Privacy & Cybersecurity Update - May 2017

Skadden, Arps, Slate, Meagher & Flom LLP
Contact

Skadden, Arps, Slate, Meagher & Flom LLP

In this edition of our Privacy and Cybersecurity Update, we take a look at the Trump administration's executive order outlining its cybersecurity plans, Acting FTC Chairwoman Maureen Ohlhausen's comments on the possible expansion of the definition of cybersecurity-related substantial harm and Target's settlement with the state attorneys general regarding its 2013 data breach. We also examine the likelihood of the United Kingdom maintaining its data protection laws following Brexit, the SEC's alert regarding the WannaCry ransomware attacks and Experian's success in protecting an IT consultant's report prepared in anticipation of litigation, as well as other recent court decisions.

White House Issues Executive Order Highlighting Trump Administration’s Cybersecurity Plans

On May 11, 2017, President Donald Trump signed an executive order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the order) outlining the administration’s cybersecurity plans1 The order focuses on (a) enhancing the security of federal networks and identifying federal information technology procurement needs; (b) reporting on cybersecurity concerns within U.S. critical infrastructure; and (c) reviewing the nation’s overall cybersecurity posture and assessing cybersecurity threats. The order asks for multiple reports on each of these topics with input from more than a dozen different federal agencies. The Trump administration appears ready to use the reports generated to set its cybersecurity priorities for the next four years.

Section 1 of the order states that agency heads will be held accountable for assessing and addressing cybersecurity risks. Within 90 days, each federal agency will be required to use the National Institute of Standards and Technology Cybersecurity Framework to develop and provide a risk management report to the civilian or military agencies in charge of assessing federal agency cybersecurity readiness, as appropriate. The agencies in charge of assessing readiness are then required to review those reports and, within 60 days, provide an assessment of cybersecurity risks and a strategy for adequately protecting executive branch agencies from those risks. The order also addresses federal IT modernization, requiring a study addressing the technical feasibility, cost effectiveness and cybersecurity implications of shifting to a consolidated network architecture, or a cloud services model, for IT delivery.

Section 2 of the order addresses cybersecurity risks to U.S. critical infrastructure. As defined in a February 2013 executive order issued by the Obama administration, critical infrastructure industries include any in which “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Trump order asks a number of national security agencies to assess their existing authorities, consult with critical infrastructure industries and then collectively issue a report within 180 days describing how the federal government can support critical infrastructure in protecting its assets against cybersecurity risks. Separately, the order also requires the government to issue a report on market transparency in sharing risk management practices among critical infrastructure entities.

In addition, several agencies are called upon to issue multiple reports addressing specific cybersecurity concerns associated with individual critical infrastructure industries:

  • The departments of Commerce and Homeland Security are tasked with leading a process to promote action against threats to the “internet and communications ecosystem.” Notably, in the final version of the order, this phrase expands the scope of potential participants beyond those responsible for “core communications infrastructure,” which was the phrase used in the initial draft. The order requires the lead agencies to engage with other federal agencies and appropriate stakeholders in the technology and communications industries to develop a plan and report back to the White House on their preliminary results within 240 days;
  • The departments of Energy and Homeland Security are required to consult with other agencies and industry stakeholders to develop an assessment of the U.S. power grid’s readiness to respond to a significant cyber incident and report back to the White House within 90 days; and
  • The departments of Defense and Homeland Security, along with the Federal Bureau of Investigation (FBI), are required to draft a report on risks to the defense industrial base and submit it to the White House within 90 days.

Finally, Section 3 of the order addresses questions germane to the cybersecurity of the nation as a general matter. In addition to various reports on the development of a trained U.S. cybersecurity workforce, this section requires agencies to develop two reports on the country’s position in the international cybersecurity order. The departments of State, Treasury, Defense, Justice, Commerce and Homeland Security, and the Office of the U.S. Trade Representative, in coordination with the Directorate of National Intelligence, are asked to assemble a report on “the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.” Many of the same agencies, along with the FBI, are separately asked to submit reports on their “international cybersecurity priorities” and are collectively asked to develop “an engagement strategy for international cooperation in cybersecurity.”

