Lessons From Recent Data Security Cases
Mobile Payments Law, Law Seminars International, Palo Alto, California, November 22, 2013
Topics
– What types of alleged damages allow data breach plaintiffs to avoid dismissal of their claims?
– Does the economic loss doctrine bar card issuers’ negligence claims against hacked merchants and processors?
– Does the FTC have jurisdiction to issue unfair practice complaints related to data security?
– What must card brands establish to justify fines and assessments against merchants for violating the PCI DSS?
Current law
Courts often dismiss claims filed by private plaintiffs after data breaches.
– Claims typically include breach of contract, negligence, fraud, and unfair trade practices, among others.
– Unless the lead plaintiffs can show they have incurred economic damages, the claims will almost always be dismissed due to lack of standing or failure to adequately plead the damages component of the claims.
Current law
See, e.g.,
– Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (no standing);
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (same), cert. denied, 132 S. Ct. 2395 (2012);
– In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617 (N.D. Ill. Sept. 3, 2013) (same);
– Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d (E.D. Mo. 2009) (same);
– Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775 (W.D. Mich. 2006) (dismissing Michigan CPA claims, holding “There is no existing Michigan statutory or case law authority to support plaintiff’s position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss.”);
– Paul v. Providence Health System-Oregon, 351 Or. 587, 273 P.3d 106 (Or. 2012) (affirming dismissal of Oregon UTPA claims; finding
Current law
If a plaintiff pleads economic damages, courts may deny a motion to dismiss. See, e.g.,
– Resnick v. Avmed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (“Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury-in-fact under the law.” Plaintiffs also alleged unjust enrichment, which the Court agreed could proceed);
– Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164-67 (1st Cir. 2011) (holding that plaintiffs who pled that they were forced to pay card-replacement fees, or had to purchase insurance, after their credit and debit card data was stolen and thieves made
Current law
After remand, the court in Resnick v. AvMed, Inc., No. 1:10-cv-24513-JLK (S.D. Fla. Oct. 25, 2013), granted an unopposed motion for preliminary approval of a class action settlement, which sought $3 million in damages, including:
– reimbursement for losses caused by identity theft;
– up to $10 per year for each class member who paid for insurance before the data breach, subject to a $30 limit, for unjust enrichment damages;
– $750,000 for class counsel’s attorney’s fees and costs;
– $10,000 to be split among the class representatives.
Current law
The preliminary settlement in Resnick also includes mandatory security improvements:
– security awareness training for all company employees;
– training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information on company laptops;
– upgrading of all company laptops with additional security mechanisms;
– full disk encryption technology on all company desktops and laptops;
– physical security upgrades at company facilities to further safeguard workstations from theft; and
– revision of written policies and procedures to enhance
Current law
Among alleged economic harms courts have held sufficient to avoid dismissal are claims that vendors’ inaccurate security and privacy representations caused consumers to overpay for smartphones. E.g.,
– Pirozzi v. Apple, Inc., 2013 U.S. Dist. LEXIS 110729, at *11-27 (N.D. Cal. Aug. 5, 2013)
– In re Apple iPhone Litig., 844 F. Supp. 2d 1040, 1053-56 (N.D. Cal. 2012)
– Goodman v. HTC America, Inc., 2012 WL
Current law
Most courts have held that an alleged diminution of the value of personal information is not sufficient to avoid dismissal:
– In re Google Inc. Cookie Placement Consumer Privacy Litig., 2013 WL 5582866, at *2-3 (D. Del. Oct. 9, 2013)
– Goodman v. HTC America, Inc., 2012 WL 2412070, at *7-8 (W.D. Wash. June 26, 2012)
But see Claridge v. RockYou, Inc., 785 F. Supp. 2d
Current law
Courts have held that payment card issuers’ negligence claims against merchants and payment processors were barred by the economic loss doctrine. E.g.,
– In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, 498-99 (1st Cir. 2009)
– Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 175-78 (3d Cir. 2008)
A recent case may change the law
Lonestar Nat’l Bank v. Heartland Payment Sys., Inc., 2013 WL 4728445, at *2-6 (5th Cir. Sept. 3, 2013) (New Jersey’s economic loss doctrine does not bar card issuer banks’ negligence claim against hacked card processor, reversing dismissal)
Current law
The FTC may claim breach of § 5 of the FTC Act, regardless of whether individuals incurred damages.
