter.  We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.  For complete peace of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

In addition to liability and remediation expense, there are a growing number of insurers who also provide coverage for lost revenue and added expenses incurred during such “lost downtime” — whether the downtime impacts a corporate website or a firm’s internal network.  There are a few London insurance markets, including Barbican, who, in addition to the network security trigger for business interruption, also provide coverage triggers based on employee error and general systems failure.  Any broker in the United States can access Barbican and these other London markets using London wholesalers such as Chris Cotterell of Safeonline.

And, that’s the NSAP insurance three-step dance.

Swing Your Partner Do-SeDo

A Data Security Trend For 2011: The Data Threat Hype Continues

The new year appears to be continuing a trend begun in 2008 — ever increasing hype concerning the level of data security threats faced by public and private entities.  This hype is not just about increasing public breach disclosures (which have primarily been driven by the increase in breach notification laws) given it also manifests in:   the perceived threat of involuntary corporate transparency brought into public view by the “Wikileaks Effect”, the fact that papers such as the LA Times are able to report as true the powerful Stuxnet worm was able to trim years off of the Iranian nuclear program, and the fact that the Organisation for Economic Co-operation and Development (OECD), in a recent report, paints a picture of a world where “[p]reventative and detective security technologies will not provide protection against all the threats [so] considerable effort will be needed to mitigate and recover from losses.”  OECD Report (dated 14 January 2011) at 82.

For example, in the LA Times article, the Stuxnet worm was removed from its unique Iranian context and given broad scare appeal:  “Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.”

Third-party threats have indeed shifted but that shift took place over five years ago – when organized crime realized that stealing data could be more lucrative — and much safer — than traditional criminal activity.  The ego-driven hackers of yesterday may still exist in the form of the hackavists of today but they remain a minor threat compared to the threats driven by organized crime.  But that is not something new.

On the other hand, the hype that has filled the data security landscape has only risen to a fever pitch these past several years.  Not exactly sure why this is happening.  It may be the fact that more big business has entered the data security consulting/technology space – well equipped with PR firms in tow.  It may be because news organizations have found a new bogeyman that can help drive sales.  It may just be the case reporters and pundits truly feel the hype is justified.

No matter what the cause, one thing is for certain.  This hype does not help companies or governments better protect themselves.  Employees faced with this barrage of hype may be just a bit more lax — thinking there is little they can really do to prevent a theft.  This would be a grave mistake given that a significant source of data loss incidents is directly tied to employee negligence.   As well, if hype causes a CFO to think that state-sponsored incidents such as Stuxnet may be an imminent threat, he or she may suggest diverting resources from more important initiatives like employee training.

There are obviously ongoing data security threats faced by companies that are very real and not going away any time soon.  Marching into 2011, focused companies will weed the hype and address these many challenges utilizing a cost-effective risk management approach.   And, should they need legal or consultative advice, they will choose seasoned partners with the lowest volume setting.  Smart companies realize that succumbing to the hype is a zero-sum endeavor that will only benefit those who feed off the hype.