Key Takeaways

  • Companies in critical infrastructure industries can expect more engagement from the U.S. government. Over the next year, agencies will be seeking input from critical infrastructure industry members generally, and those in the communications, technology, energy and defense industries more specifically. The resulting opportunities for both informal discussion and formal participation in the development of the various reports mandated by the order may allow critical infrastructure companies to influence the direction of federal oversight in their respective industries.
  • Companies that manufacture or trade in information technology and foreign companies that invest in U.S. critical infrastructure should closely watch for the report on “strategic options for deterring adversaries.” The inclusion of the departments of State and Commerce, and the Office of the U.S. Trade Representative, in the team of agencies preparing the report demonstrates the Trump administration’s interest in using trade remedies to address cybersecurity concerns. The Trump administration recently initiated the first action since 20012 under Section 232 of the Trade Expansion Act of 1962, which permits investigation of trade-related threats to national security. Moreover, the overall membership of the authoring agencies group tracks the membership of the Committee on Foreign Investment in the United States (CFIUS), which reviews individual foreign investments into the U.S. for any national security risks they present. The strategic options report may serve as a mission statement for CFIUS and trade agencies determined to use their authority to more aggressively pursue trade practices and foreign acquisitions that may be viewed as adding cybersecurity risk.
  • The report on “international cybersecurity priorities” may serve as an early indication as to how the Trump administration will address U.S.-EU information-sharing and privacy concerns. Over the last few years, tensions have developed between United States and EU privacy regulators regarding how U.S.-based internet companies collect and use personal data of European citizens. During the Obama administration, the U.S. and EU worked to develop agreements, including the Privacy Shield and revisions to the current international scheme of Mutual Legal Assistance Treaties, to address both sides’ concerns. However, the Trump administration has not articulated a definitive position on these issues. The international priorities report may shed light on the current administration’s views.

Acting FTC Chairwoman Speaks on Cybersecurity Substantial Injury Definition

At a recent cybersecurity law event at Georgetown University, Maureen K. Ohlhausen, the acting chair of the FTC, stated that the agency will focus on the definition of substantial injury to consumers that can give rise to enforcement actions under Section 5 of the FTC Act, which provides the FTC with jurisdiction to regulate cybersecurity and consumer privacy. Ohlhausen’s focus on defining substantial injury has been a common theme throughout her public comments as chairwoman, and she has been hesitant to regulate in areas where she views harm to consumers as hypothetical. In recent interviews, Ohlhausen has stressed that regulators should tread carefully and has advocated for a less expansive and more transparent interpretation of the FTC’s authority under Section 5 of the FTC Act.

Despite this hesitation to expand the regulatory authority of the FTC, her remarks at Georgetown signaled a potential broadening of the types of consumer harms that would qualify as substantial injury. In addition to direct financial harm to consumers, which the FTC has focused on in past, Ohlhausen said that harms such as health and safety risks arising from the sharing of real-time location data could threaten consumers’ physical safety and thus constitute a substantial injury. Ohlhausen also pointed to disclosure of sensitive medical information as having the potential to cause substantial injury. The definition of substantial injury is still uncertain, with Ohlhausen saying that “we need to think about this more fully,” while also noting that work at the FTC on these issues is ongoing, particularly as it relates to the evolving internet of things and the risks posed by such technology.

Key Takeaways

Acting Chairwoman Ohlhausen’s comments at Georgetown suggest that while the FTC may take a more conservative approach to regulation in the privacy and cybersecurity space going forward, the agency may broaden its definition of substantial harm to consumers to include scenarios beyond direct financial harm.

Target Reaches Settlement with State Attorneys General Regarding Data Breach

Target Corporation has entered into a settlement agreement3 with the attorneys general of 47 states,4 as well as the District of Columbia, to settle claims arising out of the 2013 data breach in which computer hackers stole credit and debit card information from approximately 110 million Target customers by installing malware on Target’s computer servers. In what has been described by regulators as the largest multistate data breach settlement ever reached, Target has agreed to pay approximately $18.5 million in settlement fees and to take specific steps to improve its cybersecurity. Those steps, summarized below, have been described by Illinois Attorney General Lisa Madigan as setting the industry standard for protecting consumers’ information from data breaches going forward.

