A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
This week, a high profile plaintiffs’ firm (Edelson) stated that “if done right,” the data breach class actions against Equifax should yield more than $1 billion in cash going directly to more than 143 million consumers (i.e., roughly $7 per person).
No defendant to date has paid anything close to $1 billion. In fact, the largest class settlements in breach cases hardly get close: Target Stores paid $10 million (cash reimbursement for actual losses) and The Home Depot paid $13 million (cash reimbursement for actual losses + credit monitoring). Will Equifax be different?
Part of the answer revolves around the increasingly debated role and importance of “consumer harm” in resolving data breach disputes. READ MORE
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE
States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.
Expanded Definition of “Personal Information”
Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.
It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.
The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company. In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts: a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.
Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here. The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still. Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.
In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge has found that PF Chang’s policy came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, the company sought coverage under its “CyberSecurity by Chubb” insurance policy. Although PF Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million for customer claims and other breach-related expenses, it refused to reimburse an additional $2 million in fees and assessments levied against P.F. Chang’s by the credit card brands. Last week a federal district judge in Arizona, applying Arizona law, denied PF Chang’s claim for reimbursement and granted summary judgment for Federal. While it held that these fees and assessments fell within the scope of coverage, the court held that the “contractual liability” exclusion barred coverage.
Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here. The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation. The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.