Data Breach 411 – Are You Prepared?
May 12, 2015
Presented By:
Shannon Couffer, Esq.
Darlene Quashie Henry, Esq.
Gretchen Herault, Esq.
Scott L. Vernick, Esq.
Topics For Discussion
• Data breach statistics
• Data governance program
• Preparing for a data security breach
• Lessons learned from handling a data security breach
• Regulatory and litigation update
2014 Statistics
• In 2014, there were 783 reported data breaches, a 27.5% increase over the number of data breaches reported in 2013.
  – Hacking (29%)
  – Subcontractor or third-party involvement (15.1%)
  – Insider theft (12.5%)
  – Accidental exposure (11.5%)
  – Data in transit (7.9%)
  – Employee error/negligence (9.5%)
Source: Identity Theft Resource Center.
2014 Statistics
• In 60% of breaches, attackers were able to compromise an organization within minutes.
• 23% of recipients open phishing emails.
  – Median time-to-first-click was 1 minute and 22 seconds.
• Yet, in more than 25% of breaches, it took victim organizations weeks, or even months, to contain the breach.
Source: Verizon’s 2015 Data Breach Investigations Report.
2014 Statistics
• A survey of more than 1,000 information technology professionals found:
  – 54% experienced more pressure to secure their organizations’ networks in 2014 than in 2013
  – 61% felt pressure from boards of directors, owners and executives
  – 84% wanted to increase the size of their IT security team
  – 47% ranked cloud computing as the technology they felt the most pressure to adopt
    • 40% said cloud computing posed the greatest security risks
Source: 2015 Security Pressures Report, Trustwave Holdings Inc.
Cost Of A Data Security Breach
• Based upon data gathered in 2014, the forecasted cost of a data breach is as follows:

  Number of Records    Total Forecasted Cost
  100                  $25,450
  1,000                $67,480
  10,000               $178,960
  1,000,000            $1,258,670
  10,000,000           $3,338,020
  100,000,000          $8,852,540

Source: Verizon’s 2015 Data Breach Investigations Report.
Cost Of A Data Security Breach
• Costs include:
  – Direct costs (communications, investigations, legal); and
    • Litigation settlements: $15 million by Sony in 2014 and $10 million by Target in 2015
  – Indirect costs (lost business, public relations, expenses to preserve and restore reputation).
• Target reports that the cost of its data breach totaled $145 million for the 2014 fiscal year.
• Compare these figures to the cost of having preventative measures in place (e.g., policies related to passwords, firewalls, mobile devices, anti-virus software), training employees and encrypting sensitive information.
Types Of Data Security Breaches
• Hacking
• Devices are lost or stolen
• Insider or employee misuse
• Unintended disclosure
• Security patches are not installed
• Malware
What Is The Objective? Fill In The Gap
• Protection/Security
• Compliance (i.e., getting your house in order)
• Audits
• Criminal prosecution
• Civil liability

How To Manage The Data Security Breach
Why Do You Need A Response Plan?
• Thoughtful and prepared reaction
• Better decision making
• Minimized risk and loss
Collect Relevant Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Privacy policy
• Information security policy
• Ethics policy
• Litigation hold template
• Incident response plan
• Response team contact list
Create A First Response Team
• Information technology (computer & technology resources)
• Information security (physical security & access)
• Human resources (private employee information: health & medical, SSN(s), payroll, tax, retirement)
• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer and customer information)
• Public relations/investor relations
Assign Tasks To Members Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for the investigation and communications
Project management is critical.
Determine The Nature And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Notify law enforcement (FBI, USSS, State AG(s))
• Determine the type of information that may have been compromised and whether the threat is ongoing
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine their state or country of residence
Preserve the company’s assets, reputation and integrity.
Understand Data Breach Notice Laws
• State laws:
  – What constitutes personal information?
  – When is a notice required?
  – Who must be notified? (e.g., State Attorney General)
  – Timing?
  – What information must be included in the notice?
  – Method of delivering notice?
  – Other state-specific requirements?
• Applicable industry-specific laws
• Applicable international laws
Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies (State Attorney General)
• Consumer reporting agencies
• Business partners
• Insurers
• Media
Data Security Breach Notification
• Alabama, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
• The California statute served as a model for later state statutes.
  – State involvement began in California, after a series of breaches received national attention.
  – Passed in 2002, went into effect in mid-2003.
Data Security Breach Notification
• “A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
See Cal. Civ. Code § 1798.82.
Data Security Breach Notification
• “Personal information”
  – First name or initial and last name in combination with one or more of the following (when either the name or the data element is not encrypted):
    • Social Security number;
    • Driver’s license number; or
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a financial account.
Data Security Breach Notification
• Some states have expanded the definition of “personal information” to include:
  – California: medical information, health insurance information, and user name or email address with password or security question and answer.
  – Iowa: biometric data.
  – North Dakota: date of birth, mother’s maiden name, and electronic signature.
Data Security Breach Notification
• “Breach of the security of the system”
  – Some states expressly require notice of unauthorized access to non-computerized data:
    • Hawaii: includes “personal information in any form (whether computerized, paper, or otherwise).”
    • Indiana: includes computerized data that has been transferred to another medium, including paper, microfilm, or similar media, even if the transferred data are no longer in a computerized format.
Data Security Breach Notification
• Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
  – Certain states require harm:
    • Arkansas: no notice if “after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.”
    • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft.”
Data Security Breach Notification
• Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data.
  – The data owner has ultimate responsibility to notify consumers of a breach.
  – Non-owners are required to notify owners.
Data Security Breach Notification
• Recent amendments to breach notification statutes:
  – Montana (effective Oct. 1, 2015)
    • “Personal information” also includes: (i) medical record information; (ii) taxpayer identification number; and (iii) identity theft protection personal information number issued by the IRS.
    • Mandatory notification to the AG’s Consumer Protection Office
    • AG notification must include:
      – Copy of the notification letter sent to consumers;
      – Number of affected individuals; and
      – Date and distribution method of the notice to consumers.
Data Security Breach Notification
• Recent amendments to breach notification statutes:
  – Wyoming (effective July 1, 2015)
    • “Personal information” also includes: (i) shared (login) secrets or security tokens known to be used for data-based authentication purposes; (ii) birth or marriage certificate; (iii) medical information; (iv) health insurance information; (v) biometric data; and (vi) taxpayer identification number.
    • Notice to consumers must include:
      – Types of PII
      – Description of the incident
      – Date of the incident
      – Action taken to prevent future breaches
      – Whether a law enforcement investigation caused a delay in notification
Prepare State Law Notices
• General description of the incident
• Type of information that may have been compromised
• Steps to protect information from further unauthorized access
• Contact information (e.g., email address; 1-800 number)
• Advice to affected individuals (e.g., credit reporting agency, review account activity)
• Delivery method (e.g., certified letters, email, website, publication in state-wide or nation-wide media)
• Timing of notices
• Tailor notices based on recipient
• Use a single-fact description for all notices
Prepare Answers To Inquiries
• Draft FAQs with responses
• Establish a hotline
• Assign a group of contact employees
• Train employees to respond to inquiries
• Develop a clear escalation path for difficult questions
• Track questions and answers
Prepare Press Release
• Include the following information:
  – Facts surrounding the incident
  – Actions to prevent further unauthorized access
  – Steps to prevent future data security breaches
  – Contact information for questions
• Review by legal counsel
Consider Offering Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
Federal Legislation Update
• In April 2015, the House passed:
  – Protecting Cyber Networks Act (H.R. 1560)
    • Allows companies to voluntarily share information on cyber-threat indicators while requiring them to remove any personal information before sending the information to the government.
    • Companies that share information with the government in good faith receive protection from private and regulatory actions.
  – National Cybersecurity Protection Advancement Act (H.R. 1731)
    • Provides liability protections for companies that share information about cyber-attacks with DHS’ National Cybersecurity and Communications Integration Center and the private sector.
Federal Legislation Update
• Personal Data Notification and Protection Act (H.R. 1704)
  – Alert consumers within 30 days of discovering the incident
    • When does the clock start ticking?
  – Preemption debate:
    • Clear up the burden created by 47 different state notification statutes?
    • Provide less protection than certain robust state notification statutes (e.g., California, Massachusetts)?
Regulatory Update: California’s Do-Not-Track Law
• Went into effect on Jan. 1, 2014
• First state in the country to adopt a do-not-track disclosure law
• Requires operators of websites and mobile applications to amend privacy policies to include:
  – Information about do-not-track procedures; and
  – Whether third parties are able to collect information about users.
• In May 2014, the AG issued a best practices guide titled “Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy.”
  – Not a regulation, mandate or legal opinion, but a resource to help businesses comply with CA law.
  – Guidance about how to draft privacy policies (not limited to do-not-track requirements).
• Recommendations:
  – Prominently label the section of the privacy policy that deals with on-line tracking.
  – Describe how the website or app responds to a do-not-track signal.
  – State whether third parties are able to collect PII.
  – Describe what PII is collected, how it is used and how long it is retained.
  – Explain consumers’ options with respect to collection, use and sharing of PII.
  – Use plain, straightforward language.
Regulatory Update: California’s Data Breach Report
• On an annual basis, the California AG releases a report that summarizes the types of breaches reported to her office during the previous year, together with recommendations about how to decrease the likelihood of experiencing a data breach.
• Most recent report released in October 2014.
• 2014 Key Findings:
  – 167 data breaches reported in 2013
    • Up from 131 data breaches in 2012
  – Records containing personal information of more than 18.5 million CA residents
    • Skewed by the Target and LivingSocial breaches
    • Up from 2.5 million records in 2012
  – The retail industry reported the most breaches (26% of total breaches reported).
  – More than half of the total breaches were caused by computer intrusions (malware and hacking).
  – In 29% of breaches of Social Security or driver’s license numbers, where a mitigation service such as credit monitoring or a security freeze would have helped give consumers early notice of any misuse, the breached entity did not offer such services.
• 2014 Recommendations (all industries):
  – Conduct risk assessments at least annually and update privacy and security practices based upon the findings.
  – Use strong encryption to protect personal information in transit.
  – Improve the readability of breach notices.
• 2014 Recommendations (retailers):
  – Move promptly to update POS terminals so that they are chip-enabled.
  – Implement appropriate encryption and tokenization solutions for payment card data.
  – Respond promptly to data breaches and notify affected individuals in the most expedient time possible.
  – Improve substitute notices regarding payment card breaches by making it more likely that consumers will view the notice and by including in the notice information about how consumers can protect themselves.
• 2014 Recommendations (legislature):
  – Consider legislation to amend the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of entities that “own” data versus those that “maintain” data, and require a final breach report (including corrective actions taken) to the AG.
  – Consider legislation to provide funding to support system upgrades for small CA retailers.
• Impact of Recommendations:
  – The 2013 Report contained 5 recommendations.
  – 2 out of 5 have since been enacted as amendments to the data breach notification law:
    • Online account credentials included in the definition of “personal information”; and
    • Requires the “source” of the breach to offer 12 months of mitigation services at no cost to victims of breaches of Social Security numbers or driver’s license numbers.
  – Effective January 2015.
Regulatory Update: NY Proposed Data Security Act
• New York Data Security Act:
  – Proposed in the Senate and the Assembly.
  – Safe harbor from liability for companies that adopt, and obtain certification that they have implemented, certain data security standards.
    • Must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information, including the disposal of data.”
      – Administrative safeguards (e.g., employee training).
      – Technical safeguards (e.g., assess risks in network and software design).
      – Physical safeguards (e.g., dispose of information after it is no longer needed).
    • Rebuttable presumption of compliance if the company obtains an independent, third-party audit and certification annually.
  – Proactive approach (instead of reactive approach).
Types Of Enforcement Actions
• Federal Trade Commission – Section 5 of the FTC Act
  – Enforces privacy policies and challenges data security practices deemed “deceptive” or “unfair”
• Federal Communications Commission – Sections 201(b) and 222(a) of the Communications Act
  – Requires all “practices” to be “just and reasonable”
  – Must “protect the confidentiality of proprietary information” of customers
• State Attorney General – State Notification Statutes
  – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
• Litigation in federal and state courts
Federal Trade Commission
• Wyndham Worldwide Corporation
  – In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
  – Pending in the U.S.D.C. for the District of New Jersey (Civ. A. No. 13-01887).
  – The FTC alleges that, from April 2008 through January 2010, cybercriminals hacked into Wyndham’s computer network, exposing credit card information of hotel guests.
  – The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
  – The FTC contends that hackers compromised more than 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.
  – Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
    • Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate.”
    • Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure credit card information that it collects from consumers.
  – The FTC focused, in part, on the following “data security insufficiencies”:
    • Failing to employ firewalls
    • Storing payment card data in clear, readable text
    • Failing to implement adequate information security policies and procedures
    • Failing to require strong user IDs and passwords
    • Failing to “adequately inventory” network computers
  – In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
    • Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
    • Wyndham argues that, because Congress has not yet passed general data security legislation, the FTC has authority to regulate data security only in limited contexts (e.g., the Gramm-Leach-Bliley Act).
    • Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.”
    • Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
    • As such, “businesses are left to guess as to what they must do to comply with the law.”
  – On April 7, 2014, the Court denied Wyndham’s motion to dismiss.
    • The Court’s opinion expressly states:
      – The Court has not rendered a “decision on liability” and “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
      – Instead, the Court “denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage.”
    • Wyndham appealed the decision, and the appeal is pending before the U.S. Court of Appeals for the Third Circuit.
  – In its opinion, the Trial Court:
    • Refused “to carve out a data-security exception to the FTC’s unfairness authority.”
    • Held that “the FTC’s unfairness authority over data security can co-exist with the existing data-security regulatory scheme.”
    • Stated that the analysis of an unfairness claim must be “flexible” and apply “the facts of particular cases arising out of unprecedented situations.”
      – The Court also relies upon the “FTC’s many public complaints and consent agreements, as well as its statements and business guidance brochure.”
Federal Trade Commission
• In the Matter of Snapchat, Inc., No. 132 3078
  – On Dec. 31, 2014, the FTC instituted an enforcement action against Snapchat.
  – In its complaint, the FTC alleges that:
    • The company deceived consumers about the amount of personal data it collected and the measures taken to protect such data from misuse or disclosure.
    • The company’s failure to secure its “Find Friends” feature resulted in a breach that allowed attackers to obtain access to the usernames and phone numbers of 4.6 million users.
  – Enforcement action pending – no reported settlement yet.
Federal Trade Commission
• In the Matter of Fandango, No. 132 3089
  – In August 2014, the FTC approved a settlement with Fandango.
  – In its complaint, the FTC alleged that, despite its security representations, Fandango failed to take reasonable steps to secure its mobile application, leaving consumers’ personal information at risk.
    • Fandango disabled a critical default process known as SSL certificate validation.
    • As a result, hackers were able to intercept personal information submitted through the app.
  – Terms of the settlement:
    • Establish a comprehensive information security program to address the risks associated with developing mobile applications.
    • Undergo independent security assessments every other year for the next 20 years.
    • Prohibited from misrepresenting the level of privacy or security in its products and services.
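The Fandango allegation above is a configuration defect that can be checked mechanically. The following Python is an added example, not code from the presentation or from the Fandango case record: it shows a client TLS context with certificate validation switched off beside the default validating one, and a small audit helper (the finding names are this example's own) that flags the weak settings a reviewer would look for.

```python
from __future__ import annotations

import ssl

# Finding codes returned by audit_context() (names chosen for this example).
NO_CERT_VALIDATION = "no-cert-validation"
NO_HOSTNAME_CHECK = "no-hostname-check"
WEAK_MIN_TLS = "weak-min-tls"


def insecure_client_context() -> ssl.SSLContext:
    """Client context of the kind alleged against Fandango: validation disabled.

    With verify_mode = CERT_NONE the client accepts whatever certificate the
    peer presents, so anyone on the network path can terminate the TLS session
    with a certificate of their own and read what the app submits.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # Python requires this before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # the "disabled SSL certificate validation" setting
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context that keeps the default validation chain intact."""
    # create_default_context(): CERT_REQUIRED, hostname checking, system CA store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def validates_certificates(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is chain-validated and hostname-matched."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings for a client TLS context; an empty list means clean."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VALIDATION)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_MIN_TLS)
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```

The same audit applies to any library that exposes its TLS context; in code review the equivalents are `verify=False`, `CERT_NONE`, or custom trust managers that accept every chain.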
Federal Trade Commission
• In the Matter of Accretive Health, No. 122 3077
  – In 2013, the FTC instituted an enforcement action against Accretive Health alleging that, in July 2011, an employee’s laptop computer was stolen from his car.
  – The laptop computer contained personal information (including sensitive health information) relating to 23,000 of Accretive’s patients.
  – The FTC alleges that Accretive:
    • Created unnecessary risks by transporting laptops that contained personal information in a way that left them vulnerable to theft.
    • Failed to employ reasonable procedures to ensure that employees removed consumers’ personal information from their computers after they no longer needed such information.
    • Failed to adequately restrict employee access to consumers’ personal information.
  – On Dec. 31, 2013, Accretive Health agreed to settle the action.
Federal Communications Commission
• In the Matter of TerraCom, Inc. and YourTel America, Inc., No. 13-9175
  – In October 2014, the FCC instituted its first enforcement action in the field of data security.
  – Imposed a $10 million fine for allegedly placing the personal information of 300,000 consumers at risk by storing Social Security numbers, names, addresses and other sensitive information on “unprotected” Internet servers.
  – The FCC alleges that:
    • The companies’ privacy policies stated that they had “technology and security features to safeguard the privacy of your customer specific information from unauthorized access.”
    • Despite their representations, the companies’ data security practices exposed the data to the public and put consumers at an increased risk of identity theft and fraud.
    • The companies’ alleged failure to notify all potentially affected individuals further harmed consumers because they could not take steps to protect their information from misuse.
State Attorney General Actions
• JPMorgan Chase & Co.
  – In January 2015, 15 State AGs launched an investigation of a data breach that occurred at JPMorgan Chase in 2014.
  – The breach compromised names, addresses, phone numbers and email addresses for approximately 76 million households and 7 million small businesses.
  – The State AGs sent a letter requesting the following:
    • Facts and circumstances of the breach
    • Types of personal information maintained by JPMorgan Chase
    • Types of personal information subject to the breach
    • The basis for the statement that there is “no evidence that account numbers, passwords, user IDs, date of birth or Social Security numbers were compromised during this attack”
    • Number of consumers affected (by state)
    • Identification of any fraudulent activity as a result of the breach
    • Description of safeguards in place at the time of the breach
    • Identification of any additional safeguards adopted and contemplated to prevent future breaches
    • A copy of any and all compliance materials including, but not limited to, privacy policies
    • A copy of any internal or third-party investigative report or audit related to the breach
  – This type of letter is becoming more common in State AG investigations.
    • First used in May 2013 with LivingSocial
State Attorney General Actions
• TD Bank
  – In October 2014, the North Carolina AG reached a settlement with TD Bank related to the Bank’s loss of unencrypted backup tapes that contained personal information belonging to 260,000 TD Bank customers nationwide.
    • Included 1,009 North Carolina residents.
  – TD Bank agreed to:
    • Pay $850,000;
    • Improve security policies to protect personal information and prevent similar breaches in the future;
    • Review existing policies related to personal information twice a year; and
    • Provide better security training for its employees.
State Attorney General Actions
• Home Depot Inc.
  – In September 2014, Home Depot announced a breach of its payment data systems that affected approximately 56 million debit and credit cards.
  – Almost immediately, a group of State AGs began investigating the data breach at Home Depot.
  – The Connecticut AG is leading the multistate investigation to “identify the circumstances and the causes of the breach as well as the manner in which the . . . retailer has dealt with affected shoppers.”
Litigation: Typical Claims By Plaintiffs
• Consumers or employees typically allege:
  – Negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.
  – Violations of state consumer protection statutes – deceptive/unfair trade practices acts.
  – Violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act or Stored Communications Act.
• Banks, credit unions and other financial institutions also assert claims.
Presented By:
LitigationPlaintiffs Lack Standing
• Historically, courts dismissed data breach cases because plaintiffs failed to allege standing.– No “credible threat of harm” that is “both real and
immediate, not conjectural or hypothetical.”• e.g., increased risk of identity theft
– More recently, there are mixed results.
72
Presented By:
LitigationPlaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2013)– Plaintiffs filed a complaint against LinkedIn over a
data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.
– Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for premium memberships.
– On March 6, 2013, the Court dismissed the complaint for lack of standing.
73
Presented By:
LitigationPlaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2013) (cont’d)– The Court held that, “[t]o satisfy Article III standing,
plaintiff must allege: • An injury-in-fact that is concrete and particularized, as
well as actual and imminent;
• That injury is fairly traceable to the challenged action of the defendant; and
• That it is likely (not merely speculative) that injury will be redressed by a favorable decision.”
74
Presented By:
LitigationPlaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2013) (cont’d)– Plaintiffs failed to allege that “included in Plaintiffs’ bargain for
premium membership was the promise of a particular (or greater) level of scrutiny that was not part of the free membership.”
– Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
– Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of personally identifiable information.”
75
Presented By:
LitigationPlaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.)– Skimmers placed on PIN pad devices at 63 locations.– Plaintiffs argued a wide variety of injuries:
• Increased risk of identity theft• Untimely and inadequate notification• Improper disclosure of PII• Invasion of privacy• Decreased value of PII• Anxiety and emotional distress• Overpayment for products
76
Presented By:
LitigationPlaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.) (cont’d)– Relying on the U.S. Supreme Court decision in
Clapper v. Amnesty Int’l USA Inc., No. 11-1025 (2013), on Sept. 3, 2013, the Court granted Barnes & Noble’s motion to dismiss.
– Defendants routinely rely upon Clapper as basis for dismissal of data breach claims.
77
Presented By:
LitigationPlaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.) (cont’d)– Clapper:
• Plaintiffs argued that, because their work required them to communicate with individuals outside the United States, they suffered injury because there was an “objectively reasonable likelihood” that their communications would be acquired under the Foreign Intelligence Surveillance Act.
• The Supreme Court concluded that plaintiffs’ fears were “highly speculative” and based on a “highly attenuated” chain of possibilities that did not result in a “certainly impending” injury.
78
Presented By:
LitigationPlaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.) (cont’d)
  – No proof that an “injury in fact” is “certainly impending.”
    • Speculation of future harm does not constitute actual injury.
    • Even if plaintiffs could prove statutory violations, such violations would be insufficient to establish standing without actual injury.
    • Increased identity theft expenses cannot establish standing for non-imminent harm.
    • Emotional distress insufficient absent any imminent threat to PII.
    • Fraudulent charges were reimbursed.
Litigation: Plaintiffs Lack Standing
• Since Clapper, other courts have dismissed data breach claims based upon lack of standing.
  – In re Sci. Applications Int’l (D.D.C.): No immediate injury because the thief would have to obtain special equipment to read encrypted tapes, break the encryption and review the contents with special software.
  – Polanco v. Omnicell Inc. (D.N.J.): No standing because plaintiffs did not allege that the thief targeted the stolen laptop for its data or any actual misuse of personal information.
  – Galaria v. Nationwide Ins. (S.D. Ohio): Plaintiffs’ injury not “certainly impending” because the harm they feared has “less than a 20% chance of occurring.”
Litigation: Plaintiffs Lack Standing
• Since Clapper, other courts have dismissed data breach claims based upon lack of standing.
  – Lewert v. P.F. Chang’s (N.D. Ill.)
    • In December 2014, the Court found that plaintiffs did not have standing and dismissed the case.
    • Court rejected the overpayment-for-services argument because plaintiffs failed to allege that P.F. Chang’s charged a higher price to people who paid with a credit card and, therefore, that additional value was expected when a customer used a credit card.
    • Court rejected the argument that plaintiffs suffered monetary losses because the suspicious transactions were declined or merely attempted.
  – Plaintiffs appealed to the Seventh Circuit.
Litigation: Plaintiffs Have Standing
• In re Adobe Systems, Inc. (N.D. Cal.)
  – Hackers accessed personal information (including credit card information) of 38 million consumers.
  – Plaintiffs argued that they had standing because they suffered three types of injuries:
    • Increased risk of future harm;
    • Cost to mitigate risk of future harm; and
    • Loss of the value of their Adobe products.
  – The Court went against the trend and denied Adobe’s motion to dismiss.
Litigation: Plaintiffs Have Standing
• In re Adobe Systems, Inc. (N.D. Cal.) (cont’d)
  – The Court found that:
    • “The threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper.”
    • Some of the stolen data appeared on the Internet and, thus, “the danger that Plaintiffs’ stolen data will be subject to misuse can be plausibly described as ‘certainly impending.’”
    • Costs for credit monitoring were an injury-in-fact that conferred standing.
  – Plaintiffs all over the country have started to cite the Adobe decision.
Litigation: Plaintiffs Lack Standing
• Remijas v. Neiman Marcus (N.D. Ill.)
  – Hackers accessed 350,000 customers’ credit cards.
  – On Sept. 16, 2014, despite the Adobe decision in the Northern District of California, the Court granted Neiman Marcus’ motion to dismiss because the plaintiffs did not have standing.
Litigation: Plaintiffs Lack Standing
• Remijas v. Neiman Marcus (N.D. Ill.) (cont’d)
  – The Court found that:
    • Unauthorized credit card charges for which the plaintiffs would be reimbursed were not concrete injuries.
    • Because only 2.5% of customers had fraudulent charges, there was no “certainly impending risk of identity theft.”
    • Plaintiffs failed to allege “precise costs” allegedly spent mitigating the risk of future fraud or identity theft.
    • Loss of control over and value of personal information was not concrete harm.
Litigation: Plaintiffs Have Standing
• Harris v. comScore (N.D. Ill.)
  – Plaintiffs alleged that defendants improperly obtained and used personal information after consumers downloaded and installed the company’s software.
  – comScore’s data collection violated the User License Agreement and the Downloading Statement.
  – Court found standing based upon statutory damages available under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Stored Communications Act.
Litigation: Plaintiffs Have Standing
• Robins v. Spokeo, Inc. (9th Cir.)
  – Plaintiff filed a complaint alleging that Spokeo violated the Fair Credit Reporting Act by publishing inaccurate personal information about him.
  – District Court granted the motion to dismiss because plaintiff failed to prove an injury-in-fact and, thus, did not establish standing.
  – The Ninth Circuit Court of Appeals reversed the District Court’s decision and held that “the statutory cause of action [FCRA] does not require a showing of actual harm when a plaintiff sues for willful violations.”
Litigation: Plaintiffs Have Standing
• Robins v. Spokeo, Inc. (9th Cir.) (cont’d)
  – Petition for writ of certiorari pending before the U.S. Supreme Court.
  – Issue: Whether a plaintiff who suffers no actual harm may have Article III standing conferred upon him by law based upon a violation of a federal statute that provides for statutory damages?
  – Courts of appeals are divided about whether an “injury in law” confers Article III standing.
Litigation: Additional Challenges for Plaintiffs
• Lovell v. P.F. Chang’s (W.D. Wash.)
  – In addition to the standing hurdle, data breach plaintiffs face other challenges.
  – Plaintiffs did not move to dismiss on the basis of standing.
  – Court dismissed the complaint for other reasons:
    • Breach of contract claim failed because plaintiffs failed to identify any conduct showing that P.F. Chang’s agreed to any specific data security obligations.
    • No fiduciary duty between a restaurant and its customers.
    • Deception-based claims failed because P.F. Chang’s data security protocols were not “material” to a customer’s decision to eat at the restaurant.
Litigation: Plaintiffs Have Duty
• In re Target Corp. (D. Minn.)
  – Banks, credit unions and other financial institutions filed negligence claims against Target.
  – Seeking damages for costs associated with the data breach.
    • Including the cost of replacing payment cards, which is estimated at $400 million.
  – First decision to clarify the relationship between merchants and banks.
Litigation: Plaintiffs Have Duty
• In re Target Corp. (D. Minn.) (cont’d)
  – On Dec. 2, 2014, the Court denied Target’s motion to dismiss.
    • Target owed a duty to banks to protect consumer debit and credit card information.
    • Target had a “special relationship” with the banks and from that relationship flowed a duty upon Target to ensure that it adequately protected customer credit and debit card data.
    • Although third-party hackers caused harm, “Target played a key role in allowing the harm to occur.”
Avoid Future Data Security Breaches
• Understand what types of personal information are collected, how, where and for how long it is stored, and who has access to it
• Collect only the personal information necessary to conduct business
• Retain personal information for the shortest time necessary to conduct business
• Limit access to personal information
• Encrypt data at rest and in transit
Avoid Future Data Security Breaches
• Establish internal policies to protect personal information
  – e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies
• Comply with promises made to consumers or employees regarding privacy and security of personal information
  – Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete
Avoid Future Data Security Breaches
• Train employees
• Conduct periodic audits
• Update and revise policies and procedures regularly
• Enhance technology to strengthen security and reduce risk
  – e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software
• Use care when engaging third-party vendors and hold them to high standards