As part of the settlement, Target commits to do the following:

  • within 180 days following the date of the settlement, the company must establish a comprehensive information security program, which must:
    • include administrative, technical and physical safeguards appropriate to the size of Target’s operations, the nature of its activities and the sensitivity of the personally identifiable information that it collects;
    • be supported by appropriate resources; and
    • include steps to handle security breaches involving personally identifiable information;
  • employ an experienced cybersecurity executive who is responsible for overseeing the information security program and advising the CEO and the board of directors on the security risks faced by Target and the security implications of the company’s decisions;
  • develop written risk-based policies and procedures for auditing vendor compliance with the information security program;
  • make reasonable efforts to maintain and support the software on its networks;
  • maintain protocols to encrypt certain cardholder data;
  • scan and map the connections between the portion of its network that processes and stores card authentication data (Cardholder Data Environment) and separate it from rest of its network;
  • implement a penetration testing program;
  • implement controls to manage access to individual accounts, service accounts and vendor accounts, including strong passwords and password-rotation policies, and two-factor authentication;
  • restrict or disable unnecessary network programs that provide access to the Cardholder Data Environment;
  • implement a file integrity monitoring solution to notify personnel of unauthorized modifications to critical applications within the Cardholder Data Environment;
  • implement controls designed to detect the execution of unauthorized applications within its point-of-sale terminals and servers;
  • implement controls to manage the access of any device attempting to connect to the Cardholder Data Environment, and to monitor and log network activity;
  • develop policies and procedures to manage and document changes to network systems;
  • maintain separation of development and production environments;
  • manage the review and, where appropriate, adoption of improved industry-accepted payment card security technologies, such as chip-and-PIN technology; and
  • encrypt payment card information throughout the course of retail transactions at retail locations.

Target is required to obtain an information security assessment and report from a qualified third party within one year following the date of the settlement. The report must specify the safeguards implemented by Target and explain the extent to which such safeguards are appropriate in light of Target’s operations.

Key Takeaways

The list of steps Target has agreed to take provides a useful cybersecurity checklist for companies, although we would caution against fully relying on this list as the “industry standard,” particularly given how quickly the area of cybersecurity protection and preparedness is evolving.

T-Mobile Denied Access to Data Breach Report Prepared by IT Consultant

In September 2015, hackers accessed the IT systems of Experian Information Solutions Inc. (Experian) and stole the personally identifiable information of approximately 15 million T-Mobile USA Inc. (T-Mobile) customers on whom T-Mobile had run credit checks with Experian. The information included customers’ names, addresses, social security numbers, birthdays, driver’s license ID numbers, military ID numbers and passport numbers. Following discovery of the data breach, Experian immediately hired the law firm Jones Day. Jones Day then hired Mandiant, a third-party information technology forensics consultant, to investigate the breach. Multiple class actions filed on behalf of consumers whose personally identifiable information was stolen in the breach were consolidated in the U.S. District Court for the Central District of California, and the plaintiffs sought to compel discovery of the report prepared by Mandiant following its investigation. The court denied the motion to compel.5

The court ruled that the report was protected by the work product doctrine because it had been ordered by and prepared for Jones Day, rather than Experian itself, in anticipation of litigation.6 The court found that the facts supported Experian’s contention that Mandiant was retained by Jones Day for the sole purpose of helping to prepare a defense to the complaints that would inevitably be filed as a result of the data breach, rather than simply to aid Experian’s own internal investigation of the breach. The court found it persuasive that a full draft of the report was provided only to Jones Day and not to Experian’s incident response team, and that the report would not have been prepared with the same content and in the same form had Jones Day not been instructing Mandiant.

Key Takeaways

In general, a company’s security incident response plan should call for the prompt engagement of counsel, who can then assist in involving other third-party consultants in a manner designed to preserve protections such as the work product doctrine or attorney-client privilege. Whether these protections attach in all cases is highly dependent on the facts of a particular scenario, however, as this ruling demonstrates, retaining third-party consultants through and with the advice of counsel following a data security incident can yield benefits in any ensuing litigation.