The FTC has filed complaints at least 19 times against companies that have suffered data breaches, alleging either that
– the company violated its privacy policy and thereby committed a deceptive practice, or
– the company’s failure to deploy adequate
Current law
See, e.g.,
– In the Matter of HTC America Inc., FTC File No. 122 3049 (Agreement containing Consent Order, Feb. 22, 2013), available at http://ftc.gov/os/caselist/1223049/130222htcorder.pdf
– In the Matter of BJ’s Wholesale Club, Inc., FTC File No. 042 3160 (Agreement containing Consent Order, June 16, 2005), available at www.ftc.gov/opa/2005/06/bjswholesale.htm
– In the Matter of The TJX Companies, Inc., FTC File No. 072-3055 (Agreement containing Consent Order, March 27, 2008), available at www.ftc.gov/os/caselist/0723055
– In the Matter of Sears Holdings Management Corporation, FTC File No. 082 3099 (Agreement containing Consent Order, September 9, 2009), available at http://www.ftc.gov/os/caselist/0823099/index.shtm
– In the Matter of DSW Inc., FTC File No. 052 3096 (Agreement containing Consent Order, Dec. 1, 2005), available at www.ftc.gov/opa/2005/12/dsw.htm
– In the Matter of Dave & Buster's, Inc., FTC File No. 082 3153 (Agreement containing Consent Order, March 25, 2010), available at
Current law
“Reasonable” or “appropriate” security measures can be determined from the FTC cases, regulations under other U.S. statutes, and industry standards:
– Assign Responsibility
– Identify Information Assets
– Conduct Risk Assessments
– Select and Implement Responsive Security Controls
– Monitor Effectiveness
– Regularly Review Program
– Address Third Party Issues
Current law
E.g., In the Matter of HTC required HTC to:
– Designate an employee to coordinate security
– Identify internal and external threats
– Conduct risk assessments
– Implement reasonable safeguards including security testing
– Retain service providers capable of maintaining security practices consistent with the order
– Evaluate and adjust the security program as needed
Pending cases may change the law
FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887 (D.N.J.):
– Wyndham provided certain computer services for its hotel franchisees
– Attackers accessed the hotels’ networks, allegedly through Wyndham’s network, and stole payment card data – three times
– Wyndham’s privacy policy made representations about its data security but disclaimed
Pending cases may change the law
– Wyndham declined to enter into an Agreement and Consent Order with the FTC
– The FTC sued Wyndham, alleging both unfair and deceptive practices
Pending cases may change the law
– Wyndham moved to dismiss, arguing:
• The FTC Act does not extend to data security regulation
• The FTC may not announce data security standards through consent orders rather than through rulemaking
• The Act requires the FTC to show substantial injury to consumers, which doesn’t exist because consumers are reimbursed for payment card fraud
• The unfairness claim fails to allege how Wyndham’s security measures were inadequate or caused losses
• The deceptive practice claim fails to meet Rule 9(b)
• The deceptive practice claim ignores franchise law
• The deceptive practice claim fails to plead facts to support how Wyndham’s own security measures were inadequate
Pending cases may change the law
– The FTC responds to Wyndham:
• It pled specifically how Wyndham’s security was deficient (Wyndham failed to use firewalls, stored PCI data in clear text, passwords were not complex, servers on connected networks were not patched, etc.)
