DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS NAPA VALLEY VINTNERS AUGUST 27, 2015 CHRIS PASSARELLI SENIOR COUNSEL, I.P. DICKENSON, PEATMAN & FOGARTY T: 707.261.7070 | CP@DPF-LAW.COM

Page 1:

DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS

NAPA VALLEY VINTNERS ∙ AUGUST 27, 2015

CHRIS PASSARELLI
SENIOR COUNSEL, I.P.
DICKENSON, PEATMAN & FOGARTY
T: 707.261.7070 | CP@DPF-LAW.COM

Page 2:

AGENDA

Overview

Legal Framework

Notable Cases & Outcomes

Regulatory Liability

Lessons

Conclusion

These materials are made available to you for general informational purposes only. None of the information provided herein should be considered to constitute legal advice.

Page 3:

OVERVIEW

Dual Objectives: 

1. Educational: Convey an appreciation of the scope of the issue.

2. Practical: Convey useful information, awareness of and access to available resources.

Page 4:

RECENT BREACHES

August 19th – Web.com
August 17th – University of VA
August 12th – Nationstar Mortgage LLC
August 7th – Sterling BackCheck, Ubiquiti Networks, Inc., Sabre Corporation
August 6th – WP Technology, Inc. dba Wattpad
August 4th – Mama Mio US

Source: http://www.privacyrights.org/data-breach

Page 5:

OVERVIEW

Data Breach lawsuits arise from loss or disclosure of personal identification information.

Consumer/Industry Class Action Suits

Focus: Increased risk of identity theft following a breach

Plaintiffs often seek to recover credit monitoring expenses, card cancellation fees, and repayment for unauthorized charges.

21 Rich. J.L. & Tech. 3

Page 6:

OVERVIEW

Theories of Injury:

Increased risk of identity theft after personal information has been compromised in a breach (most common);
Expenses incurred to mitigate risk, e.g., credit monitoring & cancellation of credit cards;
Anxiety and distress upon learning about the loss of personal information (less common); and
Breach of an implied contract to keep information secure.

21 Rich. J.L. & Tech. 3

Page 7:

COST OF BREACH – U.S.

Year   Avg. Cost Per Breach Event   Avg. Cost Per Record Compromised   % Caused by Malicious Attack
2013   $5.85M                       $201                               44%
2012   $5.4M                        $188                               41%
2011   $5.5M                        $194                               37%
2010   $7.2M                        $214                               31%
2009   $6.8M                        $204                               24%
2008   $6.7M                        $202                               12%
2007   $6.3M                        $197                               Unknown
2006   $4.8M                        $182                               Unknown

Page 8:

LEGAL FRAMEWORK

1. Statutes – State and Federal

2. Notable Cases & Outcomes

3. Standards

4. Regulatory Enforcement

Page 9:

STATE LEGISLATION

CALIFORNIA CIVIL CODE §§ 1798.80, et seq.

Page 10:

STATE LEGISLATION
Personal Information (CA):

First name/first initial & last name plus:
SSN, or
DL No./State-issued ID No., or
Account, credit card or debit card no. plus access code/PIN/password; or
Username or email address plus password or security question and answer

Page 11:

STATE LEGISLATION
Personal Information (CA), cont.

Does not apply to: information lawfully made publicly available from federal, state or local government records, or widely distributed media.

Page 12:

STATE LEGISLATION
Breach Notification
Cal. Civ. Code § 1798.82

Applies to businesses that own, license or maintain personal information.
Required to disclose any breach of the security of the system following discovery or notification of the breach* in the most expedient time possible and without unreasonable delay.

Page 13:

STATE LEGISLATION
AB 1710 Personal Information: Privacy

On Sept. 30, 2014, CA Gov. Brown signed AB 1710, amending CA’s existing personal information privacy laws. CIV. CODE § 1798.82 now requires businesses that “maintain” (not just own or license) personal information about CA residents to:

1. Implement and maintain reasonable security measures to protect residents’ personal information; and

2. Offer to provide appropriate identity theft prevention and mitigation services for at least 12 mos.

Page 14:

STATE LEGISLATION
Breach Notification Requirements

Must be written in plain language and include:
(1) the name and contact information of the person reporting a breach;
(2) the date of the notice;
(3) a list of the types of personal information likely impacted; and
(4) if the breach exposed SSN, DLN or CA IDN, must provide toll-free phone no. and addresses for credit reporting agencies.

Page 15:

STATE LEGISLATION
Breach Notification Requirements

The following information must be included if available or can be determined prior to notification:
(1) date range of breach;
(2) whether notification was delayed as a result of a law enforcement investigation; and
(3) a general description of the breach incident.

Page 16:

STATE LEGISLATION
Breach Notification Requirements

For breach of ONLY username or email address plus password or security Q&A –

Notification can be electronic
Must direct user to change password or Q&A plus other appropriate steps to protect account or other accounts with the same username/password combo

If entity maintains but does not own the personal information, must immediately notify owner/licensee of breach.

Page 17:

STATE LEGISLATION
Civil Liability

Persons injured by a violation of §1798.82 may recover damages in civil suit.
Businesses may be enjoined by Court order.

Page 18:

STATE LEGISLATION
Required Notice to CA Attorney General

Must submit copy of notification letter if >500 affected.

Safe Harbors
1. (CA) Only applies to unencrypted personal info;
2. Exception for disposing of records

Page 19:

STATE LEGISLATION
CA Bus. & Professions Code § 17200

BROAD: Prohibits unlawful, unfair or deceptive (fraudulent) trade practices.

“Unlawful” - allows plaintiffs to borrow violations of other laws and treat them as independently actionable “unfair competition.”

Plaintiff must personally suffer injury in fact and lost money or property as a result.

Page 20:

STATE LEGISLATION
CA Bus. & Professions Code § 17200

Economic injury may be shown by:

“Paying” more or “getting” less in a transaction than he/she otherwise would;
Present or future property interest diminished;
Deprived of money or property;
Required to enter into an otherwise unnecessary transaction, costing money or property

Page 21:

DO NOT TRACK LEGISLATION
California Online Privacy Protection Act (CalOPPA)
CA Bus. & Professions Code §§ 22575 - 22579

Applies to online “operators” that collect personal information (i.e. any website or app).
Must explain how they respond to DNT signals in privacy policy to allow consumers to exercise choice.
Must disclose whether 3rd parties collect personal information on sites/apps.
Must disclose whether parties may collect info over time and across different websites by using operator’s sites.
Can provide hyperlink in the operator’s privacy policy to an online description of any program the operator follows that offers the consumer that choice.
Enforced by CA Attorney General - up to $2500 per violation.

Page 22:

FEDERAL LEGISLATION

Gramm-Leach-Bliley Act (GLBA) – applies to financial institutions

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Data Security and Breach Notification Act of 2015 (Blackburn (R-TN) & Welch (D-VT))

Goal: “comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

Page 23:

LIABILITY – “TO WHOM”

Consumers

Financial Institutions ‐ Credit Card Issuers

Regulatory Investigation and Enforcement

Page 24:

Common Sources of Liability

Improperly retained data
Failure to secure & segregate (segmentation)
Failure to heed warnings
Delay in responding to threat*

Page 25:

NOTABLE CASES
Issue: Standing to Sue

U.S. Constitution Article III requires:

(1) Concrete injury;
(2) Traceable to the challenged conduct (i.e., causation);
(3) Redressable by favorable judicial decision.

Page 26:

SOURCES OF LAW ‐ CASES

Issue: Standing to Sue

Split: Increased Risk of ID Theft giving rise to standing:

While initial federal decisions were hostile to the idea that an increased risk of identity theft could constitute injury-in-fact, a shift occurred after the Seventh Circuit endorsed such a theory in Pisciotta v. Old National Bancorp.

Despite more success for plaintiffs after Pisciotta, other courts have continued to find that an increased risk of identity theft does not establish injury-in-fact, including the Third Circuit in Reilly v. Ceridian Corp.

Page 27:

NOTABLE CASES
Clapper v. Amnesty Int’l USA, 133 S. Ct 1138 (2013)

Issue: Standing and Future Harm
Passage of foreign surveillance law (FISA)
Plaintiffs: Lawyers, journalists, activists
Second Circuit found “objectively reasonable likelihood” of harm via surveillance.
Wrong Standard. U.S. Supreme Court finds that there is no “injury in fact” and plaintiffs had no standing to challenge a foreign surveillance law that may cause them possible future harm.

Page 28:

NOTABLE CASES (CA)
In re Adobe Sys. Privacy Litigation, 66 F. Supp. 3d 1197 (CA Northern District)

38 million customers
Names, login IDs, passwords, credit and debit card numbers, expiration dates, mailing and email addresses, as well as source code for Adobe products
Theories: Viol. CA Customer Records Act (CC §§1798.81.5 & 1798.82) – Failure to maintain reasonable security measures and failure to promptly disclose the breach.

Page 29:

NOTABLE CASES
In re Adobe Sys. Privacy Litigation, cont.

Plaintiffs alleged:
Increased risk of future harm (fraud)
Cost to mitigate risk of future harm (credit monitoring)
Loss of value of Adobe products

Held: Customers have standing to sue based on actual breach plus risk of future misuse of data and costs to mitigate future harm, as well as unfair business practices under CA law.
Confidential settlement agreement filed with Court under seal on August 13, 2015.

Page 30:

CASES
In re: Target Corp. Customer Data Security Breach Litigation (Case No. MD-02522-PAM) filed August 1, 2014

Theft of unprotected vendor’s credentials provides access to Target systems.
Plaintiff financial institutions: banks, S&L.
110 million customers affected.
Customer names, credit or debit card numbers, expiration dates and CVVs.
Theories: Negligence, negligent omission, Minnesota state data breach law
Outcome: $67 million settlement reached on August 18, 2015 – other plaintiffs still disputing settlement.

Page 31:

Legal Standards
Minnesota’s Plastic Card Security Act, Minn. Stat. §325E.64

Imposes liability upon merchants who “retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”

Intended “to create an incentive [for retailers] to do the right thing and create consequences to prevent breaches from happening in the first place.”

Page 32:

BASES FOR LIABILITY
In re: Target Corp. Customer Data Security Breach Litigation, cont.

Failure to adequately secure payment information on its systems.

Complaint alleges breach was easily preventable.

Failure to take adequate, reasonable measures to ensure data systems are protected.

Ignored clear warnings of intruder breach and failed to take actions to thwart breach.

Treatment of sensitive personal and financial information entrusted to it by its customers fell woefully short of legal duties and obligations.

Page 33:

FAILURES
In re: Target Corp. Customer Data Security Breach Litigation allegations, cont.

Visa warnings allegedly instructed Target to:

Review its “firewall configuration and ensure only allowed ports, services and IP addresses are communicating with your network”;

“segregate the payment processing network from other non-payment processing networks”;

“implement hardware-based point-to-point encryption”;

“perform periodic scans on systems to identify storage of cardholder data and securely delete the data”; and

“assign strong passwords to your security solution to prevent application modification.” Target did not implement these measures.

Customer payments and personal data network not properly segmented from vendor billing, etc.

Target’s security software provider spotted the hackers while they were uploading the malware and alerted Target’s security team, which could have completely foiled the breach, but Target took no action.

Page 34:

NOTABLE CASES
Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487 (7th Cir.) (decided July 20, 2015)

350,000 customers affected
Payment card account information
Theories of liability: negligence, breach of implied contract, unjust enrichment, unfair & deceptive business practices, invasion of privacy, multiple state data breach laws
Outcome: Consistent with Adobe, 7th Cir. allowed case to move forward on theory of standing based on imminent future harm “certainly impending.”
“Opening the floodgates”

Page 35:

NOTABLE CASES
Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487 (N.D. Ill. Sept. 16, 2014)

Alleged Injury:
Lost time and money to resolve fraudulent charges;
Lost time and money to protect against future ID theft;
Financial loss of buying items at NM which plaintiffs would not otherwise have purchased, had they known;
Lost control over the value of personal information

Holding: “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient for standing

Page 36:

On the Horizon
Missing Link/eCellar

70 wineries – 250,000 customers affected
Names, credit and debit card numbers, billing addresses and dates of birth
Social Security numbers, the CVV and PIN numbers were not compromised.

Ashley Madison
40 million user records exposed
Company's user databases, financial records along with other confidential information. The company has not stated the exact personal information compromised.
On August 18, 2015, hackers posted sensitive data online: a data dump, 9.7 gigabytes in size, appears to include account details and log-ins for some 32 million users; seven years' worth of credit card and other payment transaction details are also part of the dump, going back to 2007. Data includes names, street address, email address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge.

Page 37:

Contractual Liability to Financial Institutions
Card Operating Regulations

Contractual: Enforceable upon merchant under contract with acquiring bank.
Prohibit merchants from disclosing cardholder account numbers, personal information, magnetic stripe information, or transaction information to 3rd parties other than the merchant’s agent, the acquiring bank, or the acquiring bank’s agents.
Required to protect cardholder information from unauthorized disclosure.

Payment Card Industry Data Security Standards (“PCI DSS”)
12 information security requirements promulgated by the Payment Card Industry Security Standards Council.
Apply to all organizations and environments where cardholder data is stored, processed, or transmitted.
Require merchants to protect cardholder data, ensure the maintenance of vulnerability management programs, implement strong access control measures, regularly monitor and test networks, and ensure the maintenance of information security policies.
Prohibits merchant from retaining certain customer data.

Page 38:

Industry Standards
PCI DSS 2.0 requires merchants to adhere to the following rules:

Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain an Information Security Policy
• Maintain a policy that addresses information security for all personnel
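The Visa warning quoted on Page 33 (“perform periodic scans on systems to identify storage of cardholder data and securely delete the data”), the PCI DSS “Protect stored cardholder data” requirement above, and the Minnesota Plastic Card Security Act's track-data retention trigger all rest on the same control: knowing where card data sits on your own systems. The Python scanner below is an added example, not code from the presentation, the PCI Council or any vendor. It finds Luhn-valid primary account numbers (PANs) and magnetic-stripe track 1/track 2 records in text, reports them with all but the last four digits masked, and flags whether full track contents are being retained. The order-log lines are constructed for this example and use the card brands' published test numbers, not real cards.

```python
"""Periodic scan for stored cardholder data: PANs and magnetic-stripe track data.

Added example, not code from the presentation. The sample input below is
constructed; the card numbers are the industry's published test PANs.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never write a full PAN into a scan report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "pan", "track1" or "track2"
    masked: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per cardholder-data item found, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()   # PANs already reported as part of track data
        for rx, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append(Finding(line_no, kind, mask(pan)))
                    seen.add(pan)
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits) and digits not in seen:
                findings.append(Finding(line_no, "pan", mask(digits)))
    return findings


def retains_track_data(findings: list[Finding]) -> bool:
    """True if full track contents are stored: the retention the Minnesota act penalizes."""
    return any(f.kind in ("track1", "track2") for f in findings)


# Constructed sample of a merchant's order log (test PANs, fictitious names).
SAMPLE_LOG = """\
2015-08-18 10:01:02 order=1001 customer=J. Doe card=4111-1111-1111-1111 exp=0917 amount=89.00
2015-08-18 10:02:45 order=1002 customer=A. Roe token=tok_7f3a9c1e amount=42.50
2015-08-18 10:03:10 order=1003 phone=7072617070 amount=15.00
2015-08-18 10:04:33 raw_swipe=;5500000000000004=17121010000000000000?
2015-08-18 10:05:11 raw_swipe=%B4111111111111111^DOE/JOHN^17121010000000000?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run over log exports, database dumps and backup directories on a schedule; the report stays safe to share because PANs are masked at the point of discovery. The phone number and the tokenized order on lines 2 and 3 produce no findings, which is the point of the slide's tokenization advice: a token with the processor leaves nothing on the merchant's system for a scan (or an intruder) to find. Any track 1/track 2 hit after authorization is the retention Minn. Stat. §325E.64 penalizes and should go straight to secure deletion.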

Page 39:

Contractual Liability to Financial Institutions
EMV Chip Technology

aka “Chip and Signature”
Global standard for secure credit card payments. Already used in EU.
Embedded chip protects cardholder info from fraud.
Used in place of magnetic stripe.
Creates unique transaction code with each use.

In October, 2015 contractual liability for counterfeit card transactions will move from card issuers to merchants if an EMV card transaction turns out to be fraudulent.
Affects card present transactions only at this time.
eCommerce, online or phone orders are not yet included.
Merchants are not required to switch to EMV…yet.
Cost to implement = $200-500 or low monthly rental fee.
Tokenization standard – keep customer data stored in a secured “payment vault” with your processor, not on your system!

Page 40:

Research: Litigation
Empirical Analysis of Data Breach Litigation, Sasha Romanosky, David Hoffman, Alessandro Acquisti* April 6, 2013

First comprehensive empirical analysis of data breach litigation. Built a database and analyzed court dockets for over 230 federal data breach lawsuits from 2000 to 2010. Two questions:

Q1: Which data breaches are being litigated?; and
Q2: Which data breach lawsuits are settling?
A1: Odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring.
A2: Defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit.

Page 41:

Research: Litigation
Q1: Which data breaches are being litigated?

A1: odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring.

Q2: Which data breach lawsuits are settling?

A2: Defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit.

Empirical Analysis of Data Breach Litigation, Romanosky, Hoffman, Acquisti

Page 42:

Regulatory Enforcement

Who:
FBI
Secret Service
Federal Trade Commission (FTC)
CA Office of Privacy Protection
CA Attorney General

What: Potential fines and penalties
Imperative to engage counsel in responding to a communication from regulatory authorities!

Page 43:

The Consumer
Recent Pew Research Center survey:

“91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.”

Page 44:

Response Plan – Jayme Soulati Soulati Media, Inc. · [email protected]

Page 45:

The Consumer
“Best” Practice = Standard Practice
What is reasonable?
Constantly evolving “moving” target.

Page 46:

Countermeasures
Before breach -

Develop a written response plan
Form a response team
Review insurance coverage
Set internal/external communication strategies

Page 47:

Countermeasures
During/After Breach -

Investigate incidents without delay
Consult with counsel to coordinate:
Law enforcement
Forensic consultant
PR firm

Assess response

Page 48:

THANK YOU!

QUESTIONS?

CHRISTOPHER J. PASSARELLI
SR. INTELLECTUAL PROPERTY ATTORNEY
DICKENSON, PEATMAN & FOGARTY
1455 FIRST STREET, STE. 301 | NAPA, CA 94559
TELEPHONE: 707.252.7122
CP@DPF-LAW.COM | WWW.DPF-LAW.COM