Federal Court Finds System Coding Error Not Covered Under Crime Insurance Policy

A recent decision from the U.S. District Court for the Northern District of Georgia underscores the need for businesses to evaluate the adequacy of their insurance coverage for potential cyber- related losses stemming from weaknesses or errors in their information technology platforms. In InComm Holdings, Inc., et al. v. Great American Insurance Company,7 the court held that InComm Holdings, Inc. (InComm), a prepaid debit card processing company, was not covered under its crime insurance policy for a loss in excess of $11 million that it sustained when cyber criminals exploited a coding error in InComm’s Interactive Voice Response (IVR) system to carry out a fraudulent redemption scheme.

Background

InComm’s IVR system is an automated technology that allows prepaid debit card holders to interact with a computer through telephone touch-tone and voice commands to load funds on to prepaid debit cards issued by third-party banks. In order to load funds on to a debit card, the cardholder first must purchase a “chit” from a retailer in the amount that he or she wishes to add to the card. After purchasing a chit, the cardholder would then call InComm’s IVR system to redeem the value. Once the chit is redeemed via the IVR system, the chit becomes inactive and InComm transfers funds equal to the value of the chit to the issuing bank.

In May 2014, InComm learned that cyber criminals, without hacking the system, were able to exploit a “code error” in the IVR system that allowed cardholders to redeem single chits multiple times, thereby obtaining more credit than was purchased. The cyber criminals carried out the fraudulent redemption scheme by submitting multiple simultaneous redemption requests for single chits to InComm’s IVR system, which the company said resulted in more than 25,000 duplicate redemptions and a loss in excess of $11 million.

Shortly thereafter, InComm submitted a claim for its loss to Great American Insurance Company (Great American), which insured InComm at the time of the loss under a crime insurance policy providing coverage for losses resulting from computer fraud. Great American denied coverage for the claim, concluding that the loss did not fall within the policy’s computer fraud coverage.

The Court’s Decision

InComm argued that its loss was insured by the policy’s computer fraud provision, which provided coverage for “loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer of that [money] from inside the premises” to a person or place “outside those premises.” In InComm’s view, because the IVR system was used to fraudulently redeem chits, the “use of any computer” requirement was satisfied.

The court disagreed and sided with Great American, holding that InComm’s loss was not covered by the policy. The court found that adopting InComm’s reading of the policy “would unreasonably expand the scope of the Computer Fraud Provision, which limits coverage to ‘computer fraud.’” The court reasoned that while the cardholders used telephones to provide responses to prompts from an InComm-operated computer connected to the IVR system, there was no evidence that the cardholders realized that their telephone calls resulted in interaction with a computer. “That the cardholders’ use of telephones ultimately led InComm’s computer to process multiple chit redemptions does not establish that InComm’s loss resulted from the cardholders’ ‘use of a computer,’” the court opined.

The court further held that even if it was to be assumed that a computer was “used” to perpetrate the fraudulent redemption scheme, InComm still would not be entitled to coverage under the policy’s computer fraud provision because InComm’s loss did not directly result from the alleged computer use. This was the case, in the court’s view, because InComm’s loss “occurred only after InComm wired money to [the cardholder’s bank], after the cardholder used his card to pay for a transaction, and after [the bank] paid the seller for the cardholder’s transaction.”

Key Takeaways

The InComm decision serves as an important reminder for policyholders to assess their coverage for cyber risks, particularly regarding those that rely on information technology platforms for key business operations, as infrastructure weaknesses and programming errors in such platforms have the potential to cause costly cyber incidents that are not necessarily covered by their existing policies.

UK Likely to Retain EU Data Protection Laws After Brexit

Among the many questions surrounding the United Kingdom’s exit from the European Union was that of the fate of EU data protection laws in a post-Brexit U.K., including the soon-to-be-enforced General Data Protection Directive (GDPR). However, at the end of March 2017, the British government released a white paper announcing its plan to retain all existing EU laws immediately following the U.K.’s withdrawal from the EU.8 This plan should provide companies that collect data from the U.K. with some clarity regarding the laws that will apply to those actions, though many details remain unresolved.