• Consumers were injured due to unreimbursed fraud, lost access to credit, and increased costs; Wyndham’s damages arguments raise fact issues
• The injuries were caused by Wyndham, e.g., being unable to determine the source of a brute force attack
• The FTC’s authority is broad and includes data security
• Wyndham had notice through industry standards and FTC consent orders about what reasonable security required
Pending cases may change the law
– The Chamber of Commerce as an amicus argues the FTC is overreaching because:
• Congress reined in the FTC by adding the “substantial injury” requirement after the agency previously sought to extend its authority too far
• Congress excluded FTC consent orders from precedents for civil money penalties in 15 U.S.C. § 45(m)(1)(B)
• The FTC has rulemaking authority under 15 U.S.C. § 57a, which the agency failed to use to specify data security rules
Pending cases may change the law
In the Matter of LabMD, Inc., FTC No. 9357 (FTC Complaint, August 28, 2013), the FTC alleges:
– The lab had a copy of LimeWire P2P software installed on a billing computer in 2008
– The lab generated insurance aging reports and “day sheets,” which included patients’ names and SSNs, and cancelled checks
– One of the lab’s insurance aging reports was available on LimeWire and day sheets were in possession of an identity thief
Pending cases may change the law
LabMD filed an Answer on September 17, 2013, alleging, among other things:
– The FTC has no subject matter jurisdiction
– The FTC Act does not give the FTC authority to regulate the acts alleged in the Complaint
– The alleged acts did not cause consumers substantial injury
– The FTC failed to provide fair notice and due process by
Current law
The payment card brands may impose fines and assessments through their fraud recovery rules if
– an attacker steals payment card data from a merchant, and
– a forensic investigation shows the merchant failed to comply with any of the requirements of the PCI DSS
Pending cases may change the law
Genesco, Inc. v. Visa U.S.A., Inc., 2013 WL 3790647 (M.D. Tenn. July 18, 2013), denied Visa’s motion to dismiss Genesco’s California UCL and common law claims.
– Genesco alleged Visa’s fines and assessments of $13.3 million violated the UCL, breached Genesco's contracts, violated the duty of good faith, unjustly enriched Visa, and entitled Genesco to restitution
– Visa moved to dismiss the UCL, unjust
Pending cases may change the law
– The Genesco court denied Visa’s motion, holding
• The UCL is broad and covers claims of unconscionable commercial contract terms where the terms of the contract implicate the public interest
• Visa’s contracts could be found to be harmful to merchant competition and may be unfair in the market for credit and debit card transactions if Genesco shows, as it alleges, that Visa imposed fines and assessments without a factual basis or in violation of Visa’s standards and procedures
• Additionally, the fines and assessments may be
Pending cases may change the law
Elavon, Inc. v. Cisero’s Ristorante, Inc., Dist. Ct. No. 100500480 (Summit County, Utah):
– Acquiring bank and its parent company sued to recover card brand fines and assessments
– Merchant, represented by Constantine Cannon, counterclaimed seeking a declaratory judgment of nonliability, and alleging negligence, breach of contract, breach of good faith, conversion, and breach of fiduciary duty
– The court dismissed the negligence counterclaim as barred by the economic loss doctrine
Current law
The U.S. Department of Justice has prosecuted both U.S.-based and foreign hackers. E.g.,
– Albert Gonzalez, a ringleader in the Hannaford breach and many others, is currently serving a 20-year sentence.
– Four Russians and a Ukrainian were recently indicted for their roles in 14 different breaches in which 170.5 million payment card datasets were stolen. U.S. v. Drinkman, et al., Second Superseding Indictment, Cr. No. 09-626 (D.N.J. July 25, 2013)
Pending cases may change the law
Microsoft, working with the FBI, obtained a preliminary injunction seizing domain names and IP addresses used by criminals who ran the Citadel botnet. Microsoft v. John Does 1-82, Civ. No. 3:13-cv-319 (D.N.C. June 13, 2013).
– The injunction also enabled Microsoft to upload curative code that deleted botnet files from zombie computers controlled by Citadel command and control servers.
– The court also granted leave for Microsoft to conduct discovery to identify the Doe defendants.
Questions?
Randy Gainer, Attorney, CISSP, Davis Wright Tremaine LLP | Seattle
(206) 757-8047