law.seattleu.edu

Cyber-Risk Management for the General Business Lawyer November 7, 2014 | 6.00 General CLE Credits

Agenda

8:00 - 8:55 a.m. Registration and coffee service

8:55 a.m. Welcome and Program introduction. Program Chair: Leo Clarke

9:00 a.m. Session 1: Cybercrime Report

A survey of the latest developments in cybercrime and its effects in Western Washington: how common is cybercrime; what types of crimes and losses occur in Western Washington; and what is the likelihood of arrest and restitution?

Presenters: Annette Hayes, Acting U.S. Attorney, Western District of Washington; Bonnie McNaughton, Davis Wright Tremaine; Robert Kierstead, Special Agent in Charge of U.S. Secret Service, Seattle

9:40 a.m. Session 2: The Lawyer's Role in Cyber-Defense

Cyber-Risk Management fundamentals all lawyers now need to know. Why and how clients need lawyers to become involved; cyber-risk issue-spotting for lawyers; legal contingency planning and disaster recovery plans; translating IT jargon and legalese into business talk.

Presenter: Leo Clarke, TechRisk.Law

10:25 a.m. Break

10:40 a.m. Session 3: Vendor Management and Contract Negotiation

Helping your client seize the power of the pen and deal with adhesion IT contracts. Allocating cyber-risk by contract up and down the supply chain. Analyzing key contract terms, typical market resolutions, and strategies for dealing with the bargaining power of IT vendors.

Presenter: Louisa Barash, Davis Wright Tremaine


11:25 a.m. Session 4: Protecting Proprietary Information and Responding to Intrusions and Breaches

Even the most sophisticated companies have experienced thefts of data, followed by extortion or black market sales. How can your client protect its proprietary information in a world of ever-increasing connectivity? What are the client's responsibilities to customers and employees whose non-public information is stolen?

Presenter: Gavin Skok, Riddell Williams

12:10 p.m. Lunch (on your own)

1:30 p.m. Session 5: Banking and Payments Issues

What happens when cybercriminals steal your client's bank account information and loot its account, or steal credit card information as in the infamous Target disaster? Learn the legal issues surrounding bank account takeovers, credit card indemnities, and other fraudulent payment schemes. What are the responsibilities of banks and their customers? What can merchants do to protect themselves?

Presenters: Arian Colachis, General Counsel, Washington Federal, N.A. and Wendy Beth Oliver, Principal, Policy and Compliance Advisors

2:15 p.m. Session 6: Shifting the Risk of Cybercrime: Evaluating and Negotiating Insurance

Cybercrime can cause catastrophic losses. The insurance industry is finally addressing the needs of the digital economy. Learn what losses can be insured and how to determine the best coverage for your client, to evaluate appropriate limits, and to identify and negotiate the key terms.

Presenter: Frank Cordell, Gordon Tilden Thomas & Cordell, L.L.P.

3:00 p.m. Break

3:15 p.m. Session 7: Ethical Considerations in Data Security

What are the responsibilities of in-house and outside counsel with respect to security of client information? What ethical duties do lawyers face in the age of cloud computing, outsourcing, and "bring your own device"?

Presenters: Amit D. Ranade and Kurt Kruckeberg, Hillis Clark Martin Peterson

4:00 p.m. Session 8: Creating a Cyber-Risk Tool-Kit

What lawyers need to know so that their clients aren't caught empty-handed. Cyber-attacks occur without warning, and a delayed response can be disastrous, both financially and brand-wise. Learn what you need to have ready to help your client mitigate both risk and losses.

Presenters: Martin C. Loesch, COO and General Counsel, Strategies 360; John Du Wors, Newman Du Wors, Seattle & Los Angeles; and Leo L. Clarke, TechRisk.Law

4:45 p.m. Session 9: Questions & Answers with the Speakers

5:00 p.m. Adjourn


Faculty Biographies

PROGRAM CHAIRPERSON

Leo Clarke

Leo L. Clarke is a Principal of TechRisk.Law, a cyber-risk management advisor, and General Counsel of Axia Financial, LLC, a mortgage lender with over offices in eight western states. Leo has been involved in technology risk management since co-founding TechRisk.Law in 1998 to advise insurance companies on then-emerging e-commerce, Internet, and other IT risks. He has also served as General Counsel of Washington Federal and the Federal Home Loan Bank of Seattle, practiced in six jurisdictions, been counsel of record in lawsuits in twelve states, and taught at five law schools. Leo has published over thirty articles on topics ranging from cyber-security and cyberwar to constitutional law, and he has lectured at dozens of conferences in locations as diverse as New York, Dubai, Estonia, and Green Bay. He is a member of the New York and Washington Bars and graduated with honors from Stanford University and UCLA Law School.

PRESENTERS

Louisa Barash

Louisa Barash is a partner at Davis Wright Tremaine LLP, where she focuses on software, cloud services, and other technology transactions, intellectual property commercialization, and IP counseling. Her practice includes advising on open source software, mobile technologies, and the intersection of technology and healthcare. She is experienced in negotiating and structuring strategic alliances, joint ventures, IP licenses and commercial agreements. She is the chair of the firm’s Digital Health practice and a member of the firm’s Cloud Task Force. She has also served as lead counsel and IP counsel in numerous merger and acquisition transactions.

Arian Colachis

Ms. Colachis is General Counsel for Washington Federal. Prior to joining Washington Federal, Ms. Colachis worked as a compliance attorney for the Investment Office of William H. Gates III, as a securities litigator in private practice, and as an attorney representing several regulatory agencies including the Australian Securities and Investments Commission, the New York Stock Exchange, the Attorney General for the State of Arizona and the US Securities and Exchange Commission. Ms. Colachis received a JD from Pepperdine University School of Law.

Frank Cordell

Frank Cordell is a partner at Gordon Tilden Thomas & Cordell. His practice emphasizes advising and litigating on behalf of policyholders engaged in coverage disputes with their insurers. His experience ranges from large-scale coverage litigation on behalf of international corporate policyholders under complex coverage lines, to advising individual insureds under disability, property, auto, and other policies. Frank has written and lectured to a wide variety of groups on insurance-coverage topics. He also maintains an active litigation practice involving a wide range of non-insurance commercial disputes. Frank is a 1991 summa cum laude graduate of the Washington & Lee University School of Law, where he served as Senior Articles Editor of the Washington & Lee Law Review and was named to the Order of the Coif. Frank was a law clerk to the Hon. H. Emory Widener, Jr., of the United States Court of Appeals for the Fourth Circuit, before joining Covington & Burling in Washington, D.C. as an associate in 1992. In 1996 he became a founding attorney of GTT&C’s predecessor firm, and he was named Partner in 1998.

John Du Wors

John Du Wors is a trial lawyer. His practice emphasizes intellectual property, business, banking, securities and employment law. John has litigated hundreds of state and federal court cases and commercial arbitrations throughout the country. John's representative clients include the Boeing Employee's Credit Union, Widevine Technologies, Inc., Labor Ready, Inc. and the Federal Depository Insurance Corporation. John speaks and writes regularly on legal issues relating to intellectual property and securities litigation. John has served as a chair to the Washington State Bar Association's Business Law Section's Publications Committee, and previously served as chairman of the Pasadena Bar Association's panel on Bankruptcy Business & Commercial Law. An avid lover of the arts, John has volunteered as pro bono legal counsel for The Furious Theater Company, The Lineage Dance Company, and The Washington Ensemble Theater. He is an alumnus of Seattle University School of Law and the University of Washington.

Annette Hayes

Annette L. Hayes is currently serving as the Acting United States Attorney for the Western District of Washington. Ms. Hayes received her Bachelor of Arts degree, with Honors, from Williams College in 1984, and her Doctor of Law degree, with a specialization in International Legal Affairs, from Cornell Law School in 1991. During law school, she spent a year studying international and comparative law on a Genscher Fellowship at the Universitaet Heidelberg in Germany. After graduating from law school, she practiced as a civil litigator at Heller Ehrman White and McAuliffe in Seattle from 1991 to 1994, and at Latham & Watkins in Washington, D.C., from 1994 to 1997. Her practice included the representation of clients in civil litigation related to environmental, contract, employment, and international business disputes. In 1997, she joined the United States Attorney’s office in Seattle. During her tenure in the office, she has handled a wide variety of matters including homicide investigations, large-scale drug conspiracies, international computer malware/hacking cases, and multi-million dollar intellectual property crimes. Her criminal work has involved numerous trials in the District Court for the Western District of Washington, and appellate advocacy in the Ninth Circuit Court of Appeals. In addition to serving as the Acting United States Attorney, she also has served in the United States Attorney’s Office as: the Deputy Chief of the Complex Crimes Unit (2002-2005), supervising the work of Assistant United States Attorneys handling computer crimes and white collar prosecutions; the Chief of the General Crimes Unit (2005-2010), training new Assistant United States Attorneys and supervising the prosecution of a wide variety of drug, firearms, child exploitation, and other federal criminal cases; and, most recently, as the First Assistant United States Attorney (2010-2014), working with the United States Attorney to manage the Civil, Criminal and Administrative Divisions in the office.

Robert Kierstead

Robert Kierstead is the Special Agent in Charge of the U.S. Secret Service in Seattle, and directs such cases as the recent arrest of a Russian hacker who hacked into point-of-sale systems at retailers all across the United States.

Kurt Kruckeberg

Kurt Kruckeberg is an associate with the law firm of Hillis Clark Martin & Peterson in Seattle, Washington. Kurt’s practice involves assisting clients with a variety of transactional matters related to business, real estate, intellectual property, and finance. He is particularly interested in new developments in business formation, like social-purpose corporations and start-up financing through crowdfunding. Kurt’s interest in corporate social responsibility and work-life balance issues influenced his tenure as Editor in Chief of the Seattle University Law Review, where he oversaw special issues featuring the works of a number of scholars, including Joan Williams, Nancy Levit, Delaware Supreme Court Chief Justice E. Norman Veasey, and U.S. Supreme Court Justice Ruth Bader Ginsburg.

Martin C. Loesch

Marty Loesch is the Chief Operating Officer & General Counsel of Strategies 360. Marty oversees much of the firm’s operations, management and growth, in addition to working with clients on high-level initiatives. Marty recently served as Chief of Staff to Washington Gov. Christine Gregoire. In the governor’s office, he served as general counsel and director of external affairs before becoming chief of staff. In that role, Marty led the executive team and served as the principal advisor to the governor on policy, legislative, legal, communications, and political matters. Formerly, Marty was director of Inter-Governmental Affairs and the tribal attorney for the Swinomish Indian Tribe, representing tribal interests with local, state, and federal governments, and overseeing business operations and an economic development team. He also worked as an attorney for several firms, including as a principal in TechRisk.Law, a risk management law firm focused on high-tech clients. Marty was also a partner and litigator at Gordon & Polscer, and previously specialized in environmental insurance coverage litigation at Karr Tuttle Campbell. Additionally, Marty served as an international law consultant with Catholic Relief Services, reviewing humanitarian practices in Kosovo, and has been an international elections monitor on numerous occasions. Marty has a bachelor’s degree and master’s degree from the University of Notre Dame and juris doctor and master of laws degrees from the Notre Dame School of Law. He is the author of numerous legal and scholarly articles and has served on multiple boards.

Wendy Beth Oliver

Ms. Oliver is the Principal of Policy and Compliance Advisors, which provides regulatory compliance services to financial institutions. She was previously Assistant General Counsel for the Commercial and Private Banks of Bank of America, Of Counsel at Graham & Dunn PC, and General Counsel for Southern Pacific Funding Corporation, a national mortgage lender. She received a JD from Duke University, an MPA from the University of Michigan, and an AB from The University of Chicago.

Amit Ranade

Amit Ranade is a principal with the law firm of Hillis Clark Martin & Peterson in Seattle, Washington. His law practice focuses on real estate, commercial, banking, and technology-related litigation and bankruptcy. Amit has represented major internet service providers and internet retailers on both sides of anti-SPAM litigation, including matters before the United States Court of Appeals for the Ninth Circuit. Amit is licensed to practice in the federal and state courts of Washington and Oregon. He holds bachelor’s and law degrees from the University of Washington (’98, ’03), where he teaches civil procedure, UCC Article 9 secured transactions, and constitutional law as an adjunct faculty member. Amit is a Member of the ABA House of Delegates, where he voted on recent amendments to the ABA’s Model Rules of Professional Conduct relating to cloud computing and cybersecurity.

Gavin Skok

Gavin is Chair of Riddell Williams' Litigation Group and a member of the firm's Executive Committee. He is a commercial litigator with extensive experience representing regional and national companies as both plaintiffs and defendants in state and federal courts throughout the Northwest and across the country. Gavin's practice emphasizes class action defense, data security litigation, securities fraud, and intellectual property disputes. Prior to joining Riddell Williams, Gavin was a federal judicial law clerk to United States District Court Judge Robert H. Whaley (E.D. Wash.).


SAIC Bob Kierstead - U.S. Secret Service, Seattle Field Office

Overview of data breach investigations, to include types, trends, and numbers of attacks

Case studies on cybercrime investigations in the Seattle area:

1. Amazon.com (Dmitry Zubakha and Sergei Logashov)

2. Mondellos Italian Restaurant (David Benjamin Schrooten et al.)

3. Broadway Grill (Roman Seleznev)

Discuss the roles of the government and private sector in these investigations


WHY ARE POS SYSTEMS COMPROMISED?

• Unsecure POS systems:

– Old operating systems

– Critical patches not installed

– Unused ports left open

– Internet access available via high-speed connection

– Default passwords

– No anti-virus

– Remote desktop clients


Case Study


CASE OVERVIEW

Exposure – 86,000 Credit Card Numbers 

Three (3) suspects arrested:

o Two arrested domestically (Maryland & California)

o One Arrested overseas (Romania)

Actual Fraud Loss = $15M

Potential Fraud Loss = $46M


Global Exposure


THE LAWYER’S ROLE IN CYBER‐DEFENSE

Cyber‐Risk Management Fundamentals

Leo L. Clarke

TechRisk.Law

November 7, 2014

PART 1: 7 REASONS CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #1

• Start at the top with corporate governance:

• Lawyers understand business structures, fiduciary duties and corporate and securities regulatory issues

• Clients need cogent and comprehensive board-level policies:

• Lawyers are wordsmiths and are sensitive to litigation risk


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #2

• The Client must identify and quantify its vulnerabilities

• Lawyers are good at investigating and can often cloak investigations with privilege


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #3

• A lot of exposure arises from vendor and customer relationships

• Lawyers know how to analyze, draft, and negotiate contracts


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #4

• Theft of non-public customer information is a common cybercrime

• Privacy is heavily regulated at state, federal and international levels

• Lawyers understand federalism and can interpret complex and conflicting statutes and regulations


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #5

• Clients need to adopt crime response plans and business continuity plans

• Lawyers are good at contingency planning – “what ifs” are in our DNA


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #6

• Quickly determining the cause of cyber-crime and the appropriate responses present complex factual issues

• Lawyers excel at interviewing witnesses, reviewing documents, marshalling facts, and preserving evidence


WHY CLIENTS NEED LAWYERS TO HELP MANAGE CYBER-RISK #7

• Internal resources with necessary skills generally aren’t available

• IT, no matter how sophisticated and dedicated, is never the complete answer (see handout)

• Inertia and bureaucracy can hinder cooperation

• Lawyers have credibility in times of stress


PART 2: CLIENT INTERESTS AFFECTED BY CYBERCRIME


FINANCIAL RISK

• Cybercrime can cause financial losses:

• Theft of money in bank accounts

• Theft of value of proprietary information

• Expenses and losses of revenue arising from other risks identified in following slides


OPERATIONAL RISK

• Cybercrime can interfere with operations, i.e., business in the ordinary course

• System downtime from Denial of Service attacks

• Loss or corruption of software or data

• Fraudulent/unauthorized transactions

• Limited contractual rights against IT vendors to require them to perform


LEGAL LIABILITY RISK

• Disruptions could cause your client to fail to perform contracts on a timely basis

• Breaches of representations and warranties regarding security

• Liability to up- and downstream parties in payments systems

• Banks, merchants taking credit cards

• Tort liability from bodily injury or property damage

• e.g., hospitals


POLITICAL/REGULATORY RISK

• Inadequate security and controls can lead to enforcement actions and fines for regulated businesses

• Examples are the banking and healthcare industries and public utilities

• These adverse actions can occur just because the client has not prepared for cybercrime

• These additional regulatory costs can become permanent


REPUTATION RISK

• Target – need we say more?

• JPMorgan Chase is another good example – now spending 2x on IT security

• Less obvious are intrusions that affect reliability of online services and can affect brand, especially of new products

• NE law firm hacked by 3rd party to obtain sensitive M&A information of a firm client


PART 3: ASSESSING CYBER-RISK


CORPORATE GOVERNANCE AND ENTERPRISE RISK MANAGEMENT

• Has the Board/Executive Management been educated and has the Company assessed its risk?

• Has the company adopted a Cyber-Risk Policy as part of its Enterprise Risk Management Program?

• Has a cyber-security team been delegated responsibility and is its performance being monitored?

• Has the Board considered adequacy of IT security, both from technology and staffing perspectives?

• Has the Board approved Loss Contingency plans?


INTERNAL SECURITY TECHNOLOGY

• Experience/quality of IT department or outside vendor?

• Contractual rights v. vendors

• Independent IT assessment of defenses?

• Does company comply with regulatory and contractual commitments, and how is compliance monitored and demonstrated?

• Are update and patch policies and performance monitored?

• Do not fall for “industry standard” response – there are none!


SOCIAL ENGINEERING/EMPLOYEES

• Techniques used by cybercriminals to gain access by duping employees etc.

• How effectively monitored are password and other authentication systems?

• Especially re bank accounts, IP, and non-public customer info

• How effective are access controls?

• Does business monitor information leaving the system?

• Does firm have a “BYOD” policy?

• Does it monitor known unhappy employees and immediately disconnect terminated employees?


VENDOR RELATIONSHIPS

• Does the firm have a vendor management policy?

• Does it audit/monitor security practices of those who maintain or access the firm’s data?

• What contractual rights exist against vendors who lose data or permit intrusions?

• What contractual obligations does the firm have to vendors re uploaded information etc.?

• If vendors do not have substantial liability for damages for breach of contract, has the firm protected itself in other ways?


CUSTOMER RELATIONSHIPS

• Does the firm maintain non-public customer information – credit card data, health data, SSNs?

• Has it assumed any contractual duty to maintain confidential information?

• How does it monitor compliance with privacy statutes and confidentiality agreements?

• Do its contracts include strong force majeure clauses to eliminate liability for breaches caused by cybercrime, including cybercrime against others (utilities, vendors)?


INFRASTRUCTURE EXPOSURES

• The Financial System.

• Government sources predict widespread attacks on banks and payments systems

• How reliant is the firm on its banking relationships?

• What are its volumes of fund transfers (wires/ACH)?

• Does it have material risks from cash flow disruptions?


INFRASTRUCTURE EXPOSURES II

• The Power Grid.

• Government studies show that the power grid is extremely susceptible to attacks and that restoration of full service could take months, with years of reduced capacity.

• Utilities do not have liability for disruptions

• Are server back-ups geographically discrete?

• Does the firm have a contingency plan?


LOSS MITIGATION

Loss mitigation refers to reducing the effect of the loss. Compare to risk mitigation, which refers to reducing the risk that a loss will occur.

Has the firm analyzed the coverage provided by its insurance program for losses caused by cybercrime?

Has the firm adopted and tested a disaster recovery plan?

How about a business continuity plan?

Has the firm created a response team of outside vendors and prepared them for immediate action?


PART 4: CYBER-SECURITY CHECKLIST

This should be starting to sound familiar


Corporate Governance

1. Board and Management awareness-training on the implications of cyber-threats and on new developments and defense strategies

2. Drafting of cyber-risk management policies and procedures

3. Advice regarding compliance with federal and state laws and regulations applicable to cyber-risk and loss

4. Advice regarding insurance coverage

5. Real-time updates on new technologies and defense tactics and legal and economic developments


RISK IDENTIFICATION AND QUANTIFICATION

1. Risk management usually entails a 3-pronged approach: identification of risk, estimation of frequency, and estimation of severity (cost)

2. Difficult to do with low frequency but potentially severe threats like cybercrime.

3. Some possibilities:

• IT audit: Catalog of mission critical software and security procedures

• Vendor management: Review of mission critical and material cost contracts

• Potential costs of data breach


RISK MITIGATION

1. Adopt “best practices” of cyber-threat defense, including layered technical defenses and social engineering and rogue employee policies

2. Adopt best practices re vendor management and contract negotiation related to cyber-risk

3. Invigorate contract administration to limit liabilities and maximize recoveries, including up-chain recourse in the event of collateral damage and down-chain mitigation

4. Development of pre-loss public relations and governmental/regulatory strategies


LOSS RESPONSE

1. Adopt best practices for responding to crimes, including law enforcement involvement, legal counsel and IT forensics

2. Adopt best practices for mitigating potential liabilities, including customer contact strategy

3. Adopt a plan for complying with federal and state notification statutes, including securities disclosures


LOSS MITIGATION

1. Adopt and test legal contingency planning and disaster recovery plans

2. Retain counsel to evaluate, prosecute, and defend potential loss-related litigation

3. Pursue indemnification and insurance coverage for cyber-threat losses

4. Retain PR and other advisors for post-loss reputational and regulatory compliance issues


PART 5: TRANSLATING IT JARGON AND LEGALESE INTO BUSINESS TALK

COMMUNICATION V. TALKING HEADS


CYBER-SECURITY RISK IS INTIMIDATING

• Smaller companies believe only the biggest are targets

• Fear-mongering leads to sense of hopelessness and futility

• No apparent return on expenditures

• Is cyber-defense like fire insurance?

• Or hurricane insurance in Nebraska?


BOARDS AND C-SUITERS

• Boards and non-IT execs need basic orientation into what systems do, how they work and why they are relevant.

• Pictures are very helpful in describing systems and where vulnerabilities exist or how breaches could occur or have occurred


IT ACRONYMS ARE CONFUSING, OFTEN TOO GENERAL, AND OFTEN IMPROPERLY USED

• SaaS v. SAS 70 v. SSAE 16 v. SAS airlines

• In one software services agreement: ASP, SOW, RXP, SMS, PII, ACH, GLB, LPD, CICS, DASD, DB2, JCL, PPAs, ORAs, NOC, RTE, and ETES

• These can all be well-defined in a written agreement or manual, but over time and usage . . .


IT JARGON: ANOTHER EXAMPLE OF HOW EASY IT IS TO MIS-SPEAK OR BE MISUNDERSTOOD

• PKI (Public Key infrastructure) used in describing encryption method

• PCI (Payment Card Industry) sets standards for encryption

• KPI (key performance indicator) – a standard used to measure vendor’s compliance with encryption


AND LEGALESE ISN’T ANY BETTER

• Lawyers are notorious for using jargon and talking in vague-ish circles

• Even at the corporate governance level, for example, we need to distinguish between

– federal and state statutes, regs and cases,

– what is binding and what is just prudential

• We need to explain contract concepts: promises v. conditions, warranty exclusions v. limitations on remedies; representations v. indemnities

• Even though clients are generally familiar with the concepts, their application in this unfamiliar area requires careful elucidation


FINAL WORD: THE LAWYER’S ROLE

• IT expertise will never be sufficient

• Lawyers are uniquely positioned to help clients with cyber-risk

• At stake are intangible property rights, which are fundamentally contractual and law-based

• Lawyers are trained to be generalists and quick learners

• But not a time for the “Godfather” counseling model

– Where the lawyer takes total charge once the client generally identifies a problem


THANK YOU

Leo L. Clarke

[email protected]


TEN REASONS WHY TECHNOLOGY ALONE CANNOT PREVENT CYBERCRIME

APRIL 2014

© 2014 TECHRISK.LAW


INTRODUCTION

The American experience is in large part a story of continuous and accelerating scientific and technological progress, from railroads to moon-landings, washing machines to home robots, penicillin to Prozac, radio to smartphones, and adding machines to iPads. So no one denies that cyber-technology (“CT”) has revolutionized our culture, made life more interesting, and increased economic productivity. These successes reinforce the widespread belief that science and technology can solve everything, especially problems of a “technical” nature.

So far, however, there is no evidence that science and technology can prevent (as opposed to reduce) losses from cybercrimes. Despite the fact that cybercrime is as old as the Digital Age, foreign states and other cybercriminals continue to steal billions of dollars’ worth of research and development secrets and financial data from our most sophisticated government agencies and multi-national corporations as well as from Main Street businesses.

It is somewhat surprising, then, that confidence is so high that someone somewhere will develop the cyber-equivalent of the Salk vaccine, a “silver bullet” that will prevent successful cybercrimes. Instead, news reports of venture capitalist investments in start-up security ventures lead to the inference that Big Money is betting on Technology to bring Law and Order to Cyberspace. But those very same venture capitalists and cyber-technologists are the first to recognize that no defensive weapon can immunize businesses or government agencies against losses from cybercrimes. Indeed, belief in a silver bullet would be contrary to history because no previous technology has provided lasting protection against attackers, whether that technology was moats around castles, ramparts on the Alamo, or cannons guarding ports. Today’s investments in security CT simply reflect the reality that technology is certain to be a part of our cyber-defense, and a profitable part at that.

But why can’t CT stop or solve cybercrime? The purpose of this brief White Paper is to explain why cybercrimes are an exception to the triumph of technology.

Some definitions.

Before we begin our explanation, however, we will define a few terms for clarity. By “cyber-technology” or just “CT”, we mean the universe of technologies involved in creating, processing, storing, and communicating data. CT includes hardware, software, telecommunications, electronics, engineering, applied mathematics, and all sorts of other knowledge disciplines – in short, every tool and application of science that enables us to collect, process, transmit, and communicate data. We use “cybercrime” to include cybercrimes, cyber-terrorism, and cyber-warfare; and “cybercriminals” includes cyber-terrorists and nation states engaging in cyber-warfare as well as independent hackers in Bulgaria and Boston. Finally, “vendor” means the developer/licensor/seller of CT; and “firm” describes the user of technology, and therefore a potential cybercrime victim, whether a business, non-profit entity, or a government agency.


THE CRUX OF THE PROBLEM: THE ASYMMETRY OF CYBERCRIME

To understand why CT cannot stop or solve cybercrime, it is first necessary to understand the context in which our drama takes place. Cybercrime is by its nature guerilla warfare in which mobile, stealthy cybercriminals attack complex and stationary targets. This asymmetry means that victims have great difficulty identifying the perpetrator of a crime, much less pursuing retribution or obtaining restitution.

A. The Inherent Disadvantage of the Target.

Every day parties throughout the world use CT to conduct flawlessly and instantaneously billions of transactions of every type. We are so used to the reliability of CT that it is easy to overlook the fact that CT’s functionality is dependent on more than just the laws of science. The marvels of CT bring to mind the text of the very first American commercial telegram Samuel Morse sent in 1844, “What hath God wrought?” But CT is as much creative art as science, and its design and performance depend on both the laws of science and the creative genius of the vendor. Thus, although science guaranteed that Morse’s message could be sent from Washington to Baltimore, whether the message would be received depended on the skills of the sending and the receiving operators and on the placement of the telegraph lines and their freedom from interference by storms, cattle, and bandits.

So it remains with CT today. The risks that the laws of science will be foiled by bad art or bad luck or cybercriminals are magnified as we combine individual products, components, and concepts into increasingly complex systems, starting from the single computer, to a firm’s local network, to satellite communications systems. As complexity increases, art begins to trump science: the ability to rely on the laws of science is reduced dramatically each time a systems designer includes even a simple component in a CT system.

Moreover, as firms grow and their operations become more complex, the data stored in their systems tends to become more valuable. Yet the value of much of that data depends on its use both within and without the firm – information is not like gold stored in the recesses of a castle. This need for transmission adds another layer of risk of cybercrime.

A third feature of systems that affects cyber-defense is the fact that firms’ systems are necessarily stationary in the sense that they cannot be moved geographically or even reconfigured electronically without great expense. Like a battleship on the open sea, a firm’s CT system connected to the internet is theoretically and actually mobile, but at any given point it is a sitting duck for attackers.

B. The Inherent Advantage of the Cybercriminal.

Since the appearance of the first hacker, cybercriminals have been characterized as young, alienated, lone wolves operating out of basements. Today, of course, the most significant cybercrimes are committed by highly organized and well-financed teams of computer scientists, often sponsored by nation states such as China, Iran, and North Korea. Whatever the profile of the cybercriminal, however, he or she enjoys several inherent advantages over a target firm. Among those advantages are the following:

• The technology most commonly used by targets is widely available to criminals at low cost. Cybercriminals start with the keys to the safe; it is just a matter of matching the right key to the right safe. This advantage increases with time as piracy of intellectual property becomes more sophisticated (in itself a fruit of cybercrime) and as networks of criminals become more efficient.

• Cybercriminals work virtually anonymously, using (ro)bot networks and other techniques to hide their real locations and make attribution of a crime extremely difficult.

• Cybercriminals work in virtual space through easily transported computers and networks of remote robot machines. There is no locus that victims or law enforcement agencies can reach for purposes of prosecution or restitution because cybercriminals do not require large CT systems to accomplish their crimes. Plus, the spoils of cybercrime are not tangible assets, but data and money that can be transmitted instantaneously and internationally. Therefore, cybercriminals face very little risk of detection or disgorgement.

In short, even the wealthiest and most sophisticated firm faces cybercriminals on a very unlevel battlefield. Thus, this paper is not an attack on the wonders of CT, but rather an attempt to address the reality that even the most competent and honest vendors are working against very steep odds to provide cyber-security to their customers.

It is in this context that we now turn to ten reasons that demonstrate the futility of reliance on technology as the sole defense to cybercrime. To state it in more scientific terms, technology is undoubtedly a necessary but not a sufficient component of any program to manage cybercrime risk.

TEN REASONS CYBER-TECHNOLOGY ISN’T ENOUGH

1. Intellectual property and contract law preclude total reliance on security technology.

Most CT is protected by intellectual property (“IP”) rights and distributed pursuant to licenses and other agreements that prevent users from deploying that CT as they desire and that limit the vendor’s obligations and liabilities for performance failures. Patent and copyright laws, for example, preclude a firm from adapting the product to fit its own systems and needs. Similarly, even simple technology licenses severely limit the vendor’s warranties and the licensee’s remedies for breach of those warranties. Thus, it is typical for a vendor to (a) warrant that its product will perform only according to narrow specifications and only for a limited period, (b) limit its obligation in the event of a product failure to using “commercially reasonable” efforts to fix the breach, and (c) limit the firm’s damages to a refund of a few months’ fees regardless of the amount of the firm’s lost income and other consequential damages.


CT providers, of course, have excellent arguments for all these restrictions and limitations, most of which revolve around protecting and encouraging innovation and keeping their products affordable. The question for current purposes is not whether those arguments are valid, but whether the user can rely on the product to prevent or mitigate cybercrimes. The answer is No. As just one example, suppose a cyber-security program has a defect that cybercriminals are exploiting. First, nothing in the typical license requires the vendor to fix the defect in a timely manner. Second, if the firm attempts any self-help measure, it could be liable for infringing on the vendor’s IP rights. Third, the firm must integrate any patch into its system, a process that in many smaller firms is honored more in the breach.

2. Security product selection, implementation, and maintenance are not risk-free.

Even if a firm buys open-source security technology that is not subject to any IP restrictions and even if the vendor agrees to stand behind its product 100%, the firm should still not rely on that technology to eliminate cyber-risk. Why not? Because only the firm (on its own or in consultation with its consultant/experts) can:

• Decide what defense measures its systems require;

• Determine how those products will interact with its other system components;

• Install those products; and

• Maintain them as the vendor issues patches and updates and as the firm changes its system.

Each of these steps is fraught with potential for mistakes in judgment and execution. Of course, the firm could rely on a single cyber-security vendor to handle the entire product selection, implementation and maintenance process, and many vendors are only too happy to do so. But that reliance (a/k/a “the fox in the henhouse”) comes at significant cost and is subject to contractual limitations that leave virtually all integration risk with the firm.

3. Systems are too complex and talent is too scarce.

Even if a firm did a perfect job of selecting, installing, and maintaining its security software, the firm would still face cyber-risk. Why? Because cybercriminals have continued to develop their skills and weapons to take advantage of the growing complexity of CT. Here are three ways that increasing complexity reduces the probability that security CT can prevent cybercrime:

First, complexity makes it impossible to defend system perimeters. The general consensus among cyber-security experts is that no system of any complexity is “hack-proof”. As Ted Schlein, a venture capitalist with over thirty years of CT experience, says: “There are only two kinds of companies: those that know they have been hacked and those who have been hacked but don’t know it.” Defense strategies based on preventing intrusion are, therefore, obsolete. Current strategies now feature a series of “layered” defenses that attempt to identify and isolate malware at likely attack points and to prevent data from escaping the system. But these more sophisticated defenses cost more to obtain, install, and monitor. Many firms are unable or unwilling to allocate the financial and human capital necessary to deploy these new products successfully.

Second, as target networks become more complex, with more programs, more users, and more access points, an “off the shelf, one-size-fits-all” security tool becomes less suitable even as a component of a layered defense. This means that fewer firms can rely on a single security vendor to address a specific need. Instead, the firm is left with the same risk that applied to the first computer users – the hardware vendor says it’s the software and vice versa, only now it’s a series of hardware vendors and software vendors.

Third, as the most publicized data breach cases demonstrate, identifying the source of a breach and preventing future exploitation of the same flaw can be a time-consuming process; and the more complex the system, the more risk that even the most efficient response will be too late. As a result, complexity tends to increase the amount of a loss and the costs of deterring additional exploitation.

Finally, the difficulty of dealing with complexity is exacerbated by a dire shortage of CT talent, especially in regional markets. Until recently, cyber-security lacked the intellectual and financial rewards to compete for talent. Although that may be changing as cybercrime becomes more publicized and defense initiatives attract more venture capital, we can expect that skills will remain scarce, particularly for smaller firms and in regional markets.

4. Connectivity to other systems exposes firms to collateral cyber-risk.

Even if a firm could profitably operate with a very simple system using only simple products with no restrictions, it would most likely be subject to risks entering its system through its connectivity with other firms up and down its supply chain. Most businesses have myriads of online relationships with vendors and customers that allow malware to enter the system through connections. These connections are comparable to border crossings without customs posts. Even small firms are dependent on suppliers’ systems to manage everything from just-in-time inventory to payroll processing and product delivery. Cybercrimes against any of these business “partners” can have financial and reputational risks as severe as direct attacks on its own systems. These risks can be reduced, of course, but only at the cost of increased CT budgets, slower transactions, and customer inconvenience. As discussed in Reason 8, security will always compete with convenience and cost, and security will generally lose.

5. Time and money are on the criminals’ side.

Initial estimates of the value of the Target Stores data theft to the perpetrators were in the neighborhood of $5 billion. Given that many attacks originate in developing countries, such large rewards give attackers an incentive to spend substantial resources investigating defensive weaknesses and finding unanticipated points of entry and exit. Compare these incentives to the incentives of vendors to (a) avoid costs of identifying product flaws that do not affect performance and (b) rush their products to market for competitive and financial reasons. These financial incentives when combined with the vendors’ lack of downside risk (see Reason #1) give cybercriminals the opportunity to discover and exploit security defects, especially when vendors publicize their customers’ identities.

The continuing organization of cybercriminals also increases the risk of security CT product failure. As with any sophisticated business enterprise, criminals now segment the parts of cybercrime, allowing the development of specialties and the monetization of both components and fruits of the criminal enterprise. For example, internet markets now allow criminals to buy access to functioning bot networks, acquire information on “zero-day” defects that await exploitation, and sell stolen credit card data.

In sum, the criminal element has every incentive to share knowledge, but the defenders of law and order are divided: Vendors are protective of their IP, governments of their jurisdiction, and firms of their competitively-sensitive data. Given the asymmetry of time and money between cybercriminals and firms and between vendors and firms, it is no wonder that firms are left with almost all cyber-risk. Adding insult to injury, a victim firm is unlikely to learn that its vendor could have prevented the crime by addressing at least some of these asymmetric incentives.

6. Attacks are cheap. Defense is expensive.

A few hackers in Bulgaria can easily steal data protected by thousands, if not millions, of dollars of CT products. Given the disparity in expertise between a regional or community business and sophisticated and organized criminals, firms are at a distinct disadvantage in identifying threats and in immediately responding to attacks. Of course, firms have access to consultants to supplement their in-house expertise, but that access comes at a high cost and requires additional time and internal CT resources to manage.

In this regard, we should mention that many firm IT departments remain unable to convince management to allocate capital and human resources for defense for at least five reasons. First, cyber-security is particularly prone to the problems of translating “IT-speak” to “business-speak” because of its relative novelty and the lack of internal cyber-defense expertise. Second, it is difficult for the IT department to project losses because cybercrimes are notoriously under-reported. Third, most firms do not devote the resources to identifying losses, which leads management to believe there is no need for investment. Fourth, even if intrusions have been identified, management may naïvely believe that response costs are unnecessary because the firm hasn’t suffered a financial loss. Fifth, management may be reluctant to invest in cyber-security or loss response management because, absent a legal disclosure mandate, customers will be unable to trace their losses back to the firm.

7. To err is human.

Perhaps the most obvious reason firms cannot rely solely on CT to prevent cybercrime is that firms employ humans. Human error affects reliance on security technology in at least two ways. First, employees can make mistakes, either out of ignorance or inattention, or they may simply engage in malfeasance (the “rogue employee”) and fail to install and maintain CT. Second, employees can be duped by third parties, either over the internet or in person, into disclosing information that leads to an intrusion. In short, whether an employee loses an unencrypted laptop or smartphone, leaves his password in his wallet or on his desk, or falls for any of the thousands of tried and true social engineering tricks, there is no end to the ways cybercriminals can access systems in ways that appear perfectly legitimate.

Although it is unclear what percentage of cybercrimes results from human error, we can expect that cybercriminals will concentrate more on social engineering as security CT becomes more sophisticated. After all, technology may change, but human nature does not.

8. Security is not the top priority.

Even if a firm could address all the foregoing issues, technology would still not be The Answer to cybercrime because no rational firm will opt for security “at any price.” Instead, firms submit to the pressures from employees, customers, and vendors and end up opting for convenience and lower costs over security. The prime example of this calculus is the fact that the entire U.S. credit and debit card industry uses outmoded magnetic stripe card technology even though most of the world uses more-secure microchip technology. In other words, a cybercrime loss is just one more expense line on the spreadsheet, and that expense is discounted because the losses are contingent, of uncertain economic value, and fall mostly on third parties such as merchants who honor stolen card data.

Interestingly, the priority of convenience and cost over cyber-security seems to be increasing as CT develops. Examples of this phenomenon are (a) the emergence of the Cloud as a place to store data and conduct transactions and (b) the growth of mobile banking and other commercial transactions on smartphones and other easily compromised devices.

In short, although directors and executive management are more attuned to the severity of cyber-risk than ever, they still resist allocating capital and resources to security because of a fear of undue impacts on brand images, revenues, and market shares.

9. Vendors and customers are shifting risk to the firm.

It is not just CT vendors who take advantage of the power of the pen to shift cybercrime risk. Suppliers and customers that are connected to a firm by CT also use their written forms or online “clickwrap” agreements to shift risk whenever they can. Whether it is the local bank, a supplier in New Jersey, or an important customer, any party with bargaining power will demand indemnification against losses from data breaches or fraudulent transactions. These indemnification clauses may apply even though the drafter dealt with the cybercriminal and was therefore in the better position to protect against the cybercrime.

These commonplace indemnities are not just “boilerplate”. They are increasingly being litigated, especially as highly-publicized losses like Target and Neiman Marcus start wending their way up and down supply chains. This is another situation where insult is added to injury. Unlike the situation with limitations on remedies, however, indemnification clauses do not involve just foregoing a remedy; they can require the indemnifying firm to incur litigation costs and potentially to pay a claim.


10. CT cannot protect you against collateral damage from cybercrimes against infrastructure.

Finally, even if a firm invested in all the CT in the universe, it would still not eliminate cyber-risk because that risk extends, by definition, beyond mere data breaches, IP losses, and other direct attacks. Virtually every business is dependent on public infrastructure, from the electrical grid to run its systems and keep the lights on, to public transportation to get employees to work, to the financial system to complete payments and collect receipts.

As just one example, a successful cybercrime against a utility could disrupt service for significant time. Such a crime would almost certainly have significant financial and reputational consequences for the utility’s customers. Of course, no CT can prevent the consequences to a firm from such an attack on infrastructure. Instead, the firm must have effective business recovery and continuity plans in place, possibly business interruption insurance, and a host of other risk-management measures to mitigate those losses.

CONCLUSION

Cybercrimes present potential catastrophic risks. It is therefore fitting that directors and executives invest appropriately in security technology. However, technology can never be the sole defense to potential cybercrime, and material risk will remain even when the firm has the optimum amount of technology protection. Those who rely on technology alone will therefore face potential liability and loss of reputation. In sum, technology can be only one part, even if the major part, of a holistic approach to cybercrimes.

TechRisk.Law

4619 SLAYDEN RD.

TACOMA, WA 98422

616.818.5397

[email protected]


Negotiating Cloud Contracts: Risk and Risk Mitigation

Louisa Barash

Intro

Louisa Barash, Partner, Technology Transactions, Davis Wright Tremaine, [email protected]


This Presentation ….

• Focuses on B2B Cloud and Software Services transactions

• Terms and tools for risk mitigation

• Especially privacy, security, and data breach activities and issues

• These issues are paramount for both buyers and sellers

But first, a few quick basics and a little background…

Rise of Cloud Services

The Rise of Cloud Computing

– Speed of broadband networking

– Networking virtualization technologies

– Enabling access to technology updates

– Internet saturation continues to grow globally

– Data explosion, mobility explosion

– Reducing IT complexity

Comes with Challenges

– Compliance, privacy and security - #1 customer issue

– Infrastructure complexity

– Standard solutions rarely 100% fit


Cloud Services Types

• Software as a Service (SaaS) (End User Layer): CRM, Social Media, E-mail services

• Platform as a Service (PaaS) (Application Layer): Web Servers, Databases, Development tools

• Infrastructure as a Service (IaaS) (Base Layer): Storage, Virtual Machines, Datacenter servers

Some examples of cloud services

• Software as a Service: Google Apps, Office 365, Salesforce, QB Online

• Platform as a Service: Google App Engine, Force.com, Microsoft Azure

• Infrastructure as a Service: Amazon AWS, GoGrid, Microsoft Azure

[Figure: Software as a Service, showing what the cloud service provides and what the customer provides]

[Figure: Platform as a Service, showing what the cloud service provides and what the customer provides]

[Figure: Infrastructure as a Service, showing what the cloud service provides and what the customer provides]

Private vs. Public Cloud

Private or Public?

Private

– Hosted at a service provider site

– Supports one Client/Customer

– Does not share infrastructure

– MS: Office 365 Dedicated/BPOS-D

Public

– Hosted at a service provider site

– Shared infrastructure

– Multiple clients

– Lower price point


The Cloud Paradigm

• Computing as a utility

• Elastic, scalable, on-demand

• Economics of scale = cost savings

• Background of B to C self-service, non-negotiable contracts

Legal Underpinnings

• UCC (state commercial codes) do not apply

– No clear, consistent law

– “buyer favored” clauses not available

– Warranty

– Damages

• State common law or statutes on contract law

– Substantively different from UCC

– State law applies

– However, historical usage in software of UCC clauses….

The Legacy of Outsourcing

Outsourcing involves the transfer of the management and/or day-to-day execution of an entire business function to an external service provider. The client organization and the supplier enter into a binding agreement that defines the transferred services and terms. Under the agreement the supplier often acquires the means of production in the form of a transfer of people, assets and other resources from the client. The client agrees to procure the services from the supplier for the term of the contract.

Highly negotiated predecessor to the Cloud, creating tension with the "Cloud Paradigm"

New Software Delivery Model = New Risks (or not?)
Non-negotiable agreements (shifted risk)
Data breach/loss
Business interruption (outages)
Ability to reclaim data
Replace services
Government action
Private actions and class action lawsuits
Mitigation costs (notices and credit monitoring)
Loss of control (discovery, auditability, exit (lock-in))

Risk Mitigation Through:
Internal governance
Vendor selection
Service level commitments
Supplier governance (certifications, audits and security reviews)
Indemnification and liability caps
Good exit plans
Insurance

Internal Governance
What functions in your business are suitable for the cloud?
Click-thru risk
Data breach response plans
Private or public cloud?

Vendor Selection
Big v. small
Integrators, aggregators, middlemen
RFP process
Agreement pre-review
Leverage and options

Key Terms
Privacy, Data Security
Service Level Commitments
Changes in Services
Cooperation in Discovery
Audit
Warranties
Indemnification
Limitation on Liability
Return of Data
Insurance

Privacy and Security – What Worries Customers?
How is my data being used, and for what?
What security procedures are in place, and can my own policies be followed?
Data transfer issues
Data location issues
Movement and storage of data
Use of subcontractors
Data breach issues
Data destruction issues
Ability to impose security and privacy requirements
Compelled disclosure to the government

Privacy and Security – U.S. Legal Framework
State laws
Various states have compliance regulations
Fragmented state of affairs
Apply to residents of those states
Contain particular breach notification provisions
Cross-industry

Specific State Issues
Massachusetts has an extensive data security legal regime
Data breach notification laws differ – 46 states have them, plus DC, Puerto Rico, and the US Virgin Islands
http://www.dwt.com/statedatabreachstatutes/

Privacy and Security – U.S. Legal Framework
Federal laws
HIPAA – Health Insurance Portability & Accountability Act of 1996
Gramm-Leach-Bliley Act
COPPA
FTC governance (deceptive trade practices, Section 5)
Health Information Technology for Economic and Clinical Health (HITECH)
Sarbanes-Oxley

Privacy – E.U. Legal Framework
The EU Data Protection Directive governs providers where the client or the cloud provider is in the EU
For US companies, it governs the handling and export of EU data
Data export to non-EEA countries is not permitted unless:
– Safe-listed country (not many)
– U.S. Safe Harbor, where an entity agrees to minimum data handling/privacy provisions – self-certification
– Model Clauses, where an entity signs a form EU contract controlling handling of the data; customers now routinely request Model Clauses
On July 1, 2012 the Article 29 Working Party issued an opinion advising cloud customers to maximize oversight of their cloud providers – this increased pressure to use Model Clauses

Key Terms: Security and Audits
Cloud Services come with a framework of security practices
– These describe various controls used by a service provider to deliver services
– Operations may follow ISO 27002 or other standards
– For large-scale operations, cannot customize for particular customers

Security Controls Scope
– Physical, logical controls
– Encryption
– Account control
– Incident response
– Certifications, audits
– Use of subcontractors

Auditing Controls
– Auditing standards attest to adequacy of controls and safeguards
– Statement on Standards for Attestation Engagements (SSAE 16)
– SOC 1, 2 and 3 (SOC 1 covers controls relevant to a customer's financial reporting; SOC 2 covers security, availability, processing integrity, confidentiality and privacy; SOC 3 is a general-use summary of a SOC 2 report)
– SAS 70 (Statement on Auditing Standards No. 70) is outdated

Key Terms: Audit
Example clauses:
– Common type of clause: Vendor will either conduct or procure an annual audit (which audit meets or exceeds the requirements of [Insert audit standard]) of its internal systems and procedures for the retention of data. Vendor will provide Customer with a summary of the results of such audit. The cost of the audit will be borne solely by Vendor.
– Very rare clause: Upon reasonable advance notice but in no event with less than seven (7) calendar days' prior notice, Customer may conduct an audit of Vendor's internal systems and procedures for the retention of Customer's data. Vendor shall cooperate with Customer's audit.
– Very rare clause: Vendor shall address shortcomings identified by the audit by implementing industry best practices to Vendor's systems or procedures within thirty (30) days following receipt of the security audit report.

Key Terms: Data and Security Breaches
Breach-related provisions are more negotiated
– Compliance with laws
– Defining "breach" or "security incident"
– Time frame for notifying client of breach upon discovery
– Notification costs, legal costs (indemnification), investigation costs (such as IT forensic firms), and reputational costs
– Who controls drafting of the notification?

Security Breaches – Constant Attacks
During a 24-hour period, a Washington entity counted 4,000 attacks from 16 countries on 19 of its 300,000 computers.

Security Breaches – Types of Data
[Chart: Trustwave 2013 Global Security Report, 8.]

Security Breaches – the Cost
Online theft of 35,000 payment card datasets costs:
– Additional employee wages: $94,893
– Temp. staffing: $82,773
– Forensic investigation: $93,020
– PCI DSS compliance review: $22,200
– New hosting service: $185,880
– Network redesign: $17,000
– New hardware: $65,460
– New software: $27,241
– Legal: $30,000
– Customer notices, call center, credit restoration services ($6.25/customer): $218,750
– Lost profits during temporary shutdown: $159,784
– PCI DSS fines: $10,000
Total: $1,007,001

Key Terms: Changes in Services
Customers worry that the service they bought is going to change in a way that won't work for them.
Providers want all customers to be on the same standard, and provide customers with a lower (non-outsourced) price for the standard service.
Current Standard: The cloud provider can change the services with notice to customer.
Negotiation Tip: Customers and providers should work through any major concerns in this area by:
– Providing customers with long-range roadmaps
– Including key customers on advisory boards
– Providing termination rights if service features change in a way detrimental to a customer

Key Terms: Service Level Commitments
Current Standard: Nearly all cloud providers offer an SLA of some kind, with credits as a remedy for failure. Usually the SLA relates to downtime, but some offer KPIs (Key Performance Indicators) with some remedies.
Negotiation Tip: Customers should expect most service SLAs to be standard, with standard remedies, due to operational constraints. Providers should understand that customers are nervous about putting key infrastructure pieces on the cloud.
– Customers should focus any SLA deviations on the remedy, not on getting a custom SLA
– For example, is repeat failure to meet SLAs a default that warrants termination? Consider:
– Service availability and measurement period
– Planned downtime definition
– Force majeure exclusions
– Sole and exclusive remedy
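One check a customer can run against the SLA terms listed above (availability over a measurement period, the planned-downtime exclusion, credits as the sole remedy, and repeat failure as a termination trigger), as an added example in Python that is not part of the original presentation. The credit schedule, the "three misses in any six months" definition of repeat failure, and the March 2014 outage and maintenance records are constructed assumptions; a real SLA's own definitions have to be substituted before the numbers mean anything.

```python
"""Checking a cloud SLA the way a customer would: availability per
measurement period, the planned-downtime exclusion, the credit tier, and
a 'repeat failure' trigger. Added example; all SLA terms and outage data
below are constructed assumptions, not any vendor's actual terms.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime

    def overlap(self, other: "Window") -> timedelta:
        """Length of the overlap between two windows (zero if disjoint)."""
        lo = max(self.start, other.start)
        hi = min(self.end, other.end)
        return max(hi - lo, timedelta(0))


def month_window(year: int, month: int) -> Window:
    """Measurement period assumed to be one calendar month (naive UTC)."""
    first = datetime(year, month, 1)
    days = calendar.monthrange(year, month)[1]
    return Window(first, first + timedelta(days=days))


def unplanned_downtime(period: Window, outages: list[Window],
                       planned: list[Window]) -> timedelta:
    """Outage time inside the period, less any part that falls inside a
    planned-maintenance window. Planned windows are assumed not to overlap
    each other; outages spanning the period boundary are clipped."""
    total = timedelta(0)
    for o in outages:
        clipped = Window(max(o.start, period.start), min(o.end, period.end))
        if clipped.end <= clipped.start:
            continue  # entirely outside this measurement period
        excluded = sum((clipped.overlap(p) for p in planned), timedelta(0))
        total += (clipped.end - clipped.start) - excluded
    return total


def availability(period: Window, outages: list[Window],
                 planned: list[Window]) -> float:
    """Fraction of the period the service was up, after exclusions."""
    down = unplanned_downtime(period, outages, planned)
    return 1.0 - down / (period.end - period.start)


# Assumed credit schedule: (availability floor, credit as a fraction of the
# monthly fee). Real SLAs differ; this is the table the customer must read.
CREDIT_TIERS = [(0.999, 0.00), (0.990, 0.10), (0.000, 0.25)]


def service_credit(avail: float) -> float:
    """Credit owed for the period under CREDIT_TIERS."""
    for floor, credit in CREDIT_TIERS:
        if avail >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def repeat_failure(monthly: list[float], target: float = 0.999,
                   misses: int = 3, window: int = 6) -> bool:
    """Assumed 'repeat failure' definition: at least `misses` months below
    target within any `window` consecutive months. This is the event the
    slide suggests negotiating as a termination default."""
    flags = [a < target for a in monthly]
    return any(sum(flags[i:i + window]) >= misses
               for i in range(len(flags)))


# Constructed sample data for March 2014 (hypothetical, not a real vendor's).
SAMPLE_PLANNED = [Window(datetime(2014, 3, 3, 1), datetime(2014, 3, 3, 4))]
SAMPLE_OUTAGES = [
    Window(datetime(2014, 2, 28, 23, 30), datetime(2014, 3, 1, 0, 20)),  # 20 min in March
    Window(datetime(2014, 3, 3, 2), datetime(2014, 3, 3, 3, 30)),        # inside maintenance
    Window(datetime(2014, 3, 15, 10), datetime(2014, 3, 15, 10, 50)),    # 50 min unplanned
]


def march_2014_report() -> dict:
    """Availability, unplanned minutes and credit for the sample month."""
    period = month_window(2014, 3)
    avail = availability(period, SAMPLE_OUTAGES, SAMPLE_PLANNED)
    down = unplanned_downtime(period, SAMPLE_OUTAGES, SAMPLE_PLANNED)
    return {"availability": avail,
            "unplanned_minutes": down.total_seconds() / 60,
            "credit": service_credit(avail)}


if __name__ == "__main__":
    r = march_2014_report()
    print(f"March 2014: {r['availability']:.4%} available, "
          f"{r['unplanned_minutes']:.0f} unplanned minutes, credit {r['credit']:.0%}")
    print("repeat failure:", repeat_failure([0.9999, 0.998, 0.9995, 0.997, 0.9999, 0.9985]))
```

Two of the four items on the slide show up directly in the numbers: the planned-downtime definition is what makes 90 of the 160 outage minutes disappear, and the measurement period decides whether the remaining 70 minutes are a miss at all (70 minutes in a month is 99.84%, below a 99.9% target; the same 70 minutes measured over a year is 99.99%, and no credit is owed).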

Key Terms: Suspension of Services
Not Termination. Suspension of services is a right different from termination of the agreement, and allows the cloud services provider to suspend the provision of services in the event of an issue.
A critical issue. Outside of privacy and security issues (and liability for the same), this issue is very key for customers. Businesses do not want their mission-critical functions taken away without a very large amount of due process.
Negotiation tip: Customers and providers should work to jointly understand what might trigger this clause and how long it might last, and draft it as narrowly as possible.
Example clause (IaaS):
– Suspension of Services without liability if: (i) Vendor reasonably believes that the Services are being used in violation of the Agreement; (ii) Customer doesn't cooperate with Vendor's reasonable investigation of any suspected violation of the Agreement; (iii) there is an attack on Customer's server(s), Customer's server is accessed or manipulated by a third party without its consent, or there is another event for which Vendor reasonably believes that the suspension of Services is necessary to protect Vendor's network or its other customers, or (iv) required by law. Vendor will give Customer advance notice of a suspension under this paragraph of at least twelve Business hours, unless a suspension on shorter or contemporaneous notice is necessary to protect Vendor or its other customers from imminent and significant operational or security risk.
Note that trigger (iii) allows suspension when the customer is the victim of an attack, not only its source, which is one reason to negotiate the triggers narrowly.

Key Terms: Warranties – An Elusive Friend
Current Standards: Generally, warranties in cloud computing contracts are very slim!
– SLA: Sometimes just a warranty relating to the SLA only
– Documentation: Sometimes a warranty relating to documentation/specifications
– Non-Infringement, Rarely: Warranties of non-infringement are not common
– Virus Protection: Sometimes warranties regarding reasonable protections against viruses/malware can be obtained
Negotiation Tip: Customers should determine if issues can be resolved through contractual commitments rather than warranties.
Example clause (SaaS):
– Vendor warrants that (i) the Services shall perform materially in accordance with the User Guide, and (ii) the functionality of the Services will not be materially decreased during a subscription term.

Key Terms: Limitation on Liability
Current Standard: Liability is limited by vendors, usually to a 12-month lookback or some cap related to customer spend.
Negotiation Tip: Focus on the liability number is misplaced. It's not necessarily the cap to worry about, it's the exclusions to the cap.
– Confidentiality/privacy/indemnity are the #1 negotiated items
– "Step caps" are more common (e.g., higher liability for privacy/security) but can be complicated to draft – beware!
– Current standard carve-outs are 1) IP indemnity and 2) confidentiality breaches
– Confidentiality breaches are not the same thing as privacy breaches!!

Key Terms: Indemnification
Current standard:
– IP indemnity only from cloud provider
– Customer indemnifies for use of the services and breach of acceptable use policy
– Intentionally lopsided due to cloud providers' stance that they do not have control over what customers are doing on the service
Common Ask: Customers will ask for protection from privacy and security breaches (these contractual concessions are rare) and indemnity from contract breach by the cloud provider (also rare).
Negotiation Tip: Cloud providers and other software providers are generally somewhat more willing to provide indemnities than warranties or other commitments that might lead to a contractual breach claim. Explore indemnities where warranties/contract terms are missing. Even a capped indemnity may be better than no indemnity and may help get a deal done.

Key Terms: Return of Data and Transition
As a customer, be sure to figure out how you will offload your data when the contract comes to an end.
Current Standard: Cloud providers usually store data for a 30-90 day period and provide "standard tools" for migration.
Negotiation Tip: Be clear about format, retention, and transition services.
Example clauses:
– Upon request by Customer made within 30 days after the effective date of termination of a Services subscription, Vendor will make available to Customer for download a file of Customer's data in comma separated value (.csv) format along with attachments in their native format. After such 30-day period, Vendor shall have no obligation to maintain or provide any of Customer's data and shall thereafter, unless legally prohibited, delete all of Customer's data in Vendor's systems, possession or under Vendor's control.
– If Vendor suspends or terminates Customer's use of the Service with cause (or Customer voluntarily discontinues use of the Service), Customer will have access to, and the ability to export, its content for a period of ninety (90) days following such suspension or termination. Fees will continue to be assessed for usage of the Service during the 90-day period.

Key Terms: Insurance
General liability policies generally do not cover
E&O coverage may apply
Cyber risk, cloud and managed services insurance
But . . . traditional coverage issues arise

Questions?

Consequences and Appropriate Responses After a Data Breach
Presented by: Gavin Skok, Riddell Williams P.S.
November 7, 2014
#4812-4855-6576

How Likely is a Data Breach?
Industries at risk [chart: 2014 Verizon Data Breach Investigations Report]
19% chance of a data breach involving at least 10,000 records in the next 24 months (2014 Ponemon Institute Research Report)
Running list of data breaches: http://www.privacyrights.org/data-breach-asc

Most Common Sources of Data Risk
Malicious attack - 44%
System glitch - 25%
Human error - 31%
(2014 Ponemon Institute Research Report)

Human Error
Hardware losses
Improper disposal
Low-tech scams
BYOD

What Are the Consequences of a Breach?
Public relations
Response costs
Regulators
Lawsuits

Consequence: Public Relations
Lost profits
Reputational damage
51% said they would take business elsewhere after a breach
45% said the data keeper is criminally negligent the moment a breach occurs
(HyTrust Survey "Cloud Under Control", September 2014)

"Who Should be Held Accountable?" [chart: HyTrust Survey "Cloud Under Control", September 2014]

Consequence: Response Costs
Average number of records: 29,087
Average total cost per record: $201
Average total cost: $5.8 million
(2014 Ponemon Institute Research Report)

Impact on breach costs [chart: 2014 Ponemon Institute Research Report]

Consequence: Regulatory Enforcement
Whose data is it?
Who is enforcing?
FTC
SEC
FCC
State attorneys general
Health and Human Services (HIPAA)
FDIC and Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6810) (banks)

Consequence: FTC Action
FTC: 50+ enforcement actions
Beat recent challenges to authority
FTC standards? "Administrative, technical, and physical safeguards appropriate to [entity's] size and complexity, the nature and scope of [its] activities, and the sensitivity of the personal information collected from or about consumers."
Collection, storage, handling, transport, disposal

Consequence: Other Enforcement Actions
FCC: $10 million sought from TerraCom and YourTel America
– Next debate over authority?
– No standards
State attorneys general: JPM, Staples, Home Depot
– Illinois, Connecticut, California
– Will AU Optronics result in more AG enforcement suits?

Consequence: Litigation
Who is suing?
Consumers
Banks
Insurer subrogation?

Litigation: The Challenge of Standing
Is increased risk of harm enough?
It used to be, at least in some places: the 9th Circuit's "credible threat" analysis (Krottner v. Starbucks, 628 F.3d 1139 (2010))
Is Clapper the end of all that? Risk of future harm may establish standing only if "certainly impending"
Most post-Clapper courts rigorously apply the "certainly impending" standard ... but maybe not the Ninth Circuit:
In re Sony Playstation (S.D. Cal. Jan. 21, 2014)
In re Adobe Sys., Inc., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014)

Evolving Litigation Theories
Benefit of the bargain: Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)
Would not have bought or paid less: In re LinkedIn User Privacy Litig., 2014 WL 1323713 (N.D. Cal. Mar. 28, 2014)
Misrepresentation claims: In re Sony Playstation, 996 F.Supp.2d 942 (S.D. Cal. 2014)
Negligence duty?
Statutory claims?

Remijas v. Neiman Marcus Group (N.D. Ill. 2014)
Plaintiffs' liability theories: common law; implied contract; statutory
Alleged damages: lost control over information; fraudulent charges; increased risk of identity theft, mitigation cost, inconvenience; overpaid for upscale security, would not have purchased
Dismissed: no certainly impending injury from increased risk; any injury from fraudulent charges was not concrete; overpayment and loss-of-control theories fail

Class Certification?
Common security and breach, but ...
Individual variations:
– Was info accessed or used?
– Financial harm?
Examples:
Harris v. ComScore (Ill. 2013)
Hannaford Bros. (D. Me. 2013)
Tabata v. Charleston Area Med. Ctr. (W. Va. 2014)

Notification Requirements
47 states have data breach notification laws
Commonalities:
– Define personal information
– Identify covered entities required to give notice
– Define events triggering notice
– How soon notification is required
– Who must be notified
Differences:
– Breadth of information protected
– Content of notice
– Trigger for notice and safe harbors
– Timing
– Cause of action for non-compliance?

Notification – Washington RCW 19.255
"Personal information" is name plus:
– SSN
– Driver's license number
– Account number & access code
Timing of notice
Exceptions?
Cause of action

Responding Well to a Data Breach

5 Steps for Responding Well to a Data Breach
1. What is your first step after securing the system?
– Privilege (retaining forensic experts through counsel is the usual way to bring their work under privilege)
– Coordination
2. Incident response team
– Internal resources
– Technical experts
– Manage the crisis
– Insurance?
3. Determine what happened
– Identify affected information
– Scope of breach
4. What are your legal obligations?
– Notification
– Contractual obligations
– Law enforcement
5. Fix the problem
– Technical fixes
– Data security policies, oversight, training
– Preemptive steps against litigation
– Review privacy and data security policies

Response Readiness Checklist
Assume you are a target
Disaster Recovery Plan: prepared and rehearsed, with key decision-makers identified and ready
Supply chain vendor contract review and audit
Appropriate insurance in place
Periodic risk analysis
Professionals at the ready - who you gonna call?
– Attorneys
– Insurance company
– Forensic experts
– Federal and state regulators
– Public relations
– Vendors for notification, credit monitoring, call center

Questions? Please contact us any time with additional questions.
Gavin Skok, Riddell Williams P.S., 206.389.1731, [email protected]


Page 85: law.seattleu.edu - Cyber-Risk... · Cyber-Risk Management for the General Business Lawyer November 7, 2014 | 6.00 General CLE Credits Agenda 8:00 - 8:55 a.m. Registration and coffee

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION

HILARY REMIJAS, MELISSA FRANK, DEBBIE FARNOUSH, and JOANNE KAO, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

THE NEIMAN MARCUS GROUP, LLC, a Delaware limited liability company,

Defendant.

Case No. 14-cv-1735
Hon. James B. Zagel
Magistrate Judge Maria Valdez

FIRST AMENDED CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

FILED 6/2/2014
THOMAS G. BRUTON
CLERK, U.S. DISTRICT COURT

CLASS ACTION COMPLAINT - 1 -

Case: 1:14-cv-01735 Document #: 27 Filed: 06/02/14 Page 1 of 38 PageID #:258

Plaintiffs HILARY REMIJAS (“Remijas”), MELISSA FRANK (“Frank”), DEBBIE FARNOUSH (“Farnoush”), and JOANNE KAO (“Kao”) (collectively, “Plaintiffs”) bring this action against Defendant THE NEIMAN MARCUS GROUP, LLC (“Neiman Marcus” or “Defendant”), a Delaware limited liability company, on behalf of themselves and all others similarly situated to obtain damages, restitution and injunctive relief for the Class, as defined below, from Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record:

NATURE OF THE ACTION

1. Plaintiffs bring this class action against Defendant for failing to secure and safeguard the personally identifiable information (“PII”) and payment card data (“PCD”) that Defendant collected and maintained (collectively “Private Information”), and for failing to provide timely and adequate notice to Plaintiffs and other Class members that their information had been stolen and precisely what types of information were stolen (the “Data Breach”).

2. Due to Defendant’s negligence, the Private Information that Defendant collected and maintained is now in the hands of thieves. Accordingly, Plaintiffs bring this action against Defendant asserting claims for negligence, violation of N.Y. G.B.L. § 349 and 815 ILCS 505/1, Breach of Implied Contract, Violation of California Unfair Competition Law, Business & Professions Code § 17200, Invasion of Privacy, Bailment and Conversion under California law, violation of California Civil Code § 1798.80 et. seq., and violation of the Fair Credit Reporting Act, codified at 15 U.S.C. § 1681 et. seq.

PARTIES

3. Plaintiff Remijas is a citizen and current resident of Illinois. Ms. Remijas made purchases using a Neiman Marcus credit card at a Neiman Marcus location in Oak Brook, Illinois on August 7, 2013 and December 21, 2013. Ms. Remijas did not receive any notice from Defendant about the Data Breach.

4. Plaintiff Frank is a citizen and current resident of New York. Ms. Frank and her husband have a joint debit card account that they used to make purchases at a Neiman Marcus retail location in Long Island, New York, during the month of December, 2013 (hereafter the “In Store Purchases”). An online purchase was also made on a retail website maintained by Defendant using the same joint account earlier that same month (hereafter the “Online Purchase”). On January 9, 2014, Ms. Frank was the victim of fraudulent charges on her debit card, and in mid-March, she was the victim of a phishing incident on her cell phone. In January 2014, Frank’s husband received a notice letter from Defendant about the Data Breach.

5. Plaintiff Farnoush is a citizen and current resident of California. After using her card at Defendant’s store in 2013, Ms. Farnoush was the victim of fraudulent charges on her credit card.

6. Plaintiff Kao is a citizen and current resident of California. Ms. Kao made purchases at a Neiman Marcus retail location in San Francisco, California on: February 25, March 15, April 13, April 19, May 2, June 19, October 1, October 11, November 11, and December 31, 2013. On January 7, 2014, Ms. Kao received an email from Chase Bank that her debit card had been compromised and that a new card would be issued to replace the compromised card. In January 2014, she received a notice letter from Defendant about the Data Breach.

7. Defendant The Neiman Marcus Group, LLC (“Defendant”) is a Delaware limited liability company headquartered in Dallas, Texas. Defendant operates retail stores within this District, including on North Michigan Avenue. Defendant allowed a massive breach of personal and financial information it collected and maintained to occur in 2013, which is the subject of this Complaint.

JURISDICTION AND VENUE

8. This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1332(d), the class contains members of diverse citizenship from Defendant, and the amount in controversy exceeds $5 million.

9. This Court has personal jurisdiction over Defendant because Defendant is authorized to and does conduct substantial business in Illinois, and in this District. Defendant owns and operates two retail locations within this District and in another location in the state of Illinois.

10. Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(2) because a substantial part of the events or omissions giving rise to this action occurred in this District, Defendant operates retail locations within this District, and the Data Breach affected consumers in this District.

FACTUAL BACKGROUND

DEFENDANT’S COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION AND PAYMENT CARD DATA

11. Defendant is an American luxury specialty department store. Millions of Americans regularly shop at Defendant’s online and brick-and-mortar stores.

12. When individuals transact business with Defendant or visit one of its stores or website, Defendant collects a wide variety of PII about them.

13. Defendant discloses the Information it collects about individuals who either shop online or in stores – or simply enter any of its stores or browse its website, even without making a purchase – on its website:

The Information We Collect

Generally, you may browse the website without providing any personally identifiable information. However, we may ask you to provide personally identifiable information at various times and places on this website. In some cases, if you choose not to provide us with the requested information, you may not be able to access all of this website or participate in all of its features.

We receive and store any personally identifiable information you enter on the website, whenever you shop with Neiman Marcus—online, through our catalogs, or in our stores, or information you give us in any other way, such as by subscribing to our catalogs, email, or mobile messaging. For example, we may collect the following personally identifiable information: your name, address, telephone number, mobile telephone number, driver's license number, birth date, and email address. If you use a credit or debit card or pay by check, we will also include your account number.

When you register with us as an online customer, we may ask for additional information, such as your favorite designers.

If you use one of our services, or participate in one of our surveys, promotions, or sweepstakes, we may ask for additional information, such as your age, interests, or product preferences.

From your purchases and other interactions with us, we obtain information concerning the specific products or services you purchase or use.

When you visit this website, our web server automatically collects anonymous information such as log data and IP addresses, and may collect general information concerning your location. We may use the automatically collected information for a number of purposes, such as improving our site design, product assortments, customer service, and special promotions.

When you visit one of our stores, if your mobile device accesses one of our wireless networks we may also automatically collect information about your geo-location based, in part, upon which wireless network has been accessed. When this happens we attempt to de-identify the information, which means that we remove or change (e.g., hash) certain pieces of information that might be used to link the data to you, or to your device. We will not attempt to re-identify geo-location information (i.e., link it to you or your device) unless you affirmatively give us permission to collect geo-location information about you. If you give us such permission, you can later decide to opt-out of geo-location tracking by sending an email to [email protected] with your MAC address (which can be found on most mobile devices under the "settings" menu).

Our mobile applications will not transmit geo-location information about you to us unless you give them permission to do so.

Some web browsers and devices permit you to broadcast a preference that you not be "tracked" online. At this time we do not modify your experience based upon whether such a signal is broadcast.

<http://www.neimanmarcus.com/assistance/assistance.jsp?itemId=cat33940739 (Security & Privacy Tab, “Information We Collect” last updated December 17, 2013)> (emphasis added) (last visited Feb. 28, 2014).

14. Thus, Defendant stores massive amounts of PII on its servers and utilizes this information to maximize its profits through predictive marketing and other marketing techniques.

IMPORTANCE OF DATA SECURITY TO PURCHASING DECISIONS

15. Consumers place value in data privacy and security, and they consider it when making purchasing decisions. Plaintiffs would not have made purchases at Neiman Marcus, or would not have paid as much for them, had they known that Neiman Marcus does not take all necessary precautions to secure their personal and financial data. Neiman Marcus failed to disclose its negligent and insufficient data security practices and consumers relied on this omission to make purchases at Neiman Marcus.

16. Furthermore, when consumers purchase goods at a high-end retailer, such as Defendant, they assume that its data security practices and policies are state of the art and that the retailer will use part of the purchase price that consumers pay for such state of the art practices. Consumers thus enter into an implied contract with Defendant that Defendant will adequately secure and protect their Private Information, and will use part of the purchase price of the goods to pay for adequate data security measures. In fact, rather than use those moneys to implement adequate data security policies and procedures, Neiman Marcus simply kept the money to maximize its profits, thus breaching the implied contract.

VALUE OF PII TO COMPANIES AND HACKERS

17. A market exists for personal data and information regarding individuals’ preferences and interests. This information is valuable because it can be compiled and sold as demographic data and advertising analytics or sold on a per-name basis. Companies like infoUSA compile consumer information and sell name and contact information categorized by demographic data, interests or other behavioral information.

18. It is well known and the subject of many media reports that PII data is also highly coveted by and a frequent target of hackers. PII data is often easily taken because it is less protected and regulated than PCD.

19. Thus, both legitimate organizations and the criminal underground alike recognize the value of PII. Otherwise, they wouldn’t pay for it or aggressively seek it. For example, in “[o]ne of 2013’s largest breaches . . . [n]ot only did hackers compromise the [card holder data] of three million customers, they also took registration data from 38 million users . . . .” Verizon 2014 PCI Compliance Report, <http://www.nocash.info.ro/wp-content/uploads/2014/02/Verizon_pci-report-2014.pdf> (hereafter “2014 Verizon Report”), at 54. Similarly, in the Target data breach, in addition to PCD pertaining to 40,000 credit and debit cards, hackers stole PII pertaining to 70,000 customers.

20. PII data has been stolen and sold by the criminal underground on many occasions in the past, and the accounts of thefts and unauthorized access have been the subject of many media reports. Unfortunately, and as will be alleged below, despite all of this publicly available knowledge of the continued compromises of PII in the hands of other third parties, such as retailers, Defendant’s approach to maintaining the security of Plaintiffs’ and Class Members’ PII was lackadaisical, cavalier, reckless, or at the very least, negligent.

LACK OF SEGREGATION OF CARD HOLDER DATA FROM PII

21. Unlike PII data, payment card data is heavily regulated. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies maintain consumer credit and debit card information in a secure environment.

22. “PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.” PCI DSS v. 2 at 5 (2010) (“PCI Version 2”).

23. PCI Version 2.0 prohibits retailers such as Defendant from: (1) improperly storing and retaining credit card transaction and customer data in an unencrypted, unsecure, and unauthorized manner; (2) failing to render PCD on electronic media unrecoverable so that it cannot be reconstructed; (3) failing to properly install, implement and maintain firewall(s) to protect consumer data; (4) failing to properly limit inbound Internet traffic to certain IP addresses; (5) failing to perform dynamic packet filtering; (6) failing to properly restrict access to the business’s computers; (7) failing to properly protect stored data; (8) failing to encrypt cardholder data and other sensitive information; (9) failing to properly use and regularly update anti-virus software or programs; (10) failing to track and monitor all access to network resources and cardholder data; and (11) failing to regularly test security systems or run vulnerability scans at least quarterly and after any significant network change.

24. One critical PCI requirement is to protect stored cardholder data. Cardholder data includes Primary Account Number, Cardholder Name, Expiration Date, and Service Code. Id. at 7.

25. “Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement.” Id. at 10. However, segregation is recommended because among other reasons, “[i]t’s not just cardholder data that’s important; criminals are also after other personally identifiable information (PII) and corporate data.” See Verizon Report at 54.

26. Many state statutes mandate additional data security requirements. For example, Cal. Civil Code § 1798.81 requires businesses to “take all reasonable steps to dispose, or arrange for the disposal, of customer records within [their] custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”

27. Illicitly obtained PII and PCD is sold on the black market, including on websites, as a product at a set price. See, e.g., <http://krebsonsecurity.com/2011/11/how-much-is-your-identity-worth> (last visited Mar. 4, 2014).

THE DATA BREACH AFFECTING NEIMAN MARCUS

28. Defendant’s credit card processor, TSYS, notified Defendant on December 13, 2013 that fraudulent card usage had been linked to a “common point of purchase” at Neiman Marcus stores. Visa and Mastercard confirmed additional fraud over the next few days. <http://online.wsj.com/news/articles/SB10001424052702303947904579338570638774960> (last visited Mar. 12, 2014).

29. Nevertheless, Defendant waited until news of the Data Breach was first published by a blogger (Brian Krebs of <http://krebsonsecurity.com/>) on or about January 10, 2014, some twenty-eight (28) days later, before making any attempt whatsoever to notify affected customers.

30. On January 10, 2014, instead of notifying affected customers directly, Defendant posted a statement on its Twitter account (not on the shopping site regularly accessed by customers), vaguely indicating: “The security of our customers’ information is always a priority and we sincerely regret any inconvenience”; and “We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores.” <https://twitter.com/neimanmarcus> (last visited Jan. 12, 2014).

31. On January 12, 2014, Ginger Reeder, a spokeswoman for Defendant, confirmed that Defendant “had been notified in mid-December by its credit card processor about potentially unauthorized payment activity following customer purchases at stores.” <http://abcnews.go.com/US/wireStory/neiman-marcus-victim-cyber-security-attack-21498673> (last visited Jan. 12, 2014). Ms. Reeder “wouldn't estimate how many customers may [have] be affected but said the merchant [wa]s notifying customers whose cards it ha[d] now determined were used fraudulently.” Id.

32. While Defendant has stated that “there is no indication that” social security numbers, PINs and dates of birth were compromised, it has not disclosed whether the wide range of other PII that it collects, including names, addresses, telephone numbers, mobile telephone numbers, driver’s license numbers, bank account numbers, email addresses, computer IP addresses, and location information, were disclosed in the breach. <http://www.neimanmarcus.com/en-au/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114> (last visited Mar. 4, 2014). Without such detailed disclosure, Plaintiffs and Class members are unable to take the necessary precautions to prevent imminent harm, such as continued misuse of their personal information.

33. Moreover, while Defendant claims that card data was scraped between July 16 and October 30, 2013, it acknowledges that “[o]ther malware associated with the attack, but not capable of scraping card data, was found to be in the environment as early as March.” Id. Defendant has failed to disclose the effects of this “other malware” and whether or not and when this malware was extinguished.

34. It’s very unusual for malware to self-expire. In addition, if fraud were occurring between July and October 2013, because hackers already had their hands on cardholder data and PII, credit card company analytics and other methods (undercover investigations of the black market) would likely have discovered it before December of 2013. Defendant has failed to provide a cogent picture of how the Data Breach occurred and its full effects on customers’ PII and PCD.

35. Reports further state that “hackers took control of a vulnerable server” which connected both to Defendant’s secure payment system and its general purpose network. This lack of segregation suggests that hackers had access to both PCD and PII during the Breach. See <http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data>.

36. During the months that hackers were scouring Defendant’s information systems, 59,746 alerts were set off by malware indicating “suspicious behavior” within Defendant’s security system. Id. However, Defendant’s centralized security system’s ability to automatically block the activity was “turned off.” Id. Defendant has failed to explain why it ignored nearly sixty thousand alerts that should have led it to discover and stop the Data Breach.

37. Hacking is often accomplished in a series of phases to include reconnaissance, scanning for vulnerabilities and enumeration of the network, gaining access, escalation of user, computer and network privileges, maintaining access, covering tracks and placing backdoors.

38. The malware as described by Defendant does not appear to have initiated or caused the infiltration into Defendant’s system or networks. Instead, this malware appears to have come later in order to maintain control of the system, execute programs or processes and to parse and syphon consumer confidential data.

39. On information and belief, Defendant failed to properly segregate PII from payment card data. As a result, while hackers scoured Defendant’s networks to find a way into the point-of-sale (“POS”), they had access to and collected PII stored on Defendant’s networks.

40. On information and belief, the Data Breach lasted for a longer time period than July 16-October 30, 2013. On information and belief, the Data Breach began no later than March 2013 when hackers took control of “a vulnerable server” belonging to Defendant, and lasted until January 10, 2014, when the Data Breach was finally contained.

CONSEQUENCES OF DEFENDANT’S CONDUCT

41. According to Defendant, 350,000 credit and debit cards swiped in 77 U.S. stores were affected by the Data Breach in 2013, including “Last Call” outlets.

42. According to Defendant, “approximately 9,200 of those [credit or debit cards used at its stores] were subsequently used fraudulently elsewhere.” <http://www.neimanmarcus.com/en-au/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114> (last visited Mar. 5, 2014).

43. On information and belief, Plaintiffs’ identifying and/or financial information was disclosed in the Data Breach.

44. Frank had never suffered any type of fraud, identity theft or phishing before the Data Breach.

45. However, within weeks of the In Store and Online Purchases, two fraudulent charges appeared on Frank’s Chase debit card. These charges were identical, both described as “IPC POS Debit” and “Starbucks Card Reload,” in the amount of $100 each, dated January 9, 2014. Frank was not able to ascertain any location or other identifying data, other than a phone number (800-782-7282) that appears to belong to Starbucks Corporation. See, e.g., <http://www.starbucksstore.com/on/demandware.store/Sites-Starbucks-Site/default/Page-Show?cid=cs-landing> (last visited Jan. 20, 2014) (providing same phone number, also appearing as “1-800-STARBUC,” for Starbucks).

46. The following screenshot depicts the information provided to Frank concerning these fraudulent charges:

47. Frank was without use of her debit card for approximately one day as a result of the fraud.

48. A few weeks after the fraudulent and unauthorized charges, Frank’s husband received a notice letter from Defendant concerning the Data Breach.

49. On information and belief, the fraudulent charges on Frank’s debit card were fairly traceable to Defendant’s negligence and its failure to keep her personal and/or financial information secure.

50. “Phishing” is when thieves e-mail or call victims appearing as legitimate callers or company representatives, in an attempt to access PCD and/or PII about victims for whom they already have some financial or personal information. The more information thieves have about a person, the broader the fraud or identity theft they are able to perpetrate.

51. In March 2014, Frank suffered a “phishing” incident on her cell phone. Armed with information about her deactivated Chase debit card, the caller tried to coax her into providing additional PCD. On information and belief, the caller’s goal was to conduct additional fraud and/or identity theft using Frank’s Private Information.

52. On information and belief, this “phishing” incident was fairly traceable to Defendant’s negligence and its failure to keep Frank’s Private Information secure.

53. Kao never suffered fraud, identity theft or phishing before the Data Breach. But within a week of her December 2013 purchase, she experienced fraud on her debit card.

54. On January 7, 2014, Kao received notice from Chase that her card had been compromised and was therefore being canceled.

55. Kao was without use of her debit card from the time she received notice that her card was compromised until she walked into a branch and got a new card.

56. Kao received her notice on January 7, 2014, a mere two days before the fraud on Frank’s card, on January 9, 2014.

57. On information and belief, the fraud on Kao’s card was fairly traceable to Defendant’s negligence and its failure to keep her Private Information secure.

58. Defendant failed to provide reasonable and appropriate security for the PII and PCD that it collected and maintained.

59. The ramifications of Defendant’s failure to keep Class members’ data secure are severe.

60. The information Defendant lost, including Plaintiffs’ identifying

CLASS ACTION COMPLAINT- 15 -

Case: 1:14-cv-01735 Document #: 27 Filed: 06/02/14 Page 15 of 38 PageID #:272

Page 100: law.seattleu.edu - Cyber-Risk... · Cyber-Risk Management for the General Business Lawyer November 7, 2014 | 6.00 General CLE Credits Agenda 8:00 - 8:55 a.m. Registration and coffee

information and/or other financial information, is “as good as gold” to identity thieves,

in the words of the Federal Trade Commission (“FTC”). FTC Interactive Toolkit,

Fighting Back Against Identity Theft, available at

<http://www.vanderbilt.edu/PersonalIdentityTheftProtection.pdf > (last visited Mar. 12,

2014). Identity theft occurs when someone uses another’s personal identifying

information, such as that person’s name, address, credit card number, credit card

expiration dates, and other information, without permission, to commit fraud or other

crimes. Id.

61. As the FTC has stated, once identity thieves have personal information,

“they can drain your bank account, run up your credit cards, open new utility accounts,

or get medical treatment on your health insurance.” FTC, Signs of Identity Theft,

available at <http://www.consumer.ftc.gov/articles/0271-signs-identity-theft> (last

visited Jan. 21, 2014).

62. According to Javelin Strategy and Research, “one in every three people

who is notified of being a potential fraud victim becomes one . . . with 46% of

consumers who had cards breached becoming fraud victims that same year.”

<http://www.foxbusiness.com/personal-finance/2014/02/05/someone-became-identity-

theft-victim-every-2-seconds-last-year>.

63. Identity thieves can use personal information such as that pertaining to

the Class, which Defendant failed to keep secure, to perpetrate a variety of crimes that

harm victims. For instance, identity thieves may commit various types of government

fraud such as: immigration fraud; obtaining a driver’s license or identification card in

the victim’s name but with another’s picture; using the victim’s information to obtain

CLASS ACTION COMPLAINT- 16 -

Case: 1:14-cv-01735 Document #: 27 Filed: 06/02/14 Page 16 of 38 PageID #:273

Page 101: law.seattleu.edu - Cyber-Risk... · Cyber-Risk Management for the General Business Lawyer November 7, 2014 | 6.00 General CLE Credits Agenda 8:00 - 8:55 a.m. Registration and coffee

government benefits; or filing a fraudulent tax return using the victim’s information to

obtain a fraudulent refund. This activity may not come to light for years.

64. In addition, identity thieves may get medical services using consumers’

lost information or commit any number of other frauds, such as obtaining a job,

procuring housing, or even giving false information to police during an arrest.

65. It is incorrect to assume that reimbursing a consumer for fraud makes that

individual whole again. On the contrary, after conducting a study the Department of

Justice’s Bureau of Justice Statistics (“BJS”) found that “[a]mong victims who had

personal information used for fraudulent purposes, 29% spent a month or more resolving

problems.” Victims of Identity Theft, 2012 at 1 (2013), available at

<http://www.bjs.gov/content/pub/pdf/vit12.pdf> (last visited Mar. 5, 2014). In fact, the

BJS reported, “[r]esolving the problems caused by identity theft [could] take more than

a year for some victims.” Id. at 11.

66. Frank’s experience here confirms the veracity of the BJS statistics

detailed above. For example, while the last purchase using her joint account was made

at Defendant’s store in December 2013, she did not suffer fraud on her debit card until 3

weeks later, and did not suffer “phishing” until 12 weeks later.

67. According to the U.S. Government Accountability Office (“GAO”),

which conducted a study regarding data breaches:

[S]tolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

GAO, Report to Congressional Requesters, at p. 29 (June 2007), available at


<http://www.gao.gov/new.items/d07737.pdf>. Frank’s experience corroborates GAO’s

finding that there may be, and often is, a time lag between when harm occurs versus

when it is discovered, and also between when PII or payment card data is stolen and

when it is used.

68. Given that at least 9,200 confirmed instances of fraud have already

resulted from the Data Breach to date, Plaintiffs and the Class they seek to represent

now face years of constant surveillance of their financial and personal records,

monitoring, and loss of rights. The Class is incurring and will continue to incur such

damages in addition to any fraudulent credit and debit card charges incurred by them,

and the resulting loss of use of their credit and access to funds whether or not such

charges are ultimately reimbursed by the credit card companies.

69. Plaintiffs would not have shopped at Defendant’s stores, paid as much for

the products they purchased there, or visited Defendant’s stores or website, had they

known that Defendant would not adequately protect their personal and financial

information.

CLASS ACTION ALLEGATIONS

70. Plaintiffs seek relief in their individual capacity and seek to represent a

class consisting of all others who are similarly situated. Pursuant to Fed. R. Civ. P.

23(a) and (b)(2) and/or (b)(3), Plaintiffs seek certification of a class initially defined as

follows:

All persons whose personal and/or financial information was disclosed in the data incursion affecting Neiman Marcus in 2013. Excluded from the Class are Defendant’s officers, directors, and employees; any entity in which Defendant has a controlling interest; and the affiliates, legal representatives, attorneys, successors, heirs, and assigns of Defendant. Excluded also from the Class are members of the judiciary to whom this case is assigned, their families and members of their staff.

71. Numerosity. Fed. R. Civ. P. 23(a)(1). The members of the Class are so

numerous that the joinder of all members is impractical. While the exact number of

Class members is unknown to Plaintiffs at this time, based on information and belief, it

is in the millions.

72. Commonality. Fed. R. Civ. P. 23(a)(2) and (b)(3). There are questions

of law and fact common to the Class, which predominate over any questions affecting

only individual Class members. These common questions of law and fact include,

without limitation:

a. Whether Defendant unlawfully used, maintained, lost or disclosed Class

members’ personal and/or financial information;

b. Whether Defendant unreasonably delayed in notifying affected customers

of the Data Breach and whether the belated notice was adequate;

c. Whether Defendant failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the

information compromised in the Data Breach;

d. Whether Defendant’s conduct was negligent;

e. Whether Defendant’s conduct violated New York General Business Law

§ 349;

f. Whether Defendant’s conduct violated 815 ILCS 505/1;

g. Whether Defendant entered into an implied contract with Plaintiffs and

Class Members containing a term to safeguard their Private Information;

h. Whether Defendant violated the requirements of California Civil Code §


1798.80 et seq.;

i. Whether Defendant’s conduct violated California Business & Professions

Code § 17200, et seq.;

j. Whether Defendant’s conduct constituted conversion under California

law;

k. Whether Defendant breached its bailment duty under California law;

l. Whether Defendant acted willfully and/or with oppression, fraud, or

malice;

m. Whether Defendant’s conduct constituted Intrusion under California law;

n. Whether Defendant’s conduct constituted Public Disclosure of Private

Facts under California law;

o. Whether Defendant’s conduct constituted Misappropriation of Likeness

and Identity under California law;

p. Whether Defendant’s conduct violated Class members’ California

Constitutional Right to Privacy;

q. Whether Defendant willfully and/or negligently violated the Fair Credit

Reporting Act, 15 U.S.C. § 1681, et seq.; and

r. Whether Plaintiffs and the Class are entitled to damages, civil penalties,

punitive damages, and/or injunctive relief.

73. Typicality. Fed. R. Civ. P. 23(a)(3). Plaintiffs’ claims are typical of

those of other Class members because Plaintiffs’ information, like that of every other

class member, was misused and/or disclosed by Defendant.

74. Adequacy of Representation. Fed. R. Civ. P. 23(a)(4). Plaintiffs will


fairly and adequately represent and protect the interests of the members of the Class.

Plaintiffs’ Counsel are competent and experienced in litigating class actions.

75. Superiority of Class Action. Fed. R. Civ. P. 23(b)(3). A class action is

superior to other available methods for the fair and efficient adjudication of this

controversy since joinder of all Class members is impracticable. Furthermore, the

adjudication of this controversy through a class action will avoid the possibility of

inconsistent and potentially conflicting adjudication of the asserted claims. There will

be no difficulty in the management of this action as a class action.

76. Damages for any individual class member are likely insufficient to justify

the cost of individual litigation, so that in the absence of class treatment, Defendant’s

violations of law inflicting substantial damages in the aggregate would go un-remedied

without certification of the Class.

77. Defendant has acted or refused to act on grounds that apply generally to

the class, as alleged above, and certification is proper under Rule 23(b)(2).

FIRST COUNT

Negligence

(On Behalf of Plaintiffs and All Other Similarly Situated United States Consumers)

78. Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

79. Plaintiffs bring this claim individually and on behalf of the nationwide

Class.

80. Defendant knowingly collected, came into possession of and maintained

Plaintiffs’ Private Information, and had a duty to exercise reasonable care in

safeguarding, securing and protecting such information from being compromised, lost,


stolen, misused, and/or disclosed to unauthorized parties.

81. Defendant had and continues to have a duty to timely disclose that

Plaintiffs’ Private Information within its possession might have been compromised and

precisely the types of information that were compromised.

82. Defendant had a duty to have procedures in place to detect and prevent

the loss or unauthorized dissemination of Plaintiffs’ Private Information.

83. Defendant systematically failed to provide adequate security for data in

its possession.

84. Defendant, through its actions and/or omissions, unlawfully breached its

duty to Plaintiffs by failing to exercise reasonable care in protecting and safeguarding

Plaintiffs’ Private Information within Defendant’s possession.

85. Defendant, through its actions and/or omissions, unlawfully breached its

duty to Plaintiffs by failing to have appropriate procedures in place to detect and prevent

dissemination of Plaintiffs’ Private Information.

86. Defendant, through its actions and/or omissions, unlawfully breached its

duty to timely disclose to Plaintiffs and Class members the fact that their Private

Information within its possession might have been compromised and precisely the type

of information compromised.

87. Defendant’s breach of duties owed to Plaintiffs and the Class proximately

caused Plaintiffs’ and Class members’ Private Information to be compromised.

88. As a result of Defendant’s ongoing failure to notify consumers regarding

what type of PII has been compromised, consumers are unable to take the necessary

precautions to mitigate their damages by preventing future fraud.


89. Defendant’s breaches of duty caused Plaintiffs to overpay for goods,

purchase goods they would not otherwise have purchased, suffer fraud on their credit or

debit cards, identity theft, phishing, temporary loss of use of their debit cards and access

to the funds therein, loss of time and money associated with resolving the fraudulent

charges on their cards, loss of time to monitor and cancel additional cards or accounts,

loss of time and money monitoring their finances for additional fraud, diminished value

of the services they received, and loss of control over their PCD and/or PII.

90. As a result of Defendant’s negligence and breach of duties, Plaintiffs’

Private Information was compromised, obtained by a third party, and used by a third

party to cause Frank and Kao to incur fraudulent charges, to spend time clearing up

those charges, and to be without the use of their debit cards for a period of time.

91. Additionally, Plaintiffs are in danger of imminent harm that their PII,

which is still in the possession of third parties, will be used for fraudulent purposes.

92. Plaintiffs seek the award of actual damages on behalf of the Class.

93. In failing to secure Plaintiffs’ and Class members’ Private Information

and promptly notifying them of the Data Breach, Defendant was guilty of oppression,

fraud, or malice, in that Defendant acted or failed to act with a willful and conscious

disregard of Plaintiffs’ and Class Members’ rights. Plaintiffs therefore, in addition to

seeking actual damages, seek punitive damages on behalf of themselves and the Class.

94. Plaintiffs seek injunctive relief on behalf of the Class in the form of an

order (1) compelling Defendant to institute appropriate data collection and safeguarding

methods and policies with regard to consumer information and (2) compelling

Defendant to provide detailed and specific disclosure of what types of PII have been


compromised as a result of the data breach.

SECOND COUNT

Breach of Implied Contract

(On Behalf of Plaintiffs and All Other Similarly Situated United States Consumers)

95. Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

96. Defendant required customers who intended to make In Store Purchases

with debit or credit cards to provide their cards’ magnetic strip data for payment

verification.

97. In providing such information, Plaintiffs and other Class members

entered into an implied contract with Defendant whereby Defendant became obligated to

reasonably safeguard their sensitive and non-public information.

98. Defendant breached the implied contract with Plaintiffs and Class

Members by failing to take reasonable measures to safeguard their financial data.

Plaintiffs and Class Members suffered and will continue to suffer damages including,

but not limited to, actual identity theft, fraud and/or phishing, loss of money and costs

incurred as a result of increased risk of identity theft, and loss of their PCD and PII, all

of which have ascertainable value to be proved at trial.

THIRD COUNT

Unjust Enrichment

(On Behalf of Plaintiffs and All Other Similarly Situated United States Consumers)

99. Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

100. Plaintiffs hereby plead in the alternative to the Second Count.


101. Plaintiffs and Class Members conferred a monetary benefit on Defendant.

Defendant received and retained money belonging to Plaintiffs and the Class.

102. Defendant appreciates or has knowledge of such benefit.

103. Under principles of equity and good conscience, Defendant should not be

permitted to retain the money belonging to Plaintiffs and Class members, which Defendant

has unjustly received as a result of its unlawful actions.

104. As a result of Defendant’s conduct, Plaintiffs and the Class suffered and

will continue to suffer actual damages including, but not limited to, the release of their Private

Information; expenses and/or time spent on credit monitoring and identity theft insurance;

time spent scrutinizing bank statements, credit card statements, and credit reports; and, time

spent initiating fraud alerts. Plaintiffs and Class members suffered and will continue to suffer

other forms of injury and/or harm including, but not limited to, other economic and non-

economic losses.

FOURTH COUNT

Unfair and Deceptive Business Practices

(On Behalf of Plaintiffs and All Other Similarly Situated United States Consumers)

105. Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

106. Plaintiffs bring this Count individually, and on behalf of all similarly

situated residents of each of the 50 States and the District of Columbia, for violations of

the respective statutory consumer protection laws, as follows:

a. the Alabama Deceptive Trade Practices Act, Ala. Code 1975, § 8–19–1, et seq.;

b. the Alaska Unfair Trade Practices and Consumer Protection Act, AS §


45.50.471, et seq.;

c. the Arizona Consumer Fraud Act, A.R.S §§ 44-1521, et seq.;

d. the Arkansas Deceptive Trade Practices Act, Ark.Code §§ 4-88-101, et seq.;

e. the California Unfair Competition Law, Bus. & Prof. Code §§17200, et seq. and 17500 et seq.;

f. the California Consumers Legal Remedies Act, Civil Code §1750, et seq.;

g. the Colorado Consumer Protection Act, C.R.S.A. §6-1-101, et seq.;

h. the Connecticut Unfair Trade Practices Act, C.G.S.A. § 42-110, et seq.;

i. the Delaware Consumer Fraud Act, 6 Del. C. § 2513, et seq.;

j. the D.C. Consumer Protection Procedures Act, DC Code § 28-3901, et seq.;

k. the Florida Deceptive and Unfair Trade Practices Act, FSA § 501.201, et seq.;

l. the Georgia Fair Business Practices Act, OCGA § 10-1-390, et seq.;

m. the Hawaii Unfair Competition Law, H.R.S. § 480-1, et seq.;

n. the Idaho Consumer Protection Act, I.C. § 48-601, et seq.;

o. the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/1, et seq.;

p. the Indiana Deceptive Consumer Sales Act, IN ST § 24-5-0.5-2, et seq.;

q. The Iowa Private Right of Action for Consumer Frauds Act, Iowa Code Ann. § 714H.1, et seq.;

r. the Kansas Consumer Protection Act, K.S.A. § 50-623, et seq.;

s. the Kentucky Consumer Protection Act, KRS 367.110, et seq.;

t. the Louisiana Unfair Trade Practices and Consumer Protection Law, LSA-R.S. 51:1401, et seq.;


u. the Maine Unfair Trade Practices Act, 5 M.R.S.A. § 205-A, et seq.;

v. the Maryland Consumer Protection Act, MD Code, Commercial Law, § 13-301, et seq.;

w. the Massachusetts Regulation of Business Practices for Consumers Protection Act, M.G.L.A. 93A, et seq.;

x. the Michigan Consumer Protection Act, M.C.L.A. 445.901, et seq.;

y. the Minnesota Prevention of Consumer Fraud Act, Minn. Stat. § 325F.68, et seq.;

z. the Mississippi Consumer Protection Act, Miss. Code Ann. § 75-24-1, et seq.;

aa. the Missouri Merchandising Practices Act, V.A.M.S. § 407, et seq.;

bb. the Montana Unfair Trade Practices and Consumer Protection Act of 1973, Mont. Code Ann. § 30-14-101, et seq.;

cc. the Nebraska Consumer Protection Act, Neb.Rev.St. §§ 59-1601, et seq.;

dd. the Nevada Deceptive Trade Practices Act, N.R.S. 41.600, et seq.;

ee. the New Hampshire Regulation of Business Practices for Consumer Protection, N.H.Rev.Stat. § 358-A:1, et seq.;

ff. the New Jersey Consumer Fraud Act, N.J.S.A. 56:8, et seq.;

gg. the New Mexico Unfair Practices Act, N.M.S.A. §§ 57-12-1, et seq.;

hh. the New York Consumer Protection from Deceptive Acts and Practices, N.Y. GBL (McKinney) § 349, et seq.;

ii. the North Carolina Unfair and Deceptive Trade Practices Act, N.C. Gen Stat. § 75-1.1, et seq.;

jj. the North Dakota Consumer Fraud Act, N.D. Cent.Code Chapter 51-15, et seq.;

kk. the Ohio Consumer Sales Practices Act, R.C. 1345.01, et seq.;

ll. the Oklahoma Consumer Protection Act, 15 O.S.2001, §§ 751, et seq.;


mm. the Oregon Unlawful Trade Practices Act, ORS 646.605, et seq.;

nn. the Pennsylvania Unfair Trade Practices and Consumer Protection Law, 73 P.S. § 201-1, et seq.;

oo. the Rhode Island Deceptive Trade Practices Act, G.L.1956 § 6-13.1-5.2(B), et seq.;

pp. the South Carolina Unfair Trade Practices Act, SC Code 1976, §§ 39-5-10, et seq.;

qq. the South Dakota Deceptive Trade Practices and Consumer Protection Act, SDCL § 37-24-1, et seq.;

rr. the Tennessee Consumer Protection Act, T.C.A. § 47-18-101, et seq.;

ss. the Texas Deceptive Trade Practices-Consumer Protection Act, V.T.C.A., Bus. & C. § 17.41, et seq.;

tt. the Utah Consumer Sales Practices Act, UT ST § 13-11-1, et seq.;

uu. the Vermont Consumer Fraud Act, 9 V.S.A. § 2451, et seq.;

vv. the Virginia Consumer Protection Act of 1977, VA ST § 59.1-196, et seq.;

ww. the Washington Consumer Protection Act, RCWA 19.86.010, et seq.;

xx. the West Virginia Consumer Credit And Protection Act, W.Va.Code § 46A-1-101, et seq.;

yy. the Wisconsin Deceptive Trade Practices Act, WIS.STAT. § 100.18, et seq.; and

zz. the Wyoming Consumer Protection Act, WY ST § 40-12-101, et seq.

107. Defendant violated the statutes set forth (collectively, the “Consumer

Protection Acts”) above by failing to properly implement adequate, commercially

reasonable security measures to protect Plaintiffs and Class Members’ PII, and by

allowing third parties to access Plaintiffs’ and Class Members’ PII.


108. Defendant further violated the Consumer Protection Acts by failing to

disclose to the consumers that its data security practices were inadequate, thus inducing

consumers to make purchases at Neiman Marcus.

109. Defendant’s acts and/or omissions constitute fraudulent, deceptive,

and/or unfair acts or omissions under the Consumer Protection Acts.

110. Plaintiffs and other Class Members were deceived by Defendant’s failure

to properly implement adequate, commercially reasonable security measures to protect

their PII.

111. Defendant intended for Plaintiffs and other Class Members to rely on

Defendant to protect the information furnished to it in connection with debit and credit

card transactions and/or otherwise collected by Defendant, in such manner that

Plaintiffs’ PII would be protected, secure and not susceptible to access from

unauthorized third parties.

112. Defendant instead handled Plaintiffs’ and other Class Members’

information in such manner that it was compromised.

113. Defendant failed to follow industry best practices concerning data

security or was negligent in preventing the Data Breach from occurring.

114. It was foreseeable that Defendant’s willful indifference or negligent

course of conduct in handling PII it collected would put that information at the risk of

compromise by data thieves.

115. On information and belief, Defendant benefited from mishandling the PII

of customers, In Store Visitors and Online Shoppers because, by not taking effective

measures to secure this information, Defendant saved on the cost of providing data


security.

116. Defendant’s fraudulent and deceptive acts and omissions were intended

to induce Plaintiffs’ and Class Members’ reliance on Defendant’s deception that their

Private Information was secure.

117. Defendant’s conduct offends public policy and constitutes unfair acts or

practices under the Consumer Protection Acts because Defendant caused substantial

injury to Class Members that is not offset by countervailing benefits to consumers or

competition, and is not reasonably avoidable by consumers.

118. Defendant’s acts or practice of failing to employ reasonable and

appropriate security measures to protect Private Information constitute violations of the

Federal Trade Commission Act, 15 U.S.C. § 45(a), which the courts consider when

evaluating claims under the Consumer Protection Acts, including 815 ILCS 505/2.

119. Defendant’s conduct constitutes unfair acts or practices as defined in the

Consumer Protection Acts because Defendant caused substantial injury to Class

members, which injury is not offset by countervailing benefits to consumers or

competition and was not reasonably avoidable by consumers.

120. Defendant also violated 815 ILCS 505/2 by failing to immediately notify

affected customers of the nature and extent of the Data Breach pursuant to the Illinois

Personal Information Protection Act, 815 ILCS 530/1, et seq., which provides, at

Section 10:

Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time


possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.

121. 815 ILCS 530/20 provides that a violation of 815 ILCS 530/10

“constitutes an unlawful practice under the Consumer Fraud and Deceptive Business

Practices Act.”

122. Plaintiffs and other Class Members have suffered injury in fact and actual

damages including lost money and property as a result of Defendant’s violations of the

Consumer Protection Acts.

123. Defendant’s fraudulent and deceptive behavior proximately caused

Plaintiffs’ and Class Members’ injuries, and Defendant conducted itself with reckless

indifference toward the rights of others, such that an award of punitive damages is

appropriate.

124. Defendant violated the Consumer Protection Acts, which laws do not

materially differ from that of Illinois, or conflict with each other for purposes of this

action.

125. Defendant’s failure to disclose information concerning the Data Breach

directly and promptly to affected customers, constitutes a separate fraudulent act or

practice in violation of the Consumer Protection Acts, including California Business &

Professions Code § 17200, et seq.

126. The California Plaintiffs seek restitution pursuant to the Consumer

Protection Acts, including California Business & Professions Code § 17203, and

injunctive relief on behalf of the Class.

127. Plaintiffs seek attorney’s fees and damages to the fullest extent permitted


under the Consumer Protection Acts, including N.Y. G.B.L. § 349(h).

FIFTH COUNT

Invasion of Privacy - Intrusion, Public Disclosure of Private Facts, Misappropriation of Likeness and Identity, and California Constitutional Right to Privacy

(On Behalf of Plaintiffs Farnoush and Kao and All Other Similarly Situated California Consumers)

128. The California Plaintiffs incorporate the substantive allegations contained in all

previous paragraphs as if fully set forth herein.

129. The California Plaintiffs had a reasonable expectation of privacy in the Private

Information Defendant mishandled.

130. By failing to keep the California Plaintiffs’ Private Information safe, and by

misusing and/or disclosing said information to unauthorized parties for unauthorized use,

Defendant invaded California Plaintiffs’ privacy by:

a. Intruding into California Plaintiffs’ private affairs in a manner that

would be highly offensive to a reasonable person;

b. Publicizing private facts about the California Plaintiffs, which is highly

offensive to a reasonable person;

c. Using and appropriating California Plaintiffs’ identity without their

consent; and

d. Violating California Plaintiffs’ right to privacy under California

Constitution, Article 1, Section 1, through the improper use of their

Private Information properly obtained for a specific purpose for another

purpose, or the disclosure of it to some third party.


131. Defendant knew, or acted with reckless disregard of the fact that, a reasonable

person in California Plaintiffs’ position would consider Defendant’s actions highly offensive.

132. Defendant invaded California Plaintiffs’ right to privacy and intruded into

California Plaintiffs’ private affairs by misusing and/or disclosing their private information

without their informed, voluntary, affirmative, and clear consent.

133. As a proximate result of such misuse and disclosures, California Plaintiffs’

reasonable expectation of privacy in their Private Information was unduly frustrated and

thwarted. Defendant’s conduct amounted to a serious invasion of California Plaintiffs’

protected privacy interests.

134. In failing to protect California Plaintiffs’ Private Information, and in misusing

and/or disclosing their Private Information, Defendant has acted with malice and oppression

and in conscious disregard of California Plaintiffs and the Class Members’ rights to have such

information kept confidential and private. The California Plaintiffs, therefore, seek an award

of damages, including punitive damages, on behalf of themselves and the Class.

SIXTH COUNT

Violation of State Data Breach Acts

(On Behalf of Plaintiffs and All Other Similarly Situated United States Consumers)

135. Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

136. Defendant owns, licenses and/or maintains computerized data that includes

Plaintiffs’ and Class Members’ PII.

137. Defendant was required to, but failed, to take all reasonable steps to dispose, or

arrange for the disposal, of records within its custody or control containing personal

information when the records were no longer to be retained, by shredding, erasing, or

CLASS ACTION COMPLAINT- 33 -

Case: 1:14-cv-01735 Document #: 27 Filed: 06/02/14 Page 33 of 38 PageID #:290

Page 118: law.seattleu.edu - Cyber-Risk... · Cyber-Risk Management for the General Business Lawyer November 7, 2014 | 6.00 General CLE Credits Agenda 8:00 - 8:55 a.m. Registration and coffee

otherwise modifying the personal information in those records to make it unreadable or

undecipherable through any means.

138. Defendant’s conduct, as alleged above, violated the data breach statutes of many states, including:

a. California, Cal. Civ. Code §§ 1798.80 et. seq.;
b. Hawaii, Haw. Rev. Stat. § 487N-1–4 (2006);
c. Illinois, 815 Ill. Comp Stat. Ann. 530/1–/30 (2006);
d. Louisiana, La. Rev. Stat. § 51:3071-3077 (2005), and L.A.C. 16:III.701;
e. Michigan, Mich. Comp. Laws Ann. §§ 445.63, 445.65, 445.72 (2006);
f. New Hampshire, N.H. Rev. Stat. Ann. §§ 359-C:19–C:21, 358-A:4 (2006), 332-I:1–I:610;
g. New Jersey, N.J. Stat. Ann. § 56:8-163–66 (2005);
h. North Carolina, N.C. Gen. Stat. §§ 75-65 (2005); as amended (2009);
i. Oregon, Or. Rev. Stat. §§ 646A.602, 646A.604, 646A.624 (2011);
j. Puerto Rico, 10 L.P.R.A. § 4051; 10 L.P.R.A. § 4052 (2005), as amended (2008);
k. South Carolina, S.C. Code § 1-11-490 (2008); S.C. Code § 39-1-90 (2009);
l. Virgin Islands, 14 V.I.C. § 2208, et seq. (2005);
m. Virginia, Va. Code Ann. § 18.2-186.6 (2008); Va. Code Ann. § 32.1–127.1:05 (2011); and
n. the District of Columbia, D.C. Code § 28-3851 to 28-3853 (2007) (collectively, the “State Data Breach Acts”).

139. Defendant was required to, but failed, to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach.

140. The Data Breach constituted a “breach of the security system” within the meaning of section 1798.82(g) of the California Civil Code, and other State Data Breach Acts.

141. The information compromised in the Data Breach constituted “personal information” within the meaning of section 1798.80(e) of the California Civil Code, and other State Data Breach Acts.

142. Like other State Data Breach Acts, California Civil Code § 1798.80(e) requires disclosure of data breaches “in the most expedient time possible and without unreasonable delay . . . .”

143. Defendant violated Cal. Civ. Code § 1798.80(e) and other State Data Breach Acts by unreasonably delaying disclosure of the Data Breach to Plaintiffs and other Class Members, whose PII was, or was reasonably believed to have been, acquired by an unauthorized person.

144. Upon information and belief, no law enforcement agency instructed Defendant that notification to Plaintiffs and Class Members would impede a criminal investigation.

145. As a result of Defendant’s violation of State Data Breach Acts, including Cal. Civ. Code § 1798.80, et seq., Plaintiffs and Class Members incurred economic damages, including expenses associated with monitoring their personal and financial information to prevent further fraud.

146. Plaintiffs, individually and on behalf of the Class, seek all remedies available under Cal. Civ. Code § 1798.84 and under the other State Data Breach Acts, including, but not limited to: (a) actual damages suffered by Class Members as alleged above; (b) statutory damages for Defendant’s willful, intentional, and/or reckless violation of Cal. Civ. Code § 1798.83; (c) equitable relief; and (d) reasonable attorneys’ fees and costs under Cal. Civ. Code § 1798.84(g).

147. Because Defendant was guilty of oppression, fraud or malice, in that it failed to act with a willful and conscious disregard of Plaintiffs’ and Class Members’ rights, Plaintiffs also seek punitive damages, individually and on behalf of the Class.

PRAYER FOR RELIEF

WHEREFORE Plaintiffs pray for judgment as follows:

A. For an Order certifying this action as a class action and appointing Plaintiffs and their Counsel to represent the Class;

B. For equitable relief enjoining Defendant from engaging in the wrongful conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiffs’ and Class Members’ Private Information, and from refusing to issue prompt, complete and accurate disclosures to Plaintiffs and Class Members;

C. For equitable relief compelling Defendant to utilize appropriate methods and policies with respect to consumer data collection, storage and safety and to disclose with specificity the type of PII compromised during the Data Breach;

D. For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendant’s wrongful conduct;

E. Ordering Defendant to pay for not less than three years of credit card monitoring services for Plaintiffs and the Class;

F. Ordering Defendant to disseminate individualized notice of the Data Breach to all Class members and to post notice of the Breach in all affected stores;

G. For an award of actual damages, compensatory damages, statutory damages, and statutory penalties, in an amount to be determined;

H. For an award of punitive damages, as allowable by law;

I. For an award of attorneys’ fees and costs, including expert witness fees;

J. Pre- and post-judgment interest on any amounts awarded; and

K. Such other and further relief as this court may deem just and proper.

Dated: May 16, 2014

SIPRUT PC
/s/ Joseph J. Siprut
Joseph J. Siprut
Melanie K. Nelson
Gregg M. Barbakoff
Gregory W. Jones
17 North State Street, Suite 1600
Chicago, IL 60602
Tel: (312) 236-0000
Fax: (312) 267-1906

AHDOOT & WOLFSON, PC
Tina Wolfson (pro hac vice application to be filed)
Robert Ahdoot (pro hac vice application to be filed)
Theodore W. Maya (pro hac vice application to be filed)
Bradley K. King (pro hac vice application to be filed)
1016 Palm Avenue
West Hollywood, California 90069
Tel: (310) 474-9111
Fax: (310) 474-8585

John A. Yanchunis, Sr. (pro hac vice application to be filed)
MORGAN & MORGAN
COMPLEX LITIGATION GROUP
201 N. Franklin Street, 7th Floor
Tampa, Florida 33602
Tel: (813) 223-5505
Fax: (813) 223-5402


W. Lewis Garrison (pro hac vice application to be filed)
HENINGER GARRISON DAVIS, LLC
2224 First Avenue North
Birmingham, AL 35203
Tel: (205) 326-3336
Fax: (205) 380-8085

Paul C. Whalen (pro hac vice application to be filed)
LAW OFFICES OF PAUL C. WHALEN P.C.
768 Plandome Road, Suite 212
Manhasset, NY 11030
Telephone: (516) 627-5610
Facsimile: (212) 658-9685

Lionel Z. Glancy (pro hac vice application to be filed)
GLANCY BINKOW & GOLDBERG LLP
1925 Century Park East, Suite 2100
Los Angeles, CA 90067
Tel: (310) 201-9150
Fax: (310) 201-9160

Brian P. Murray (pro hac vice application to be filed)
GLANCY BINKOW & GOLDBERG LLP
122 E. 42nd Street, Suite 2920
New York, NY 10168
Tel: (212) 682-5340
Fax: (212) 884-0988

Abbas Kazerounian (pro hac vice application to be filed)
KAZEROUNI LAW GROUP, APC
245 Fischer Avenue, Suite D1
Costa Mesa, CA 92646
Tel: (800) 400-6808
Fax: (800) 520-5523

Joshua B. Swigart, Esq. (pro hac vice application to be filed)
HYDE & SWIGART
2221 Camino Del Rio South, Suite 101
San Diego, CA 92108
Tel: (619) 233-7770
Fax: (619) 297-1022

4823-0539-4203, v. 1


1 Case No.: 13-CV-05226-LHK ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEM INC.’S MOTION TO DISMISS


Case No.: 13-CV-05226-LHK ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEMS INC.’S MOTION TO DISMISS

In this consolidated litigation, Plaintiffs Christian Duke (“Duke”), Joseph Kar (“Kar”), Christina Halpain (“Halpain”), Jacob McHenry (“McHenry”), Anne McGlynn (“McGlynn”), and Marcel Page (“Page”), individually and on behalf of those similarly situated (collectively, “Plaintiffs”) bring claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe’s computer network in 2013 and the resulting data breach. Consol. Compl. (“Compl.”) ECF No. 39. Pending before the Court is Adobe’s Motion to Dismiss, in which Adobe seeks dismissal of all of Plaintiffs’ claims. (“Mot.”) ECF No. 45. Plaintiffs have filed an Opposition, (“Opp’n”) ECF No. 47, and Adobe has filed a Reply, (“Reply”) ECF No. 50. Having considered the submissions of the parties and the relevant law, the Court hereby GRANTS IN PART and DENIES IN PART Adobe’s Motion to Dismiss.

Case5:13-cv-05226-LHK Document55 Filed09/04/14 Page1 of 41


I. BACKGROUND

A. Factual Allegations

Except where indicated, the facts in this section are taken from Plaintiffs’ Complaint and accepted as true for the purposes of this Motion.

1. Adobe’s Products and Services

Adobe is a multinational software company that sells and licenses printing, publishing, multimedia, and graphics software. Compl. ¶ 17. Adobe sells a wide range of products, including Photoshop (a widely-used digital imaging program) and ColdFusion (used by web developers to build websites and Internet applications). Id. ¶ 19. Adobe’s products and services are available in two forms. Some Adobe software, such as ColdFusion, is sold through licenses, where customers pay a single licensing fee to use the software. Id. Other Adobe products are available through Adobe’s subscription-based “Creative Cloud,” where customers pay a monthly fee to use Adobe’s products and services. Id.

Adobe collects a variety of customer information. Customers of licensed-based products must register their products, which requires customers to provide Adobe with their e-mail addresses and create a username and password for Adobe’s website. Id. Some of these customers purchased their licenses online from Adobe directly, and thus also provided Adobe with their credit card numbers and expiration dates, as well as other billing information. E.g., id. ¶¶ 19, 78, 96. Creative Cloud customers are required to keep an active credit card on file with Adobe, which is charged automatically according to the customer’s subscription plan. Id. ¶ 19. In addition, some Creative Cloud customers store their files and work products in Adobe’s “cloud.” E.g., id. ¶ 84. As a result of the popularity of Adobe’s products, Adobe has collected personal information in the form of names, e-mail and mailing addresses, telephone numbers, passwords, credit card numbers and expiration dates from millions of customers. Id. ¶¶ 22, 50-55.

All customers of Adobe products, including Creative Cloud subscribers, are required to accept Adobe’s End-User License Agreements (“EULA”) or General Terms of Use. Id. ¶ 29. Both incorporate Adobe’s Privacy Policy, which provides in relevant part: “[Adobe] provide[s] reasonable administrative, technical, and physical security controls to protect your information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.” (“Agreement”) ECF No. 46-2 at 4. Adobe’s Safe Harbor Privacy Policy, which supplements Adobe’s Privacy Policy, similarly provides that “Adobe . . . uses reasonable physical, electronic, and administrative safeguards to protect your personal information from loss; misuse; or unauthorized access, disclosure, alteration, or destruction.” Compl. ¶ 32. Adobe makes similar representations regarding its security practices on its websites. Id. ¶¶ 33-39.

2. The 2013 Data Breach

In July 2013, hackers gained unauthorized access to Adobe’s servers. Id. ¶ 48. The hackers spent several weeks inside Adobe’s network without being detected. Id. By August 2013, the hackers reached the databases containing customers’ personal information, as well as the source code repositories for Adobe products. Id. The hackers then spent up to several weeks removing customer data and Adobe source code from Adobe’s network, all while remaining undetected. Id. The data breach did not come to light until September, when independent security researchers discovered stolen Adobe source code on the Internet. Id. ¶ 49. Adobe announced the data breach on October 3, 2013. Id. ¶ 50. Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Id. ¶¶ 50-52. Adobe confirmed that the hackers copied the source code for a number of its products, including ColdFusion. Id. ¶ 53. Adobe subsequently disclosed that the hackers were able to use Adobe’s systems to decrypt customers’ credit card numbers, which had been stored in an encrypted form. Id. ¶ 57. The Court will refer to this sequence of events as the “2013 data breach.”

Following the 2013 data breach, researchers concluded that Adobe’s security practices were deeply flawed and did not conform to industry standards. Id. ¶ 59. For example, though customers’ passwords had been stored in encrypted form, independent security researchers analyzing the stolen passwords discovered that Adobe’s encryption scheme was poorly implemented, such that the researchers were able to decrypt a substantial portion of the stolen passwords in short order. Id. ¶ 63. Adobe similarly failed to employ intrusion detection systems, properly segment its network, or implement user or network level system controls. Id. ¶ 62. As a result of the 2013 data breach, Adobe offered its customers one year of free credit monitoring services and advised customers to monitor their accounts and credit reports for fraud and theft. Id. ¶¶ 54, 56.

3. The Plaintiffs

Plaintiffs are customers of Adobe licensed products or Creative Cloud subscribers who provided Adobe with their personal information. Plaintiffs Kar and Page purchased licensed products directly from Adobe and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 77-78, 95-96. Plaintiff McHenry purchased an Adobe licensed product, and provided Adobe with a username and password. Id. ¶¶ 98-99. Plaintiffs Duke, Halpain, and McGlynn subscribed to Adobe’s products, and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 74-75, 83-84, 90. Plaintiffs Duke, Kar, Halpain, and McGlynn are California citizens and residents. Id. ¶¶ 10-12, 14. Adobe informed all Plaintiffs that their personal information had been compromised as a result of the 2013 data breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. Following the 2013 data breach, Plaintiffs Kar and Halpain purchased additional credit monitoring services. Id. ¶¶ 81, 86.

B. Procedural History

The seven cases underlying this consolidated action were filed in this Court between November 2013 and January 2014. See ECF No. 1; Case No. 13-CV-5611, ECF No. 1; Case No. 13-CV-5596, ECF No. 1; Case No. 13-CV-5930, ECF No. 1; Case No. 14-CV-14, ECF No. 1; Case No. 14-CV-30, ECF No. 1; Case No. 14-CV-157, ECF No. 1. The Court related the individual cases in December 2013 and January 2014, ECF Nos. 19, 22, 26,1 and consolidated them on March 13, 2014, ECF No. 34. Plaintiffs filed their Consolidated Complaint on April 4, 2014. ECF No. 39. Adobe filed its Motion to Dismiss on May 21, 2014, ECF No. 45, with an accompanying Request for Judicial Notice, (“Def. May 21 RJN”) ECF No. 46. Plaintiffs filed their Opposition on June 11, 2014, ECF No. 47, with an accompanying Request for Judicial Notice, (“Pl. RJN”) ECF No. 48. Adobe filed its Reply on July 2, 2014, ECF No. 50, along with a second Request for Judicial Notice, (“Def. July 2 RJN”) ECF No. 51.2

1 Unless otherwise noted, all remaining ECF citations refer to Case Number 13-CV-5226.

II. LEGAL STANDARDS

A. Rule 12(b)(1)

A defendant may move to dismiss an action for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1). A motion to dismiss for lack of subject matter jurisdiction will be granted if the complaint on its face fails to allege facts sufficient to establish subject matter jurisdiction. See Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039 n.2 (9th Cir. 2003). If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 101-02 (1998). In considering a Rule 12(b)(1) motion, the Court “is not restricted to the face of the pleadings, but may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction.” McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988). Once a party has moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party bears the burden of establishing the court’s jurisdiction, see Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir. 2010), by putting forth “the manner and degree of evidence required” by whatever stage of the litigation the case has reached, Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992); see also Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir. 2011) (at the motion to dismiss stage, Article III standing is adequately demonstrated through allegations of “specific facts plausibly explaining” why the standing requirements are met).

2 Although a district court generally may not consider any material beyond the pleadings in deciding a Rule 12(b)(6) motion, the Court may take judicial notice of documents referenced in the complaint, as well as matters in the public record, without converting a motion to dismiss into one for summary judgment. See Lee v. City of L.A., 250 F.3d 668, 688-89 (9th Cir. 2001). A matter may be judicially noticed if it is either “generally known within the trial court’s territorial jurisdiction,” or “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b).

Here, Adobe requests that the Court take judicial notice of the transcript of the case management conference hearing held before this Court on March 13, 2014. Def. May 21 RJN Ex. A. This transcript is an appropriate subject for judicial notice, as it is a matter of public record. Adobe also requests that the Court take judicial notice of Adobe’s Privacy Policies of May 7, 2012 and December 20, 2013, id. Exs. B, C; Adobe’s General Terms of Use, id. Ex. D; and the subscription terms for Adobe’s Creative Cloud, id. Ex. E. These documents are referenced and quoted in the Complaint, e.g., Compl. ¶¶ 5, 29, 30-32, 84, 91, 99, 119-120, 129, and the Court may therefore take judicial notice of these documents under the doctrine of incorporation by reference. See, e.g., Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005) (district court may consider “documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the [plaintiff’s] pleading” (alteration in original) (internal quotation marks omitted)). Finally, Adobe requests that the Court take judicial notice of three newspaper articles discussing Adobe’s security problems. Def. July 2 RJN Exs. A, B, C. The Court may take judicial notice of the existence of these reports as indication of what was in the public realm, but not for the veracity of any arguments or facts contained within. See Von Saher v. Norton Simon Museum of Art at Pasadena, 592 F.3d. 954, 960 (9th Cir. 2010). Accordingly, the Court GRANTS Adobe’s Requests for Judicial Notice dated May 21, 2014 and July 2, 2014.

Plaintiffs request that the Court take judicial notice of one of Adobe’s End User License Agreements (“EULA”). Pl. RJN Ex. A. The EULA is referenced in the Complaint, see, e.g., Compl. ¶¶ 29-32, 41, 105, and is publicly available on Adobe’s website. Accordingly, the Court GRANTS Plaintiffs’ Request for Judicial Notice. See Knievel, 393 F.3d at 1076.

B. Rule 8(a)

Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6). The Supreme Court has held that Rule 8(a) requires a plaintiff to plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (internal quotation marks omitted). For purposes of ruling on a Rule 12(b)(6) motion, a court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).

However, the Court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States, 234 F.3d 428, 435 (9th Cir. 2000), and the “[C]ourt may look beyond the plaintiff’s complaint to matters of public record” without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn, 56 F.3d 1128, 1129 n.1 (9th Cir. 1995). Nor is the Court required to “‘assume the truth of legal conclusions merely because they are cast in the form of factual allegations.’” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir. 2011) (per curiam) (quoting W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir. 1981)). Mere “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004); accord Iqbal, 556 U.S. at 678. Furthermore, plaintiffs may plead themselves out of court if they “plead facts which establish that [they] cannot prevail on [their] . . . claim.” Weisbuch v. Cnty. of L.A., 119 F.3d 778, 783 n.1 (9th Cir. 1997) (internal quotation marks and citation omitted).

C. Rule 9(b)

Claims sounding in fraud or mistake are subject to the heightened pleading requirements of Federal Rule of Civil Procedure 9(b), which requires that a plaintiff alleging fraud “must state with particularity the circumstances constituting fraud.” Fed. R. Civ. P. 9(b); see Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir. 2009). To satisfy Rule 9(b)’s heightened standard, the allegations must be “specific enough to give defendants notice of the particular misconduct which is alleged to constitute the fraud charged so that they can defend against the charge and not just deny that they have done anything wrong.” Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985). Thus, claims sounding in fraud must allege “an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations.” Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (per curiam) (internal quotation marks omitted). “The plaintiff must set forth what is false or misleading about a statement, and why it is false.” In re Glenfed, Inc. Sec. Litig., 42 F.3d 1541, 1548 (9th Cir. 1994) (en banc), superseded by statute on other grounds as stated in Ronconi v. Larkin, 253 F.3d 423, 429 n.6 (9th Cir. 2001).

D. Leave to Amend

If the Court determines that the complaint should be dismissed, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “should be freely granted when justice so requires,” bearing in mind that “the underlying purpose of Rule 15 . . . [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (internal quotation marks omitted). Nonetheless, a court “may exercise its discretion to deny leave to amend due to ‘undue delay, bad faith or dilatory motive on part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party . . . , [and] futility of amendment.’” Carvalho v. Equifax Info. Servs., LLC, 629 F.3d 876, 892-93 (9th Cir. 2010) (alterations in original) (quoting Foman v. Davis, 371 U.S. 178, 182 (1962)).

III. DISCUSSION

Plaintiffs assert four causes of action in their Complaint. Adobe seeks dismissal of all four

claims. The Court will address each claim and Adobe’s corresponding objections in turn.

A. Customer Records Act Claim

Plaintiffs’ first cause of action is for injunctive relief on behalf of the California Plaintiffs

for violations of Sections 1798.81.5 and 1798.82 of the California Civil Code (“CRA”).3 The CRA

provides in relevant part that:

A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b). Section 1798.82, for its part, requires businesses to “disclose any

breach of the security of the system following discovery or notification of the breach . . . in the

most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a).

Plaintiffs allege that Adobe did not and does not maintain “reasonable security practices” to protect

customer data, in violation of Section 1798.81.5 of the CRA, and did not promptly notify

3 Adobe refers to Sections 1798.81.5 and 1798.82 as the “California Data Breach Notification Act,” see Mot. at 6, whereas Plaintiffs refer to those sections as the “California Customer Records Act,” see Opp’n at 6. The Court agrees with Plaintiffs that Section 1798.81.5 deals with more than notification in the event of a breach. See Cal. Civ. Code § 1798.81.5(d) (“[T]he purpose of this section is to encourage businesses that own or license personal information about Californians to provide reasonable security for that information.”). Accordingly, the Court will refer to these sections as the Customer Records Act (“CRA”), after the name of the Title under which they appear. See Cal. Civ. Code tit. 1.81 (“Customer Records”).

Case5:13-cv-05226-LHK Document55 Filed09/04/14 Page8 of 41


9 Case No.: 13-CV-05226-LHK ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEM INC.’S MOTION TO DISMISS


United States District Court for the Northern District of California

customers following the 2013 data breach, in violation of Section 1798.82 of the CRA. Compl.

¶¶ 112-113.

Plaintiffs request injunctive relief pursuant to Section 1798.84(e) of the CRA, which

provides that “[a]ny business that violates, proposes to violate, or has violated this title may be

enjoined.” Plaintiffs also base their request for relief on the “unlawful” prong of California’s

Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §§ 17200 et seq., which allows

plaintiffs to “borrow” violations of other laws and treat them as unlawful competition that is

independently actionable. Cel-Tech Commcn’s, Inc. v. L.A. Cellular Tel. Co., 20 Cal. 4th 163, 180

(1999).

Adobe argues that Plaintiffs do not allege injury-in-fact resulting from Adobe’s alleged

violation of the CRA and thus do not have Article III standing to bring their CRA claim. Mot. at 6-7. For the same reasons, Adobe contends that Plaintiffs do not have statutory standing under

Section 1798.84(e), which also requires a showing of injury. Id. As a result, Adobe contends that

Plaintiffs’ CRA claim must be dismissed for lack of jurisdiction. The Court addresses both

contentions in turn, beginning, as it must, with Article III standing.

1. Article III Standing

To have Article III standing, a plaintiff must plead and prove that she has suffered sufficient

injury to satisfy the “case or controversy” requirement of Article III of the United States

Constitution. See Clapper v. Amnesty Int’l USA, --- U.S. ---, 133 S. Ct. 1138, 1146 (2013) (“‘One

element of the case-or-controversy requirement’ is that plaintiffs ‘must establish that they have

standing to sue.’” (quoting Raines v. Byrd, 521 U.S. 811, 818 (1997))). To satisfy Article III

standing, a plaintiff must therefore allege: (1) injury-in-fact that is concrete and particularized, as

well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the

defendant; and (3) that the injury is redressable by a favorable ruling. Monsanto Co. v. Geertson

Seed Farms, 561 U.S. 139, 149 (2010); Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC),

Inc., 528 U.S. 167, 180-81 (2000). “The party invoking federal jurisdiction bears the burden of


establishing these elements . . . with the manner and degree of evidence required at the successive

stages of the litigation.” Lujan, 504 U.S. at 561.

In a class action, named plaintiffs representing a class “must allege and show that they

personally have been injured, not that injury has been suffered by other, unidentified members of

the class to which they belong and which they purport to represent.” Warth v. Seldin, 422 U.S. 490,

502 (1975). “[I]f none of the named plaintiffs purporting to represent a class establishes the

requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or

any other member of the class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974).

In the instant case, Plaintiffs allege that they have all suffered at least one of three types of

cognizable injuries-in-fact: (1) increased risk of future harm; (2) cost to mitigate the risk of future

harm; and/or (3) loss of the value of their Adobe products. Opp’n at 7-11. The Court begins by

assessing the adequacy of Plaintiffs’ alleged injuries. The Court will then address Adobe’s argument

that even if Plaintiffs have Article III standing to bring a claim based on Adobe’s alleged violation

of Section 1798.81.5 (the “reasonable” security measures provision), Plaintiffs do not have

standing to bring a claim based on Adobe’s alleged violation of Section 1798.82 (the notification

provision), because Plaintiffs do not allege that they suffered any particular injury stemming from

Adobe’s failure to reasonably notify Plaintiffs of the 2013 data breach. Mot. at 7.

a. Increased Risk of Harm

Plaintiffs claim that they are all at increased risk of future harm as a result of the 2013 data

breach. Opp’n at 7. Adobe counters that such “increased risk” is not a cognizable injury for Article

III standing purposes. Mot. at 10. The Ninth Circuit addressed Article III standing in the context of

stolen personal information in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). In

Krottner, a thief stole a laptop from Starbucks containing the unencrypted names, addresses, and

social security numbers of roughly 97,000 Starbucks employees. Id. at 1140. Some of the affected

employees subsequently sued Starbucks for negligence and breach of implied contract. Id.

Starbucks argued that the employees did not have standing because there was no indication that

any of the employees’ personal information had been misused or that the employees had suffered


any economic loss as a result of the theft. Id. at 1141-42. The Ninth Circuit disagreed, holding

instead that “the possibility of future injury may be sufficient to confer standing” where the

plaintiff is “immediately in danger of sustaining some direct injury as the result of the challenged

conduct.” Id. at 1142 (alteration omitted) (internal quotation marks omitted). As to the specific

facts before it, the Ninth Circuit held that the Starbucks employees alleged “a credible threat of real

and immediate harm stemming from the theft of a laptop containing their unencrypted personal

data.” Id. at 1143. Based on this “credible threat of real and immediate harm,” the Ninth Circuit

found that the employees “sufficiently alleged an injury-in-fact for purposes of Article III

standing.” Id.

Adobe does not dispute that Krottner is directly on point. See Mot. at 11; Reply at 3.

However, Adobe contends that subsequent Supreme Court authority forecloses the approach the

Ninth Circuit took to standing in Krottner. Reply at 3. Specifically, Adobe claims that the Supreme

Court’s decision in Clapper v. Amnesty International USA expressly rejected “[a]llegations of

possible future injury” as a basis for Article III standing, requiring instead that a “threatened injury

[] be certainly impending to constitute injury in fact.” Mot. at 10 (citing Clapper, 133 S. Ct. at

1147). Adobe argues that following Clapper district courts in data breach cases regularly conclude

that increased risk of future harm is insufficient to confer Article III standing under the “certainly

impending” standard. Id. (citing In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig.

(“SAIC”), --- F. Supp. 2d ---, 2014 WL 1858458 (D.D.C. May 9, 2014); Strautins v. Trustwave

Holdings, Inc., --- F. Supp. 2d ---, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); Galaria v.

Nationwide Mut. Ins. Co., --- F. Supp. 2d ---, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014); Polanco

v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113,

2013 WL 1282980 (N.D. Cal. Mar. 26, 2013)). Adobe claims that the only case to hold otherwise,

In re Sony Gaming Networks & Customer Data Security Breach Litigation, --- F. Supp. 2d ---,

2014 WL 223677 (S.D. Cal. Jan 21, 2014), has been “relegated to a ‘but see’ reference.” Mot. at 11

(citing SAIC, 2014 WL 1858458, at *8). Adobe encourages this Court to conclude that Clapper


implicitly overruled Krottner and to join the district courts that have rejected the “increased risk of

harm” theory of standing in Clapper’s wake. Id. at 10-11. For the following reasons, the Court

declines to do so.

Clapper addressed a challenge to Section 702 of the Foreign Intelligence Surveillance Act

of 1978 (“FISA”), 50 U.S.C. § 1881a. 133 S. Ct. at 1142. Respondents were U.S.-based attorneys,

human rights, labor, legal, and media organizations who alleged that their work required them to

communicate with individuals outside the United States who were likely to be targets of

surveillance under Section 702. Id. at 1145. The respondents asserted injury based on “an

objectively reasonable likelihood that their communications [would] be acquired [under FISA] at

some point in the future.” Id. at 1146. As an initial matter, the Supreme Court held that the

“objectively reasonable likelihood” standard was inconsistent with precedent requiring that

“threatened injury must be certainly impending to constitute injury in fact.” Id. at 1147 (emphasis

added) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). The Supreme Court emphasized

that “allegations of possible future injury are not sufficient.” Id. (internal quotation marks omitted).

Turning to the respondents’ theory of injury, the Supreme Court found that it was both too

speculative to constitute “certainly impending” injury and too attenuated to be “fairly traceable” to

Section 702. Id. at 1147-48.

As the Supreme Court noted, the respondents did not allege that any of their

communications had actually been intercepted, or even that the Government sought to target them

directly. Id. at 1148. Rather, the respondents’ argument rested on the “highly speculative fear” that:

(1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under [Section 702] rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government’s proposed surveillance procedures satisfy [Section 702]’s many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents’ contacts; and (5) respondents will be parties to the particular communications that the Government intercepts

Id. The Supreme Court held that this “highly attenuated” chain of possibilities did not result in a

“certainly impending” injury. Id. The Court observed that the first three steps of the chain


depended on the independent choices of the Government and the Foreign Intelligence Surveillance

Court, yet the respondents could only speculate as to what decision those third parties would take

at each step. Id. at 1149-50 (“[W]e have been reluctant to endorse standing theories that require

guesswork as to how independent decisionmakers will exercise their judgment. . . .”). Moreover,

respondents could not show with any certainty that their communications with the foreign persons

allegedly under surveillance would be intercepted. Id. As a result, the overall chain of inferences

was “too speculative” to constitute a cognizable injury. Id. at 1143.

The Supreme Court acknowledged that its precedents “do not uniformly require plaintiffs to

demonstrate that it is literally certain that the harms they identify will come about” in order to have

standing. Id. at 1150 n.5 (emphasis added). Rather, in some cases, the Supreme Court has found

standing “based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to

reasonably incur costs to mitigate or avoid that harm.” Id. (citing Monsanto, 561 U.S. at 153-54;

Pennell v. City of San Jose, 485 U.S. 1, 8 (1988); Blum v. Yaretsky, 457 U.S. 991, 1000-01 (1982);

Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979)). The Supreme Court declined to overrule that

line of cases. However, the Court concluded in Clapper that “to the extent that the ‘substantial risk’

standard is relevant and is distinct from the ‘clearly impending’ requirement, respondents fall short

of even that standard, in light of the attenuated chain of inferences necessary to find harm here.” Id.

Clapper did not change the law governing Article III standing. The Supreme Court did not

overrule any precedent, nor did it reformulate the familiar standing requirements of injury-in-fact,

causation, and redressability.4 Accord Sony, 2014 WL 223677, at *8-9 (“[T]he Supreme Court’s

decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court’s

decision overrule previous precedent . . . .”). Clapper merely held that the Second Circuit had

strayed from these well-established standing principles by accepting a too-speculative theory of

future injury. See 133 S. Ct. at 1146 (characterizing the Second Circuit’s view of standing as

“novel”).

4 Indeed, the “certainly impending” language can be traced back to a 1923 decision, Pennsylvania v. West Virginia, 262 U.S. 553, 593 (1923), and has been cited numerous times in U.S. Supreme Court cases addressing standing in the intervening decades. See, e.g., Lujan, 504 U.S. at 564 n.2; Whitmore, 495 U.S. at 158; Babbitt, 442 U.S. at 298.

In the absence of any indication in Clapper that the Supreme Court intended a wide-reaching revision to existing standing doctrine, the Court is reluctant to conclude that Clapper

represents the sea change that Adobe suggests. Moreover, Clapper’s discussion of standing arose

in the sensitive context of a claim that other branches of government were violating the

Constitution, and the U.S. Supreme Court itself noted that its standing analysis was unusually

rigorous as a result. Id. at 1147 (“Our standing inquiry has been especially rigorous when reaching

the merits of the dispute would force us to decide whether an action taken by one of the other two

branches of the Federal Government was unconstitutional.” (alteration omitted) (internal quotation

marks omitted)).

“[D]istrict courts should consider themselves bound by [] intervening higher authority and

reject the prior opinion of [the Ninth Circuit] as having been effectively overruled” only when the

intervening higher authority is “clearly irreconcilable with [the] prior circuit authority.” Miller v.

Gammie, 335 F.3d 889, 900 (9th Cir. 2003) (en banc). The Court does not find that Krottner and

Clapper are clearly irreconcilable. Krottner did use somewhat different phrases to describe the

degree of imminence a plaintiff must allege in order to have standing based on a threat of injury,

i.e., “immediate[] [] danger of sustaining some direct injury,” and a “credible threat of real and

immediate harm.” 628 F.3d at 1142-43. On the other hand, Clapper described the harm as

“certainly impending.” 133 S. Ct. at 1147. However, this difference in wording is not substantial.

At the least, the Court finds that Krottner’s phrasing is closer to Clapper’s “certainly impending”

language than it is to the Second Circuit’s “objectively reasonable likelihood” standard that the

Supreme Court reversed in Clapper. Given that Krottner described the imminence standard in

terms similar to those used in Clapper, and in light of the fact that nothing in Clapper reveals an

intent to alter established standing principles, the Court cannot conclude that Krottner has been

effectively overruled.

In any event, even if Krottner is no longer good law, the threatened harm alleged here is

sufficiently concrete and imminent to satisfy Clapper. Unlike in Clapper, where respondents’

claim that they would suffer future harm rested on a chain of events that was both “highly

attenuated” and “highly speculative,” 133 S. Ct. at 1148, the risk that Plaintiffs’ personal data will


be misused by the hackers who breached Adobe’s network is immediate and very real. Plaintiffs

allege that the hackers deliberately targeted Adobe’s servers and spent several weeks collecting

names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card

numbers and expiration dates. Compl. ¶¶ 48, 50. Plaintiffs’ personal information was among the

information taken during the breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. Thus, in contrast to Clapper,

where there was no evidence that any of respondents’ communications either had been or would be

monitored under Section 702, see 133 S. Ct. at 1148, here there is no need to speculate as to

whether Plaintiffs’ information has been stolen and what information was taken.

Neither is there any need to speculate as to whether the hackers intend to misuse the

personal information stolen in the 2013 data breach or whether they will be able to do so. Not only

did the hackers deliberately target Adobe’s servers, but Plaintiffs allege that the hackers used

Adobe’s own systems to decrypt customer credit card numbers. Compl. ¶ 57. Some of the stolen

data has already surfaced on the Internet, and other hackers have allegedly misused it to discover

vulnerabilities in Adobe’s products. Id. ¶¶ 49, 70. Given this, the danger that Plaintiffs’ stolen data

will be subject to misuse can plausibly be described as “certainly impending.” Indeed, the

threatened injury here could be more imminent only if Plaintiffs could allege that their stolen

personal information had already been misused. However, to require Plaintiffs to wait until they

actually suffer identity theft or credit card fraud in order to have standing would run counter to the

well-established principle that harm need not have already occurred or be “literally certain” in

order to constitute injury-in-fact.5 Clapper, 133 S. Ct. at 1150 n.5; see also, e.g., Monsanto, 561

5 The Court further notes that requiring Plaintiffs to wait for the threatened harm to materialize in order to sue would pose a standing problem of its own, because the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not “fairly traceable” to the defendant’s data breach. Indeed, Adobe makes this very argument in its Motion. Specifically, Adobe speculates that Plaintiff Halpain may also have been a victim of recent data breaches involving Target and Neiman Marcus, and thus that Halpain’s allegation that her personal data appeared on “black market websites” is not fairly traceable to Adobe’s 2013 data breach. Mot. at 9 & n.8. This argument fails, given that there is no factual basis for Adobe’s speculation that Halpain was a customer of either Target or Neiman Marcus, let alone that Halpain’s personal data was compromised in data breaches involving these companies.


U.S. at 153-54 (finding that a “substantial risk of gene flow” from genetically engineered alfalfa

crops to non-genetically engineered alfalfa crops was sufficient to confer Article III standing).6

The cases Adobe cites in which district courts have relied on Clapper to dismiss data

breach cases on standing grounds are factually distinct from the present case. In SAIC, the case on

which Adobe most heavily relies, a thief broke into a car in San Antonio, Texas and stole the car’s

GPS and stereo, as well as encrypted backup data tapes containing personal medical information

for over four million U.S. military members and their families. 2014 WL 1858458, at *2. As the

SAIC court found, the thief would need to have recognized the data tapes for what they were,

obtained specialized equipment to read the tapes, broken the encryption protecting the data on the

tapes, and then obtained specialized software to read the data, all before being in any position to

misuse the data. Id. at *6. Such a chain of possibilities, the SAIC court held, was as attenuated as

the chain the Supreme Court rejected in Clapper, especially given the more likely possibility that

the thief had simply sold the GPS and stereo and discarded the data tapes “in a landfill somewhere

in Texas.” Id. The facts of SAIC stand in sharp contrast to those alleged here, where hackers

targeted Adobe’s servers in order to steal customer data, at least some of that data has been

successfully decrypted, and some of the information stolen in the 2013 data breach has already

surfaced on websites used by hackers.

Adobe’s other authorities are similarly distinct. The thief in Polanco also stole a laptop out

of a car. 988 F. Supp. 2d at 456. Again, there was no allegation that the thief targeted the laptop for

the data contained therein, and the plaintiff “essentially concede[d]” that she had not alleged “any

misuse of her [personal information] or [] that she [wa]s now at an increased risk for the misuse of

her information in the future based on the theft of the laptop.” Id. at 467. In both Strautins and

Barnes & Noble, it was unclear if the plaintiffs’ information had been taken at all. 2014 WL

960816, at *6-7; 2013 WL 4759588, at *4. Finally, in Yunker, the plaintiff did not allege that he

6 It is also worth noting that Clapper was decided on summary judgment, see 133 S. Ct. at 1146, which requires that a plaintiff come forward with a greater degree of evidentiary proof to support her standing allegations than is required at the motion to dismiss stage, see Lujan, 504 U.S. at 561.


had provided any sensitive information (such as a credit card number or a social security number)

or that anyone had breached the defendant’s servers. 2013 WL 1282980, at *5.

The case with facts closest to those at issue here is Galaria. In that case, hackers obtained a

variety of personal information, though not credit card information, from the servers of an

insurance company. Galaria, 2014 WL 689703, at *1. The court declined to find standing based on

increased risk of future harm, reasoning that whether plaintiffs would be harmed depended on the

decision of the unknown hackers, who may or may not attempt to misuse the stolen information.

Id. at *6. The Court finds this reasoning unpersuasive—after all, why would hackers target and

steal personal customer data if not to misuse it?—and declines to follow it. Regardless, Galaria’s

reasoning lacks force here, where Plaintiffs allege that some of the stolen data has already been

misused. See Compl. ¶¶ 49, 70.

In sum, the Court finds that Plaintiffs’ allegations of a concrete and imminent threat of

future harm suffice to establish Article III injury-in-fact at the pleadings stage under both Krottner

and Clapper.

b. Cost to Mitigate

In addition, Plaintiffs allege that Plaintiffs Halpain and Kar have standing based on the

reasonable costs they incurred to mitigate the increased risk of harm resulting from the 2013 data

breach. Opp’n at 10; see Compl. ¶¶ 80-81, 86-87 (alleging that Halpain and Kar paid for data

monitoring services). The Supreme Court held in Clapper that plaintiffs “cannot manufacture

standing merely by inflicting harm on themselves based on their fears of hypothetical future harm

that is not certainly impending.” 133 S. Ct. at 1151. In so holding, the Supreme Court rejected the

Clapper respondents’ argument that they had standing because they had taken on costly and

burdensome measures to protect the confidentiality of their communications. Id. Even where the

fear of harm was not “fanciful, paranoid, or otherwise unreasonable,” the Supreme Court noted,

plaintiffs cannot secure a lower standard for standing “simply by making an expenditure based on

[that] fear.” Id.


As this last quote indicates, the Supreme Court’s primary concern was that the Article III

standing standard would be “water[ed] down” if a plaintiff who otherwise lacked standing could

manufacture an injury-in-fact “for the price of a plane ticket.” Id. (internal quotation marks

omitted); accord SAIC, 2014 WL 1858458, at *7 (“Put another way, the [Supreme] Court has held

that plaintiffs cannot create standing by ‘inflicting harm on themselves’ to ward off an otherwise

speculative injury.” (quoting Clapper, 133 S. Ct. at 1151)). Therefore, in order for costs incurred in

an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being

mitigated must itself be imminent.7 As the Court has found that all Plaintiffs adequately alleged

that they face a certainly impending future harm from the theft of their personal data, see supra

Part III.A.1.a, the Court finds that the costs Plaintiffs Halpain and Kar incurred to mitigate this

future harm constitute an additional injury-in-fact.8

For the foregoing reasons, the Court finds that Plaintiffs have plausibly alleged that the

substantial risk of harm Plaintiffs face following the 2013 data breach constitutes a cognizable

injury-in-fact. The costs Plaintiffs Halpain and Kar incurred to mitigate this risk of harm constitute

an additional cognizable injury. The Court further finds that Plaintiffs plausibly allege both that

these injuries are “fairly traceable” to Adobe’s alleged failure to maintain “reasonable” security

measures in violation of Section 1798.81.5 and that the relief sought would redress these injuries.

7 The precise degree of imminence required is somewhat uncertain. While a “certainly impending” risk of future harm would undoubtedly be sufficiently imminent to confer standing on a plaintiff who took costly measures to mitigate that risk, Clapper did not overrule prior cases that have found standing where a plaintiff incurs costs in order to mitigate a risk of harm that is “substantial.” 133 S. Ct. at 1150 n.5 (there can be standing “based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm”). The Clapper Court declined, however, to determine whether a “substantial” risk of future harm is meaningfully different from a “certainly impending” risk of future harm. See id. (“But to the extent that the ‘substantial risk’ standard is relevant and is distinct from the ‘clearly impending’ requirement, respondents fall short of even that standard, in light of the attenuated chain of inferences necessary to find harm here.”). This Court need not resolve whether there is any practical difference between the two formulations either, as the Court finds that Plaintiffs’ allegations meet the “certainly impending” standard.

8 Plaintiffs additionally allege that they suffered economic injury in the form of lost value, both because the software Plaintiffs paid for is now “highly vulnerable to attacks,” and because Plaintiffs Halpain and McGlynn would not have subscribed to Creative Cloud had they known of Adobe’s substandard security practices. See Opp’n at 10. As the Court has already found that all Plaintiffs have Article III standing to pursue their CRA claims based on an increased risk of harm and, in the case of Plaintiffs Halpain and Kar, costs incurred to mitigate that risk of harm, the Court need not address this additional theory of standing.

Case5:13-cv-05226-LHK Document55 Filed09/04/14 Page18 of 41


19 Case No.: 13-CV-05226-LHK ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEM INC.’S MOTION TO DISMISS

United States District Court for the Northern District of California

The Court therefore concludes that Plaintiffs have adequately pleaded that they have Article III standing to bring a CRA claim for violations of Section 1798.81.5.

c. Section 1798.82

Adobe argues that even if Plaintiffs have adequately alleged injury-in-fact stemming from Adobe’s alleged failure to implement reasonable security measures, Plaintiffs have not alleged any injury traceable to Adobe’s alleged failure to reasonably notify customers of the 2013 data breach in violation of Section 1798.82, because Plaintiffs do not allege that they suffered any incremental harm as a result of the delay. Mot. at 7. The Court agrees that Plaintiffs do not allege any harm resulting from the delay in their Complaint, and Plaintiffs do not address this argument in their Opposition except to argue that they have statutory (as opposed to Article III) standing to bring a Section 1798.82 claim. See Opp’n at 11.

Article III’s standing requirements are mandatory and separate from any statutory standing requirements. Article III standing is also claim- and relief-specific, such that a plaintiff must establish Article III standing for each of her claims and for each form of relief sought. See DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352 (2006) (“[O]ur standing cases confirm that a plaintiff must demonstrate standing for each claim he seeks to press.”); id. (“We have insisted . . . that a plaintiff must demonstrate standing separately for each form of relief sought.” (internal quotation marks omitted)). Plaintiffs’ claim that Adobe failed to reasonably notify its customers of the 2013 data breach is distinct from Plaintiffs’ claim that Adobe failed to maintain reasonable data security measures—in that the claims arise under different statutory provisions and challenge different Adobe conduct—and Plaintiffs seek different injunctive relief to remedy each violation. Compare Compl. ¶ 116 (seeking injunction ordering Adobe to implement various security measures), with id. ¶ 117 (seeking injunction ordering Adobe to notify customers affected by the 2013 data breach who have not yet received notice that their data was stolen). Thus, the Court concludes that Plaintiffs must separately establish Article III standing under Section 1798.82. However, by failing to allege any injury resulting from a failure to provide reasonable notification of the 2013 data breach, Plaintiffs have not plausibly alleged that they have standing to pursue a Section 1798.82 claim. Accordingly, the Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ Section 1798.82 claim for lack of Article III standing. Because Plaintiffs may be able to cure this deficiency in an amended complaint, this dismissal is without prejudice.

2. Statutory Standing

The CRA also contains a statutory standing requirement. Section 1798.84, the remedies provision of the CRA, provides that “[a]ny customer injured by a violation of this title may institute a civil action to recover damages,” Cal. Civ. Code § 1798.84(b), and the California Court of Appeal has held that this injury requirement applies “regardless of the remedies [a plaintiff] seek[s],” Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456, 466-67 (2013); accord Murray v. Time Inc., 554 F. App’x 654, 655 (9th Cir. 2014). Therefore, where a plaintiff fails to allege a cognizable injury, the plaintiff “lacks statutory standing” to bring a claim under Section 1798.84, “regardless of whether [the] allegations are sufficient to state a violation of the [statute].” Boorstein, 222 Cal. App. 4th at 467 (internal quotation marks omitted).

Although Section 1798.84 does not define what qualifies as an injury under the statute, other courts in the Ninth Circuit have found that an injury that satisfies Article III’s injury-in-fact standard suffices to establish statutory injury under the CRA. See, e.g., Miller v. Hearst Commc’ns, Inc., No. 12-733, 2012 WL 3205241, at *6 (C.D. Cal. Aug. 3, 2012); Boorstein v. Men’s Journal LLC, No. 12-771, 2012 WL 2152815, at *3-4 (C.D. Cal. June 14, 2012). As Adobe does not contend, and as the Court has no reason to believe, that the CRA’s statutory standing requirements are more stringent than Article III’s, the Court finds that Plaintiffs’ allegations of injury-in-fact satisfy the CRA’s statutory standing requirement for the same reasons these allegations satisfy Article III. See supra Part III.A.1.

In summary, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.81.5. The Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.82 without prejudice.


B. Declaratory Relief

Plaintiffs’ second cause of action is for declaratory relief on behalf of all Plaintiffs. Compl. ¶¶ 118-124. As a preliminary matter, the parties disagree over whether the federal Declaratory Judgment Act, 28 U.S.C. § 2201, applies, as Adobe contends, or if the California Declaratory Relief Act, Cal. Civ. Proc. Code § 1060, applies, as Plaintiffs contend. Compare Reply at 5 n.4, with Opp’n at 14.

The Court finds that the federal Declaratory Judgment Act governs in this case. Although district courts in the Ninth Circuit have at times applied the California Declaratory Relief Act when sitting in diversity, see Valley Forge Ins. Co. v. APL Co. Pte. Ltd., No. 09-9323, 2010 WL 960341, at *4 n.5 (C.D. Cal. Mar. 16, 2010) (citing cases), other district courts apply the federal Act, see, e.g., DeFeo v. Procter & Gamble Co., 831 F. Supp. 776, 779 (N.D. Cal. 1993) (“The propriety of granting declaratory relief in federal court is a procedural matter. . . . Therefore, the Declaratory Judgment Act is implicated even in diversity cases . . . .” (citations omitted)). For its part, the Ninth Circuit has indicated, although not explicitly held, that the federal Declaratory Judgment Act should apply. In Golden Eagle Insurance Co. v. Travelers Cos., 103 F.3d 750, 753 (9th Cir. 1996), overruled on other grounds by Gov’t Emps. Ins. Co. v. Dizol, 133 F.3d 1220 (9th Cir. 1998) (en banc), the Ninth Circuit stated that although “[t]he complaint [plaintiff] filed in state court was for declaratory relief under California’s declaratory relief statute,” “[w]hen [defendant] removed the case to federal court, based on diversity of citizenship, the claim remained one for declaratory relief, but the question whether to exercise federal jurisdiction to resolve the controversy became a procedural question of federal law.” Finally, the U.S. Supreme Court has emphasized the procedural nature of the Declaratory Judgment Act, which further supports the conclusion that the federal Act applies. See Skelly Oil Co. v. Phillips Petroleum Co., 339 U.S. 667, 671 (1950) (“‘[T]he operation of the Declaratory Judgment Act is procedural only.’” (quoting Aetna Life Ins. Co. v. Haworth, 300 U.S. 227, 240 (1937))). The Court will therefore consider Plaintiffs’ declaratory relief claim under the federal Declaratory Judgment Act. In any event, as Plaintiffs acknowledge, whether the state or federal statute applies makes little difference as a practical matter, as the two statutes are broadly equivalent.9 See Opp’n at 14.

The federal Declaratory Judgment Act provides that “[i]n a case of actual controversy within its jurisdiction . . . any court of the United States . . . may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). To fall within the Act’s ambit, the “case of actual controversy” must be “‘definite and concrete, touching the legal relations of parties having adverse legal interests,’ . . . ‘real and substantial’ and ‘admi[t] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.’” MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127 (2007) (alteration in original) (quoting Aetna Life, 300 U.S. at 240-241). Plaintiffs seek a declaration that: (a) Adobe fails to fulfill its existing contractual obligation to provide reasonable security measures; and (b) to comply with its contractual obligations, Adobe must implement specified additional security measures. Compl. ¶ 124.

Adobe moves to dismiss Plaintiffs’ declaratory relief claim on three grounds. First, Adobe asserts that Plaintiffs have not suffered an injury-in-fact and therefore lack standing. Mot. at 13. Second, Adobe contends that what Plaintiffs actually seek is an impermissible advisory opinion that lays the foundation for future litigation, rather than adjudication of an actual controversy between the parties. Id. at 13-14. Third, Adobe argues that Plaintiffs’ declaratory relief claim is actually a breach of contract claim in disguise, and that the claim fails because Plaintiffs have failed to plead all the elements of a breach of contract claim. Id. at 15. The Court addresses each contention in turn.

9 Compare 28 U.S.C. § 2201 (“In a case of actual controversy within its jurisdiction . . . any court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.”), with Cal. Civ. Proc. Code § 1060 (“Any person interested under a written instrument . . . or under a contract . . . may, in cases of actual controversy relating to the legal rights and duties of the respective parties, bring an original action . . . for a declaration of his or her rights and duties . . . . [T]he court may make a binding declaration of these rights or duties, whether or not further relief is or could be claimed at the time.”).


1. Article III Standing

Adobe first claims that, just as the California Plaintiffs fail to allege injury-in-fact for purposes of their CRA claim, the California Plaintiffs fail to allege a cognizable injury-in-fact for purposes of declaratory relief. Mot. at 13; see also Dizol, 133 F.3d at 1222-23 (“A lawsuit seeking federal declaratory relief must first present an actual case or controversy within the meaning of Article III, section 2 of the United States Constitution. . . . It must also fulfill statutory jurisdictional prerequisites.” (citation omitted)). In addition, Adobe claims that the non-California Plaintiffs do not allege any injury whatsoever. Mot. at 13. Adobe argues that therefore none of the Plaintiffs alleges injury-in-fact that is fairly traceable to Adobe’s failure to abide by its contractual obligations. Id.

The Court finds that Plaintiffs have adequately pleaded that they have Article III standing to bring a claim for declaratory relief. First, as discussed above, the Court finds that all Plaintiffs have plausibly alleged that they face a substantial, “certainly impending” risk of harm from the 2013 data breach. See supra Part III.A.1.a. This alleged injury is fairly traceable to Adobe’s failure to abide by its contractual obligation to provide “reasonable . . . security controls,” Agreement at 4, and will plausibly be redressed by the declaratory relief Plaintiffs seek. Accordingly, the Court declines to dismiss Plaintiffs’ declaratory relief claim for lack of Article III standing.

2. Presence of an Actionable Dispute

Adobe next seeks dismissal of Plaintiffs’ declaratory relief claim on the ground that Plaintiffs do not fulfill the Declaratory Judgment Act’s statutory jurisdictional requirements. Adobe contends that there is no actionable dispute over whether Adobe is in breach of its contractual obligation to provide “reasonable . . . security controls,” given that the Agreement expressly provides that no security measure is “100%” effective and that “Adobe cannot ensure or warrant the security of your personal information.” Mot. at 14. Adobe further contends that Plaintiffs do not allege that a declaration of rights is necessary at this time. Id. Adobe asserts that Plaintiffs’ claim is consequently unripe, and is instead a request for an impermissible advisory opinion. Id. Adobe contends that what Plaintiffs actually seek is an advantage for future litigation by obtaining an “advance ruling.” Id.

A claim for relief under the Declaratory Judgment Act requires a dispute that is: (1) “definite and concrete, touching the legal relations of parties having adverse legal interests”; (2) “real and substantial”; and (3) “admit[ting] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.” MedImmune, 549 U.S. at 127 (internal quotation marks omitted). The Supreme Court has admitted that “not . . . the brightest of lines” separates cases that satisfy the statutory jurisdictional requirements and those that do not. Id. The central question, however, is whether “‘the facts alleged, under all the circumstances, show that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.’” Id. (quoting Md. Cas. Co. v. Pac. Coal & Oil Co., 312 U.S. 270, 273 (1941)).

The Court finds that Plaintiffs have adequately alleged the existence of an actionable dispute for purposes of the Declaratory Judgment Act. Plaintiffs have plausibly alleged the existence of a “definite and concrete” dispute over the meaning and the scope of Adobe’s contractual obligation to provide “reasonable” security measures. See Compl. ¶¶ 120-123. According to the Complaint, although “Adobe maintains that its security measures were adequate and remain adequate,” there were in fact a number of standard industry practices that Adobe failed to follow. Id. ¶¶ 62, 123-124. Although Adobe contends that there can be no actionable dispute concerning the adequacy of Adobe’s security controls because the Agreement expressly provides that no security measure is “100%” effective, Mot. at 14, this disclaimer does not relieve Adobe of the responsibility (also contained in the Agreement) to provide “reasonable” security, see Agreement at 4; Compl. ¶ 120.

The remaining jurisdictional prerequisites for a declaratory relief claim are met here as well. The dispute over the reasonableness of Adobe’s security controls touches on the parties’ legal relations, and the parties’ legal interests are adverse. See MedImmune, 549 U.S. at 127. Plaintiffs plausibly allege that they face a substantial risk of future harm if Adobe’s security shortcomings are not redressed, making this dispute sufficiently real and immediate,10 and the dispute underlying Plaintiffs’ declaratory relief claim concerns Adobe’s current security practices, rather than a hypothetical set of acts or omissions.11 See id.

Adobe contends that Plaintiffs seek an impermissible advisory opinion, claiming that Plaintiffs admit that declaratory relief is necessary “only so that users . . . who suffer identity theft . . . will not have to individually re-litigate the technical issue of Adobe’s security obligations.” Mot. at 14 (emphasis removed) (citing Compl. ¶ 5). Adobe is correct that declaratory relief claims brought solely for the purpose of gaining an advantage for future litigation are impermissible. See Calderon v. Ashmus, 523 U.S. 740, 747 (1998). However, Plaintiffs are not seeking an advance ruling on whether Adobe’s security practices in 2013 were reasonable at that time. Rather, the dispute is over Adobe’s current practices. Compl. ¶ 124 (“Plaintiffs . . . seek a declaration [] that Adobe’s existing security measures do not comply with its contractual obligations . . . .” (emphasis added)). Thus, the Court finds that Plaintiffs’ declaratory relief claim does not merely seek an advisory opinion for use in future breach of contract actions.

The Court concludes that Plaintiffs have plausibly alleged that they satisfy the statutory jurisdictional requirements for obtaining declaratory relief. Adobe is not entitled to dismissal of Plaintiffs’ claim on this basis.

10 Adobe contends that Plaintiffs do not allege “any adverse consequences of sufficient immediacy and reality [] in the absence of their requested judicial declarations.” Mot. at 14 (emphasis removed). However, Plaintiffs’ complaint specifically alleges that “Adobe’s customers will remain at risk of attack until the company completely revamps its security practices.” Compl. ¶ 66. Plaintiffs then substantiate this allegation of threatened harm by listing a number of Adobe’s allegedly unreasonable security practices, id. ¶ 62, and identifying previous instances in which Adobe has allegedly inadequately responded to security threats, id. ¶¶ 43, 55.

11 Adobe resists this conclusion on the grounds that the remedial security measures Plaintiffs propose do not take into account the evolving meaning of “reasonable” and are not sufficiently specific or definitive because they refer to “industry standards” and similar undefined terms. Reply at 6. This is unpersuasive. For one thing, the Court is not bound to adopt the precise wording of any potential declaration set forth in a plaintiff’s complaint in deciding how to award declaratory relief, and in any event, Adobe’s objections would not prevent the Court from declaring that Adobe’s current security practices are unreasonable. Such a decree would constitute “specific relief” that would conclusively address the real dispute surrounding the scope of Adobe’s existing contractual obligations.


3. Breach of Contract Claim in “Disguise”

Adobe’s third and final challenge to Plaintiffs’ declaratory relief claim is that Plaintiffs are “seeking a declaration that Adobe has breached its contractual obligations” without having alleged all the elements of a breach of contract claim. Mot. at 15. Relying on Gamble v. GMAC Mortgage Corp., No. 08-5532, 2009 WL 400359 (N.D. Cal. Feb. 18, 2009), and Household Financial Services, Inc. v. Northern Trade Mortgage Corp., No. 99-2840, 1999 WL 782072 (N.D. Ill. Sept. 27, 1999), Adobe contends that Plaintiffs’ claim therefore falls outside the scope of the Declaratory Judgment Act. Id.

Adobe mischaracterizes Plaintiffs’ declaratory relief claim. In both Gamble and Household Financial, the plaintiffs sought a judicial decree stating that the defendants had breached their contractual obligations. Gamble, 2009 WL 400359, at *2 (“[P]laintiffs want the court to issue a declaratory judgment declaring that defendants breached the forbearance agreements”); Household Fin., 1999 WL 782072, at *3 (“Plaintiff does not request the court to clarify the parties’ rights under the loan purchase agreement. Rather, plaintiff requests a judicial declaration that defendant breached the agreement.”). That is not what Plaintiffs seek here. As discussed above, Plaintiffs seek a declaration clarifying Adobe’s ongoing contractual obligation to provide reasonable security. Opp’n at 15; Compl. ¶ 124 (“Plaintiffs . . . seek a declaration [] that Adobe’s existing security measures do not comply with its contractual obligations . . . .” (emphasis added)). Plaintiffs’ claim thus requests precisely the type of relief that the Declaratory Judgment Act is supposed to provide: a declaration that will prevent future harm from ongoing and future violations before the harm occurs. See, e.g., Minn. Min. & Mfg. Co. v. Norton Co., 929 F.2d 670, 673 (Fed. Cir. 1991) (“In promulgating the Declaratory Judgment Act, Congress intended to prevent avoidable damages from being incurred by a person uncertain of his rights and threatened with damage by delayed adjudication.”). As the Court finds that Plaintiffs are not seeking a declaration that Adobe was in breach of a contract at the time of the 2013 data breach, the Court concludes that Plaintiffs are not required to plead the elements of a breach of contract claim. The Court therefore declines to dismiss Plaintiffs’ declaratory relief claim on this basis.


For the foregoing reasons, the Court finds that Plaintiffs have plausibly pleaded that they fulfill both Article III’s standing requirements and the statutory jurisdictional requirements of the Declaratory Judgment Act. The Court also finds that Plaintiffs have plausibly stated a claim for declaratory relief. Accordingly, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ declaratory relief claim.

C. UCL Injunction Claim

Plaintiffs’ third cause of action is for injunctive relief under the UCL on behalf of all Plaintiffs (“UCL injunction claim”). See Compl. ¶¶ 125-132. The UCL creates a cause of action for business practices that are: (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code §§ 17200 et seq. The UCL’s coverage is “sweeping,” and its standard for wrongful business conduct is “intentionally broad.” In re First Alliance Mortg. Co., 471 F.3d 977, 995 (9th Cir. 2006) (internal quotation marks omitted). Each prong of the UCL provides a separate and distinct theory of liability. Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). To assert a UCL claim, a private plaintiff must have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) (quoting Cal. Bus. & Prof. Code § 17204). Plaintiffs assert claims under both the “unfair” and “unlawful” prongs of the UCL. Compl. ¶ 126.

Adobe seeks dismissal of Plaintiffs’ UCL injunction claim on three grounds. First, Adobe contends that Plaintiffs lack standing to bring this claim. Mot. at 16. Second, Adobe contends that Plaintiffs impermissibly seek a contract remedy without bringing a breach of contract claim. Id. Finally, Adobe contends that Plaintiffs have failed to allege any conduct that is unfair or unlawful within the meaning of the UCL. Id. The Court addresses each of Adobe’s contentions below.

1. Standing

Adobe argues that, just as with Plaintiffs’ CRA and declaratory relief claims, Plaintiffs lack Article III standing to bring their UCL injunction claim because no Plaintiff has suffered an injury-in-fact. Id. For the same reason, Adobe contends that Plaintiffs lack statutory standing to bring a claim under the UCL. Id. The Court finds that Plaintiffs have Article III standing to bring their UCL injunction claim for the same reasons that Plaintiffs have Article III standing to bring their CRA and declaratory relief claims. See supra Part III.A.1; Part III.B.1.

Adobe further argues that Plaintiffs lack statutory standing under the UCL. Mot. at 16. In order to establish standing for a UCL claim, plaintiffs must show they personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330 (2011). “There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.” Id. at 323.

Four of the six Plaintiffs allege they personally spent more on Adobe products than they would have had they known Adobe was not providing the reasonable security Adobe represented it was providing. See Compl. ¶ 79 (“Had Mr. Kar known that Adobe’s security practices were inferior to industry standard security practices, he would not have purchased [a] license online . . . .”); id. ¶ 84 (“Had Ms. Halpain known that Adobe employed substandard security practices, she would not have subscribed to the Creative Cloud service.”); id. ¶ 91 (“Had Ms. McGlynn known that Adobe employed substandard security practices, she would not have subscribed to the Creative Cloud Service.”); id. ¶¶ 98-99 (“McHenry purchased Adobe Illustrator . . . for approximately $579.99 . . . . [He] relied on Adobe’s Privacy Policy and believed that Adobe would provide reasonable security . . . .”). Only Plaintiffs Duke and Page do not allege this or any other UCL injury.

The Court finds plausible Plaintiffs Kar, Halpain, McGlynn, and McHenry’s allegations that they relied on Adobe’s representations regarding security to their detriment. The parties agree that every Plaintiff was required to accept Adobe’s Privacy Policy before creating an account or providing Adobe with their personal information. Compl. ¶¶ 31-32; Mot. at 3. In that policy, Adobe represented that it would provide reasonable measures to protect customers’ personal identifying and financial information. See Mot. at 12. It is also plausible that a company’s reasonable security practices reduce the risk of theft of customers’ personal data and thus that a company’s security practices have economic value. See Kwikset, 51 Cal. 4th at 330 (Plaintiffs can establish UCL standing by alleging they paid more than they actually valued the product); see also In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1072 (N.D. Cal. 2012) (finding UCL standing was adequately pleaded where plaintiffs claimed they paid more for iPhones than they would if they had known of defendant’s alleged misrepresentations or omissions).

Accordingly, the Court finds that Plaintiffs Kar, Halpain, McGlynn, and McHenry have plausibly pleaded that they have standing to bring their UCL injunction claim. Plaintiffs Duke and Page, however, have not, though the Court cannot conclude they would be unable to cure this deficiency in an amended complaint. Accordingly, the Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ UCL injunction claim as to Plaintiffs Duke and Page without prejudice. As to the remaining Plaintiffs, Adobe is not entitled to dismissal of Plaintiffs’ UCL injunction claim on the basis of standing.

2. Contract Remedy

Adobe additionally argues that Plaintiffs’ UCL injunction claim, like Plaintiffs’ declaratory relief claim, is actually a contract claim in disguise. Mot. at 17. Specifically, Adobe claims that the UCL injunction claim is, in reality, a claim for specific performance of the Agreement. Id. (“Plaintiffs’ claim . . . is that Adobe should be ordered to ‘honor the terms of its contracts’ . . . . Thus, what Plaintiffs seek is the contract remedy of specific performance.” (quoting Compl. ¶ 129)). As specific performance is a contract remedy, Adobe contends that Plaintiffs need to plead a breach of contract claim in order to seek specific performance. Id. (citing Forever 21, Inc. v. Nat’l Stores Inc., No. 12-10807, 2014 WL 722030, at *5 (C.D. Cal. Feb. 24, 2014); Guidiville Rancheria of Cal. v. United States, --- F. Supp. 2d ---, 2013 WL 6512788, at *13 (N.D. Cal. Dec. 12, 2013)). Plaintiffs have not done so, and thus Adobe contends that Plaintiffs’ UCL injunction claim fails as a matter of law. Id.

Plaintiffs acknowledge that they have not pleaded a breach of contract claim. Opp’n at 21. Nevertheless, Plaintiffs contend that their request for an injunction is just that—a request for an injunction under the UCL, not one for the contract remedy of specific performance. Id. As Plaintiffs are not seeking a contract remedy, Plaintiffs contend they do not need to plead the elements of breach of contract. Id.

The Court agrees with Plaintiffs that their request is indeed a request for an injunction under the UCL, and not one for specific performance. Plaintiffs do not allege that Adobe violated the UCL solely on the grounds that Adobe failed to “honor the terms of its contracts.” See Compl. ¶¶ 128-131. While Plaintiffs do allege “systematic breach of [] contracts” as one of Adobe’s allegedly unlawful practices, Plaintiffs also allege that Adobe’s actions are independently unlawful because they violate the duty California imposes on businesses to reasonably safeguard customers’ data under the CRA. Compl. ¶ 130; accord Opp’n at 21 (“Adobe’s duties arose from promises it made in its contracts and elsewhere, and from statute.” (emphasis added)). The Court has already determined that Plaintiffs have standing to bring claims under this statute. See supra Part III.A. Thus, contrary to Adobe’s assertion, Plaintiffs have alleged a basis for a UCL violation other than breach of contract. The Court therefore concludes that Plaintiffs’ request is for an injunction to remedy Adobe’s alleged UCL violations, and not to remedy an unalleged breach of contract.

3. Unlawful or Unfair

Adobe further challenges Plaintiffs’ UCL injunction claim on the ground that Plaintiffs do not plead any “unlawful” or “unfair” conduct that violates the UCL. Mot. at 18-19. The Court first considers Plaintiffs’ “unlawful” allegations, then turns to Plaintiffs’ “unfair” allegations.

a. Unlawful

The “unlawful” prong of the UCL prohibits “anything that can properly be called a business practice and that at the same time is forbidden by law.” Cel-Tech, 20 Cal. 4th at 180 (internal quotation marks omitted). By proscribing “any unlawful” business practice, the UCL permits injured consumers to “borrow” violations of other laws and treat them as unlawful competition that is independently actionable. Id. As predicates for their claim under the UCL’s “unlawful” prong, Plaintiffs allege that Adobe: (1) violated the CRA, (2) systematically breached contracts, and (3) “failed to comport with a reasonable standard of care and California public policy” as embodied in a number of California statutes. Compl. ¶ 130 (citing the CRA, the Online Privacy Protection Act (“OPPA”), Cal. Bus. & Prof. Code § 22576, and the Information Practices Act (“IPA”), Cal. Civ. Code §§ 1798 et seq.).

Adobe argues that none of these allegations are adequate to sustain a UCL claim. As to Plaintiffs’ CRA allegation, Adobe contends that because Plaintiffs lack standing to bring a CRA claim, Plaintiffs similarly lack standing to pursue a UCL claim premised on a violation of the CRA. Mot. at 18. However, the Court has found that Plaintiffs do have standing to bring their CRA claim, and thus standing presents no barrier to Plaintiffs’ efforts to base their UCL unlawful claim on Adobe’s alleged violation of the CRA. Accordingly, the Court finds that Plaintiffs have adequately alleged unlawful conduct that may serve as a basis for a claim under the UCL’s unlawful prong, and Adobe is therefore not entitled to dismissal of the UCL unlawful claim on this basis. Because Adobe’s alleged CRA violation is sufficient to sustain Plaintiffs’ UCL unlawful claim, the Court need not address Adobe’s arguments concerning Plaintiffs’ additional allegations of unlawful conduct.

b. Unfair

The “unfair” prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143 (2003). “The UCL does not define the term ‘unfair.’ . . . [And] the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among California courts.” Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (citing Lozano, 504 F.3d at 735). Nevertheless, there are at least two possible tests: (1) the “tethering test,” which requires “that the public policy which is a predicate to a consumer unfair competition action under the ‘unfair’ prong of the UCL must be tethered to specific constitutional, statutory, or regulatory provisions,” and (2) the “balancing test,” which examines whether the challenged business practice is “immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers and requires the court to weigh the utility of the defendant’s conduct against the gravity of the harm to the alleged victim.”[12] Drum v. San Fernando Valley Bar Ass’n, 182 Cal. App. 4th 247, 257 (2010).

As predicates for their claim under the UCL’s “unfair” prong, Plaintiffs allege that Adobe’s conduct fails the “balancing test” because the conduct was “immoral, unethical, . . . or substantially injurious” and caused harm that outweighed the conduct’s utility. Compl. ¶ 131. Plaintiffs further allege that Adobe’s conduct fails the “tethering test” because the conduct violated public policy as embodied in the CRA, the OPPA, and the IPA. Id.

Adobe contends that Plaintiffs’ claim under the “balancing test” is “conclusory and formulaic.” Mot. at 19. Specifically, Adobe claims that Plaintiffs do not allege any injuries stemming from Adobe’s allegedly unfair conduct and thus that there is no “harm” to balance against any “utility.” Reply at 9-10. As to the “tethering test,” Adobe contends that Plaintiffs’ allegations fail because Plaintiffs do not allege any violations of the OPPA or the IPA, Mot. at 19, or any effects that are “comparable to . . . a violation of” those statutes, Reply at 9 (quoting Cel-Tech, 20 Cal. 4th at 187).

Adobe’s argument that Plaintiffs’ “balancing test” allegations are insufficient is unpersuasive. Adobe appears to object that Plaintiffs do not allege any injuries resulting from Adobe’s allegedly unfair conduct in the precise paragraph of the Complaint asserting a claim under the “balancing test.” Mot. at 19. However, while Plaintiffs are required to plead enough facts in support of their claims, the pleading standard is not so rigid as to insist that each count repeat every factual allegation. Rather, the complaint must be specific and clear enough as a whole such that the Court can evaluate the plausibility of each claim and the defendant is placed on notice as to the basis for the plaintiff’s claims. See, e.g., McVicar v. Goodman Global, Inc., --- F. Supp. 2d ---, 2014 WL 794585, at *7 (C.D. Cal. Feb. 25, 2014) (“[T]he thrust of [defendant’s] argument is simply to point out that under the section entitled ‘Count One: Violation of [the UCL],’ the [plaintiffs] do not specifically reference the other sections of the Complaint that identify unlawful business practices. . . . The UCL does not create such a formalistic pleading requirement.”). Elsewhere in the Complaint, Plaintiffs allege that Adobe’s conduct placed Plaintiffs at a substantial risk of future harm and caused Plaintiffs to overpay for Adobe products and services. See, e.g., Compl. ¶¶ 67-73, 139. The Court has already found that these allegations of injury are sufficient for Plaintiffs to have standing to bring their UCL injunction claim. See supra Part III.C.1. For the same reasons, the Court finds that Plaintiffs have set forth enough factual allegations of injury to bring a claim under the “balancing test.”

[12] In Williamson v. Reinalt-Thomas Corp., No. 11-3548, 2012 WL 1438812, at *11 (N.D. Cal. Apr. 25, 2012), this Court recognized that the “balancing test” is sometimes construed as two separate tests. In Williamson, this Court noted that some California appellate courts have interpreted the balancing test to require only that a court “weigh the utility of the defendant’s conduct against the gravity of the harm to the alleged victim.” S. Bay Chevrolet v. Gen. Motors Acceptance Corp., 72 Cal. App. 4th 861, 886 (1999). On the other hand, other appellate state courts have applied a slightly different version of the balancing test, which mandates that plaintiffs show that a practice is “immoral, unethical, oppressive, unscrupulous, or substantially injurious to consumers.” Bardin v. Daimlerchrysler Corp., 136 Cal. App. 4th 1255, 1260 (2006).

Turning to the “tethering test,” the Court notes that contrary to Adobe’s assertion, Plaintiffs do not need to plead any direct violations of a statute to bring a claim under the UCL’s unfair prong. Instead, Plaintiffs need merely to show that the effects of Adobe’s conduct “are comparable to or the same as a violation of the law, or otherwise significantly threaten[] or harm[] competition.” Cel-Tech, 20 Cal. 4th at 187. Plaintiffs argue that the OPPA, the IPA, and the CRA collectively reflect California’s public policy of “protecting customer data.” Opp’n at 20. The Court agrees that California legislative intent is clear on this point, and thus finds that Plaintiffs have adequately alleged that Adobe’s conduct is “comparable” to a violation of law. See, e.g., Cal. Civ. Code § 1798.1 (“The Legislature declares that . . . all individuals have a right of privacy in information pertaining to them. . . . The increasing use of computers . . . has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.”); Cal. Civ. Code § 1798.81.5(a) (“It is the intent of the Legislature to ensure that personal information about California residents is protected.”); Cal. Bus. & Prof. Code § 22578 (explaining that the Legislature’s intent was to have a uniform policy state-wide regarding privacy policies on the Internet). Accordingly, the Court concludes that Plaintiffs have pleaded adequate facts to bring a claim under the “tethering test” of the UCL’s “unfair” prong.

In sum, the Court concludes that Plaintiffs Duke and Page have not adequately pleaded that they have standing to bring a claim under the UCL. The Court therefore GRANTS Adobe’s Motion to Dismiss this claim as to Plaintiffs Duke and Page without prejudice. However, the Court finds that Plaintiffs Halpain, McGlynn, Kar, and McHenry have adequately pleaded both standing and the necessary elements to bring their UCL injunction claim. Accordingly, the Court DENIES Adobe’s Motion to Dismiss this claim as to those Plaintiffs.

D. UCL Restitution Claim

Plaintiffs’ fourth and final cause of action is for restitution under the UCL on behalf of purchasers of Adobe’s ColdFusion and Creative Cloud products and services (“UCL restitution claim”). See Compl. ¶¶ 133-140. Plaintiffs assert claims under both the “fraudulent” and “unfair” prongs of the UCL on the basis that Adobe “fail[ed] to disclose that it does not enlist industry standard security practices.” Compl. ¶ 135. Adobe objects to Plaintiffs’ UCL restitution claim on three grounds. First, Adobe contends that the proposed representatives of a restitution class, Plaintiffs Halpain and McGlynn, lack standing to represent ColdFusion customers as both allege only that they subscribed to Creative Cloud. Mot. at 20. Second, Adobe contends that Plaintiffs have not adequately pleaded an omission under the “fraudulent” prong of the UCL. Id. Third, Adobe contends that Plaintiffs have not adequately pleaded a claim under the “unfair” prong of the UCL. Id. at 25.

1. Standing to Bring Restitution Claims for ColdFusion Customers

Some courts reserve the question of whether plaintiffs may assert claims based on products they did not buy until ruling on a motion for class certification. See, e.g., Forcellati v. Hyland’s, Inc., 876 F. Supp. 2d 1155, 1161 (C.D. Cal. 2012); Cardenas v. NBTY, Inc., 870 F. Supp. 2d 984, 992 (E.D. Cal. 2012). Others “hold that a plaintiff may have standing to assert claims for unnamed class members based on products he or she did not purchase so long as the products and alleged misrepresentations are substantially similar.” Miller v. Ghirardelli Chocolate Co., 912 F. Supp. 2d 861, 869 (N.D. Cal. 2012) (citing cases); see also, e.g., Colucci v. ZonePerfect Nutrition Co., No. 12-2907, 2012 WL 6737800, at *4 (N.D. Cal. Dec. 28, 2012); Astiana v. Dreyer’s Grand Ice Cream, Inc., No. 11-2910, 2012 WL 2990766, at *11-13 (N.D. Cal. July 20, 2012). Still other courts have dismissed claims for lack of standing when the plaintiff did not purchase the product on which the claim is based. See, e.g., Granfield v. NVIDIA Corp., No. 11-5403, 2012 WL 2847575, at *6 (N.D. Cal. July 11, 2012) (“[W]hen a plaintiff asserts claims based both on products that she purchased and products that she did not purchase, claims relating to products not purchased must be dismissed for lack of standing.”); Carrea v. Dreyer’s Grand Ice Cream, Inc., No. 10-1044, 2011 WL 159380, at *3 (N.D. Cal. Jan. 10, 2011), aff’d on other grounds, 475 F. App’x 113 (9th Cir. 2012).

This Court has previously applied the “substantially similar” approach and will do so again here. E.g., Werdebaugh v. Blue Diamond Growers, No. 12-2724, 2013 WL 5487236, at *12 (N.D. Cal. Oct. 2, 2013); Brazil v. Dole Food Co., No. 12-1831, 2013 WL 5312418, at *7 (N.D. Cal. Sept. 23, 2013). Under this approach, both the products themselves and the misrepresentations the plaintiff challenges must be similar, though not identical. In this case, the misrepresentations and omissions at issue are the same for both ColdFusion and Creative Cloud, as all Adobe products are governed by the same privacy policy. See Compl. ¶¶ 29-32. Adobe contends, however, that ColdFusion and Creative Cloud are sufficiently dissimilar as products that Plaintiffs lack standing to assert claims as to ColdFusion. Drawing from the Complaint, Adobe identifies the following differences between the two products: (1) ColdFusion is license-based whereas Creative Cloud is subscription-based; (2) customers use ColdFusion to build dynamic web sites whereas Adobe uses Creative Cloud to sell software subscriptions; and (3) ColdFusion costs up to several thousand dollars per license whereas Creative Cloud plans cost “between $19.99 and $79.99” a month. Mot. at 20 n.11 (citing Compl. ¶¶ 19-20). The Court notes, however, that Plaintiff Halpain alleges that she uses Creative Cloud to build websites, Compl. ¶ 89, thus suggesting that both Creative Cloud and ColdFusion can be used for website development. Therefore, assuming the Complaint’s allegations are true, as the Court must on a motion to dismiss, the Court is not persuaded by Adobe’s second-identified difference.

The Court finds that the remaining two differences between ColdFusion and Creative Cloud are not significant enough to prevent the products from being “substantially similar” for purposes of the claims alleged here. Plaintiffs’ theory of harm for their UCL restitution claim is that ColdFusion and Creative Cloud are “heavily security-dependent” products that Plaintiffs either would not have purchased or for which Plaintiffs would not have paid as much had Plaintiffs known the truth about Adobe’s inadequate security practices. Opp’n at 17; Compl. ¶¶ 136-139. Neither the cost of a product nor whether the product is license- or subscription-based is relevant to the inquiry here, i.e., whether purchasers of the products valued security, and thus whether they overpaid for their Adobe products in light of Adobe’s alleged misrepresentations and omissions regarding security. This distinguishes this case from cases applying the substantially similar approach in the food mislabeling context, where differences in the products could be expected to have an impact on whether the customer purchased the product in reliance on the defendant’s misrepresentations. See, e.g., Larsen v. Trader Joe’s Co., No. 11-5188, 2012 WL 5458396, at *1, 4 (N.D. Cal. June 14, 2012) (plaintiffs lacked standing to challenge label statements on products plaintiffs did not purchase where products at issue were as disparate as cinnamon rolls, ricotta cheese, apple juice, and sandwich cookies). Accordingly, the Court concludes that Plaintiffs have pleaded sufficient facts to establish that Plaintiffs Halpain and McGlynn, the proposed representatives of a restitution class, have standing to assert claims related to both Creative Cloud and ColdFusion.

2. Fraudulent

For an omission to be actionable under the UCL, “the omission must be contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose.” Daugherty v. Am. Honda Motor Co., 144 Cal. App. 4th 824, 835 (2006); see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal. App. 4th 1544, 1557 (2007) (“[A] failure to disclose a fact one has no affirmative duty to disclose is [not] ‘likely to deceive’ anyone within the meaning of the UCL.” (quoting Daugherty, 144 Cal. App. 4th at 838)). The California Courts of Appeal have held that there are four circumstances in which a duty to disclose may arise: “(1) when the defendant is the plaintiff’s fiduciary; (2) when the defendant has exclusive knowledge of material facts not known or reasonably accessible to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when the defendant makes partial representations that are misleading because some other material fact has not been disclosed.” Collins v. eMachines, Inc., 202 Cal. App. 4th 249, 255 (2011). “[A] fact is deemed ‘material,’ and obligates an exclusively knowledgeable defendant to disclose it, if a ‘reasonable [consumer]’ would deem it important in determining how to act in the transaction at issue.” Id. at 256 (citing Engalla v. Permanente Med. Grp., Inc., 15 Cal. 4th 951, 977 (1997)). Plaintiffs claim that Adobe had exclusive knowledge of the fact that its security practices fell short of industry standards, and that this fact was material. Opp’n at 17-18. Accordingly, Plaintiffs claim that Adobe had a duty to disclose this fact, and that Adobe’s failure to do so is an actionable omission under the UCL. Id.

Adobe does not dispute that facts regarding its security practices are material. Rather, Adobe contends that Adobe did not have exclusive knowledge of its security practices because Adobe’s security shortcomings were widely reported in the press before the 2013 data breach. Mot. at 21-22; Reply at 11-13. Specifically, Adobe notes that its security problems were detailed in articles published by CNN Money, the New York Times, the Wall Street Journal, and Reuters, Reply at 12, and further that Plaintiffs knew of these reports, id. (noting that the original individual complaints cite some of these reports); see Compl. ¶¶ 42-46 (listing security problems prior to the 2013 data breach under the heading “Adobe’s Abysmal Security Record”). Adobe notes that courts in other cases have found that defendants did not have “exclusive knowledge” of the alleged omission when the allegedly omitted fact was widely reported in similarly reputable news sources. Reply at 11-12 (citing Herron v. Best Buy Co., 924 F. Supp. 2d 1161, 1175-76 (E.D. Cal. 2013) (finding that defendants did not have exclusive knowledge of battery testing conditions when those conditions had been reported in Newsweek); Gray v. Toyota Motor Sales, U.S.A., No. 08-1690, 2012 WL 313703, at *8 (C.D. Cal. Jan. 23, 2012) (finding that defendant did not have exclusive knowledge of discrepancy between EPA estimate of car’s gas mileage and real-world results when discrepancy was reported in Consumer Reports and USA Today)). Adobe contends that “as a matter of law and logic,” Adobe could not have exclusive knowledge of the fact that it “had not implemented several industry-standard security measures.” Id. at 11 (internal quotation marks omitted).


The Court is not convinced. It is one thing to have a poor reputation for security in general, but that does not mean that Adobe’s specific security shortcomings were widely known. None of the press reports Adobe identifies discusses any specific security deficiencies, and Plaintiffs expressly allege that the extent of Adobe’s security shortcomings were revealed only after the 2013 data breach. Compl. ¶ 59. Given that prior reports of Adobe’s security problems were highly generic, the Court cannot say that Adobe did not have exclusive knowledge of its failure to implement industry-standard security measures.[13] Furthermore, the exact nature of what was in the public domain regarding Adobe’s security practices is a question of fact not properly resolved on a motion to dismiss.

Adobe further argues that even if Plaintiffs identify an actionable omission, Plaintiffs cannot allege that they relied on that omission, as is required for a claim under the “fraudulent” prong of the UCL. Mot. at 23 (citing In re Facebook PPC Adver. Litig., No. 09-3043, 2010 WL 3341062, at *9 (N.D. Cal. Aug. 25, 2010)). Adobe reasons that both Halpain and McGlynn could have cancelled their subscriptions to Creative Cloud upon learning of Adobe’s security deficiencies. Mot. at 24. Neither did so, and indeed, Halpain re-subscribed to Creative Cloud after her subscription had terminated. Id. Adobe argues that Plaintiffs’ actions are therefore inconsistent with their allegations that they would not have subscribed to Creative Cloud had they known of Adobe’s security deficiencies. Id. (citing Noll v. eBay, Inc., No. 11-4585, 2013 WL 2384250, at *4 (N.D. Cal. May 30, 2013)).

The Court disagrees. Plaintiffs allege that they would not have subscribed to Creative Cloud in the first instance had they known of Adobe’s allegedly unsound security practices. Compl. ¶¶ 84, 91. Having invested time, money, and energy in Creative Cloud, however, Plaintiffs allege that the costs to switch to another product—which include early cancellation fees, id. ¶¶ 88, 93—are now too high to justify abandoning their Creative Cloud subscriptions. See Opp’n at 19 (citing Compl. ¶ 137). This is a plausible allegation. Moreover, a plaintiff need not allege that a product became totally worthless to her once the defendant’s misrepresentation came to light in order to plead actionable reliance. Rather, it is enough to allege that the product is worth less to the plaintiff in light of the misrepresentation. See Kwikset, 51 Cal. 4th at 330 (plaintiff may establish reliance by alleging that she “paid more than . . . she actually valued the product”). Thus, Plaintiffs need not have concluded that Creative Cloud is completely worthless, and thus have canceled their subscriptions, in order to have detrimentally relied on Adobe’s alleged misrepresentations or omissions regarding security.[14] Accordingly, the Court finds that Plaintiffs have not pleaded themselves out of court by alleging that they did not cancel their Creative Cloud subscriptions upon learning of Adobe’s omissions regarding security.

[13] Adobe’s reliance on Herron and Gray is misplaced. In both those cases, the press had widely reported the exact omission for which the plaintiffs sought to hold the defendant liable. See Herron, 924 F. Supp. 2d at 1175-76 (no actionable omission where both the defendant and the press had reported the testing conditions used to measure a laptop’s battery life); Gray, 2012 WL 313703, at *8 (no actionable omission where press reported that the EPA’s gas mileage estimates for the Toyota Prius were significantly higher than real-world experience). There is no such specificity here.

For these reasons, the Court concludes that Plaintiffs have adequately pleaded that Adobe had a duty to disclose that its security practices were not up to industry standards, that this omission was material, and that Plaintiffs relied on this omission to their detriment. Thus, Plaintiffs have adequately pleaded their UCL restitution claim under the UCL’s “fraudulent” prong, and Adobe is not entitled to dismissal of this claim.

3. Unfair

Plaintiffs also assert two claims under the UCL’s “unfair” prong for their UCL restitution claim. First, Plaintiffs allege that Adobe’s competition invested in industry-standard security practices, and therefore Adobe gained an unfair competitive advantage to the extent that Adobe did not. Compl. ¶ 138. Plaintiffs contend that this conduct was “unethical, unscrupulous, and substantially injurious.” Id. Second, Plaintiffs allege that Adobe’s conduct undermined California public policy as embodied in the OPPA, the IPA, and the CRA. Id.

[14] Adobe’s authority is not to the contrary. In Noll, the plaintiffs alleged that defendant eBay failed to disclose that listing fees automatically recurred every 30 days. 2013 WL 2384250, at *2. Critically, the Noll plaintiffs did not allege that they would incur any costs, direct or hidden, if they cancelled their listings. Id. Yet the Noll plaintiffs continued to pay the listing fees even after they discovered that the fees recurred automatically. Id. Their behavior after discovering the omission was therefore exactly the same as their behavior before they knew of the omission, logically foreclosing any allegations of reliance. Id. at *4. Here, in contrast, Plaintiffs plausibly allege that they faced costs to cancelling their subscriptions and to not re-subscribing that they did not face when deciding whether to subscribe to Creative Cloud in the first place.

Adobe’s objection to these claims again is that Plaintiffs did not include all of the factual allegations supporting these claims in the section of the Complaint that lays out the UCL restitution claim. See Mot. at 25; Reply at 15. As previously discussed, see supra Part III.C.3.b., the pleading standard does not require that every factual allegation needs to be repeated for every cause of action, e.g. McVicar, 2014 WL 794585, at *7. Elsewhere in the Complaint, Plaintiffs identify a number of specific industry-standard security measures that Adobe allegedly did not implement, Compl. ¶ 62, and allege that Adobe’s competitors did invest in these measures, id. ¶ 138; see also id. ¶ 60 (“[C]ompanies like Adobe that do business with major financial institutions or credit card issues must certify that their security measures and protocols are compliant with [an industry standard].”). Plaintiffs therefore plausibly allege that Adobe gained an unfair competitive advantage by not spending money on security the way its competitors did. Plaintiffs also plausibly allege that they were injured by Adobe’s conduct in that they overpaid for Adobe products as a result. Id. ¶ 139.

Adobe also repeats the argument that Plaintiffs’ “public policy” allegations are flawed because Plaintiffs do not plead violations of the OPPA, the IPA, and the CRA. Mot. at 25. As previously discussed, see supra Part III.C.3.b, the “unfair” prong does not require Plaintiffs to plead direct violations of these statutes. Instead, the Court has already found that Plaintiffs plausibly allege that the OPPA, the IPA, and the CRA reflect California’s policy objective of reasonably securing customer data. See supra Part III.C.3.b. Plaintiffs further plausibly allege that Adobe’s purported failure to provide industry-standard security undermines that policy objective. The Court therefore finds that Plaintiffs have pleaded with sufficient specificity all the necessary elements of a claim under the UCL’s “unfair” prong for their UCL restitution claim, and Adobe is not entitled to dismissal of the claim on that basis.

For the foregoing reasons, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ UCL restitution claim.


IV. CONCLUSION

For the reasons discussed above, the Court:

1. GRANTS Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.82 without prejudice;

2. GRANTS Adobe’s Motion to Dismiss Plaintiffs’ UCL injunction claim as to Plaintiffs Duke and Page without prejudice; and

3. DENIES the remainder of Adobe’s Motion to Dismiss.

Should Plaintiffs elect to file a Second Amended Complaint curing the deficiencies identified herein, Plaintiffs shall do so within thirty days of the date of this Order. Failure to meet the thirty-day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Plaintiffs may not add new causes of action or parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.

IT IS SO ORDERED.

Dated: September 4, 2014 _________________________________ LUCY H. KOH United States District Judge


UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION

HILARY REMIJAS, MELISSA FRANK, DEBBIE FARNOUSH, and JOANNE KAO, individually and on behalf of all others similarly situated, Plaintiff,

v.

THE NEIMAN MARCUS GROUP, LLC, a Delaware limited liability company, Defendant.

No. 14 C 1735
Judge James B. Zagel

MEMORANDUM OPINION AND ORDER

Case: 1:14-cv-01735 Document #: 49 Filed: 09/16/14 Page 1 of 9 PageID #:723

Plaintiffs Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao, individually and on behalf of all others similarly situated, have brought this action against Defendant Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts. Defendant now moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(1) for lack of Article III standing, and pursuant to Fed.R.Civ.P. 12(b)(6) for failure to state a claim. For the following reasons, Defendant’s motion to dismiss is granted for lack of standing.

BACKGROUND

Defendant is a high-end department store. In 2013, hackers breached Defendant’s servers, resulting in the potential disclosure of 350,000 customers’ payment card data and personally identifiable information. At some point following the breach, it became clear that, of the payment cards that may have been affected, at least 9,200 were subsequently used fraudulently elsewhere. Plaintiffs are among the 350,000 customers, and they have brought this lawsuit against Defendant for failing to adequately protect against such a security breach, and for failing to provide timely notice of the breach once it happened.

Plaintiffs assert that they have been injured in that Defendant’s alleged misconduct exposed them to an increased risk of future fraudulent credit card charges, and an increased risk of identity theft. Plaintiffs also assert present injuries, including the loss of time and money associated with resolving fraudulent charges, the loss of time and money associated with protecting against the risk of future identity theft, the financial loss they suffered from having purchased products that they wouldn’t have purchased had they known of Defendant’s misconduct, and the loss of control over and value of their private information. Defendant argues that none of these asserted injuries is sufficient to establish Article III standing.

DISCUSSION

It is a plaintiff’s burden to establish Article III standing. Apex Digital, Inc. v. Sears, Roebuck, & Co., 572 F.3d 440, 443 (7th Cir. 2009). This requires the plaintiff to demonstrate: (1) an “injury in fact” that is concrete and particularized and either actual or imminent; (2) that the injury is fairly traceable to the challenged action by the defendant; and (3) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013). Because standing is not a mere pleading requirement, but rather an indispensable part of the plaintiff’s case, it must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation. Apex Digital, 572 F.3d at 443. Plaintiffs assert four principal categories of injury. I address each in turn.

A. The Increased Risk of Future Harm

Allegations of future potential harm may suffice to establish Article III standing, but the future harm must be “certainly impending.” See Clapper, 133 S.Ct. at 1147 (collecting cases). Three courts in this District have recently taken up the question of standing and the increased risk of future harm plaintiffs encounter in the context of such cyber-attacks. See Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D.Ill. July 14, 2014); Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D.Ill. March 12, 2014); In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D.Ill. Sept. 3, 2013).

The courts in Strautins and Barnes & Noble both held that the alleged increased risk of future harm was insufficient to establish standing. Defendant argues that this case is like Strautins and Barnes & Noble. In Moyer, the Court held that the alleged increased risk of future harm was sufficient to establish standing, but Defendant contends that this holding was premised on a misreading of relevant case law, and it should not be followed. The differing outcomes in Strautins and Barnes & Noble on the one hand, and Moyer on the other are in part attributable to conflicting readings of the Supreme Court’s recent decision in Clapper.

The Strautins Court concluded that Clapper implicitly overruled a facially more relaxed standard for evaluating standing in this context articulated in Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). In Pisciotta, the Court held that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.” Id. The Strautins Court held that, by emphasizing the “certainly impending” standard, the Supreme Court “seems rather plainly to reject the premise, implicit in Pisciotta [ ], that any marginal increase in risk is sufficient to confer standing.” Strautins, 2014 WL 960816, at *5. The Barnes & Noble Court relied on Clapper’s “certainly impending” analysis without reference to Pisciotta.


The Moyer Court, by contrast, understood Clapper to have applied a particularly rigorous standing analysis to a claim that particularly called for it – a claim that implicated the actions of the political branches of government in the fields of intelligence gathering and foreign affairs, and that argued that an action taken by one of the other two branches of the federal government was unconstitutional. See Moyer, 2014 WL 3511500, at *5; see also Strautins, 2014 WL 960816, at *5 n. 11. These cyber-attack/credit card cases implicate neither questions of national security nor the constitution. The Moyer Court concluded that there was room for Clapper and Pisciotta to co-exist. See Moyer, 2014 WL 3511500, at *6.

For my part, I note that the “certainly impending” standard pre-dates Clapper, see Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979), though I also note that the Clapper Court itself acknowledged that the underlying facts called for an “especially rigorous” standing inquiry, see Clapper, 133 S.Ct. at 1147. Those facts are not present here. Read literally, Pisciotta could be understood to have held that any marginal increase in the risk of future injury is sufficient to confer Article III standing. That would be difficult to square with Clapper, which sets a threshold that an increase in the risk of harm must meet in order to confer standing. Id. But in my view, it is hard to imagine that that is what the Pisciotta Court intended, and such a literal reading of Pisciotta would not be reasonable. The Pisciotta Court raised the issue of standing sua sponte, and was not prompted to thoroughly discuss it. Though it does not expressly say so, Pisciotta was constrained by the “certainly impending” standard, first articulated 27 years earlier in Babbitt, and I read that standard into the opinion.

Legal standards aside, the underlying facts in Pisciotta, Strautins, Barnes & Noble, and the instant case materially differ with respect to standing. First, in Pisciotta, it appears as though the plaintiffs’ data were actually stolen (at the very least, the Court’s analysis assumed as much). See Pisciotta, 499 F.3d at 634. At issue with respect to the plaintiffs’ injury, then, was whether and how likely the stolen data would actually be misused. Id. This is distinct from Strautins and Barnes & Noble, where the respective Courts found that the plaintiffs had alleged merely that there was a possibility that their data had been stolen. See Strautins, 2014 WL 960816, at *4, *6; Barnes & Noble, 2013 WL 4759588, at *4. Compared to the facts in Pisciotta, the fact that any given plaintiff’s data may not have even been stolen yielded a much weaker inference that the data were actually at a sufficiently increased risk of being misused. In my view, this is a principled distinction that could justify holding that Pisciotta satisfied the “certainly impending” standard (albeit under a less rigorous application of the standard outside the national security/constitutional context) while holding that Strautins and Barnes & Noble did not.

The facts in the instant case present a third permutation. Here, the overwhelming majority of the plaintiffs allege only that their data may have been stolen. In this sense, the instant case is like Strautins and Barnes & Noble. Unlike Strautins and Barnes & Noble, however, Plaintiffs also allege (and Defendant acknowledges) that 9,200, or approximately 2.5% of these customers have actually had fraudulent charges appear on their credit cards. In other words, these customers’ data were actually stolen and were actually misused. This allegation permits several inferences of varying strength with respect to Plaintiffs’ claims to standing.

First, it certainly permits the inference that these 9,200 customers did indeed have their data stolen as a result of the cyber-attack on Defendant. That is an injury in fact, the sufficiency of which for purposes of standing will be addressed below. Second, it permits a weaker, though in my view still plausible, inference that others among the 350,000 customers are at a “certainly impending” risk of seeing similar fraudulent charges appear on their credit cards as a result of the cyber-attack on Defendant. The significance of that potential future injury for purposes of standing will also be discussed below. I do not believe, however, that this allegation permits a plausible inference that any of the 350,000 customers are at a “certainly impending” risk of the other future injury claimed by Plaintiffs – identity theft.

It is not clear to me that the “fraudulent charge” injury alleged to have been incurred by the 9,200 customers, or, a fortiori, the risk that the same injury may befall others among the 350,000 customers at issue, is an injury sufficient to confer standing. To satisfy their burden to establish standing, plaintiffs must show that their injury is concrete, particularized, and, if not actual, at least imminent. See Clapper, 133 S.Ct. at 1147. As discussed above, I am satisfied that the potential future fraudulent charges are sufficiently “imminent” for purposes of standing. But of course, even having conceded imminence, both injuries (present and future) must still be concrete. Here, as common experience might lead one to expect, Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed. On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as “concrete” injuries. See Barnes & Noble, 2013 WL 4759588, at *6; Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307, *8 (S.D.N.Y. June 25, 2010). Without a more detailed description of some fairly substantial attendant hardship, I cannot agree with Plaintiffs that such “injuries” confer Article III standing.

Next, as noted above, I am not persuaded that the 350,000 customers at issue are at a certainly impending risk of identity theft. Unlike the Pisciotta plaintiffs, the plaintiffs here do not allege that data belonging to all of the customers at issue were in fact stolen. They allege that approximately 2.5% of the customers at issue saw fraudulent charges on their credit cards, supporting a strong inference that those customers’ data were stolen as a result of Defendant’s data breach. And again, I accept the inference from this that additional customers are at a “certainly impending” risk of future fraudulent charges on their credit cards. But to assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far.1 The complaint does not adequately allege standing on the basis of increased risk of future identity theft.

B. Time and Money Spent to Mitigate the Risk of Future Fraud and Identity Theft

Plaintiffs also claim the time and money allegedly spent toward mitigating the risk of future fraudulent charges and identity theft constitutes injury sufficient to confer standing. The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury. See Moyer, 2014 WL 3511500, at *4 n. 1. As discussed above, however, on these pleadings I am not satisfied that either of the future injuries claimed in the complaint are themselves sufficient to confer standing. The “fraudulent charge” injury, absent unreimbursed charges or other allegations of some substantial attendant hardship, is not in my view sufficiently concrete to establish standing. In any event, the complaint contains no meaningful allegations as to what precisely the costs incurred to mitigate the risk of future fraudulent charges were. Generally, when one sees a fraudulent charge on a credit card, one is reimbursed for the charge, and the threat of future charges is eliminated by the issuance of a new card, perhaps resulting in a brief period where one is without its use. If the complaint is to credibly claim standing on this score, it must allege something that goes beyond such de minimis injury.

As discussed above, the complaint does not adequately allege that the risk of identity theft is sufficiently imminent to confer standing. So long as that is the case, the “time and money spent to mitigate” claim as to the risk of identity theft, which may well be more substantial than the same claim as to the risk of fraudulent credit card charges, is not a cognizable Article III injury.

1 I note that one plaintiff allegedly received a “phishing” phone call as a result of the cyber-attack on Defendant which, if she had disclosed private information, might have led to future identity theft. In my view, this allegation is sufficient neither to establish a “certainly impending” risk of identity theft, nor to qualify as a “concrete” injury for purposes of standing.

C. The Financial Injury For Having Purchased Defendant’s Products

Plaintiffs also assert that they paid a premium for the retail goods purchased at Defendant’s stores, a portion of which Defendant was required to allocate to adequate data breach security measures. Because Defendant did not do so, Plaintiffs allege, Plaintiffs overpaid for their respective purchases and would not have otherwise made them. As Plaintiffs would have it, this financial injury establishes standing.

The argument is creative, but unpersuasive. All of the cases to which Plaintiffs cite in support of this proposition involved products which possessed some sort of deficiency. Plaintiffs purchased bottled water and it turned out to be municipal tap water. Chicago Faucet Shoppe, Inc. v. Nestle Waters N. Am Inc., 2014 WL 541644, *3 (N.D.Ill. Feb. 11, 2014). Plaintiffs purchased children’s toys and they turned out to be toxic. In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011). As the Seventh Circuit noted, the fact that members of the class in such a case did not suffer physical injury did not mean that they were not injured. “The plaintiffs’ loss is financial: they paid more for the toys [or water] than they would have.” Id.

In my view, a vital limiting principle to this theory of injury is that the value-reducing deficiency is always intrinsic to the product at issue. Under Plaintiffs’ theory, however, the deficiency complained of is extrinsic to the product being purchased. To illustrate the problem this creates: suppose a retail store does not allocate a sufficient portion of its revenues to providing adequate in-store security. A customer who is assaulted in the parking lot after patronizing the store may well have a negligence claim against the store owner. But could he or she really argue that she overpaid for the products that she purchased? Or even more to the point: even if no physical injury actually befell the customer, under Plaintiffs’ theory, the customer still suffered financial injury because he or she paid a premium for adequate store security, and the store security was not in fact adequate.

As set forth in Aqua Dots, this theory of injury is plainly sensible. In my view, however, expanding it to include deficiencies extrinsic to the purchased product would effectively render it meaningless.

D. The Loss of Control Over and Value of Plaintiffs’ Private Information

Finally, I am also unpersuaded by Plaintiffs’ claim to standing based on the loss of control over and value of their private information. Again, the injury as pled is not sufficiently concrete. Cf. Barnes & Noble, 2013 WL 4759588 (no actual injury of this sort where plaintiffs do not allege that their personal information was sold or that the plaintiffs themselves could have sold it).

CONCLUSION

For the foregoing reasons, Defendant’s motion to dismiss for lack of Article III standing is granted.

ENTER:

James B. Zagel United States District Judge

DATE: September 16, 2014


FINANCIAL CYBER-RISK: BANKING AND PAYMENTS

Presented by: Arian Colachis, General Counsel, Washington Federal, N.A.

Wendy Beth Oliver, Principal, Policy and Compliance Advisors

Cyber-Risk Management for the General Business Lawyer November 7, 2014


I. Corporate Account Takeover

A. What is it? How does it happen?

1. Phishing and Pharming

B. Who’s liable?

1. Consumer protection regulations don't apply to business accounts

2. UCC Article 4A and Breach of Contract

a. Commercially reasonable security measures, good faith acceptance in compliance with measures and consistent with instructions from client

b. Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014)

3. Tort

C. How do you protect yourself?

1. NACHA Corporate Account Takeover Resource Center:

https://www.nacha.org/content/corporate-account-takeover-resource-center

2. Texas Bankers Electronic Crimes Task Force: Best Practices-Reducing the Risks of Corporate Account Takeovers

http://www.ectf.dob.texas.gov/ectfrecomend.htm

3. Create a cyber security planner through the FCC website:

http://www.fcc.gov/cyberplanner

II. Payment Processing

A. The Target story

1. Malware introduced through vendor

2. Capture of customer card data

B. Payment Card Industry Data Security Standards (PCI DSS)

1. https://www.pcisecuritystandards.org/security_standards/index.php

2. Compliance levels

3. PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

4. Audits (validation and assessment)


5. Self-Assessment Questionnaire

C. Breach of Customer Personal Information

1. State law requirement to provide notice

a. RCW 19.255.010 (See Appendix A)

b. Idaho Code, Title 28, Chapter 51 and ORS 646A.600 et seq.

c. http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf

2. Notification of customers

a. Mailing

b. Website

3. Offering credit monitoring

4. Regulatory investigation

5. Reporting to Merchant Bank and Credit Card Associations

a. Merchant bank agreement

b. Credit card association regulations

1. http://usa.visa.com/download/about_visa/15-October-2014-Visa-Rules-Public.pdf

2. http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf

c. Fines and assessments from card associations

d. Forensic investigation by Payment Card Industry Forensic Investigator

D. Outsourcing Payment Processing

1. Effect of breach of vendor/merchant bank on merchant

2. Vendor management

a. Auditing vendor

b. Contractual protections

3. Payment vendors providing indemnification


APPENDIX A RCW 19.255.010

Disclosure, notice — Definitions — Rights, remedies.

(1) Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(2) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(4) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.

(5) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(a) Social security number;

(b) Driver's license number or Washington identification card number; or

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(6) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(7) For purposes of this section and except under subsection (8) of this section, "notice" may be provided by one of the following methods:

(a) Written notice;

(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. Sec. 7001; or

(c) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(i) E-mail notice when the person or business has an e-mail address for the subject persons;

(ii) Conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains one; and

(iii) Notification to major statewide media.

(8) A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(9) Any waiver of the provisions of this section is contrary to public policy, and is void and unenforceable.

(10)(a) Any customer injured by a violation of this section may institute a civil action to recover damages.

(b) Any business that violates, proposes to violate, or has violated this section may be enjoined.

(c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

(d) A person or business under this section shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.

[2005 c 368 § 2.]


ORS § 646A.604

Notice of breach of security

• delay

• methods of notification

• contents of notice

• application of notice requirement

(1) Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities and was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection (2) of this section, to any consumer whose personal information was included in the information that was breached. The disclosure notification shall be made in the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) of this section, and consistent with any measures necessary to determine sufficient contact information for the consumers, determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data.

(2) Any person that maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.

(3) The notification to the consumer required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and that agency has made a written request that the notification be delayed. The notification required by this section shall be made after that law enforcement agency determines that its disclosure will not compromise the investigation and notifies the person in writing.

(4) For purposes of this section, notification to the consumer may be provided by one of the following methods:

(a) Written notice.

(b) Electronic notice if the person's customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on October 1, 2007.

(c) Telephone notice, provided that contact is made directly with the affected consumer.

(d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of consumers to be notified exceeds 350,000, or if the person does not have sufficient contact information to provide notice. Substitute notice consists of the following:

(A) Conspicuous posting of the notice or a link to the notice on the Internet home page of the person if the person maintains one; and

(B) Notification to major statewide television and newspaper media.

(5) Notice under this section shall include at a minimum:

(a) A description of the incident in general terms;

(b) The approximate date of the breach of security;

(c) The type of personal information obtained as a result of the breach of security;

(d) Contact information of the person subject to this section;

(e) Contact information for national consumer reporting agencies; and

(f) Advice to the consumer to report suspected identity theft to law enforcement, including the Federal Trade Commission.

(6) If a person discovers a breach of security affecting more than 1,000 consumers that requires disclosure under this section, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notification given by the person to the consumers. In no case shall a person that is required to make a notification required by this section delay any notification in order to make the notification to the consumer reporting agencies. The person shall include the police report number, if available, in its notification to the consumer reporting agencies.

(7) Notwithstanding subsection (1) of this section, notification is not required if, after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

(8) This section does not apply to:

(a) A person that complies with the notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the person's primary or functional federal regulator.

(b) A person that complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security of personal information than that provided by this section.

(c) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007. [2007 c.759 §3]


Insurance Coverage for Cyber Risks—A Primer and Toolkit for the Business Lawyer

Frank Cordell


Three Things to Take from this Session

Know the basic commercial insurance policies and concepts—and the malpractice traps!

Understand the MANY obstacles to coverage for data breaches under traditional commercial policies.

Have a working knowledge of the new cyber-liability insurance products now being offered in the marketplace—including the persistent problems and gaps in coverage.

Commercial Insurance Toolkit

Types of insurance:

“First Party”: Protects against loss to the insured’s property or person: Commercial “All Risk” property policies; business interruption; commercial crime.

“Third Party” or “Liability” Insurance: Protects against liability to third parties: Commercial General Liability policies (bodily injury, property damage, “personal injury”, “advertising injury”); Directors & Officers (coverage for “Wrongful Acts”); Professional Liability/“E&O” (“Wrongful Acts”).


Insurance Toolkit, cont’d

Types of Insurance: “Occurrence”-Based

Triggering event is the harm

Notice requirements: “prejudice rule”

Claims-Made and Claims-Made-and-Reported Basis

Triggering event is the claim and the notice to the insurer

Notice requirement: unforgiving

Notice of potential claim

Insurance Toolkit, cont’d

Contractual “suit limitation” terms

Fixture in first-party policies

Period runs from when loss was or should have been discovered

NO PREJUDICE RULE—forfeiture of claim is real possibility

WAC 284-30-380(5): Notification required only where insured not represented by counsel


Cyber-Risk Claims Under Standard Policies—Obstacles and Exclusions

CGL, All-Risk policy forms in use since the 1960s.

Case study: Zurich Am. Ins. Co. v. Sony Corp. of Am. (N.Y. Sup. Ct.).

2011 cyber attack on PlayStation Network

Data breach; user personal, financial data stolen

Over 60 user lawsuits against Sony

CGL policies issued by Zurich

Zurich v. Sony, cont’d

CGL Coverage Applied to Cyber Risks: Typically no Bodily Injury or Property Damage

“Personal and Advertising Injury” Coverage? Insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury’, which is caused by an offense arising out of [the insured’s] business.”


Zurich v. Sony, cont’d

“Personal and Advertising Injury . . . offenses” include: “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

Zurich’s arguments: No “publication” of data

“Publication” was not done by Sony, but by attackers

Exclusion for insureds whose business is “an internet search, access, content, or service provider.”

Zurich v. Sony, cont’d

NY trial court ruling: “Publication”? YES—hackers “opening the box”

Internet/media exclusion apply? NO—must be insured’s sole business.

Must “publication” be done by the insured? YES—and here, cyberattackers, not Sony, caused the publication.

NO COVERAGE.

Decision on appeal.


Coverage Under Property Policies?

Loss of data, reconstruction costs?

Is loss of electronic data “physical damage”? “Direct physical loss” for business interruption coverage?

Am. Guarantee v. Ingram Micro: YES

NMS Services v. Hartford: YES

Summary: Cyber Coverage Under Traditional Policies?

Insurers will fight hard

Rise of broad exclusions—insurers driving business to cyber-risk products

Takeaway: Insureds cannot rely on traditional business coverages for cyber risks.


Cyber-Risk Products

Hot marketplace—insurance industry has capacity and is eagerly marketing “Cyber” this and “e-Media” that.

“The Wild, Wild West”: Lack of standardization in policy forms

Much room for negotiation and customization—both “modular” cyber-products and via manuscript endorsements.

Expert broker/consulting assistance is critical.

Cyber-Risk Products

Third-Party Coverages:

Privacy Liability

Network Security Liability

Media Liability

Regulatory Liability


Cyber-Risk Products

First-Party Coverages:

Remediation Costs—Data Breach

Loss/Reconstruction of Data; Business Interruption

Network Interruption

Extortion

Pitfalls in the New Policies

“Negligence” exclusions? First- and Third-Party

First Party: Requirement of a wrongful act on the insured’s part—maybe not just a hack?

No coverage for economic value of data if no recovery?

No coverage for insured’s breach of contractual obligations resulting from attack/loss


Pitfalls in New Policies

Third-Party Infringements of IP rights (non-media policies)

“Documented wrongful act”

Contract liability

Unencrypted data

PCI penalty

BI and PD

Rogue employees


NETPROTECT 360

THIS IS A CLAIMS MADE POLICY AND, SUBJECT TO ITS PROVISIONS, APPLIES ONLY TO CLAIMS FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD AND REPORTED IN ACCORDANCE WITH SECTION VI. CONDITIONS, PARAGRAPH B. CLAIM EXPENSES ARE WITHIN THE LIMIT OF LIABILITY. PLEASE REVIEW THE POLICY CAREFULLY AND DISCUSS THE COVERAGE WITH YOUR INSURANCE AGENT OR BROKER.

In consideration of the payment of the premium and in reliance upon all statements made in the Application furnished to the Insurer designated in the Declarations, a stock insurance corporation (the "Insurer"), the Insurer and the Insureds agree as follows:

I. INSURING AGREEMENTS

A. ENTERPRISE LIABILITY COVERAGES

If the Insuring Agreement has been purchased, as indicated in the Declarations, the Insurer will pay on behalf of the Insured all sums, in excess of the retention and up to the applicable limit of liability, that the Insured shall become legally obligated to pay:

1. Media Liability

as Damages and Claim Expenses resulting from liability imposed by law or Assumed Under Contract resulting from any Claim first made against the Insured during the Policy Period, or any Extended Reporting Period, if applicable, alleging Wrongful Acts by the Insured, or by someone for whose Wrongful Acts the Insured is legally liable;

2. Network Security Liability

as Damages and Claim Expenses resulting from any Claim first made against the Insured during the Policy Period, or any Extended Reporting Period, if applicable, alleging Wrongful Acts by the Insured or by someone (including a Rogue Employee or Third Party Custodian) for whose Wrongful Acts the Insured is legally liable;

3. Privacy Injury Liability

as Damages and Claim Expenses resulting from any Claim first made against the Insured during the Policy Period, or any Extended Reporting Period, if applicable, alleging Wrongful Acts by the Insured or by someone (including a Rogue Employee or Third Party Custodian) for whose Wrongful Acts the Insured is legally liable;

4. Privacy Regulation Proceeding

as Damages (including Privacy Regulation Fines) and Claim Expenses resulting from any Privacy Regulation Proceeding first made against the Insured during the Policy Period, or any Extended Reporting Period, if applicable, alleging Wrongful Acts by the Insured or by someone (including a Rogue Employee or Third Party Custodian) for whose Wrongful Acts the Insured is legally liable.

B. REIMBURSEMENT COVERAGES

If the Insuring Agreement has been purchased, as indicated in the Declarations, the Insurer will reimburse the Insured Entity:

1. Privacy Event Expense Reimbursement

CNA 74291 XX (Ed. 9/13) Page 1

Copyright © 2013 CNA. All Rights Reserved.

for Privacy Event Expenses, up to the Privacy Event Expenses limit of liability and in excess of the Privacy Event Expenses retention;

2. Extortion Demand Reimbursement

for Extortion Payments up to the Extortion Payment limit of liability and in excess of the Extortion Payment retention;

3. Privacy Regulation Investigation Reimbursement

for Privacy Regulation Investigation Expense up to the Privacy Regulation Investigation Expense limit of liability and in excess of the Privacy Regulation Investigation Expense retention;

4. Crisis Response Reimbursement

for Crisis Response Expenses up to the Crisis Response Expense limit of liability and in excess of the Crisis Response Expense retention.

C. FIRST PARTY INSURING AGREEMENTS

If the Insuring Agreement has been purchased, as indicated in the Declarations, the Insurer will pay the Insured Entity all sums in excess of any applicable retention and up to the applicable limit of insurance that the Insured Entity incurs:

1. BUSINESS INTERRUPTION COVERAGE AND EXTRA EXPENSE

for Business Income and Extra Expense resulting from an Exploit that first causes Network Impairment during the Policy Period;

2. LOSS OF OR DAMAGE TO INSURED ENTITY'S NETWORK

for the Insured Entity's reasonable and necessary expenses resulting from an Exploit that first causes Network Impairment during the Policy Period, that are required to restore the Network or information residing on the Network to substantially the form in which it existed immediately prior to such Exploit;

3. BASIC E-THEFT

for loss of the Insured Entity's Money, Securities or Goods, including loss resulting from alteration, resulting from Electronic Theft of the Insured Entity's Money, Securities or Goods perpetrated directly against the Insured Entity by a third party during the Policy Period.

D. HOW COVERAGE APPLIES

1. The coverages provided under paragraph A. above apply only if:

a. prior to the inception date of this Policy or the first such policy issued and continuously renewed by the Insurer, of which this Policy is a renewal, whichever is earlier:

1. no Executive Officer knew or should have known that any such Wrongful Act, or Related Wrongful Acts, might result in such Claim;

2. such Wrongful Act has not been the subject of any notice given under any prior policy;

b. such Wrongful Act occurred on or after the applicable Retroactive Date as set forth in the Declarations and prior to the end of the Policy Period; and,

c. the Claim is reported to the Insurer in accordance with Section VI. CONDITIONS, paragraph B. NOTICE OF CLAIM OR CIRCUMSTANCE/PRE-CLAIMS ASSISTANCE/DATE OF CLAIM.

2. The coverages provided under paragraph B. above apply only if:

a. the Privacy Event is first discovered, the Extortion Demand is first made or Privacy Regulation Investigation is first initiated during the Policy Period; and,

b. the Privacy Event Expenses, Extortion Payments or Privacy Regulation Investigation Expenses are incurred within twelve months after the date that the Insured reports the Privacy Event, Privacy Regulation Investigation or Extortion Demand in accordance with Section VI. CONDITIONS, paragraph B. NOTICE OF CLAIM OR CIRCUMSTANCE/PRE-CLAIMS ASSISTANCE/DATE OF CLAIM, and such amounts are consented to in writing by the Insurer, such consent not to be unreasonably withheld.

E. VICARIOUS LIABILITY

1. Third Party Vicarious Liability Coverage

Any entity or natural person the Insured Entity is required by written contract to include as an insured for liability of such entity or natural person for an Insured's Wrongful Acts shall be insured under this Policy but solely to the extent that a Claim is made against such entity or natural person for a Wrongful Act of an Insured, and only so long as the written contract is entered into before such Claim occurs, provided:

a. there shall be no coverage afforded to such entity or natural person for its Wrongful Acts; and,

b. nothing herein shall serve to confer any rights or duties to such person or entity under this Policy, other than as provided in this paragraph.

2. Assumed Liability of Insured

The Insured Entity is insured for liability it assumes in a written contract or agreement under which it assumes the tort liability (liability that would be imposed by law in the absence of any contract or agreement) of another party incurred by such third party as a result of an Insured's Wrongful Act provided the Wrongful Act gives rise to a Claim and occurs subsequent to the execution of such contract or agreement. Solely for the purposes of liability assumed by the Insured Entity in such contract or agreement, reasonable attorney fees and necessary litigation expenses incurred by or for a party other than an Insured are deemed to be Damages provided:

a. liability to such party for, or for the cost of, that party's defense has also been assumed in such contract or agreement; and,

b. such attorney fees and litigation expenses are for defense of that party against a civil or alternative dispute resolution proceeding in which Damages to which this insurance applies are alleged.

Any coverage afforded by this paragraph is subject always to all of the Policy's terms, conditions and exclusions.

The following defined words shall have the same meaning throughout this Policy, whether expressed in the singular or the plural.

Application means all signed applications, any attachments to such applications, other materials submitted therewith or incorporated therein, and any other documents submitted in connection with the underwriting of this Policy by the Insurer, or any other policy underwritten by the Insurer or its affiliates of which this Policy is a direct or indirect renewal or replacement.

Assumed Under Contract means liability of others, for Matter furnished by the Insured, that the Insured agrees to assume under a hold harmless or indemnity agreement but only to the extent such liability arises out of any Wrongful Act.

Business Income and Extra Expense means:

A. the amount of net income, before interest, tax, depreciation or amortization, that the Insured Entity would have earned during the Period of Restoration but for the Network Impairment; and,

B. Extra Expense.

However, Business Income and Extra Expense does not include:

1. ordinary operating expenses incurred by the Insured Entity during the Period of Restoration;

2. costs or expenses to update, upgrade, enhance, or replace the Insured's Network beyond that which existed prior to the occurrence of the Network Impairment;

3. costs or expenses the Insured Entity incurs to prove or document First Party Loss;

4. Privacy Event Expenses and Extortion Payments.

Business Interruption Loss means the amount of net income, before interest, tax, depreciation or amortization, that the Insured Entity would have earned during the Period of Restoration but for the Network Impairment.

However, Business Interruption Loss does not include:

1. ordinary operating expenses incurred by the Insured Entity during the Period of Restoration;

2. costs or expenses to update, upgrade, enhance, or replace the Insured's Network beyond that which existed prior to the occurrence of the Network Impairment;

3. costs or expenses the Insured Entity incurs to prove or document First Party Loss;

4. Privacy Event Expenses, Crisis Response Expenses and Extortion Payments.

Claim means:

A. a written demand (other than an Extortion Demand) for monetary damages or non-monetary relief, including a demand for injunctive or declaratory relief;

B. a civil proceeding in a court of law or equity or any alternative dispute resolution proceeding;

C. a Privacy Regulation Proceeding,

against an Insured alleging a Wrongful Act, including any appeal therefrom.

Claim also means a written request received by the Insured to toll or waive a statute of limitations in connection with a Claim as defined by paragraphs B. and C. above.

However, a Claim does not include any criminal proceeding or criminal or civil investigation. Nor does a Claim include any regulatory proceeding except if the regulatory proceeding is a Privacy Regulation Proceeding.


Claim Expenses mean:

A. fees charged by attorneys designated by the Insurer or by the Insured with the written consent of the Insurer;

B. all other reasonable and necessary fees, costs and expenses resulting from the investigation, adjustment, defense and appeal of a Claim if incurred by the Insurer including, but not limited to, premiums for any appeal bond, attachment bond or similar bond but without any obligation of the Insurer to apply for or furnish any such bond.

In the event the Insured is entitled by law to select independent counsel to defend the Insured at the Insurer's expense, Claim Expenses also include fees the Insurer must pay to such counsel provided that such fees are limited to fees charged in accordance with the rates the Insurer actually pays to counsel the Insurer retains in the ordinary course of business in the defense of similar Claims in the community where the Claim is being defended.

However, Claim Expenses do not include fees and expenses of independent adjusters or salaries of the Insurer's officials or employees.

Commerce Operations means the Insured Entity's income producing activities.

Consumer Redress Amounts means a sum of money which the Insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a Privacy Regulation Proceeding. Consumer Redress Amounts do not include any sums paid which constitute taxes, fines, penalties, injunctions or sanctions.

Crisis Event means a Wrongful Act of an Insured or someone for whom the Insured is legally liable or an Exploit of an Insured Entity's Network, which, in the reasonable opinion of an Executive, is causing reputational damage to the Insured Entity.

Crisis Response Expenses means the fees, costs and expenses incurred by the Insured Entity in response to a Crisis Event and consented to in advance by the Insurer (such consent not to be unreasonably withheld), including fees, costs and expenses to retain an outside law firm, public relations firm, crisis management firm, forensic firm or security firm to:

A. manage relationships with governmental regulatory authorities;

B. manage press coverage, publicity and press relationships;

C. advise the Insured Entity on measures required in order to comply with applicable laws.

Crisis Response Expenses do not include Privacy Event Expenses.

Damages mean:

A. settlements, judgments (including any award of pre-judgment and post-judgment interest on a covered judgment), or other amounts for which the Insured is legally obligated to pay on account of a covered Claim;

B. punitive and exemplary damages and the multiplied portion of multiplied awards (subject to this Policy's other terms, conditions and limitations). Enforceability of this paragraph shall be governed by such applicable law that most favors coverage for such punitive, exemplary and multiplied amounts;

C. Consumer Redress Amounts with respect to Insuring Agreement A.5. Privacy Regulation Proceeding only.

However, Damages do not include:

1. civil or criminal fines, penalties, taxes, sanctions or forfeitures, imposed on an Insured, except that this does not apply to Privacy Regulation Fines and Consumer Redress Amounts;


2. fees, costs and expenses paid or incurred or charged by any lnsured, no matter whether claimed as restitution ofspecific funds, financial loss, mitigation expenses, set-off amounts or payments in the form of service credits orcoupons or other non-cash consideration;

3. liquidated damages pursuant to a written contract or agreement in excess of the lnsured's liability caused by theWrongfulAct;

4. the lnsured's production costs, or the lnsured's cost of reprinting, recalling, recovering, shipping, mailing,correcting, reprocessing, restoring, repairing, replacing, or reproducing erroneous, damaged or lost tangibleproperty or Matter;

5. any amount attributable to the cost of any non-monetary relief, including without limitation any costs associatedwith compliance with any injunctive relief of any kind or nature;

6. funds, monies, or securities that an Insured transferred or failed to transfer;

7. any loss of investment income;

8. any amounts assessed as royalty fees or payments;

9. any amount for which an Insured is absolved from payment by reason of any covenant, agreement or court order;

10. plaintiff's attorney fees or expenses associated with items 1. through 9. above.

Domestic Partner means any spouse and any person qualifying as a domestic partner under any federal, state, foreign or other law (including common law), statute or regulation or under the Insured Entity's employee benefit plans.

Denial of Service Attack means an attack executed over one or more Networks or the internet, which attack is designed and intended to disrupt the operation of one or more Networks and render the Networks inaccessible to authorized users.

Electronic Infection means the transmission of a computer virus.

Electronic Theft means:

A. a disbursement or transfer of the Insured Entity's Money or Securities to a person or entity that is not authorized to receive them;

B. delivery of the Insured Entity's Goods to a person or entity that is not authorized to receive them,

including all continuations or repetitions of such events, caused solely and directly by the transmission of information through or to the Insured Entity's Network and which is created or caused by someone who is not an employee, director or officer of an Insured Entity.

ERISA or any Similar Act means the Employee Retirement Income Security Act of 1974, as amended, or any similar common or statutory law of the United States, Canada or their states, territories or provinces or any other jurisdiction anywhere in the world.

Executive Officer means:

A. any duly elected or appointed Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Privacy Officer, Chief Security Officer, Chief Risk Officer, Chief Legal Officer, Risk Manager, General Counsel, in-house attorney designated to be in charge of litigation, or the functional equivalent of any of the foregoing, of the Named Insured;


B. an official in an Insured Entity organized and operated in a Foreign Jurisdiction who is holding a position that is equivalent to an executive position listed in A. above.

Exploit means Unauthorized Access, Electronic Infection or a Denial of Service.

Extortion Demand means an incident or series of related incidents occurring during the Policy Period where an Insured Entity receives a threat to launch an attack on, to suspend, or to otherwise disrupt a Network, disrupt or deface the Insured Entity's website or release or use Protected Information in the Insured Entity's care, unless monies are paid or specified action is taken, and an Executive Officer believes there is an imminent and probable danger of such action. An Extortion Demand does not include any demand seeking monies from the Insured Entity that are allegedly due and owing pursuant to contract or operation of law.

Extortion Payment means all reasonable and necessary expenses incurred by the Insured Entity with the Insurer's prior consent, in order to respond to an Extortion Demand, including payment of monies demanded by an extortionist. Extortion Payments do not include such expenses to the extent the Insured Entity has recovered such expenses or been reimbursed for them from any other source.

Extra Expense means any reasonable and necessary expenses, in excess of the Insured Entity's normal operating expenses, that the Insured Entity incurs during the Period of Restoration associated with restoring and resuming Commerce Operations, including:

A. reasonable expense incurred to minimize the interruption of Commerce Operations not covered elsewhere in this Policy;

B. reasonable expense incurred to resume Commerce Operations on a temporary basis, including those associated with securing temporary third party Internet Service Provider services, temporary website and/or e-mail hosting services, rental of temporary Networks, other temporary equipment or service contracts.

C. reasonable expense incurred to engage a third party security expert to:

1. investigate, minimize and stop damage to the Network caused by the Exploit while such Exploit is ongoing;

2. collect, analyze and preserve forensic evidence of an Exploit for use in identifying the perpetrator responsible for the disruption to Commerce Operations.

First Party Loss means all amounts which the Insurer is obligated to pay as set forth in the FIRST PARTY INSURING AGREEMENT, Section I. C.

Foreign Jurisdiction means any jurisdiction, other than the United States or any of its territories or possessions.

Goods means tangible physical property that:

A. has economic value;

B. is held by the Insured Entity in its inventory for sale;

C. is shipped by the Insured Entity to its customers via land, sea or air; and,

D. is sold or exchanged by the Insured Entity in trade or commerce.

Insured means the Insured Entity and:

A. any natural person who was, is or becomes an employee (including leased and temporary employees), director, officer, trustee, manager, member or partner of the Insured Entity but solely with respect to a Wrongful Act committed within the scope of such individual's duties on behalf of the Insured Entity;


B. any natural person independent contractor of the Insured Entity but solely with respect to a Wrongful Act committed within the scope of such individual's duties on behalf of the Insured Entity;

C. any natural person of an Insured Entity organized and operated in a Foreign Jurisdiction who is holding a position that is equivalent to an executive position listed in A. above.

Insured Entity means the Named Insured and any Subsidiary including any such entity:

A. as a joint venturer but only with respect to such Insured Entity's interest in such joint venture;

B. as a debtor in possession under United States bankruptcy law or an equivalent status under the law of any other country.

Management Control means owning interests representing more than 50% of the voting, appointment or designation power for the selection of a majority of, or having the right, pursuant to written contract or the by-laws, charter, operating agreement or similar documents, to elect, appoint or designate a majority of the Board of Directors of a corporation; the management committee members of a joint venture; or the members of the management board of a limited liability company, the general partners of a limited partnership or the partnership managers of a general partnership or the Foreign Jurisdiction equivalent of any such entity.

Matter means any content regardless of its nature or form.

Money means the following, but only to the extent that they exist solely in a digital or electronic format:

A. cash, currency, bank notes, or other negotiable instruments in current use and having face value;

B. travelers checks, registered checks and money orders held for sale to the public;

C. a record of credit in the Insured Entity's account held by another; and

D. a record of an amount owed to the Insured Entity by another.

However, Money does not include Securities or Intangible Property or any item identified above which does not exist solely in a digital or electronic format.

Named Insured means any entity named as such in the Declarations.

Network means a network owned or operated by or on behalf of or for the benefit of the Insured Entity, provided, however, Network does not include the Internet, telephone company networks, electrical grids, or other public infrastructure network.

Network Impairment means the disruption, modification, destruction or damage to the Insured Entity's Network that results in the impairment of the Insured Entity's Network to such an extent that the Insured Entity is substantially unable to conduct Commerce Operations.

Nonpublic Corporate Information means proprietary and confidential information, including trade secrets, of a third-party entity.

Period of Restoration means the period of time that:

A. begins with the date and time that Commerce Operations have first been interrupted by a Network Impairment and after application of the Business Interruption Waiting Period Retention, as specified in the Declarations; and,

B. ends with the earlier of:


1. the date and time Commerce Operations are restored to substantially the level of operation that existed prior to the Network Impairment; or,

2. the date and time Commerce Operations would have been restored to substantially the level of operation that existed prior to the Network Impairment if the Insured Entity exercised due diligence in remediating such Network Impairment.

Personal Information means any information relating to an identified or identifiable natural person.

Policy Period means the period from the effective date of this Policy to the Policy expiration date stated in the Declarations, or its earlier cancellation date.

Pollutants means any substance exhibiting hazardous characteristics as is or may be defined or identified on any list of hazardous substances issued by the United States Environmental Protection Agency or any state, local or foreign counterpart. Pollutants also means, without limitation, any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals or waste (including materials to be recycled, reconditioned or reclaimed), as well as any air emission, odor, waste water, oil or oil products, infectious or medical waste, asbestos, or asbestos products or any noise.

Privacy Event means any act, error or omission which, in the reasonable opinion of an Executive Officer, did cause or is reasonably likely to result in the unauthorized disclosure or the unauthorized use of Protected Information.

Privacy Event Expenses means all reasonable and necessary fees, costs and expenses incurred by the Insured Entity and consented to by the Insurer:

A. to provide voluntary notification to individuals or entities whose Protected Information may have been subject to a Privacy Event;

B. to directly effect compliance with a Security Breach Notice Law including notification to individuals or entities who are required to be notified;

C. to hire a computer forensics firm to investigate the existence and cause of a Privacy Event and to determine the extent such Protected Information has been or may have been disclosed;

D. to hire an attorney or expert to negotiate with regulators and determine the applicability of and the actions necessary to comply with Security Breach Notice Laws;

E. to minimize harm to the Insured Entity's reputation from a Privacy Event, including but not limited to the costs to set up a call center or provide credit and identity monitoring services for those impacted by a Privacy Event;

F. to remediate any deficiencies that gave rise to the Privacy Event.

Privacy Event Expenses do not include Crisis Response Expenses.

Privacy Injury means:

A. unauthorized collection, disclosure, use, access, destruction or modification of Protected Information;

B. failure to implement, maintain, or comply with policies and procedures stating the Insured's obligations with regard to Protected Information.

Privacy Regulation Fines means civil fines, sanctions or penalties insurable under applicable law and imposed under any Privacy Regulation Proceeding for a violation of any Security Breach Notice Law or any law, statute or regulation governing Protected Information.


Privacy Regulation Investigation means a civil, administrative or regulatory investigation or written request for information by a federal, state, local or foreign governmental authority in connection with any law governing Protected Information or any Security Breach Notice Law, and that is reasonably likely to give rise to a covered Claim.

Privacy Regulation Investigation Expenses means all reasonable and necessary expenses incurred by the Insured Entity with the Insurer's prior consent, in order to respond to or effectuate compliance with a Privacy Regulation Investigation. Privacy Regulation Investigation Expenses shall not include Privacy Event Expenses.

Privacy Regulation Proceeding means a civil, administrative or regulatory proceeding by a federal, state, local or foreign governmental authority, alleging a Wrongful Act as defined in paragraph D. of the definition of Wrongful Act.

Property Damage means:

A. physical injury to tangible property including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it;

B. loss of use of tangible property that is not physically damaged which is caused by an accident, including continuous or repeated exposure to substantially the same general harmful conditions.

Tangible property does not include electronic data. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Protected Information means Nonpublic Corporate Information or Personal Information.

Related Claims mean all Claims based upon or arising out of a single Wrongful Act or any Related Wrongful Acts.

Related Wrongful Act means all Wrongful Acts that are logically or causally connected by any common fact, circumstance, situation, transaction, event, advice or decision.

Retroactive Date means the date set forth in the Declarations.

Rogue Employee means a past, present or future employee of the Insured Entity who acts outside of his or her scope of employment.

Security Breach Notice Law means any statute or regulation that requires an entity that maintains Protected Information to provide notice to specified individuals of any actual or potential unauthorized disclosure or potential disclosure of such Protected Information.

Subsidiary means any entity in which the Named Insured has Management Control directly or indirectly through one or more other Subsidiaries:

A. on or before the effective date of this Policy;

B. after the effective date of this Policy by reason of being created or acquired by the Insured Entity after such date, if and to the extent coverage with respect to the entity is afforded pursuant to Section VI. CONDITIONS, paragraph K. COVERAGE FOR NEW SUBSIDIARIES.

Takeover means:

A. the acquisition of Management Control of the Named Insured by another entity or person, or group of entities or persons acting in concert;

B. the merger of the Named Insured into another entity such that the Named Insured is not the surviving entity; or


C. the consolidation of the Named Insured with another entity.

Third Party Custodian means any third party to whom the Insured Entity entrusts Protected Information, including a Business Associate as defined by the Health Insurance Portability and Accountability Act.

Unauthorized Access means any accessing of the Insured Entity's Network or information residing on the Insured Entity's Network by unauthorized persons or by authorized persons accessing or using the Insured Entity's Network or information thereupon in an unauthorized manner.

Wrongful Act means:

A. with respect to Insuring Agreement A.1. Media Liability only, Wrongful Act means:

1. gathering, acquiring, obtaining, researching, developing, editing, preparing, producing, filming, videotaping and recording Matter; or

2. the dissemination or utterance of Matter, through any medium and by any means, including:

a. publishing, printing, advertising, marketing, promoting, exhibiting;

b. broadcasting, telecasting, webcasting, cablecasting;

c. syndicating, selling, leasing, licensing, distributing, serializing or releasing;

d. public appearances or performances;

e. blogging, tweeting or other forms of online, digital or electronic dissemination,

that results in:

i. any form of defamation or other tort related to disparagement or harm to the character, reputation or feelings of any person or organization, including but not limited to libel, slander, product disparagement or trade libel;

ii. any form of invasion, infringement or interference with rights of privacy or publicity, including but not limited to false light, public disclosure of private facts, intrusion and commercial appropriation of name or likeness;

iii. wrongful entry or eviction, trespass, eavesdropping or other invasion of the right of private occupancy;

iv. false arrest, detention or imprisonment, abuse of process or malicious prosecution;

v. infringement of title, slogan, logo, trademark, trade name, trade dress, service mark or service name;

vi. infringement of copyright or any plagiarism, violation of moral rights (droit moral) or passing off, piracy, misappropriation of ideas under implied contract or other misappropriation of property rights, ideas or information;

vii. infliction of emotional distress, outrage or outrageous conduct, or any prima facie tort;

viii. negligence in connection with the content of Matter;

ix. unfair competition or unfair trade practices alleged in conjunction with paragraphs i. through viii. above, including but not limited to dilution, confusion, deceptive trade practices or unfair trade practices, civil actions for consumer fraud, false, disruptive or misleading advertising or misrepresentation in advertising; or

x. negligent supervision of an employee alleged in conjunction with paragraphs i. through viii. above;


B. with respect to Insuring Agreement A.2. Network Security Liability only, Wrongful Act means any actual or alleged act, error or omission that results in a breach of security of the Network and gives rise to:

1. an unscheduled or unplanned inability of an authorized third party user to gain access to the Network to communicate with the Insured Entity or other computers or computer networks (other than any Internet service provider interruptions);

2. disruption or degradation of a network owned or operated by or on behalf of or for the benefit of a person or entity other than the Insured Entity (other than Internet, telephone company networks, electrical grids, or other public infrastructure network) including but not limited to the infection of a third party network with malware or viruses; or

3. the unauthorized use, disclosure, disruption, modification or destruction of or unauthorized access to any information (other than software) resident on the Network or the unauthorized use, modification or destruction of any software resident on the Network;

C. with respect to Insuring Agreement A.3. Privacy Injury Liability only, Wrongful Act means any Privacy Injury;

D. with respect to Insuring Agreement A.4. Privacy Regulation Proceeding only, Wrongful Act means any actual or alleged act, error or omission that results in a violation of any statute or regulation governing Protected Information or any violation of a Security Breach Notice Law.

This Policy does not apply to any Claim:

A. ASSUMED LIABILITY

based upon or arising out of any assumption of the liability of others under any contract or agreement, except that this exclusion does not apply to liability arising under Section I. INSURING AGREEMENTS, Paragraph E. VICARIOUS LIABILITY or, with respect to Insuring Agreement A.1. Media Liability, Liability Assumed Under Contract;

B. BODILY INJURY/PROPERTY DAMAGE

based upon or arising out of any actual or alleged bodily injury (including death), sickness, disease, emotional distress, mental anguish, of any person, or Property Damage, provided however that this exclusion does not apply to:

1. allegations of emotional distress or mental anguish brought under Insuring Agreement A.1. Media Liability;

2. the wrongful infliction of emotional distress or mental anguish arising out of Privacy Injury;

C. CLAIMS BY INSUREDS

by or on behalf of any Insured provided, however, that this exclusion does not apply to:

1. any Claim that is in the form of a crossclaim, third-party claim or otherwise for contribution or indemnity which is part of and results directly from a Claim which is not otherwise excluded under this Policy;

2. any Claim brought or maintained by or on behalf of a bankruptcy or insolvency trustee, examiner, liquidator, receiver or rehabilitator for an Insured Entity or any assignee of such trustee, examiner, liquidator, receiver or rehabilitator;


3. any Claim by an Insured (other than an Insured Entity) that alleges Privacy Injury;

D. DELIBERATE ACTS/COMMINGLING OR MISAPPROPRIATION OF FUNDS

based upon or arising out of any dishonest, fraudulent, criminal or malicious act or omission, commingling, misappropriation or misuse of funds, intentional wrongdoing or knowing violation of any contract or agreement by or on behalf of an Insured. The Insurer shall pay Claim Expenses of such Claims unless or until a final judgment, ruling or other finding of fact in any proceeding establishes that such act, omission, commingling, misappropriation, misuse or violation was committed. If such act, or such commingling, misappropriation, misuse or violation is so determined to have been committed, the Insured will reimburse the Insurer for all Claim Expenses paid. The Insurer will not defend any criminal act which was the subject of a criminal prosecution in which the Insured was found guilty or pleaded guilty, nolo contendere or no contest. Criminal proceedings are not covered under this Policy regardless of the allegations made against any Insured. Provided, however, that solely with respect to Insuring Agreement A.1. Media Liability, this exclusion does not apply to any such act if an attorney for the Insured Entity approves of such act in advance based upon a good faith belief that such act is protected by the First Amendment to the United States Constitution or any similar law of another jurisdiction;

For purposes of determining the applicability of this exclusion:

1. the facts pertaining to and knowledge possessed by any natural person Insured shall not be imputed to any other natural person Insured; and,

2. only facts pertaining to and knowledge possessed by any Executive Officer shall be imputed to the Insured Entities;

E. DISCRIMINATION

based upon or arising out of any actual or alleged discrimination, humiliation, harassment or misconduct that relate to an individual's race, creed, color, age, sex, national origin, religion, handicap, marital status or sexual preference except that this exclusion does not apply to Claims brought under Insuring Agreement A.1. Media Liability;

F. ERISA OR ANY SIMILAR ACT

based upon or arising out of any actual or alleged violation of the responsibilities, obligations or duties imposed upon fiduciaries by ERISA or any Similar Act;

G. GOVERNMENTAL ORDERS

as a direct result of any action or order by any domestic or foreign law enforcement, administrative, regulatory or judicial body or other governmental authority;

H. LICENSING AND OWNERSHIP OF MATERIAL

by any joint venturer or on behalf of such party based upon or arising out of ownership disputes relating to Matter supplied;

I. MECHANICAL OR ELECTRICAL FAILURE AND SERVICE INTERRUPTIONS

based upon or arising out of any failure of:

1. electrical infrastructure;

2. telecommunications infrastructure; or


3. any satellite,

which is not under the Insured Entity's operational control;

J. OVER-REDEMPTION

based upon or arising out of price discounts, prizes, awards, coupons or any other valuable consideration given in excess of the total contracted or expected amount;

K. OWNED ENTITY

made against an Insured by any entity, if at the time of the Wrongful Act giving rise to such Claim:

1. any Insured controlled, owned, operated or managed such entity;

2. any Insured was an owner, partner, director, officer or employee of such entity;

For the purpose of this exclusion, a 5% or more owner of the voting stock of a publicly held corporation or a 40% or more owner of the voting stock of a privately held corporation shall be deemed to own such entity;

L. PATENT INFRINGEMENT

based upon or arising out of actual or alleged infringement of patent;

M. POLLUTION/NUCLEAR

based upon or arising out of: any actual or alleged nuclear reaction, radiation or contamination, or any actual, alleged or threatened discharge, release, escape, or disposal of, or exposure to, Pollutants; any request, direction or order that any of the Insureds test for, monitor, clean up, remove, contain, treat, detoxify, neutralize or in any way respond to or assess the effect of Pollutants or nuclear reaction, radiation or contamination, or any voluntary decision to do so; or any actual or alleged Property Damage, or bodily injury, sickness, disease or death of any person, or financial loss to the Insured Entity, their security holders, or their creditors resulting from any of the aforementioned matters;

N. PRIOR WRONGFUL ACTS OF SUBSIDIARIES

based upon or arising out of any Wrongful Act:

1. by or on behalf of any Subsidiary, whether such Subsidiary qualified as such prior to the inception date of the Policy, or after the inception date of this Policy by virtue of paragraph 1. of Section VI. CONDITIONS, paragraph K. Coverage for New Subsidiaries, or by natural person Insureds of any such Subsidiary, where such Wrongful Act occurred in whole or in part before the date the Insured Entity first had Management Control;

2. occurring on or after the date the Insured Entity first had Management Control of any Subsidiary described in paragraph 1. above, which, together with any Wrongful Acts described in paragraph 1. above, would be considered Related Wrongful Acts;

O. SECURITIES AND INVESTMENT CLAIMS

based upon or arising out of any actual or alleged:

1. filing of any registration statement under the Securities Act of 1933, or the Securities Exchange Act of 1934, any State Blue Sky Law, or any other state or local securities law;


2. violation of the Investment Advisers Act of 1940, the Securities Act of 1933, the Securities Exchange Act of 1934, rules or regulations of the Securities and Exchange Commission under either or both acts, similar securities laws or regulations of any state, or any laws of any state relating to any transaction arising out of, involving, or relating to the public offering of securities;

Provided however that this exclusion does not apply to any Claim for Privacy Injury;

P. TRADE SECRETS

based upon or arising out of any actual or alleged misappropriation of trade secrets obtained by any natural person Insured prior to commencing employment with an Insured Entity;

Q. ANTITRUST CLAIMS/RICO CLAIMS

based upon or arising out of any actual or alleged:

1. charges of price fixing, monopolization or restraint of trade;

2. violation of:

a. the Federal Trade Commission Act;

b. the Sherman Act, the Clayton Act, or any federal statutory provision regarding antitrust, monopoly, price fixing, price discrimination, predatory pricing or restraint of trade;

c. the Racketeer Influenced and Corrupt Organizations Act;

d. any rules or regulations promulgated under or in connection with the above statutes, or any similar provision of any federal, state, foreign or other law (including common law) or statute,

provided, however, this exclusion shall not apply to Insuring Agreement 1. Media Liability and 3. Privacy Injury Liability;

R. UNSOLICITED COMMUNICATIONS

for:

1. any actual or alleged violation by an Insured of any federal or state anti-spam statute or regulation, including the CAN-SPAM Act of 2003; or

2. any actual or alleged violation by an Insured of any federal or state statute or regulation prohibiting the dissemination of unsolicited communications, including any violation of the Telephone Consumer Protection Act of 1991.

This Policy does not apply to any First Party Loss, regardless of any other cause or event that contributes concurrently or in any sequence to the First Party Loss, caused by or resulting from:

A. DEFECTS IN DATA AND SOFTWARE AND NETWORK

any defect of design, implementation, operation, incompatibility or any other fault of data and software or the Insured Entity's Network, or any part thereof, where such defect or fault is introduced by the Insured Entity's:


1. use of a third party product, including but not limited to software and equipment, in a manner inconsistent withthe manufacturer's intended use;

2. modification of a third parly product or integration of components in violation of the manufacturer's warranty orother license terms;

3. integration of components in a manner inconsistent with any of the components' intended use as establishedby its manufacturer;

B. DELIBERATE ACTS

any deliberately dishonest, fraudulent or criminal act or omission, or any willful violation of any statute orregulation, by or on behalf of an Executive Officer;

C. GOODWILL

any adverse impact on goodwill, reputation or potential future income;

D. GOVERNMENTALORDERS

any action or order by any domestic or foreign law enforcement, administrative, regulatory or judicial body or othergovernmental authority;

E. PROPERW DAMAGE

direct physical loss of or damage to property;

F. VALUEOFSTOCKS

any change in value of shares, stock or securities;

G. VENDORACTS

unauthorized and deliberate malicious act or omission by a vendor or other third party authorized by the lnsuredEntity to perform services on the lnsured Entity's Network.

A. POLICYAGGREGATE

The amount set forth as the Policy Aggregate Limit of Liability in the Declarations shall be the maximumaggregate limit of liability of the lnsurer for all Damages, Glaim Expenses, Privacy Event Expenses, ExtortionPayments, Privacy Regulation lnvestigation Expenses, Crisis Response Expenses and First Party Lossunder this Policy. The Scheduled Limits of Liability set forth in the Coverage Schedule in the Declarations aresub-limits which further limit and do not increase the lnsurer's limit of liability under this Policy Aggregate Limit.The limits of liability set forth in paragraph B. below are subject always to this Policy Aggregate.

B. INSURING AGREEMENTS LIMITS OF L¡ABILIW

Each lnsuring Agreement limit of liability set forth in the Coverage Schedule of the Declarations applies asfollows:

1. All Claims in the Aggregate

CNA 74291 XX (9/13) Page 16

Copyright © 2013 CNA. All Rights Reserved.


The amount set forth in the Coverage Schedule in the Declarations is the limit of liability for all Damages and Claim Expenses for all applicable Claims/Privacy Regulation Proceedings combined.

2. Privacy Regulation Fines Sublimit of Liability

The amount set forth in the Coverage Schedule in the Declarations as the Privacy Regulation Fines Sublimit of Liability is the limit of liability for all Privacy Regulation Fines, which limit is a sublimit of, and not in addition to, the Privacy Regulation Proceeding limit of liability set forth in the Declarations.

3. Privacy Regulation Investigation Limit of Liability

The amount set forth in the Coverage Schedule in the Declarations as the Privacy Regulation Investigation Sublimit of Liability is the limit of liability for all Privacy Regulation Investigation Expenses, which limit is a sublimit of, and not in addition to, the Privacy Regulation Proceeding limit of liability set forth in the Declarations.

4. First Party Limit of Liability

The amount set forth in the Coverage Schedule in the Declarations as the First Party Loss Limit of Liability is the limit of liability for all First Party Loss, regardless of the number of Network Impairments that occur during the Policy Period.

5. All Privacy Event Expenses, Extortion Payments, Privacy Regulation Investigation Expenses and Crisis Response Expenses in the Aggregate

The amount set forth in the Coverage Schedule in the Declarations for Privacy Event Expenses, Extortion Payments, Privacy Regulation Investigation Expenses and Crisis Response Expenses is the limit of liability for all covered Privacy Event Expenses, Extortion Payments, Privacy Regulation Investigation Expenses and Crisis Response Expenses, as applicable.

C. RETENTIONS

1. Retentions set forth in the Declarations shall apply for each Insuring Agreement as set forth in the Declarations. A separate retention applies to each Claim in the amount and as specified in the Declarations. The Insurer shall pay Damages and Claim Expenses in excess of any retention as it becomes due and payable to the Insureds.

2. The Insurer's obligation to pay Damages and Claim Expenses is in excess of any applicable retention. The Insurer will have no obligation to pay all or any portion of any applicable retention. Should the Insurer, in its sole discretion, pay any retention, then the Named Insured shall have the obligation to reimburse the Insurer for such amounts.

3. A separate retention applies to each Privacy Event, Extortion Demand, Privacy Regulation Investigation and Crisis Event in the amount and as specified in the Declarations. The Insurer shall only be liable for the amount of Privacy Event Expenses, Extortion Payments, Privacy Regulation Investigation Expenses or Crisis Response Expenses in excess of the applicable retention amounts.

4. A separate retention applies to each Network Impairment or Electronic Theft under each First Party Business Interruption Coverage And Extra Expense Insuring Agreement in the amount and as specified in the Declarations. The Insurer shall only be liable for the amount of First Party Loss which is in excess of the applicable retention amounts.

5. In the event more than one retention applies, the maximum total retention amount applicable shall be the highest of such applicable retentions.


D. RELATED CLAIMS AND RELATED PRIVACY EVENT, EXTORTION DEMAND, PRIVACY REGULATION INVESTIGATION, OR NETWORK IMPAIRMENT

1. If Related Claims are subsequently made against the Insured and reported to the Insurer, all such Related Claims, whenever made, shall be considered a single Claim subject to the limit of liability applicable to the earliest such Claim first reported to the Insurer.

2. If there is more than one Privacy Event, Extortion Demand, Privacy Regulation Investigation, Crisis Event or Network Impairment involving the same act, error or omission, or acts, errors or omissions that are logically or causally connected by any common fact, circumstance, situation, transaction, event, advice or decision, then each such Privacy Event, Extortion Demand, Privacy Regulation Investigation, Crisis Event or Network Impairment shall be considered as one Privacy Event, Extortion Demand, Privacy Regulation Investigation, Crisis Event or Network Impairment, which shall be subject to the Privacy Event, the Extortion Demand, the Privacy Regulation Investigation, or the Network Impairment limit applicable to the earliest such Privacy Event, Extortion Demand, Privacy Regulation Investigation, Crisis Event or Network Impairment reported to the Insurer under this Policy or under any prior policy.

E. MULTIPLE INSUREDS, CLAIMS AND CLAIMANTS

The limits of liability shown in the Declarations, subject to the provisions of this Policy, are the amounts the Insurer will pay for Damages, Claim Expenses, Privacy Event Expenses, Extortion Payments, Privacy Regulation Investigation Expenses, Crisis Response Expenses and First Party Loss regardless of the number of Insureds, Claims made, Privacy Events, Extortion Demands, Crisis Response Expenses, Privacy Regulation Investigations, or persons or entities making Claims.

VI. CONDITIONS

A. SETTLEMENT/DEFENSE OF CLAIMS

1. Defense/Settlement

The Insurer shall have the right and duty to defend in the Insured's name and on the Insured's behalf a Claim, other than a Privacy Regulation Proceeding, even if any of the allegations of the Claim are groundless, false or fraudulent. The Insurer has the right to make such investigation, conduct such negotiations and enter into such settlement of any Claim as the Insurer deems necessary. The Insureds, and not the Insurer, have the duty to defend any Privacy Regulation Proceedings. The Insurer shall be entitled to effectively associate in the defense and the negotiation of any settlement of any Privacy Regulation Proceeding that involves or appears reasonably likely to involve the Insurer. Each Insured shall give the Insurer full cooperation and shall furnish the Insurer with copies of reports, investigations, pleadings, and all related papers, and such other information and assistance as the Insurer may reasonably request.

2. Consent to Settlement

The Insurer shall not settle any Claim without the prior written consent of the Named Insured. If, however, the Named Insured refuses to consent to such settlement or compromise recommended by the Insurer and agreed to by the claimant, the Insurer's duty to defend shall then cease and the Named Insured shall thereafter, at the Named Insured's own expense, negotiate or defend such Claim independently of the Insurer, and the Insurer's limit of liability for such Claim shall be reduced to:

a. the amount of the proposed settlement plus Claim Expenses incurred up to the date of the Named Insured's refusal to consent to such proposed settlement;

plus


b. fifty percent (50%) of Claim Expenses and Damages in excess of the amount referenced in paragraph a. above;

but such limit shall never exceed the applicable limit of liability set forth on the Declarations.

3. Exhaustion of Limits

The Insurer shall not be obligated to investigate, defend, pay or settle, or continue to investigate, defend, pay or settle, a Claim after the applicable limit of liability has been exhausted by payment of Damages or Claim Expenses, or any combination thereof. In such case, the Insurer shall have the right to withdraw from the further investigation, defense, payment or settlement of such Claim by tendering control of said investigation, defense or settlement of the Claim to the Insured.

B. NOTICE OF CLAIM, CIRCUMSTANCE OR NETWORK IMPAIRMENT/PRE-CLAIMS ASSISTANCE/DATE OF CLAIM

1. Notice of Claim, Extortion Demand, Privacy Event or Privacy Regulation Investigation

The Insured, as a condition precedent to the obligations of the Insurer, shall give written notice of any Claim, Extortion Demand, Crisis Event or Privacy Event to the Insurer as soon as reasonably practicable after any Executive Officer learns of such Claim, Extortion Demand, Privacy Event, Crisis Event or Privacy Regulation Investigation, but in no event later than ninety (90) days after termination or expiration of the Policy Period or any subsequent renewal Policy Period in an uninterrupted series of renewals, or prior to the expiration of the Extended Reporting Period, if applicable. Failure to give such notice as soon as reasonably practicable shall not invalidate coverage of such Claim, unless the failure to provide timely notice has prejudiced the Insurer or unless the notice is provided more than ninety (90) days after termination or expiration of the Policy Period or any subsequent renewal Policy Period in an uninterrupted series of renewals, or after the expiration of the Extended Reporting Period, if applicable.

2. Notice of Circumstance

If during the Policy Period the Insureds first become aware of any facts or circumstances which may reasonably be expected to give rise to a Claim, and during such Policy Period give written notice to the Insurer of:

a. the allegations anticipated as the basis of the potential Claim and the names of any potential claimants;

b. the identity of the specific Insureds allegedly responsible for such specific facts and circumstances;

c. the consequences which have resulted or may result from such specific facts and circumstances;

d. the amount of the potential monetary damages or the nature of non-monetary relief which may be sought in consequence of such specific facts and circumstances; and

e. the circumstances by which the Insureds first became aware of such specific facts and circumstances,

then any such covered Claim which is subsequently made and which arises out of such facts and circumstances shall be deemed to have been first made against the Insured and reported to the Insurer by the Insureds at the time such written notice was received by the Insurer.

3. Notice of Network lmpairment

If a Network Impairment takes place or is reasonably likely to take place, the Insured Entity must do the following:


a. provide notice to the Insurer as soon as practicable;

b. such notice should include particular details as to the nature of the Network Impairment; and,

c. immediately forward to the Insurer all information the Insured Entity possesses or receives in connection with the Network Impairment.

4. Pre-Claims Assistance

a. Insurer's Discretionary Investigation

Until the date a Claim is made, the Insurer may pay for all costs or expenses it incurs, at its sole discretion and without any obligation, as a result of investigating a circumstance that the Insured reports in accordance with subparagraph 2. Notice of Circumstance above. Such costs and expenses are outside the limits of liability and not subject to the retention.

b. Insurer's Discretionary Remediation

If the Insurer elects to investigate a circumstance pursuant to paragraph 4.a. above, and such investigation results in recommended remediation measures that both the Insurer and the Named Insured mutually agree to undertake, the Insurer shall reimburse the Insured for reasonable costs and expenses to enact such recommended remediation measures if such costs and expenses were approved by the Insurer in advance. Such costs and expenses are within the limits of liability, subject to the retention and the coinsurance percentage provided below, and subject to a sublimit of liability in the amount of 10% of the aggregate limit of liability.

The Insureds shall bear uninsured the percentage provided on the Declarations as a coinsurance percentage applied to all costs and expenses incurred pursuant to this paragraph b. The coinsurance percentage is in addition to the applicable retention, and the Insurer is only liable to pay the remaining percentage of costs and expenses in excess of the applicable retention and coinsurance percentage.

5. When a Claim is Deemed Made

Except as provided in subparagraph 2. Notice of Circumstance, above, a Claim shall be deemed made:

a. in the case of a written demand for monetary damages or non-monetary relief, on the earlier of the Executive Officer's or the Insurer's receipt of notice of such demand;

b. in the case of a civil proceeding in a court of law or equity or arbitration, on the date of service upon or other receipt by any Executive Officer of a complaint against the Insured in such proceeding or arbitration;

c. in the case of a Privacy Regulation Proceeding, on the date of receipt by such Executive Officer of a written notice from the investigating authority identifying such Insured as an individual or entity against whom a proceeding will be commenced.

6. To Whom Notices are Sent

The Insureds shall give written notice to the Insurer under this Policy as specified in the Declarations. If mailed, the date the Insurer receives such notice shall constitute the date such notice was given. Proof of mailing shall be sufficient proof of notice.

C. CANCELLATION

1. Insurer's Right to Cancel


The Insurer shall not cancel this Policy except for non-payment of any premium when due. The Insurer shall provide to the Named Insured written notice of such cancellation stating when, not less than fifteen (15) days thereafter, such cancellation shall be effective, except that non-payment of premium due at inception of this Policy will result in the Policy being cancelled effective as of the inception date.

2. Named Insured's Right to Cancel

The Insureds grant the exclusive authority to cancel this Policy to the Named Insured. The Named Insured may cancel this Policy by providing the Insurer written notice stating when thereafter such cancellation shall be effective. The mailing or delivery of such notice shall be sufficient. The unearned premium shall be computed on a pro-rata basis.

D. EXTENDED REPORTING PERIOD

1. Automatic Extended Reporting Period

The Named Insured shall have the right to a period of sixty (60) days following the effective date of such cancellation or non-renewal in which to give written notice to the Insurer of Claims first made against the Insured during said sixty (60) day period for any Wrongful Act committed prior to the end of the Policy Period and otherwise covered by this Policy.

2. Optional Extended Reporting Period

If the Named Insured or the Insurer cancels or non-renews this Policy, the Named Insured shall have the right to purchase, upon payment of an additional premium, an extension of this Policy for any Claim first made or deemed to be first made during such period for Wrongful Acts committed before the earlier of the end of the Policy Period or the effective date of any Takeover.

3. Payment of Extended Reporting Period Premium

As a condition precedent to the right to purchase the Optional Extended Reporting Period, the total premium for this Policy must have been paid. The right to purchase such Optional Extended Reporting Period shall end unless the Insurer receives written notice of the Named Insured's election to purchase such Optional Extended Reporting Period, and full payment of the premium for such period, within sixty (60) days after the end of the Policy Period.

4. Non-Cancelable/Premium Fully Earned

If the Optional Extended Reporting Period is purchased, it is non-cancelable and the entire premium shall be deemed fully earned at its commencement without any obligation by the Insurer to return any portion thereof.

5. No Separate Limit

There is no separate or additional limit of liability for any Extended Reporting Period.

E. TERRITORY

Coverage shall apply to Claims made and Wrongful Acts committed anywhere.

F. APPLICATION

The Insureds represent and acknowledge that the statements contained in the Application and any materials submitted or required to be submitted therewith (which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached) are true and accurate and:


1. are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and,

2. shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy.

This Policy is issued in reliance upon the truth and accuracy of such representations. In the event the statements, representations or information in the Application, including materials submitted or required to be submitted therewith, contain any misrepresentation or omission which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under this Policy, this Policy shall be null and void.

G. OTHER INSURANCE

The Insurer will have no duty to defend any Claim that any other insurer has a duty to defend. If no other insurer defends, the Insurer will undertake to do so, but it will be entitled to the Insured's rights against all those other insurers. This Policy applies to the Damages or Claim Expenses that exceed the available limit of liability and any self-insured retentions or retention amounts of any other insurance available to the Insured. If there is such other insurance covering the same Damages or Claim Expenses, the Insurer will pay only for the amount of covered Damages or Claim Expenses in excess of the amount due from that other insurance, but it will not pay more than the applicable Limit of Liability. This paragraph does not apply to any other insurance that was bought specifically to apply in excess of the Limits of Liability shown in the Declarations of this Policy.

H. ESTATES, LEGAL REPRESENTATIVES AND DOMESTIC PARTNERS

The estates, heirs, legal representatives and any Domestic Partner of a natural person Insured shall be considered Insureds under this Policy; provided, however, coverage is afforded to such estates, heirs, legal representatives and Domestic Partners only for a Claim arising solely out of their status as such and, in the case of a Domestic Partner, where such Claim seeks Damages from marital community property, jointly held property or property transferred from such Insured to the Domestic Partner. No coverage is provided for any act, error or omission of an estate, heir, legal representative or Domestic Partner. All terms and conditions of this Policy, including without limitation the retention, applicable to Damages or Claim Expenses incurred by the Insured shall also apply to Damages and Claim Expenses incurred by such estates, heirs, legal representatives, assigns and Domestic Partners.

I. NO ACTION AGAINST INSURER

No action shall be taken against the Insurer unless, as a condition precedent, there shall have been full compliance with all the provisions of this Policy, nor until the amount of the Insureds' obligation to pay shall have been finally determined either by final and nonappealable judgment against the Insureds after trial or by written agreement of the Insureds, the claimant and the Insurer.

No person or organization shall have any right under this Policy to join the Insurer as a party to any Claim against the Insureds to determine the Insureds' liability, nor shall the Insurer be impleaded by the Insureds or their legal representatives in any such Claim.

J. ASSIGNMENT OF INTEREST

Assignment of interest under this Policy does not bind the Insurer unless the Insurer's consent to such assignment is endorsed to this Policy.

K. COVERAGE FOR NEW SUBSIDIARIES

1. Other than an entity described in paragraph 2. below, if, after the effective date of this Policy, the Insured Entity first has Management Control of any entity, then such entity and its subsidiaries, directors, officers, trustees, managers, members, partners or employees who otherwise would thereby become an Insured shall be covered under this Policy, subject to its terms and conditions.

2. If, after the effective date of this Policy, the Insured Entity first has Management Control of an entity where the total revenues (as reflected in the most recent audited consolidated financial statements of such entity and the Insured Entity) exceed ten percent (10%) of the combined total revenues of all Insured Entities as of the inception date of this Policy, then the Insurer, at its sole option, upon submission of such information as the Insurer may require and payment of any additional premium or amendment of the provisions of the Policy, may agree to provide coverage for such entity and its subsidiaries, directors, officers, managers, members, partners or employees.

L. CHANGE OF STATUS OF INSUREDS

1. Takeover of the Named lnsured

In the event of a Takeover of the Named Insured, coverage under this Policy shall continue until this Policy is otherwise terminated, but only with respect to Claims for Wrongful Acts occurring before the effective date of the Takeover, unless:

a. the Insurer is notified in writing of the Takeover prior to the Takeover effective date and agrees in writing to provide coverage for Wrongful Acts occurring on or after such effective date; and,

b. the Named Insured accepts any additional terms, conditions and exclusions and pays any additional premium charge required by the Insurer.

2. Cessation of Subsidiary

If any organization ceases to be a Subsidiary, coverage under this Policy, or any renewal of this Policy, shall continue until this Policy is otherwise terminated, but only with respect to Claims for Wrongful Acts occurring before the effective date of such cessation, unless:

a. the Insurer is notified in writing of such cessation prior to the effective date thereof and agrees in writing to provide coverage for Wrongful Acts occurring on or after such effective date; and,

b. the Insured Entity accepts any special terms, conditions and exclusions and pays any additional premium charge required by the Insurer.

M. SUBROGATION AND RECOVERY

To the extent it pays any Damages or Claim Expenses, the Insurer shall be subrogated to all the Insureds' rights of recovery therefor, including without limitation an Insured's right to indemnification or advancement from the Insured Entity. The Insureds shall execute all papers necessary to secure such rights, including executing any documents necessary to enable the Insurer effectively to bring suit in their name, and shall take no action which impairs the Insurer's rights of subrogation or recovery.

N. NOTICES TO THE NAMED INSURED

Any notices to the Named Insured under this Policy shall be provided to the Named Insured at the last known address and to its last known insurance agent or broker. If properly mailed to the Named Insured at such address, the date of mailing shall constitute the date such notice was given.

O. CHANGES

Notice to or knowledge possessed by any agent or other person acting on behalf of the Insurer does not effect a waiver or a change in any part of this Policy or stop the Insurer from asserting any right under the provisions of this Policy, nor shall the provisions be waived or changed except by written endorsement issued to form a part of this Policy.

P. INSURED AUTHORIZATION

The Insureds agree that the Named Insured will act on behalf of the Insureds with respect to the giving of all notices to the Insurer (except notices provided in Section VI. CONDITIONS, paragraph B. NOTICE OF CLAIM, CIRCUMSTANCE OR NETWORK IMPAIRMENT/PRE-CLAIMS ASSISTANCE/DATE OF CLAIM), the receipt of notices from the Insurer, the payment of the premiums, the receipt of any return premiums that may become due under this Policy, and the agreement to and acceptance of endorsements.

Q. VALUATION

All premiums, limits, retentions, and other amounts under this Policy are expressed and payable in United States of America currency. If any judgment, settlement or any part thereof is expressed or calculated in any other currency, payment of such amount due under this Policy will be made in the currency of the United States of America, at the rate of exchange published in The Wall Street Journal on the date the Insurer's obligation to pay such is established, or, if not published on that date, on the date of next publication.

R. BANKRUPTCY

Bankruptcy or insolvency of any Insured does not relieve the Insurer of any of its obligations hereunder.

If a liquidation or reorganization proceeding is commenced by the Named Insured and/or any other Insured Entity (whether voluntarily or involuntarily) under Title 11 of the United States Code (as amended), or any similar state, local or foreign law (collectively "Bankruptcy Law"), then, in regard to a covered Claim under this Policy, the Insureds hereby:

1. waive and release any automatic stay or injunction to the extent it may apply in such proceeding to the proceeds of this Policy under such Bankruptcy Law; and,

2. agree not to oppose or object to any efforts by the Insurer or any Insured to obtain relief from any stay or injunction applicable to the proceeds of this Policy as a result of the commencement of such liquidation or reorganization proceeding.

S. CONFIDENTIAL SOURCE/RETRACTION OF MATTERS

Solely with respect to a Claim under Insuring Agreement A.1. Media Liability, the Insured's rights under this Policy shall not be prejudiced by the Insured's refusal to reveal the identity of a confidential source or to disclose documents or information obtained by the Insured during the course of any Wrongful Act as set forth in paragraph B. of the definition of Wrongful Act. The Insured shall have full discretion to retract or clarify all Matter.

T. TRADE AND ECONOMIC SANCTIONS

This Policy does not provide coverage for Insureds, transactions or that part of Damages or Claim Expenses that is uninsurable under the laws or regulations of the United States concerning trade or economic sanctions.

U. PROOF, VALUATION AND PAYMENT OF FIRST PARTY LOSS

1. Proof of First Party Loss

The Named Insured must submit a written proof of First Party Loss providing details relating to the particulars and composition of the amounts claimed in the event of a Network Impairment. The proof of loss shall be submitted with reasonable promptness, but in no event later than 6 months after the date initial notice of Network Impairment was submitted to the Insurer. The amount of First Party Loss shall be payable by the Insurer to the Named Insured within 60 days after the Insurer's formal agreement to the amounts claimed in the proof of loss.

2. Examination of the lnsured Books and Records

Solely with respect to verification of First Party Loss, the Insured agrees to allow the Insurer to examine and audit the Insured Entity's books and records that relate to this Policy at any time during the Policy Period and up to 3 years thereafter.

3. Inspections and Surveys

The Insurer has the right, but is not obligated, to do the following, on its own or through its independent contractors:

a. make remote electronic scan inspections of all or any part of the Insured Entity's Network or of the Network of any entities newly acquired by the Insured at any time;

b. give the Insured reports on the conditions the Insurer finds;

c. recommend changes to the Insured Entity's Network; or,

d. conduct loss control and prevention activity.

Any inspections, surveys, reports, or recommendations relate only to insurability and the premiums to be charged. The Insurer, by such inspections, surveys, reports, or recommendations, does not warrant that the Insured Entity's Network is safe or in compliance with laws, regulations, codes or standards, domestic or foreign. This condition applies not only to the Insurer, but also to any rating, advisory, rate service, or similar organization which makes insurance inspections, surveys, reports or recommendations.

Such inspections or surveys will be arranged with the mutual consent of the Insured Entity and the Insurer.

4. First Party Loss and Arbitration

If the Insured and the Insurer disagree on the amount of First Party Loss sustained, either may make a written demand for an appraisal of such First Party Loss. If such demand is made, each party will select an appraiser. The appraisers will state separately the amount of First Party Loss sustained. If they fail to agree, the Insured and the Insurer will submit their differences to an impartial third appraiser jointly selected by both the Insured Entity and the Insurer. A decision agreed to by any two will be binding. The Insured Entity and the Insurer will each bear their own costs with respect to the selection and retention of their appraisers and any disputes arising out of the payment of First Party Loss. The Insurer and the Insured Entity shall jointly bear the costs of the third appraiser.

Any appraisal of First Party Loss shall still be subject to all other terms, conditions and exclusions of thispolicy.

V. HEADINGS

The descriptions in the headings of this Policy are solely for convenience, and form no part of the terms andconditions of coverage.

IN WITNESS WHEREOF, the Insurer has caused this Policy to be signed by its Chairman and Secretary at Chicago, Illinois, but the same shall not be binding upon the Insurer unless countersigned by a duly authorized representative of the Insurer.

Chairman

Secretary

© David G. Ries 2014. All rights reserved.

SAFEGUARDING CONFIDENTIAL INFORMATION

Attorneys’ Ethical and Legal Obligations

David G. Ries Clark Hill PLC Pittsburgh, PA

October, 2014

Contents

Introduction ..... 2
The Threats ..... 2
Duty to Safeguard ..... 9
  1. Ethics Rules ..... 10
  2. Ethics Opinions ..... 12
  3. Ethics Rules – Electronic Communications ..... 14
  4. Ethics Opinions – Electronic Communications ..... 15
  5. Common Law Duties ..... 17
  6. Laws and Regulations Covering Personal Information ..... 18
  7. Summary of Duties ..... 20
Information Security Basics ..... 20
Reasonable Safeguards ..... 22
Conclusion ..... 24
Additional Information ..... 24

Reprinted by permission from the author.

Introduction1

Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. They take a variety of forms, ranging from e-mail phishing scams and social engineering attacks to sophisticated technical exploits resulting in long term intrusions into law firm networks. They also include inside threats, from malicious, to untrained, to inattentive personnel. These threats are a particular concern to attorneys because of their duty of confidentiality. Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory duties to protect client information and other types of confidential information.

Effective information security requires an ongoing, comprehensive process that addresses people, policies and procedures, and technology. It also requires an understanding that security is everyone’s responsibility and constant security awareness by all users of technology.

The Threats

For years, technology attorneys and information security professionals warned lawyers that it was not a question of whether law firms would become victims of successful hacking attacks - it was a matter of when. They pointed to numerous law firm incidents of dishonest insiders and lost or stolen laptops and portable media, but there were no disclosed incidents of successful hacking attacks. It has now reached the “when” – over the last several years, there have been increasing reports in the popular, legal, and security media of successful attacks on attorneys and law firms. They have occurred and are occurring - and attorneys and law firms need to comprehensively address security.

A December 2009 FBI alert warned that law firms and public relations firms were being targeted with spear phishing e-mails2 containing malicious payloads.3 In January 2010, the FBI issued another alert, this time warning law firms about counterfeit check schemes that used e-mails to lure them into relationships with fraudulent overseas “clients.”4

1 Parts of this paper are adapted from prior materials prepared by the author, including David G. Ries, “Safeguarding Confidential Data: Your Ethical and Legal Obligations,” Law Practice (July/August 2010) and David G. Ries, “Cybersecurity for Attorneys: Understanding the Ethical Obligations,” Law Practice TODAY (March 2012).

2 “Spear phishing” is fraudulent e-mail that falsely appears to be from a trusted source and targets a specific organization or individual, seeking unauthorized access to confidential data.

3 FBI Release, “Spear Phishing E-mails Target U.S. Law Firms and Public Relations Firms” (November 17, 2009).

4 FBI Release, “New Twist on Counterfeit Check Schemes Targeting U.S. Law Firms” (January 21, 2010).


The news reports started with a February, 2010, Wired Magazine article that reported on advanced persistent threats (APTs), a particularly nasty form of coordinated and extended hacking attack. It discussed an example of a 2008 APT attack on a law firm that was representing a client in Chinese litigation:5

The attackers were in the firm’s network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.

This attack was investigated by Mandiant, a leading information security firm that specializes in investigation of data breaches.6 Mandiant discovered that the network had been breached for more than a year before the law firm was tipped off to the breach by law enforcement. They could not determine the initial attack vector because the law firm did not have system logs available. The intruders at the law firm were able to obtain more than 30 sets of user credentials, compromise approximately three dozen workstations, and gain full access to all servers and computers on the network for an extended time.

A National Law Journal article in March, 2010, reported that Mandiant had assisted over 50 law firms after security breaches.7 A Mandiant forensics specialist stated in an interview that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.8

The same month, an article in the San Francisco Chronicle, “Law Firms Are Lucrative Targets of Cyberscams,” discussed recent attacks on attorneys, ranging from phishing scams to intrusions into law firm networks to steal lawsuit-related information.9 It reported:

Security experts said criminals gain access into law firms’ networks using highly tailored schemes to trick attorneys into downloading customized malware into their computers. It is not uncommon for them to remain undetected for long periods of time and come and go as they please, they said.

5 Kim Zetter, “Report Details Hacks Targeting Google, Others,” Wired Magazine (February 3, 2010).

6 See Mandiant’s M-Trends [the advanced persistent threat] (2010).

7 Karen Sloan, “Firms Slow to Awaken to Cybersecurity Threat,” The National Law Journal (March 8, 2010) www.nationallawjournal.com/id=1202445679728.

8 Kelly Jackson, “Law Firms under Siege,” Dark Reading (April 6, 2011) www.darkreading.com/attacks-breaches/law-firms-under-siege/229401089.

9 Alejandro Martínez-Cabrera, “Law Firms Are Lucrative Targets of Cyberscams,” San Francisco Chronicle (March 20, 2010).


In November, 2011, the FBI held a meeting for the 200 largest law firms in New York to advise them about the increasing number of attacks. Bloomberg News reported: 10

Over snacks in a large meeting room, the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.

“We told them they need a diagram of their network; they need to know how computer logs are kept,” Galligan [the head of the FBI cyber division in New York City] said of the meeting. “Some were really well prepared; others didn’t know what we were talking about.”

Successful attacks on law firms have continued. Bloomberg News published “China-Based Hackers Target Law Firms to Get Secret Deal Data” in January, 2012.11 It described a group of major hacking incidents in which attackers successfully targeted 7 Canadian law firms and 2 Canadian government agencies to get information about a transaction involving the sale of potash mines in Western Canada. The article reports that Mandiant estimated that 80 major law firms were hacked during 2011.

The SANS Institute, a highly regarded information security research, education, and certification organization, has published an interview with the managing partner and IT partner of a New York law firm that had been hacked.12 The attorneys said that the FBI told the law firm that “our files had been found on a server in another country. The server was used as a way station for sending data to a large Asian country.”

Effective information security is now a requirement for attorneys. In June, 2012, the Wall Street Journal published “Client Secrets at Risk as Hackers Target Law Firms.” It started with:

Think knowing how to draft a contract, file a motion on time and keep your mouth shut fulfills your lawyerly obligations of competence and confidentiality?

Not these days. Cyberattacks against law firms are on the rise, and that means attorneys who want to protect their clients’ secrets are having to reboot their skills for the digital age.

10 Michael A. Riley and Sophia Pearson, “China-Based Hackers Target Law Firms to Get Secret Deal Data,” Bloomberg News (January 31, 2012). www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html

11 Id.

12 SANS Institute, “Conversations About Cybersecurity,” www.sans.org/security-resources/cybersecurity-conversations.

Security threats to law firms continue to grow. In February, 2013, an FBI agent gave a keynote presentation on law firm security threats at LegalTech New York. In an article reporting on it, the special agent in charge of the FBI’s cyber operations in New York City is quoted as stating:13

“We have hundreds of law firms that we see increasingly being targeted by hackers. …We all understand that the cyberthreat is our next great challenge. Cyber intrusions are all over the place, they’re dangerous, and they’re much more sophisticated” than they were just a few years ago.

In August, 2013, ILTA (the International Legal Technology Association) presented "The FBI and Experts Present Security Updates and Strategies for Firms of All Sizes" at its Annual Conference. An FBI speaker called it “a paradigm shift” and noted that attackers are “already in the system.” Another speaker observed that several practice areas appear to be most vulnerable to attack, including oil and gas, technology, and technology patents.14

Shane McGee, the general counsel and vice president of legal affairs at Mandiant Corp., was quoted in a September, 2013 ABA Journal article as follows:15

Law firms need to understand that they’re being targeted by the best, most advanced attackers out there … These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, ‘one-stop shops’ for attackers.

The information on these law firm data breaches is consistent with breaches generally: many are found by third parties and many are discovered only after an extended time. The Verizon 2013 Data Breach Investigations Report, reporting on data breaches in 2012 generally, reports that 70% were discovered by a third party and 66% were detected only after months or years.16

13 Evan Koblenz, “LegalTech Day Three: FBI Security Expert Urges Law Firm Caution,” Law Technology News (February 1, 2013), www.lawtechnologynews.com/id=1202586539710.

14 Monica Bay, “Bring in the FBI: Your Paranoia is Justified,” Law Technology News (August 26, 2013).

15 Joe Dysart, “New hacker technology threatens lawyers’ mobile devices,” ABA Journal Law News Now (September 1, 2013). www.abajournal.com/magazine/article/new_hacker_technology_threatens_lawyers_mobile_devices.

16 www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf.

While the large scale hacking attacks make attention-grabbing headlines, law firms also continue to face smaller scale, yet still serious, security incidents, like lost or stolen laptops, tablets, smartphones, and USB drives. For example, a Maryland law firm lost an unencrypted portable hard drive containing medical information when an employee left it on a light rail train.17 The idea was good – take it offsite for backup – but the execution was a security risk – it wasn’t encrypted.

It happened again in June, 2014. A Georgia-based criminal defense firm reported that a backup drive containing personal information, including Social Security numbers, was stolen from an employee’s locked trunk.18 It was not encrypted.

In addition to threats from criminals and hackers, law firms, like other businesses and enterprises, also face threats from the inside. The insider threat includes a spectrum of trusted employees and third-parties with access, ranging from criminal, to malicious, to disgruntled, to untrained, to careless, to bored, to honestly mistaken. It even includes dedicated employees who just want to use their own technology to do their jobs better. Unauthorized hardware, software, and services can be a threat from insiders in any of these groups. A recent international survey of IT security professionals reported that 41% of those surveyed viewed rogue employees as the biggest threats to their organizations.19

A recent survey reported the following on the scope of the risk from employee use of their own technology:20

It's out there: lurking in cubicles, infiltrating boardrooms, pulsing through desktops and laptops and tablets. Viral. Relentless. Unstoppable.

Rogue IT is the name given to the informal, ad hoc software and devices brought by employees into the workplace. If you've ever taken your own iPad to work or used cloud-based software like Evernote or Dropbox in the office, you may well be an offender. And you're not alone. Some 43% of businesses report that their employees are using cloud services independently of the IT department, according to a recent survey of 500 IT decision makers.

A recognized security consultant has summarized the accidental insider threat this way:21

17 Tricia Bishop, “Law Firm Loses Hard Drive with Patient Records,” Baltimore Sun (October 10, 2011) http://articles.baltimoresun.com/2011-10-10/news/bs-md-stent-hard-drive-20111010_1_patient-records-law-firm-medical-records.

18 Adam Greenberg, “Backup hard drive stolen from law firm contained personal information,” SC Magazine (August 27, 2014) www.scmagazine.com/backup-hard-drive-stolen-from-law-firm-contained-personal-info/article/368427/.

19 Avecto Press Release (June 7, 2013) www.avecto.com/news-events/press-releases/80-of-it-security-professionals-say-their-greatest-threats-are-from-rogue-employees,-malware-exploits-or-unauthorized-software.

20 Ryan Holmes, "’Rogue IT’ is About to Wreak Havoc at Work,” Fortune (August 9, 2012) http://tech.fortune.cnn.com/2012/08/09/rogue-it.

21 Tom Field, “Insider Threat: 'You Can't Stop Stupid,'” BankInfoSecurity, Interview with Eric Cole (July 28, 2010) www.bankinfosecurity.com/insider-threat-you-cant-stop-stupid-a-2789/op-1.


Much is misunderstood today about the evolving insider threat. …In particular, senior leaders need to realize that their greatest risks aren't from rogue employees looking to cause damage, but rather from inadvertent breaches caused by staffers who simply stumble into costly mistakes.

The FBI’s Chief Information Security Officer expressed the same concern in a presentation on the FBI’s insider threat program at the 2013 RSA Security Conference.22 The FBI’s program was created after the 2001 Robert Hanssen incident in which an FBI agent was caught stealing information and selling it to the Russians. The CISO noted that authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat. But a quarter of the incidents that the FBI tracks in its systems on an annual basis are from "knucklehead" problems: unintentional acts in which employees compromise systems by not following procedures, losing equipment and sensitive data, clicking on spam, inappropriate emails or Web links, or mishandling passwords and accounts. He said the FBI spends about 35% of its response time on these types of incidents.

Insider security incidents are often not publicly disclosed unless they lead to criminal prosecution or required data breach notices. For this reason, the availability of statistics and examples is limited. The incident of the hard drive left on the light rail is an example of the insider threat in a law firm – most likely from a lack of security procedures, inadequate training, or both.

22 Ericka Chickowski, “5 Lessons from the FBI Insider Threat Program,” Dark Reading (March 1, 2013) www.darkreading.com/insider-threat/5-lessons-from-the-fbi-insider-threat-pr/240149745.

23 U.S. Department of Justice Press Release, “Manhattan Paralegal Sentenced for Theft of Litigation Trial Plan,” (January 30, 2002).

24 U.S. Department of Justice Press Release, “L.A. Man Pleads Guilty to Theft of Trade Secrets for Stealing Information to DirecTV ‘Smart Card,’” (April 28, 2003).

25 U.S. Department of Justice Press Release, “Second Former Law Firm Employee Sentenced in Connection with Theft of Computers from Law Firm,” (April 20, 2009).

There are also older examples of intentional insider threats in law firms that illustrate the risks. A former Manhattan paralegal was sentenced to prison after pleading guilty to downloading his firm’s 400 page electronic trial plan for an asbestos case and offering to sell it to opposing counsel.23 In another example, a college student who worked for a service provider at a law firm pled guilty to theft of intellectual property.24 The student was brought in to help by his uncle, an employee of the service provider, because they were behind on the job. The firm represented DirecTV in litigation with one of its security vendors. The student worked in a secure area in the law firm’s offices, where he copied paper and electronic data for production in the litigation. He found the technology that controlled access by customers to DirecTV, copied it to a CD, and posted it on a hacker bulletin board. In a third example, a former IT employee of a large law firm pled guilty to theft of 156 computers and monitors from the law firm that he sold on eBay for over $74,000.25 More recently, a Pennsylvania law firm sued a former attorney, alleging that he took thousands of client files using Dropbox.26

As these examples of security incidents of all kinds demonstrate, law firm data faces substantial and real threats. The American Bar Association’s 2014 Technology Survey reports that 13.8% of all responding attorneys reported that their firm had suffered a security breach at some time, broken down by size of firm (number of attorneys) as follows:

Solo             11.7%
2-9              13.3%
10-49            18.8%
50-99            15.0%
100-499           9.5%
500 or more      17.2%
All firms        13.8%

A number of responding attorneys reported that they didn’t know whether their firm had suffered a security breach in the past – 67.2% of large firms and 25.7% of all firms.

In addition to these other growing threats, a current concern for security and confidentiality for attorneys, particularly those representing foreign clients or engaged in international transactions, is government surveillance – both by the U.S. government and foreign governments. In August of 2013, the ABA adopted a resolution, recommended by the ABA Cybersecurity Legal Task Force, condemning intrusions into attorneys’ systems and networks, including those by governments.27 It included the following:

RESOLVED, That the American Bar Association condemns unauthorized, illegal governmental, organizational and individual intrusions into the computer systems and networks utilized by lawyers and law firms.

26 Debra Cassens Weiss, “Suit Claims Ex-Partner Installed Software Allowing Continued Access to Law Firm Files,” ABA Journal Law News Now (February 13, 2012).

27 Available at www.americanbar.org/content/dam/aba/administrative/law_national_security/resolution_118.authcheckdam.pdf

In February of 2014, the New York Times reported that documents leaked by Edward Snowden showed that an American law firm had been monitored by the Australian Signals Directorate, an NSA ally, while the law firm was representing a foreign government in trade disputes with the U.S.28 Following this report, ABA President James Silkenat wrote to the Director and General Counsel of the NSA about this incident, including:29

I write to express our concerns over allegations raised in recent press reports concerning possible foreign government surveillance of American lawyers’ confidential communications with their overseas clients, the subsequent sharing of privileged information from those communications with the National Security Agency (“NSA”), and the possible use of that information by the U.S. Government or third parties.

NSA Director, General Keith Alexander, responded, noting:30

NSA is firmly committed to the rule of law and the bedrock legal principle of attorney-client privilege, which as you noted, is one of the oldest recognized privileges for confidential communications.

*** Let me be absolutely clear: NSA has afforded, and will continue to afford, appropriate protection to privileged attorney-client communications acquired during its lawful foreign intelligence mission in accordance with privacy procedures required by Congress, approved by the Attorney General, and, as appropriate, reviewed by the Foreign Intelligence Surveillance Court.

Security threats to lawyers and law firms continue to be substantial, real, and growing – data breaches and security incidents have occurred and are occurring. It is critical for attorneys and law firms to recognize them and address them through comprehensive information security programs.

Duty to Safeguard

Attorneys’ use of technology presents special ethics challenges, particularly in the areas of competence and confidentiality. Attorneys also have common law duties to protect client information and may have contractual and regulatory duties. These duties to safeguard information relating to clients are minimum standards with which attorneys are required to comply. Attorneys should aim for even stronger safeguards as a matter of sound professional practice and client service.

28 James Risen and Laura Poitras, “Spying by N.S.A Ally Entangles U.S. Law Firm,” New York Times (February 15, 2014), www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-american-law-firm.html?_r=0.

29 Letter dated February 20, 2014, www.americanbar.org/content/dam/aba/uncategorized/GAO/2014feb20_privilegedinformation_l.authcheckdam.pdf.

30 Letter dated March 10, 2014, www.americanbar.org/content/dam/aba/images/abanews/nsa_response_03102014.pdf.


1. Ethics Rules

The duty of competence (ABA Model Rule 1.1) requires attorneys to know what technology is necessary and how to use it. The duty of confidentiality (ABA Model Rule 1.6) is one of an attorney’s most fundamental ethical responsibilities. Together, these rules require attorneys using technology to take competent and reasonable measures to safeguard client data. This duty extends to all use of technology, including computers, mobile devices, networks, technology outsourcing, and cloud computing.

Model Rule 1.1 covers the general duty of competence. It provides that “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology. It requires attorneys who lack the necessary technical competence for security (many, if not most attorneys) to consult with qualified people who have the requisite expertise.

Model Rule 1.4, Communications, also applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” It requires notice to a client of compromise of confidential information relating to the client.

Model Rule 1.6 generally defines the duty of confidentiality. It begins as follows:

A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). . . .

Rule 1.6 broadly requires protection of “information relating to the representation of a client;” it is not limited to confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).

The ABA Commission on Ethics 20/20 conducted a review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments. One of its core areas of focus was technology and confidentiality. Its Revised Draft Resolutions in this area were adopted by the ABA at its Annual Meeting in August of 2012.31

The amendments include addition of the following highlighted language to the Comment to Model Rule 1.1 Competence:

31 See, www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html.


[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology, …

The amendments also added the following new subsection (highlighted) to Model Rule 1.6 Confidentiality of Information:

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

This requirement covers two areas – inadvertent disclosure and unauthorized access. Inadvertent disclosure includes threats like leaving a briefcase, laptop, or smartphone in a taxi or restaurant, sending a confidential e-mail to the wrong recipient, producing privileged documents or data, or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware, and insider threats.

The amendments also include the following changes to Comment [18] to this rule:

Acting Competently to Preserve Confidentiality

[18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons or entities who are participating in the representation of the client or who are subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.


Significantly, these revisions are clarifications rather than substantive changes. They add additional detail that is consistent with the then existing rules and comments, ethics opinions, and generally accepted information security principles.32

Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants) was amended to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers inside and outside a law firm provide services in compliance with attorneys’ duty of confidentiality.

2. Ethics Opinions

A number of state ethics opinions have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the subsequent Ethics 20/20 amendments, they generally require competent and reasonable safeguards. It is important for attorneys to consult the rules, comments, and ethics opinions in the relevant jurisdiction(s).

An early example is State Bar of Arizona, Opinion No. 05-04 (July 2005) (Formal Opinion of the Committee on the Rules of Professional Conduct). It requires “competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence” and “competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.” It further explains that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Additional examples include New Jersey Advisory Committee on Professional Ethics, Opinion 701, “Electronic Storage and Access of Client Files” (April, 2006), State Bar of Arizona, Opinion No. 09-04 (December, 2009): “Confidentiality; Maintaining Client Files; Electronic Storage; Internet” (Formal Opinion of the Committee on the Rules of Professional Conduct), State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2010-179, and New York State Bar Association Opinion 1019, “Confidentiality; Remote Access to Client Electronic Files” (August 6, 2014).

Significantly, California Formal Opinion No. 2010-179 advises attorneys that they must consider security before using a particular technology in the course of representing a client. It notes that attorneys “must take appropriate steps to evaluate,” among other considerations, “the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security.” The opinion covers use of a firm-issued laptop and use of public and home wireless networks.

32 “This duty is already described in several existing Comments, but the Commission concluded that, in light of the pervasive use of technology to store and transmit confidential client information, this existing obligation should be stated explicitly in the black letter of Model Rule 1.6.” ABA Commission on Ethics 20/20, Report to Resolution 105A Revised, Introduction (2012).

Attorneys need to stay up to date as technology changes and new threats are identified. For example, following news reports that confidential information had been found on digital copiers that were ready for resale,33 The Florida Bar issued Professional Ethics of the Florida Bar Opinion 10-2 (September, 2010) that addresses this risk. Its conclusion states:

In conclusion, when a lawyer chooses to use Devices that contain Storage Media, the lawyer must take reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition. These reasonable steps include: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.

There are now multiple ethics opinions on attorneys’ use of cloud computing services like online file storage and software as a service (SaaS).34 For example, New York Bar Association Committee on Professional Ethics Opinion 842 “Using an outside online storage provider to store client confidential information” (September, 2010), consistent with the general requirements of the ethics opinions above, concludes:

A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer's obligations under Rule 1.6. A lawyer using an online storage provider should take reasonable care to protect confidential information, and should exercise reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the "cloud" will not waive or jeopardize any privilege protecting the information.

33 E.g., Armen Keteyian, “Digital Copiers Loaded with Secrets,” CBS Evening News (April 19, 2010). www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets.

34 The ABA Legal Technology Resource Center has published a summary with links, “Cloud Ethics Opinions Around the U.S.,” available at www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.

Additional examples are Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (November, 2011) and North Carolina State Bar 2011 Formal Ethics Opinion 6, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (January, 2012).

The key professional responsibility requirements from these various opinions on attorneys’ use of technology are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ competence, obtaining appropriate assistance, continuing security awareness, appropriate supervision, and ongoing review as technology, threats, and available security evolve.

3. Ethics Rules – Electronic Communications

E-mail and electronic communications have become everyday communications forms for attorneys and other professionals. They are fast, convenient, and inexpensive, but also present serious risks. It is important for attorneys to understand and address these risks.

In addition to adding the requirement of reasonable safeguards to protect confidentiality, the Ethics 2000 revisions to the Model Rules, over 10 years ago, also added Comment 17 [now 19] to Rule 1.6. This comment requires reasonable precautions to safeguard and preserve confidential information during electronic transmission. This Comment, as amended in accordance with the Ethics 20/20 recommendations (highlighted), provides:

[19] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

This Comment requires attorneys to take “reasonable precautions” to protect the confidentiality of electronic communications. It is often viewed as providing that attorneys never need to use “special security measures” like encryption.35 While it does state that “special security measures” are not generally required, it contains qualifications and notes that “special circumstances” may warrant “special precautions.” It includes the important qualification - “if the method of communication affords a reasonable expectation of privacy.” As discussed below, there are questions about whether Internet e-mail affords a reasonable expectation of privacy.

4. Ethics Opinions – Electronic Communications

An ABA ethics opinion in 1999 and several state ethics opinions have concluded that special security measures, like encryption, are not generally required for confidential attorney e-mail.36

However, these opinions should be carefully reviewed because, like Comment 19, they contain qualifications that limit their general conclusions.

For example, New York Bar Association Committee on Professional Ethics Opinion 709 “Use of Internet to advertise and to conduct law practice focusing on trademarks; use of Internet e-mail; use of trade names” (September, 1998) concludes:

We therefore conclude that lawyers may in ordinary circumstances utilize unencrypted Internet e-mail to transmit confidential information without breaching their duties of confidentiality … to their clients, as the technology is in use today. Despite this general conclusion, lawyers must always act reasonably in choosing to use e-mail for confidential communications, as with any other means of communication. Thus, in circumstances in which a lawyer is on notice for a specific reason that a particular e-mail transmission is at heightened risk of interception, or where the confidential information at issue is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer's control, the lawyer must select a more secure means of communication than unencrypted Internet e-mail.

35 Encryption is a process that translates a message into a protected electronic code. The recipient (or anyone intercepting the message) must have a key to decrypt it and make it readable. E-mail encryption has become easier to use over time. Transport layer security (TLS) encryption is available to automatically encrypt e-mail between two e-mail gateways. If a law firm and client each have their own e-mail gateways, TLS can be used to automatically encrypt all e-mails between them.

A virtual private network is an arrangement in which all communications between two networks or between a computer and a network are automatically protected with encryption. See, David G. Ries and John W. Simek, “Encryption Made Simple for Lawyers,” GPSolo Magazine (November/December 2012).

36 E.g., ABA Formal Opinion No. 99-413, Protecting the Confidentiality of Unencrypted E-Mail (March 10, 1999) (“based upon current technology and law as we are informed of it …a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a)…” “…this opinion does not, however, diminish a lawyer's obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters.”) and District of Columbia Bar Opinion 281, “Transmission of Confidential Information by Electronic Mail,” (February, 1998), (“In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”).
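Footnote 35 above describes TLS between e-mail gateways. Whether a particular message actually travelled that way is recorded hop by hop in its Received: headers: each receiving server writes one, naming the transport it accepted the message "with". RFC 3848 registers the keywords ESMTPS and ESMTPSA for SMTP sessions protected by TLS (RFC 6531 adds the UTF8SMTPS variants), while a bare ESMTP or SMTP keyword marks a hop accepted in the clear. The following Python script is an added example, not part of these CLE materials, that walks those headers and reports which hops were unprotected; the sample message, host names and addresses are constructed for illustration.

```python
"""Report which SMTP hops of a received e-mail were protected by TLS.

Added example (not from the CLE materials).  Each Received: header is
written by the server that accepted the message and records the transport
it was received "with".  RFC 3848 registers ESMTPS / ESMTPSA for SMTP
sessions protected by TLS (RFC 6531 adds the UTF8SMTPS variants); a bare
ESMTP or SMTP keyword means that hop was accepted in the clear.
"""
import re
from email import message_from_string, policy
from typing import Dict, List

# "with" keywords that denote a TLS-protected session (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: the message left a workstation for the firm's gateway
# over TLS (ESMTPS) and was then relayed to the client's server in the clear
# (ESMTP).  Host names and addresses are illustrative only.
SAMPLE_MESSAGE = (
    "Received: from mx.lawfirm.example (mx.lawfirm.example [192.0.2.10])\n"
    "\tby mail.client.example with ESMTP id abc123;\n"
    "\tFri, 7 Nov 2014 09:00:02 -0800\n"
    "Received: from workstation.lawfirm.example ([198.51.100.7])\n"
    "\tby mx.lawfirm.example with ESMTPS (TLSv1.2) id def456;\n"
    "\tFri, 7 Nov 2014 09:00:01 -0800\n"
    "From: attorney@lawfirm.example\n"
    "To: contact@client.example\n"
    "Subject: Draft agreement\n"
    "\n"
    "Please see the attached draft.\n"
)


def analyze_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return one record per Received: header, oldest hop first."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    # Received: headers are prepended by each server, so the first header
    # in the message is the newest hop; reverse to follow the message's path.
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header))  # unfold the header
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        transport = re.search(r"\bwith\s+(\S+)", text)
        keyword = transport.group(1).upper() if transport else ""
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "with": keyword,
            "tls": keyword in TLS_KEYWORDS,
        })
    return hops


def unprotected_hops(raw_message: str) -> List[str]:
    """Names of the receiving servers that accepted the message without TLS."""
    return [h["by"] for h in analyze_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in analyze_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEAR"
        print(f"{status:5} {hop['from']} -> {hop['by']} ({hop['with']})")
    print("unprotected:", unprotected_hops(SAMPLE_MESSAGE))
```

Two limits matter when reading the result. Each Received: line is written by the server that accepted the message, so only the lines added by gateways the firm or the client controls can be relied on; anything above those lines could have been written by an upstream party. And a server that does not follow RFC 3848 may record plain ESMTP even when it negotiated TLS, so a "CLEAR" hop is a prompt to check that gateway's own logs or configuration rather than a final verdict. Used against messages exchanged between the two parties' own gateways, the check confirms the arrangement footnote 35 describes, that the firm's and the client's gateways are in fact encrypting the traffic between them.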

A lawyer who uses Internet e-mail must also stay abreast of this evolving technology to assess any changes in the likelihood of interception as well as the availability of improved technologies that may reduce such risks at reasonable cost. It is also sensible for lawyers to discuss with clients the risks inherent in the use of Internet e-mail, and lawyers should abide by the clients’ wishes as to its use.

There are serious questions about the confidentiality of Internet e-mail. Respected security professionals for years have compared e-mail to postcards or postcards written in pencil.37

A June 2014 post by Google on the Google Official Blog38 and a July 2014 New York Times article39 use the same analogy – comparing unencrypted e-mails to postcards. Encryption is being increasingly required in areas like banking and health care. New laws in Nevada40 and Massachusetts41 (which apply to attorneys as well as others) require defined personal information to be encrypted when it is electronically transmitted. As the use of encryption grows in areas like these, it will become difficult for attorneys to demonstrate that confidential client data needs lesser protection.

37 E.g., B. Schneier, E-Mail Security - How to Keep Your Electronic Messages Private, (John Wiley & Sons, Inc. 1995) p. 3; B. Schneier, Secrets & Lies: Digital Security in a Networked World, (John Wiley & Sons, Inc. 2000) p. 200 ("The common metaphor for Internet e-mail is postcards: Anyone – letter carriers, mail sorters, nosy delivery truck drivers - who can touch the postcard can read what's on the back."); and Larry Rogers, Email – A Postcard Written in Pencil, Special Report, (Software Engineering Institute, Carnegie Mellon University 2001).

38 “Transparency Report: Protecting Emails as They Travel Across the Web,” Google Official Blog (June 3, 2014) (“…we send important messages in sealed envelopes, rather than on postcards. …Email works in a similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.”) http://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html.

39 Molly Wood, “Easier Ways to Protect Email From Unwanted Prying Eyes,” New York Times (July 16, 2014) (“Security experts say email is a lot more like a postcard than a letter inside an envelope, and almost anyone can read it while the note is in transit. The government can probably read your email, as can hackers and your employer.”) www.nytimes.com/2014/07/17/technology/personaltech/ways-to-protect-your-email-after-you-send-it.html?_r=0.

40 Nev. Rev. Stat. 603A.010, et seq.

41 Mass. Gen. Laws Ch. 93H, regulations at 201 CMR 17.00.

Consistent with these questions about the security of e-mail, some ethics opinions express a stronger view that encryption may be required. For example, New Jersey Opinion 701 (April, 2006), discussed above, notes at the end: “where a document is transmitted to [the attorney]… by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.”42

California Formal Opinion No. 2010-179, also discussed above, notes that “encrypting email may be a reasonable step for an attorney in an effort to ensure the confidentiality of such communications remain so when circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”

An Iowa opinion on cloud computing suggests the following as one of a series of questions that attorneys should ask when determining appropriate protection: “Recognizing that some data will require a higher degree of protection than others, will I have the ability to encrypt certain data using higher level encryption tools of my choosing?” Iowa Ethics Opinion 11-01.

The recent Pennsylvania ethics opinion on cloud computing, discussed above, concludes that “attorneys may use email but must, under appropriate circumstances, take additional precautions to assure client confidentiality.” It discusses encryption as an additional precaution that may be required when using services like web mail. Pennsylvania Formal Opinion 2011-200.

In addition to complying with any legal requirements that apply, the most prudent approach to the ethical duty of protecting confidentiality is to have an express understanding with clients about the nature of communications that will be (and will not be) sent electronically and whether or not encryption and other security measures will be utilized.

It has now reached the point (or at least is reaching it) where most attorneys should have encryption available for use in appropriate circumstances.

5. Common Law Duties

Along with these ethical duties, there are also parallel common law duties defined by case law in the various states. The Restatement (3rd) of the Law Governing Lawyers (2000) summarizes this area of the law. See, Section 16(2) on competence and diligence, Section 16(3) on complying with obligations concerning client’s confidences, and Chapter 5, “Confidential Client Information.” Breach of these duties can result in a malpractice action.

42 File password protection in some software, like current versions of Microsoft Office, Adobe Acrobat, and WinZip uses encryption to protect security. It is generally easier to use than encryption of e-mail and attachments. However, the protection can be limited by use of weak passwords that are easy to break or “crack.”

There are also instances when lawyers have contractual duties to protect client data. This is particularly the case for clients in regulated industries, such as health care and financial services, that have regulatory requirements to protect privacy and security. Clients are recognizing that law firms may be the weak links in protecting their confidential information and are increasingly requiring specified safeguards, providing questionnaires about a law firm’s security, and even requiring security audits.43

6. Laws and Regulations Covering Personal Information

In addition to the ethical and common law duties to protect client information, various state and federal statutes and regulations require protection of defined categories of personal information. Some of these are likely to apply to lawyers who possess any specified personal information about their employees, clients, clients’ employees or customers, opposing parties and their employees, or even witnesses.

At least 10 states now have general security laws that require reasonable measures to protect defined categories of personal information (including California, Massachusetts, Maryland, New Jersey and Rhode Island). While the scope of coverage, the specificity of the requirements and the definitions vary among these laws, personal information is usually defined to include general or specific facts about an identifiable individual. The exceptions tend to be information that is presumed public and does not have to be protected (e.g., a business address).

There are now a number of state laws that require specific safeguards for defined types of personal information as well. They generally cover Social Security numbers, driver’s license numbers and financial account numbers, but some also cover health information. They include laws requiring reasonable security, breach notices and secure disposal.

The most comprehensive law of this type to date is a recent Massachusetts law, M.G.L. c. 93H, which applies to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”

43 Jessica Silver-Greenberg and Matthew Goldstein, “After JPMorgan Chase Breach, Push to Close Wall St. Security Gaps,” New York Times (October 21, 2014) (“need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies”) http://dealbook.nytimes.com/2014/10/21/after-jpmorgan-cyberattack-a-push-to-fortify-wall-street-banks/?_php=true&_type=blogs&_php=true&_type=blogs&_r=1; Jennifer Smith and Emily Glazer, “Banks Demand that Law Firms Harden Cyberattack Defenses,” Wall Street Journal (October 26, 2014) (“law firms big and small are getting security audits”) http://online.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709 and Sharon D. Nelson & John W. Simek, “Clients Demand Law Firm Cyber Audits,” Law Practice (November/December 2013) www.americanbar.org/publications/law_practice_magazine/2013/november-december/hot-buttons.html.

Covered “personal information” includes Social Security numbers, driver’s license numbers, state-issued identification card numbers, financial account numbers and credit card numbers.

The implementing regulation became effective March 1, 2010. With its broad coverage of “persons,” this law may well be applied to persons nationwide, including attorneys and law firms, when they have sufficient contacts with Massachusetts to satisfy personal jurisdiction requirements.

It requires covered persons to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards.” In addition to requiring a risk assessment, the regulation contains detailed requirements for the information security program and detailed computer system security requirements. The security requirements include:

Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; and

Encryption of all personal information stored on laptops or other portable devices.

Additional system security requirements are secure user authentication, secure access control, reasonable monitoring to detect unauthorized access, reasonably up-to-date firewall protection, reasonably up-to-date security software (including current patches and virus definitions), and education and training of employees.

Lawyers and law firms should think about and understand the consequences of the Massachusetts law, as some observers believe that it will become a model for comprehensive protection of personal information.

Nevada also has laws that require “reasonable security measures” and encryption (NRS 603A.210 and NRS 597.970), although they are much less detailed than the Massachusetts law. Note, too, that encryption is already required for federal agencies that have information about individuals on laptops and portable media. As encryption becomes a security standard, it is likely to become the standard of what is reasonable for lawyers.

The obligations don’t stop, however, at protecting the confidentiality of information. Forty-seven states, the District of Columbia and the Virgin Islands have laws that require notification concerning data breaches (all but Mississippi, New Mexico and South Dakota). While there are differences in their scope and requirements, they generally require entities that own, license or possess defined categories of personally identifiable information about consumers to notify affected consumers if there is a breach. Like the reasonable security laws, many of these laws apply to covered information “about” residents of the state. Some require notice to a state agency in addition to notice to consumers.

In addition to these state laws, a number of bills have been introduced in Congress during the last several years to set minimum federal standards for protection of personal information and breach notice. While there appears to be strong support for a federal solution, nothing has been enacted because of factors like disagreement about details of a solution and overlapping committee jurisdiction. Following the recent high profile Target data breach, legislation has again been introduced, with requirements like requiring the Federal Trade Commission (FTC) to issue security standards for companies that hold consumers’ personal and financial information and setting uniform federal standards for breach notification. For example, several Senators introduced the Personal Data Privacy and Security Act, the fourth time it was introduced since 2005, others introduced the Data Security and Breach Notification Act, and another group introduced the Personal Data Protection and Breach Accountability Act.

To add to the web of issues involved, at least 19 states also now have laws that require secure disposal of paper and electronic records that contain defined personal information. The Federal Trade Commission’s Disposal Rule, 16 C.F.R. Part 682, has similar requirements for consumer credit reports and information derived from them.

Also on the federal level, an attorney who receives protected individually identifiable health information (PHI) from a covered entity under the Health Insurance Portability & Accountability Act (HIPAA) will generally be a “business associate” and be required to comply with the HIPAA security requirements. The 2009 HITECH Act enhanced HIPAA security requirements, extended them directly to business associates, and added a new breach notification requirement. See, 45 CFR Parts 160 and 164.

7. Summary of Duties

The ethics rules and common law duties require attorneys to take competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ competence, obtaining appropriate assistance, continuing security awareness, appropriate supervision, and ongoing review as technology, threats, and available security evolve. These ethical and common law duties, as well as any applicable contractual and regulatory duties, are minimum standards of conduct. Attorneys should aim for even stronger safeguards as a matter of sound professional practice and client service. While the risks of disciplinary proceedings, malpractice claims, and regulatory actions arising from security breaches are real, the greatest risks are often dissatisfied clients (or former clients) and harm to professional reputation.

Information Security Basics

Information security is a process to protect the confidentiality, integrity, and availability of information. Comprehensive security must address people, policies and procedures, and technology. While technology is a critical component of effective security, the other aspects must also be addressed. As explained by Bruce Schneier, a highly respected security professional, "[i]f you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."44 The best technical security is likely to fail without adequate attention to people and policies and procedures. Many attorneys incorrectly think that security is just for the IT department or consultants. While IT has a critical role, everyone, including management, all attorneys, and all support personnel, must be involved for effective security.

44 Bruce Schneier, Secrets and Lies - Digital Security in a Networked World (John Wiley & Sons, Inc. 2000) at p. xii.

An equally important concept is that security requires training and ongoing attention. It must go beyond a one-time “set it and forget it” approach. A critical component of a law firm security program is constant vigilance and security awareness by all users of technology. As a recent ABA report aptly put it:45

Lawyers must commit to understanding the security threats that they face, they must educate themselves about the best practices to address those threats, and they must be diligent in implementing those practices every single day.

(Emphasis added.)

Security starts with a risk assessment to identify anticipated threats to the information assets, including an inventory of information assets to determine what needs to be protected. The next step is development and implementation of a comprehensive information security program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks. This is the most difficult part of the process. It must address people, policies and procedures, and technology. It needs to include policies, assignment of responsibility, training, ongoing security awareness, monitoring for compliance, and periodic review and updating.

At the ABA Annual Meeting in August, 2014, the ABA adopted a resolution on cybersecurity that is consistent with this general approach:46

RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.

It recommends an appropriate cybersecurity program for all private and public sector organizations, which includes law firms.

The requirement for lawyers is reasonable security, not absolute security. New Jersey Ethics Opinion 701 states “’[r]easonable care,’ however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible…” Recognizing this concept, the Ethics 20/20 amendments to the Comment to Rule 1.6 include “…[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

45 Joshua Poje, “Security Snapshot: Threats and Opportunities,” ABA TECHREPORT 2013 (ABA Legal Technology Resource Center 2013).

46 Available at www.americanbar.org/content/dam/aba/images/abanews/2014am_hodres/109.pdf.

Security involves thorough analysis and often requires balancing and trade-offs to determine what risks and safeguards are reasonable under the circumstances. Considerations include the sensitivity of the information, the risks, and available safeguards (including their cost, difficulty of implementation, and effect on usability of the technology). There is frequently a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy to use technology is frequently insecure. The challenge is striking the correct balance among all of these often competing factors. This aspect of security is also recognized by the Ethics 20/20 amendments.

Reasonable Safeguards

The greatest challenge for lawyers in establishing cybersecurity programs is deciding what security measures are necessary and then implementing them. Determining what constitutes “competent and reasonable measures” can be difficult. The Ethics 20/20 amendments, discussed above, provide some high-level guidance by identifying the following factors for determining reasonable and competent safeguards:

Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

A number of organizations have published security standards that can be used in determining reasonable security for a law firm. Examples include The SANS Institute’s Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, currently in Version 4.0,47 the National Institute of Standards and Technology’s (NIST) standards in many areas, including “Small Business Information Security: the Fundamentals,” NISTIR-7621 (October 2009),48 and the International Organization for Standardization (ISO)49 27000 series security standards, including ISO/IEC 27001:2013, Information Technology—Security Techniques—Information Security Management System—Requirements, ISO/IEC 27002:2013, Information Technology—Code of Practice for Information Security Management, and others. The CERT Coordination Center at Carnegie Mellon University,50 US-CERT (part of the U.S. Department of Homeland Security),51 and the Center for Internet Security52 are additional sources of information for measuring “reasonable” safeguards.

47 Available at www.sans.org/critical-security-controls.

48 Available at http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf.

49 www.iso.org/iso/home.html.

50 www.cert.org.

51 www.us-cert.gov.


ILTA (the International Legal Technology Association) has established the LegalSEC initiative, which is analyzing and adapting current standards and delivering a set of security policy and procedures templates tailored to law firms.53

As a final example of guidance, the ABA President appointed the ABA Cybersecurity Legal Task Force in 2012.54 Its focus includes security for law firms and clients, critical infrastructure security, and international cybersecurity issues. It has been working on security and data breach guidance for attorneys.

Protection of laptops, smartphones, tablets, and other mobile devices presents a good example of application of the requirement of “reasonable efforts” to a specific category of technology. Mobile devices present a great security risk because they can be easily lost or stolen. The Verizon 2014 Data Breach Investigation Report (covering 2013) explains the risk and a solution to it – encryption – this way:55

PHYSICAL THEFT AND LOSS RECOMMENDED CONTROLS

The primary root cause of incidents in this pattern is carelessness of one degree or another. Accidents happen. People lose stuff. People steal stuff. And that’s never going to change. But there are a few things you can do to mitigate that risk.

Encrypt devices

Considering the high frequency of lost assets, encryption is as close to a no-brainer solution as it gets for this incident pattern. Sure, the asset is still missing, but at least it will save a lot of worry, embarrassment, and potential lawsuits by simply being able to say the information within it was protected.

While each attorney and law firm has to determine what is reasonable in their own circumstances, this raises the question: does failure to use encryption for mobile devices – a no-brainer solution – comply with the duty to employ reasonable safeguards?

Significantly, the Verizon 2013 Data Breach Investigation Report (covering 2012) reports that 78% of breaches were of low or very low difficulty for initial compromise.56 This suggests that basic and intermediate safeguards may have prevented many of them.

52 www.cisecurity.org.

53 www.iltanet.org, click on “Publications,” then “LegalSEC.”

54 www.americanbar.org/groups/leadership/office_of_the_president/cybersecurity.html.

55 www.verizonenterprise.com/DBIR/2014/.

56 www.verizonenterprise.com/DBIR/2013.


Conclusion

Attorneys have ethical and common law obligations to take competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory requirements. Compliance with these duties requires developing and implementing a comprehensive information security program. Important considerations for attorneys include understanding limitations in their competence, obtaining appropriate qualified assistance, continuing security training, and ongoing review and updating as technology, threats, and available security evolve over time. Particularly important is constant security awareness by all users of technology – every day, every time they’re using technology.

Additional Information

American Bar Association, Legal Technology Resource Center www.americanbar.org/groups/departments_offices/legal_technology_resources.html

American Bar Association, A Playbook for Cyber Events (American Bar Association 2013)

American Bar Association, Section of Science and Technology Law, Information Security Committee http://apps.americanbar.org/dch/committee.cfm?com=ST230002

ILTA (International Legal Technology Association), LegalSEC www.iltanet.org, click on “Publications,” then “LegalSEC.”

National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (February 2014) www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Sharon D. Nelson, David G. Ries and John W. Simek, Locked Down: Information Security for Lawyers (American Bar Association 2012)

Jill D. Rhodes and Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (American Bar Association 2013)

Thomas J. Shaw, Editor, Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (American Bar Association 2011)


AMERICAN BAR ASSOCIATION

EXCERPTS FROM THE MODEL RULES OF PROFESSIONAL CONDUCT

RULE 1.1 COMPETENCE

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Comment 1

In determining whether a lawyer employs the requisite knowledge and skill in a particular matter, relevant factors include the relative complexity and specialized nature of the matter, the lawyer’s general experience, the lawyer’s training and experience in the field in question, the preparation and study the lawyer is able to give the matter and whether it is feasible to refer the matter to, or associate or consult with, a lawyer of established competence in the field in question. In many instances, the required proficiency is that of a general practitioner. Expertise in a particular field of law may be required in some circumstances.

Comment 8

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

RULE 1.6 CONFIDENTIALITY OF INFORMATION

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:

(1) to prevent reasonably certain death or substantial bodily harm;

(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services;

(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services;

(4) to secure legal advice about the lawyer’s compliance with these Rules;

(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client;

(6) to comply with other law or a court order; or

(7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Comment 18

Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].

Comment 19

When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

RULE 5.3 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANCE

With respect to a nonlawyer employed or retained by or associated with a lawyer:

(a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person’s conduct is compatible with the professional obligations of the lawyer;

(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer; and

(c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:

(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or

(2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

Comment 3

A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law). When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.

Comment 4

Where the client directs the selection of a particular nonlawyer service provider outside the firm, the lawyer ordinarily should agree with the client concerning the allocation of responsibility for monitoring as between the client and the lawyer. See Rule 1.2. When making such an allocation in a matter pending before a tribunal, lawyers and parties may have additional obligations that are a matter of law beyond the scope of these Rules.


Advisory Opinion: 2215 Year Issued: 2012 RPC(s): RPC 1.1, 1.6, 1.15A Subject: Cloud Computing

This opinion addresses certain ethical obligations related to the use of online data storage managed by third party vendors to store confidential client documents.

Illustrative Facts:

Law Firm contracts with third-party vendor to store client files and documents online on remote server so that Lawyer and Client could access the documents over the Internet from any remote location.

Rules of Professional Conduct Implicated:

RPC 1.1, 1.6, 1.15A

Analysis:

Various service providers are offering data storage systems on remote servers that can be accessed by subscribers from any location over the Internet. This is one aspect of so-called “cloud computing,” and lawyers may be interested in using these services to store confidential client documents and other data. Use of these third party storage systems, however, means that confidential client information is outside of the direct control of the lawyer and raises particular ethical questions.

Under RPC 1.6, a lawyer owes a client the duty to keep all client information confidential, unless the information falls within a specified exception. The duty of confidentiality extends beyond deliberate revelations of client information and requires a lawyer to protect client information against all disclosure. Comment 16 to RPC 1.6 states: “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.” In order to use online data storage, a lawyer is under a duty to ensure that the confidentiality of all client data will be maintained.

In addition to client confidentiality, the lawyer is also under a duty to protect client property, under RPC 1.15A. A lawyer using online data storage of client documents is therefore under a duty to ensure that the documents will not be lost.

Page 1 of 3 Opinion 2215

10/27/2014 http://mcle.mywsba.org/IO/print.aspx?ID=1662


It is impossible to give specific guidelines as to what security measures should be in place with a third party service provider of online data storage in order to provide adequate protection of client material, because the technology is changing too rapidly and any such advice would be quickly out of date. It is also impractical to expect every lawyer who uses such services to be able to understand the technology sufficiently in order to evaluate a particular service provider’s security systems. A lawyer using such a service must, however, conduct a due diligence investigation of the provider and its services and cannot rely on lack of technological sophistication to excuse the failure to do so. While some lawyers may be able to do more thorough evaluations of the services available, best practices for a lawyer without advanced technological knowledge could include:

1. Familiarization with the potential risks of online data storage and review of available general audience literature and literature directed at the legal profession, on cloud computing industry standards and desirable features.

2. Evaluation of the provider’s practices, reputation and history.

3. Comparison of provisions in service provider agreements to the extent that the service provider recognizes the lawyer’s duty of confidentiality and agrees to handle the information accordingly.

4. Comparison of provisions in service provider agreements to the extent that the agreement gives the lawyer methods for retrieving the data if the agreement is terminated or the service provider goes out of business.

5. Confirming provisions in the agreement that will give the lawyer prompt notice of any nonauthorized access to the lawyer’s stored data.

6. Ensure secure and tightly controlled access to the storage system maintained by the service provider.

7. Ensure reasonable measures for secure backup of the data that is maintained by the service provider.

A lawyer has a general duty of competence under RPC 1.1, which includes the duty “to keep abreast of changes in the law and its practice.” RPC 1.1 Comment 6. To the extent that a lawyer uses technology in his or her practice, the lawyer has a duty to keep informed about the risks associated with that technology and to take reasonable precautions. The lawyer’s duties discussed in this opinion do not rise to the level of a guarantee by the lawyer that the information is secure from all unauthorized access. Security breaches are possible even in the physical world, and a lawyer has always been under a duty to make reasonable judgments when protecting client property and information. Specific practices regarding protection of client property and information have always been left up to individual lawyers’ judgment, and that same approach applies to the use of online data storage. The lawyer must take reasonable steps, however, to evaluate the risks involved with that practice and to ensure that steps taken to protect the information are up to a reasonable standard of care.

Because the technology changes rapidly, and the security threats evolve equally rapidly, a lawyer using online data storage must not only perform initial due diligence when selecting a provider and entering into an agreement, but must also monitor and regularly review the security measures of the provider. Over time, a particular provider’s security may become obsolete or become substandard to systems developed by other providers.

Conclusion

A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and that the information is secure against risk of loss.

Advisory Opinions are provided for the education of the Bar and reflect the opinion of the Rules of Professional Conduct Committee. Advisory Opinions are provided pursuant to the authorization granted by the Board of Governors, but are not individually approved by the Board and do not reflect the official position of the Bar association. Laws other than the Washington State Rules of Professional Conduct may apply to the inquiry. The Committee's answer does not include or opine about any other applicable law than the meaning of the Rules of Professional Conduct. Advisory Opinions are based upon facts of the inquiry as presented to the committee.


Advisory Opinion: 2216 Year Issued: 2012 RPC(s): RPC 1.4(a)(2), 1.6(a), 3.4(a), 4.4(a), 4.4(b), 8.4(d), RCW 5.50.060(2)(a) Subject: Metadata

This opinion addresses certain ethical obligations related to the transmission and receipt, in the course of a legal representation, of electronic documents containing “metadata.” Metadata is the “data about data” that is commonly embedded in electronic documents and may include the date on which a document was created, its author(s), date(s) of revision, any review comments inserted into the document, and any redlined changes made in the document [note 1]. Specifically, this opinion addresses: 1) an attorney’s ethical obligation to protect metadata when disclosing documents; 2) an attorney’s ethical obligation when receiving another party’s documents in which metadata is readily accessible and has therefore been disclosed; and, 3) the ethical propriety of an attorney using special forensic software to recover – from another party’s documents – metadata that is not otherwise readily accessible through standard word processing software.

Illustrative Facts:

1. Lawyer A is preparing a written agreement to settle a lawsuit. The electronic document containing the agreement is circulated amongst attorneys in Lawyer A’s law firm for review and comment. In reviewing the agreement, the firm attorneys insert comments into the document about the terms of the agreement, as well as the factual and legal strengths and weaknesses of the client’s position. A preliminary draft of the agreement is finalized internally, and Lawyer A sends the agreement electronically, for review and approval, to Lawyer B, who represents the opposing party. Lawyer A does not “scrub” the metadata from the document containing the agreement before sending it to Lawyer B. Using standard word processing features, Lawyer B is therefore able to view the changes that were made to, and comments that were inserted into, the document by attorneys at Lawyer A’s firm (i.e., Lawyer B can readily access the metadata contained in the document).

2. Same facts as #1, except that shortly after opening the document and discovering the readily accessible metadata, Lawyer B receives an urgent email from Lawyer A stating that the metadata had been inadvertently disclosed and asking Lawyer B to immediately delete the document without reading it.

3. Same facts as #1, except that Lawyer A makes reasonable efforts to “scrub” the document and thereby eliminates any readily accessible metadata before sending the document to Lawyer B. Lawyer B possesses special forensic software designed to circumvent metadata removal tools and recover metadata Lawyer A believes has been “scrubbed” from the document. Lawyer B wants to use this software on Lawyer A’s document to determine if it contains any metadata that may be useful in representing his own client.

Analysis:

1. Lawyer A’s ethical obligations: Lawyer A has an ethical duty to “act competently” to protect from disclosure the confidential information that may be reflected in a document’s metadata, including making reasonable efforts to “scrub” metadata reflecting any protected information from the document before sending it electronically to Lawyer B. Rule of Professional Conduct (“RPC”) 1.6 (a) requires Lawyer A to “not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is [explicitly] permitted by paragraph (b)” of RPC 1.6 (emphasis added). This rule of confidentiality applies to “all information relating to the representation, whatever its source” and extends to disclosures that, although they may not “themselves reveal protected information …[,] could reasonably lead to the discovery of [confidential] information by a third person.” Comments 3 & 4 to RPC 1.6. Metadata embedded in electronic documents that reflects attorney-client communications, attorney work product and/or other confidential information related to a representation falls squarely within the protections of RPC 1.6 [note 2]. As such, a lawyer must “act competently” to safeguard such metadata “against inadvertent or unauthorized disclosure[.]” [note 3]. Comment 16 to RPC 1.6. Lawyer A, therefore, must make reasonable efforts to ensure that electronic metadata reflecting protected information is not disclosed in conjunction with the exchange of documents related to a representation – i.e., that it is not readily accessible to the receiving party. 
Lawyer A can do this by disclosing documents in formats that do not include metadata – e.g., in hard copy, via fax, or in Portable Document Format (“PDF”) created by mechanically scanning hard copies – or by “scrubbing” the metadata from electronic documents using software utilities designed for that purpose [note 4]. Note, however, that in the context of discovery production, where certain metadata may have evidentiary value, RPC 3.4(a) specifically prohibits a lawyer from “alter[ing], destroy[ing] or conceal[ing] a document or other material having potential evidentiary value[,]” or assisting another person in doing so [note 5].

Page 1 of 3 Opinion 2216

10/27/2014 http://mcle.mywsba.org/IO/print.aspx?ID=1664
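The "scrubbing" step described above, as an added example rather than code from the opinion or this CLE material: a Python script (standard library only) builds a constructed .docx resembling the draft in Illustrative Fact 1, reports the author, creation date, reviewer comments and redlined changes that ordinary word-processing features expose, and then scrubs them while leaving the final text intact. The sample parts, the names in them and every helper function are constructed for illustration.

```python
"""Inspect and scrub the .docx metadata Opinion 2216 lists (author, dates,
reviewer comments, redlined changes); stdlib only. A .docx is a ZIP of XML
parts: docProps/core.xml holds author and dates, word/comments.xml holds
comments, word/document.xml holds tracked changes as <w:ins> and <w:del>."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
NS = {"w": W, "cp": CP, "dc": DC, "dcterms": DCTERMS}
for _prefix, _uri in NS.items():  # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)


def w(tag: str) -> str:  # Clark-notation name of a WordprocessingML element/attribute
    return f"{{{W}}}{tag}"


# Core properties naming people or dates (all optional, so they can be dropped).
IDENTIFYING_PROPS = {f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy",
                     f"{{{DCTERMS}}}created", f"{{{DCTERMS}}}modified"}
COMMENT_ANCHORS = {w("commentRangeStart"), w("commentRangeEnd"), w("commentReference")}

# Constructed sample parts (hypothetical names, not a real client document): a
# settlement draft with a redlined change and a reviewer comment, as in Fact 1.
CORE_XML = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"
 xmlns:dcterms="{DCTERMS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>Associate at Lawyer A's firm</dc:creator>
 <cp:lastModifiedBy>Lawyer A</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2014-10-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""
DOCUMENT_XML = f"""<w:document xmlns:w="{W}"><w:body><w:p>
 <w:r><w:t>Settlement amount: </w:t></w:r>
 <w:del w:id="1" w:author="Lawyer A"><w:r><w:delText>$50,000</w:delText></w:r></w:del>
 <w:ins w:id="2" w:author="Lawyer A"><w:r><w:t>$75,000</w:t></w:r></w:ins>
 <w:commentRangeStart w:id="0"/><w:r><w:t> payable within 30 days.</w:t></w:r>
 <w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r>
</w:p></w:body></w:document>"""
COMMENTS_XML = f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Partner">
 <w:p><w:r><w:t>Client would accept as low as $40,000; do not let on.</w:t></w:r></w:p>
</w:comment></w:comments>"""


def build_sample_docx() -> bytes:  # zip the constructed parts into a minimal .docx
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def parse_parts(data: bytes) -> dict:  # every XML part as an element tree, keyed by name
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: ET.fromstring(z.read(n)) for n in z.namelist() if n.endswith(".xml")}


def inspect_docx(data: bytes) -> dict:
    """List what a recipient can see with ordinary word-processing features."""
    parts = parse_parts(data)
    core = parts.get("docProps/core.xml", ET.Element("none"))
    comments = parts.get("word/comments.xml", ET.Element("none"))
    doc = parts["word/document.xml"]
    report = {key: (core.findtext(path, namespaces=NS) or "").strip() or None
              for key, path in (("author", "dc:creator"), ("created", "dcterms:created"))}
    report["comments"] = [(c.get(w("author")), "".join(t.text or "" for t in c.iter(w("t"))))
                          for c in comments.findall("w:comment", NS)]
    report["insertions"] = sum(1 for _ in doc.iter(w("ins")))
    report["deletions"] = sum(1 for _ in doc.iter(w("del")))
    return report


def visible_text(data: bytes) -> str:  # final (all changes accepted) body text
    return "".join(t.text or "" for t in parse_parts(data)["word/document.xml"].iter(w("t")))


def _resolve_tracked_changes(root: ET.Element) -> None:
    """Accept insertions (unwrap <w:ins>), drop deletions and comment anchors."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        parent = parent_of.get(el)
        if el.tag == w("del") or el.tag in COMMENT_ANCHORS:
            parent.remove(el)
        elif el.tag == w("ins"):
            idx = list(parent).index(el)
            parent.remove(el)
            for offset, child in enumerate(list(el)):
                parent.insert(idx + offset, child)


def scrub_docx(data: bytes) -> bytes:
    """Copy with author/dates removed, comments emptied and tracked changes
    resolved, so only the final text travels. Caveat from the opinion: not for
    discovery material, where RPC 3.4(a) forbids altering evidentiary metadata."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            content = src.read(name)
            if name in ("docProps/core.xml", "word/document.xml"):
                root = ET.fromstring(content)
                if name == "word/document.xml":
                    _resolve_tracked_changes(root)
                for child in list(root):  # only core.xml carries these properties
                    if child.tag in IDENTIFYING_PROPS:
                        root.remove(child)
                content = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            elif name == "word/comments.xml":  # keep the part, empty its contents
                content = f'<w:comments xmlns:w="{W}"/>'.encode()
            out.writestr(name, content)
    return out_buf.getvalue()
```

A real document also carries headers, footers, footnotes and revision identifiers in other parts; a production scrubber has to walk those as well, which is why the opinion points lawyers to purpose-built utilities.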

Lawyer B’s ethical obligations: Upon discovery, Lawyer B has an ethical duty to “promptly notify” Lawyer A that the disclosed document contains readily accessible metadata. RPC 4.4(b) requires a “lawyer who receives a document relating to the representation of the lawyer’s client and knows or reasonably should know that the document was inadvertently sent … [to] promptly notify the sender.” For the purposes of the rule, “‘document’ includes e-mail or other electronic modes of transmission subject to being read or put in readable form.” Comment 2 to RPC 4.4. As metadata is embedded in electronic documents – i.e., “electronic modes of transmission” – it falls within the protections of RPC 4.4(b). Here, where the metadata disclosed by Lawyer A includes attorney work product otherwise protected in litigation, Lawyer B knows or reasonably should know the metadata was inadvertently disclosed. As such, Lawyer B’s duty to notify Lawyer A is triggered here.

2. Lawyer B’s ethical obligations: Under the ethical rules, Lawyer B is not required to refrain from reading the document, nor is Lawyer B required to return the document to Lawyer A. See Comments 2 & 3 to RPC 4.4. Lawyer B may, however, be under a legal duty separate and apart from the ethical rules to take additional steps with respect to the document [note 6]. See id. If Lawyer B is not under such a separate legal duty, the “decision to voluntarily return such a document is a matter of professional judgment ordinarily reserved to the lawyer[,]” in consultation with the client. Comment 3 to RPC 4.4; see also RPC 1.4(a)(2) (requiring an attorney to “reasonably consult with the client about the means by which the client’s objectives are to be accomplished”).

3. Lawyer B’s ethical obligations: The ethical rules do not expressly prohibit Lawyer B from utilizing special forensic software to recover metadata that is not readily accessible or has otherwise been “scrubbed” from the document. Such efforts would, however, in the opinion of this committee, contravene the prohibition in RPC 4.4(a) against “us[ing] methods of obtaining evidence that violate the legal rights of [third persons]” and would constitute “conduct that is prejudicial to the administration of justice” in contravention of RPC 8.4(d). To the extent that efforts to mine metadata yield information that intrudes on the attorney-client relationship, such efforts would also violate the public policy of preserving confidentiality as the foundation of the attorney-client relationship. See RCW 5.60.060(2)(a), Dietz v. Doe, 131 Wn.2d 835, 842 (1997), and Comments 2 & 3 to RPC 1.6. As such, it is the opinion of this committee that the use of special software to recover, from electronic documents, metadata that is not readily accessible does violate the ethical rules.
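The opinion turns on the difference between metadata that is "readily accessible" and metadata that has been "scrubbed", and on Lawyer A's duty (endnote 3) to have enough skill to keep the former out of a produced document. The following is an added example, not part of the opinion or of any cited source: it builds a constructed, minimal .docx (a zip of XML parts laid out as Office Open XML does) that carries author and revision properties, a tracked change from an earlier settlement figure, and a reviewer comment; it then reports what a recipient can read with nothing more than a zip tool, and writes a scrubbed copy with the properties emptied, the changes accepted and the comments part dropped. All names, figures and comment text in the sample are invented. The sample omits the relationship and content-type parts a real package has, so a production scrubber would also have to remove the comments entries from those.

```python
"""Added example: inspect and scrub the metadata a .docx carries (constructed sample)."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
for _prefix, _uri in (("w", W), ("cp", CP), ("dc", DC)):
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes when re-serialising


def _w(tag):
    """Fully qualified WordprocessingML tag name."""
    return f"{{{W}}}{tag}"


# Constructed sample parts (invented content): document properties, a tracked change
# from $250,000 to $400,000, and a comment that reveals the client's real limit.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:creator>paralegal.smith</dc:creator>
  <cp:lastModifiedBy>Lawyer A</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>"""
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t xml:space="preserve">Settlement offer: </w:t></w:r>
<w:del w:id="1" w:author="Lawyer A"><w:r><w:delText>$250,000</w:delText></w:r></w:del>
<w:ins w:id="2" w:author="Lawyer A"><w:r><w:t>$400,000</w:t></w:r></w:ins>
<w:commentRangeStart w:id="0"/><w:r><w:t>.</w:t></w:r><w:commentRangeEnd w:id="0"/>
<w:r><w:commentReference w:id="0"/></w:r>
</w:p></w:body></w:document>"""
COMMENTS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Lawyer A">
<w:p><w:r><w:t>Client will go to $500,000 if pushed.</w:t></w:r></w:p>
</w:comment></w:comments>"""


def build_sample_docx() -> bytes:
    """Pack the constructed parts into a zip (real files also carry rels and content types)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def read_part(data: bytes, name: str):
    """Return one part of the package as bytes, or None if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name) if name in z.namelist() else None


def _text(node, tag):
    return "".join(t.text or "" for t in node.iter(_w(tag)))


def inspect_docx(data: bytes) -> dict:
    """What a recipient can read with a zip tool and no special forensic software."""
    report = {"core": {}, "deleted_text": [], "inserted_text": [], "comments": []}
    core = read_part(data, "docProps/core.xml")
    if core:
        for el in ET.fromstring(core):
            report["core"][el.tag.rsplit("}", 1)[-1]] = el.text or ""
    doc = ET.fromstring(read_part(data, "word/document.xml"))
    report["deleted_text"] = [_text(d, "delText") for d in doc.iter(_w("del"))]
    report["inserted_text"] = [_text(i, "t") for i in doc.iter(_w("ins"))]
    comments = read_part(data, "word/comments.xml")
    if comments:
        report["comments"] = [{"author": c.get(_w("author"), ""), "text": _text(c, "t")}
                              for c in ET.fromstring(comments).iter(_w("comment"))]
    return report


def visible_text(data: bytes) -> str:
    """The body text a reader sees with all changes shown as final."""
    return _text(ET.fromstring(read_part(data, "word/document.xml")), "t")


def _accept_changes(root):
    """Drop deletions and comment markers; hoist inserted runs into the surrounding sequence."""
    markers = {_w("commentRangeStart"), _w("commentRangeEnd"), _w("commentReference")}
    for parent in list(root.iter()):  # snapshot: the tree is edited while we walk it
        for idx, child in reversed(list(enumerate(parent))):
            if child.tag == _w("del") or child.tag in markers:
                parent.remove(child)
            elif child.tag == _w("ins"):
                parent.remove(child)
                for offset, run in enumerate(list(child)):
                    parent.insert(idx + offset, run)


def scrub_docx(data: bytes) -> bytes:
    """Rewrite the package: empty core properties, accept changes, drop the comments part."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if name == "word/comments.xml":
                continue
            if name == "docProps/core.xml":
                core = ET.fromstring(blob)
                for el in list(core):
                    core.remove(el)
                blob = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            elif name == "word/document.xml":
                doc = ET.fromstring(blob)
                _accept_changes(doc)
                blob = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, blob)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_docx(sample))
    print("after: ", inspect_docx(scrub_docx(sample)))
```

Running the module prints the report before and after scrubbing. The point of `inspect_docx` is that none of this is hidden: the earlier figure, the comment and the editing history sit in plain XML inside a zip, which is why the opinion treats such metadata as "readily accessible" and places the burden of removing it on the sender. Scrubbing by rewriting the package, rather than by saving from the word processor, is the only way to be sure a part is gone; a tool that merely "hides" changes leaves them recoverable.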

Endnotes

1. See Joshua J. Poje, Metadata Ethics Opinions Around the U.S., American Bar Association, available at: http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/metadatachart.html, last visited February 20, 2012. Note that Mr. Poje’s chart does not reflect the opinion recently issued by the Oregon State Bar Association, Formal Opinion No. 2011-187 (“Competency: Disclosure of Metadata”).

2. If the metadata reflects confidential information pertaining to a former client – as may occur when attorneys reuse template documents over time – it is protected by RPC 1.9(c)(2).

3. RPC 1.1, moreover, requires Lawyer A to provide competent representation to a client, which includes possessing “the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The duty to competently represent a client includes the duty to possess, obtain or recruit sufficient skill to ensure that confidential information reflected in metadata is not inadvertently disclosed.

4. For a discussion of mechanical alternatives for protecting metadata in the disclosure process, see David Hricik and Chase Edward Scott, Metadata: The Ghosts Haunting e-Documents, Georgia Bar Journal, February 2008, available at: http://gabar.org/public/pdf/gbj/feb08.pdf, last visited February 22, 2012, and Jembaa Cole, When Invisible Ink Leaves Red Faces: Tactical, Legal and Ethical Consequences of the Failure to Remove Metadata, 1 Shidler J. L. Com. & Tech. 8 (Feb. 2, 2005), available at: http://digital.law.washington.edu/dspace-law/bitstream/handle/1773.1/360/vol1_no2_art8.pdf?sequence=1, last visited February 20, 2012. As technology evolves, of course, what constitutes “competent” representation in this context necessarily evolves.

5. See also O’Neill v. City of Shoreline, 170 Wn.2d 138 (2010) (holding metadata is subject to disclosure pursuant to the Public Records Act).

6. See, e.g., Fed. R. Civ. P. 26(b)(5)(B) and Washington State Superior Court Civil Rule (“CR”) 26(b)(6) (governing claims of privilege or protection for information produced in discovery), Fed. R. Civ. P. 45(d)(2)(B) and CR 45(d)(2)(B) (governing claims of privilege or protection for information produced pursuant to subpoena), and Fed. R. Evid. 502(b) and Washington State Rule of Evidence 502(e) (governing claims of privilege or protection and waiver of same). Where the parties have entered into an agreement, such as a protective order, that addresses inadvertent disclosures, that agreement may also place additional obligations on the attorney in these circumstances.

Advisory Opinions are provided for the education of the Bar and reflect the opinion of the Rules of Professional Conduct Committee. Advisory Opinions are provided pursuant to the authorization granted by the Board of Governors, but are not individually approved by the Board and do not reflect the official position of the Bar association. Laws other than the Washington State Rules of Professional Conduct may apply to the inquiry. The Committee's answer does not include or opine about any other applicable law than the meaning of the Rules of Professional Conduct. Advisory Opinions are based upon facts of the inquiry as presented to the committee.

Opinion 2216, printed 10/27/2014 from http://mcle.mywsba.org/IO/print.aspx?ID=1664

Advisory Opinion: 2229
Year Issued: 2012
RPC(s): RPC 1.6, 1.6(b)(1), 1.6(b)(2), 1.7, 1.16(a)(1)
Subject: Reporting Client to Authorities and Client Confidentiality

Facts:

Attorney has an individual client who is involved in an ongoing financial scam (a confidence game or other fraudulent scheme), the facts of which attorney believes would constitute a crime under applicable state and/or federal law. Attorney learned of the scam in the course of representing the client, but attorney is not directly involved in the scam, nor does attorney believe the client has used his legal services to further the scam. Attorney has never represented the client in any formal proceeding before a tribunal. Attorney wants to volunteer information related to his client’s scam to the appropriate law enforcement authorities. May he ethically do so?

Analysis:

RPC 1.6(b)(2) states:

(b) A lawyer to the extent the lawyer reasonably believes necessary:

(2) may reveal information relating to the representation of a client to prevent the client from committing a crime. . . .

Comment [20] to RPC 1.6 provides:

Washington's Rule 1.6(b)(2), which authorizes disclosure to prevent a client from committing a crime, is significantly broader than the corresponding exception in the Model Rule. While the Model Rule permits a lawyer to reveal information relating to the representation to prevent the client from "committing a crime . . . that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used the lawyer's services," Washington's Rule permits the lawyer to reveal such information to prevent the commission of any crime.

Comment [14] to RPC 1.6 provides:

Paragraph (b) permits disclosure only to the extent the lawyer reasonably believes the disclosure is necessary to accomplish one of the purposes specified. Where practicable, the lawyer should first seek to persuade the client to take suitable action to obviate the need for disclosure. In any case, a disclosure adverse to the client’s interest should be no greater than the lawyer reasonably believes necessary to accomplish the purpose.


Comment [23] to RPC 1.6 provides:

. . . A lawyer must make every effort practicable to avoid unnecessary disclosure of information relating to a representation, to limit disclosure to those having the need to know it, and to obtain protective orders or make other arrangements minimizing the risk of avoidable disclosure.

Conclusion:

On these facts, where the client’s financial scam does not appear to carry the risk of reasonably certain substantial bodily harm, the Rules of Professional Conduct do not require the attorney to disclose information about the scam to law enforcement. See RPC 1.6(b)(1). RPC 1.6(b)(2) does, however, allow the attorney to disclose information about the scam to law enforcement, as long as the attorney only shares that information he reasonably believes necessary to accomplish the law enforcement purpose of the disclosure. See Comments 14 and 23 to RPC 1.6. Here, it may not be “practicable” for the attorney to attempt to avoid disclosure by counseling the client to take “suitable action to obviate the need for disclosure,” and – in fact – any such attempt by the attorney may undercut the law enforcement purpose of the disclosure.

In these circumstances, it is likely that the attorney will be compelled to withdraw from continued representation of the client per RPC 1.16(a)(1), which provides that the attorney must withdraw if:

(a) . . .

(1) the representation will result in violation of the Rules of Professional Conduct or other law; . . .

Here, if the attorney elects to disclose information about the client’s scam, the attorney’s disclosure is likely to create a concurrent conflict of interest under RPC 1.7, in that it would likely create a substantial risk that his representation of the client would be materially limited by the attorney’s responsibility to a third person (e.g., law enforcement and/or victims of the client’s scam) and/or by the personal interest of the attorney (in determining to make the disclosure to law enforcement).

Advisory Opinions are provided for the education of the Bar and reflect the opinion of the Rules of Professional Conduct Committee. Advisory Opinions are provided pursuant to the authorization granted by the Board of Governors, but are not individually approved by the Board and do not reflect the official position of the Bar association. Laws other than the Washington State Rules of Professional Conduct may apply to the inquiry. The Committee's answer does not include or opine about any other applicable law than the meaning of the Rules of Professional Conduct. Advisory Opinions are based upon facts of the inquiry as presented to the committee.

Opinion 2229, printed 10/27/2014 from http://mcle.mywsba.org/IO/print.aspx?ID=1672