The Great Repeal Bill

Before the U.K. leaves the EU, the British government intends to pass a “Great Repeal Bill,” which will simultaneously (a) exit the U.K. from the EU, (b) convert all EU laws at the time into U.K. laws, and (c) allow the government to amend EU laws to address issues such as references to EU bodies and other technical matters.

Although the government has not commented on EU data protection laws specifically, so far it seems likely that these laws will be included in the Great Repeal Bill’s scope. Elizabeth Denham, the newly appointed head of the U.K. Information Commissioner’s Office, has said the U.K. should retain EU laws, stating that she doesn’t “think Brexit should mean Brexit when it comes to standards of data protection.”9

Denham further noted that, were the U.K. not to retain the EU’s data protection laws, it would put data sharing between the U.K. and the EU at risk, as the EU only allows personal information to be exported from the EU to countries that, in the EU’s view, offer adequate levels of protection for personal data. As Denham noted, “In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”

Impact on the GDPR

The GDPR is set to come into effect in May 2018, which means it will become law before the U.K. leaves the EU and therefore likely will be covered by the Great Repeal Bill. The implementation and interpretation of the GDPR could diverge fairly quickly, however, as U.K. data protection authorities will be able to act independently of EU-wide organizations, such as the EU’s Article 29 Working Group, and will not be subject to rulings of EU courts interpreting the GDPR’s requirements.

Impact on the Privacy Shield

It remains unclear how the EU-US Privacy Shield, which allows data to be transferred from the EU to those U.S. companies that self-certify to the Privacy Shield, will be addressed post-Brexit. Since this a negotiated agreement, it likely would not be included in the Great Repeal Bill. However, we anticipate that the U.K. would enter into its own parallel agreement, much as Switzerland has done with respect to the Privacy Shield. This would depend, of course, on the Privacy Shield remaining intact (see below for a discussion of some current challenges to the Privacy Shield). If the Privacy Shield is renegotiated in the future, it will be interesting to see if the U.K. enters into its own separate negotiations or follows the lead of the EU.

Key Takeaways

The British government’s stated plan to incorporate all EU laws following Brexit provides some degree of certainty to companies that collect personal data in the U.K. However, the risk of divergent interpretations of these laws between the EU and the U.K. over time will require companies to pay close attention to both jurisdictions.

SEC Issues Risk Alert Following Massive Global Ransomware Attacks

The Office of Compliance Inspections and Examinations (OCIE), the arm of the SEC charged with monitoring risks and improving compliance among market participants through the agency’s National Exam Program, released a cybersecurity risk alert on May 17, 2017, in the wake of the widespread “WannaCry” ransomware attacks that had affected organizations in over 100 countries in the preceding days10 The alert highlights certain deficiencies in cybersecurity practices across financial firms (as identified in recent examinations) and identifies risk management considerations in order to encourage market participants to strengthen cybersecurity preparedness across the industry.

In a recent examination of 75 SEC-registered broker-dealers, investment advisers and investment funds, OCIE found shortcomings in certain industry cybersecurity practices. Despite nearly all firms having a process in place for regular system maintenance, OCIE’s examination found that:

  • 26 percent of investment advisers and funds and 5 percent of broker-dealers did not conduct periodic cyber risk assessments of critical systems;
  • 57 percent of investment management firms and 5 percent of broker-dealers did not conduct penetration tests or vulnerability scans of critical systems; and
  • 4 percent of investment management firms and 10 percent of broker-dealers had a significant number of high-risk security patches missing important updates.

The OCIE alert uses these results to underscore the importance of testing critical systems for vulnerabilities and implementing system upgrades on a timely basis, noting that the WannaCry ransomware has been effective largely due to companies’ lack of speed in applying available security patches to the Microsoft systems that were targeted in the attack.

In light of the WannaCry attacks in particular, the alert encourages broker-dealers and investment management firms to evaluate whether they have properly and timely installed applicable patches for affected Windows operating systems, and to review an alert drafted by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team11 that provides technical analysis of the WannaCry ransomware. The alert also recommends prevention, protection and remediation solutions. More broadly, OCIE encourages firms to review periodic guidance and other resources provided by OCIE, the SEC’s Division of Investment Management and FINRA12 in order to fortify cybersecurity programs. By developing appropriate planning, increasing rapid response capabilities and strengthening cybersecurity preparedness, OCIE asserts that companies will be better suited to prevent and mitigate the impact of cybersecurity attacks on investors and clients.

Key Takeaways

Companies that are subject to regulation by the SEC should confirm that the Microsoft patches identified in the OCIE alert have been implemented on their critical systems and have a program in place to ensure that future patches are promptly implemented following release.

District Court Judge Dismisses Data Breach Lawsuit Against Midwest Supermarket Chain

In Community Bank of Trenton et al. v. Schnuck Markets Inc., the U.S. District Court for the Southern District of Illinois dismissed a lawsuit brought by a group of banks and credit unions against supermarket chain Schnuck Markets (Schnucks) in connection with a data breach it suffered in 2012 and 2013.13 In dismissing the suit, the district court judge emphasized that there were no allegations that Schnucks ignored warnings about its data security and that the breach “took place during what seemed to be the boom of data breach activity, at a time when many retailers were caught either unaware or unluckily in the cross-hairs of cybercrime.”

Background

The lawsuit stemmed from the alleged compromise of unencrypted data for 2.4 million credit and debit cards that were used by customers at 79 Schnucks stores from December 1, 2012, through March 30, 2013. The plaintiffs claimed Schnucks first learned of the possible breach on March 14, 2013, when it received reports of fraudulent card use. Five days later, it retained a forensic investigation firm to examine the issue. According to the plaintiffs, the firm identified the breach on March 20, 2013, but Schnucks did not inform the public until March 30, 2013.

Three payment card issuers, on behalf of themselves and other similarly situated plaintiffs, first filed suit against Schnucks in October 2015. After the court dismissed the initial complaint in September 2016, the plaintiffs refiled in October 2016, alleging violations of the Illinois Consumer Fraud Act, as well as other Missouri and Illinois common law negligence and contract claims.

The Court’s Ruling

The district court dismissed all of the plaintiffs’ claims, finding that the plaintiffs failed to plead facts that suggested Schnucks had violated a duty to safeguard credit card data. The court specifically rejected the plaintiffs’ reliance on the Home Depot14 and Target15 data breach cases, both of which survived motions to dismiss. “The facts in the record suggest that Home Depot’s data security conduct in the lead-up to their breach was egregious and intentional — Home Depot on numerous occasions ignored warning signs of poor data security, and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures,” the court noted. “Such alarming conduct,” the court further explained, “certainly weighed heavily on the Northern District of Georgia when deciding whether or not to let a negligence claim proceed.” Regarding the Target case, the court observed that the duty at issue in that case arose from a special Minnesota statute, which had no analogue in Missouri law, explaining that “in the absence of such legislation, this court declines to sua sponte create a duty where the Missouri government has declined to do so.”

The plaintiffs also brought implied and third-party beneficiary contract claims, relying on agreements between Schnucks and card issuers Visa and MasterCard that required Schnucks to maintain proper data security. The court rejected those claims as well, ruling that those contracts did not “expressly or impliedly” give the plaintiffs contractual rights. The court also did not find support for the plaintiffs’ claim “that they were intended to directly enforce or otherwise control the contractual relationship between the merchant and the card processing network.”

Finally, the court dismissed the Illinois Consumer Fraud Act claims, noting that Schnucks had not touted its data security or “lur[ed] customers into the store on the premise that it practiced better data security.” The court also emphasized that, “[u]nlike Home Depot’s conduct of skirting warnings and firing employees, [Schnucks] retained a firm to investigate a potential breach” soon after learning of it.

The fact that the Schnucks data breach took place in early 2013 (before the prominently publicized data breaches at Target and Home Depot) also played a role in the court’s ruling that Schnucks adequately monitored its data security. The court cautioned, however, that “[i]n the wake of the data breach boom, it seems fair to say that retailers will have to act more prudently, but at the time that this breach occurred the law did not contemplate harms of the kind that emerged.”

Key Takeaways

The ruling highlights the ways in which a company can help minimize its litigation exposure from a data breach. In dismissing the lawsuit, the court found it significant that Schnucks promptly retained a forensics investigator in the wake of the breach, that it had no track record of ignoring data security problems and that it had not exaggerated the strength of its data security. It remains to be seen, however, whether the court’s suggestion that companies should act more prudently following the “data breach boom” of 2013 and 2014 will result in stricter standards being applied by the court going forward.

Second Circuit Rules Plaintiffs in Data Breach Lawsuits Must Show Concrete Injuries

In Whalen v. Michael’s Stores, Inc., the U.S. Court of Appeals for the Second Circuit affirmed the dismissal of a data breach class action lawsuit against Michaels Stores Inc. (Michaels), stating that the lead plaintiff failed to show that she suffered any actual injury and thus lacked Article III standing.16 The Second Circuit’s decision is part of a growing trend in which plaintiffs have had difficulty establishing standing in data breach cases.

The Second Circuit relied on the Supreme Court case Clapper v. Amnesty, which reiterated the long-standing judicial requirement that a plaintiff must allege an injury that is “concrete, particularized, and actual or imminent” to have standing to bring a lawsuit.17 The Second Circuit explained that the plaintiff failed to show that she suffered, or was likely to suffer, an injury. The plaintiff’s complaint described two attempted fraudulent credit card charges, however, neither was successful. Consequently, the court found that these attempts did not constitute an “injury” to the plaintiff sufficient to confer standing. Additionally, the court emphasized that the plaintiff could not possibly face a threat of future fraud, as her stolen credit card was cancelled after the breach and no other personally identifiable information was alleged to have been compromised by the breach.

The court distinguished the Whalen case from a 2016 Sixth Circuit case, in which the plaintiffs did establish standing in a lawsuit against Nationwide Mutual Insurance Company. In that case, a data breach could have compromised names, dates of birth, Social Security numbers and drivers’ license numbers. According to the Sixth Circuit, although it was not certain that the plaintiffs would suffer an injury as a result of the theft of their data, there was a substantial risk of harm such that incurring mitigation costs was reasonable.18

In contrast, in the Whalen case, the Second Circuit noted that the plaintiff’s risk of future injury was not a concrete threat because none of her other personally identifiable information had been stolen. In addition, the plaintiff did not provide particularized information regarding the time or money she spent monitoring her credit. Instead, her complaint “alleges only that consumers must expend considerable time on credit monitoring and that she and the Class suffered additional damages based on the opportunity cost and value of time.” The court found these allegations too vague and insufficient to establish standing.

Key Takeaways

The Second Circuit’s decision reflects the continuing difficulty plaintiffs are facing when alleging speculative or future harm in data breach cases. Companies that suffer data breaches and subsequent litigation should carefully assess whether the complaints filed against them plead actual harm as a result of the breach, or at least plead a “substantial risk that the harm will occur.” This case, together with other recent cases, suggest that standing will continue to be a key issue in privacy litigation.

CNN Wins Privacy Battle Over Mobile App in the Eleventh Circuit

In Perry v. Cable News Network, Inc., the U.S. Court of Appeals for the Eleventh Circuit held that Ryan Perry, a consumer who used a free CNN app on his phone, is not protected as a “subscriber” under the VPPA and thus is not able to make a claim against CNN for sharing his personal information with a third party.19 This holding may make it easier for the providers of mobile apps to avoid such claims, but the fact that the court did not bar the action on standing grounds may leave opportunities for future litigation under the VPPA.

Background

Perry downloaded CNN’s free app in 2013. He was not required to create a separate user name and password to access the app; rather, he used an ID number provided to him by his cable television provider. Perry used the app and such ID to access content that was freely available to all users of the app, as well as certain content that was available only to those users with cable television subscriptions that included CNN. The VPPA prohibits a provider of audio/visual materials from disclosing a customer’s personally identifiable information without consent.20 In a putative class action, Perry alleged that CNN violated the VPPA because the app disclosed users’ viewing activity and mobile device MAC addresses to a third-party data analytics company without users’ consent.

The Court’s Decision

The court first applied the Supreme Court’s decision in Spokeo in a standing analysis and found that the alleged procedural violation in this case was sufficient to constitute an injury-in-fact. This ruling provides a liberal reading of the Spokeo decision, which held that bare procedural violations divorced from any concrete harm are not enough to constitute standing. The Eleventh Circuit found that the “structure and purpose of the VPPA supports the conclusion that it provides actionable rights.” In finding as such, the court partially relied on the fact that in creating a cause of action for an invasion of privacy, the VPPA addresses “a harm that has traditionally been regarded as providing a basis for a lawsuit in English and American courts,” while also observing that Supreme Court precedent points to a privacy interest in “preventing disclosure of personal information.” Accordingly, the court concluded that a violation of the VPPA, by itself, is a harm sufficient to confer standing.

Though Perry cleared the hurdle of standing in this case, the court did not agree that he suffered an injury as a “subscriber” that would entitle him to bring a claim under the VPPA. According to the court, Perry was not a subscriber because he had not demonstrated an “ongoing commitment or relationship with CNN.” In making this ruling, the court relied on Ellis v. Cartoon Network, Inc.,21 which held that a user of a free mobile app is not necessarily a “subscriber” for purposes of the VPPA. The court pointed to a dearth of contacts between Perry and CNN, as evidenced by no direct payments, a lack of a user profile and other factors to support its conclusion that Ellis was controlling in this case. The court was not persuaded by the fact that Perry is a cable television subscriber and CNN’s inclusion in his television bundle allowed him to access certain functionality and features on the app. The court found that this arrangement only showed a commitment to his cable television provider, not CNN, stating, “the ephemeral investment and commitment associated with Perry’s downloading of the CNN App on his mobile device, even with the fact that he has a separate cable subscription that includes CNN content, is simply not enough to consider him a ‘subscriber’ under Ellis.” The court distinguished the First Circuit decision in Yershov v. Gannett Satellite Information Network, Inc.,22 in which the First Circuit found that the end user of an app provided by USA Today was a subscriber of USA Today for purposes of the VPPA, by noting that in Yershov the plaintiff had provided his mobile device identification number and GPS location to USA Today, which in that case was sufficient to establish an ongoing “subscriber” relationship.

Key Takeaways

Though this case provides a clearer path to establishing Article III standing for violations of the VPPA, it also makes it more difficult for mobile app users to bring successful actions under this statute in the Eleventh Circuit if they simply downloaded a free app without creating a user account or providing specific information requested by the app. It remains to be seen how this case will shape the law under other privacy-related statutes and in other circuits, although given the prevalence of mobile apps corresponding to subscription-based services in other media, we should expect to see more litigation in this area in the future.

__________________________

1 A copy of the order can be found here.

2 See our recent mailing on this action here.

3 A copy of the settlement agreement can be found here.

4 California is negotiating its own settlement with Target that is expected to be the same in substance as the settlement agreement, but also will include appropriate changes in form to comply with California law and, accordingly, California has been counted among the 47 states.

5 A copy of the Order Denying Motion to Compel Production of Documents can be found here.

6 Because the court found that the report was protected by the work product doctrine, it did not analyze whether it also would be protected by the attorney-client privilege.

7 No. 1:15-CV-2671-WSD, 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017). A copy of the opinion can be found here.

8 The white paper is available here.

9Commissioner: UK ‘must avoid data protection Brexit.’”

10 A copy of the alert can be found here.

11 The U.S. Department of Homeland Security/U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 19, 2017), can be found here.

12 See, e.g., Division of Investment Management, IM Guidance Update: Cybersecurity Guidance (April 2015); Cybersecurity Examination Sweep Summary (Feb. 3, 2015); OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015); FINRA Cybersecurity.

13 The opinion and order may be found here.

14 In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520 (N.D. Ga. May 18, 2016).

15 In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304 (D. Minn. 2014).

16 See No. 16-260 (L), 2017 WL 1556116, at *2 (2d Cir. May 2, 2017). A copy of the opinion can be found here.

17 Clapper v. Amnesty Int’l USA, 568 U.S. 398, 133 S. Ct. 1138, 1140, 185 L. Ed. 2d 264 (2013).

18 Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388 (6th Cir. 2016).

19 A copy of the decision is available here.

20 The text of the VPPA is available here.

21 A copy of the decision can be found here.

22 A copy of the decision is available here.

Download pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP
Contact
more
less

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.