Significant Case Developments
Target Breach Multidistrict Litigation Snowballs to 111 Suits
In re Target Corp. Customer Data Security Breach
Litigation, No. 14-md-02522 (D. Minn.).
On December 19, 2013, Target publicly announced it had experienced
a data security breach via malware installed on its point-of-sale
network. Forty million customer credit and debit card numbers,
encrypted PINs, and CVV codes and 70 million customer names,
mailing addresses, email addresses, and phone numbers were stolen
between November 27 and December 15, 2013.
The breach spawned dozens of putative class action suits. Because
they involved common questions of fact, on April 2, 2014, the
pending 33 cases and potential 71 tag-along cases that spanned 18
federal districts were consolidated in the District of Minnesota.
The multidistrict litigation now includes a total of 111 suits.
The plaintiffs include both Target customers whose personal information was compromised by the breach and banks and credit unions that issued customers' debit and credit cards. The most common claims are negligence, negligence per se, breach of contract, bailment, conversion, unlawful deceptive trade practices and unfair competition, unjust enrichment, unlawful retention of credit card information, breach of fiduciary duty, violations of consumer protection laws, fraudulent concealment, negligent performance of services, and negligent misrepresentation. The plaintiffs seek various types of relief, including mandatory payment of identity theft and credit monitoring services, imposed auditing requirements, injunctions to cease and desist improper retention of customer data, reimbursement of funds stolen and costs expended in issuing new cards, disgorgement of Target's profits during the time of the breach, and forced adoption of certain security measures.
In addition to the class actions now comprising the multidistrict litigation, at least four shareholder suits have been filed against Target and its board of directors, alleging breach of fiduciary duty and waste of corporate assets.
Symantec Wins Dismissal of Suit Over Software Vulnerability
Haskins v. Symantec Corp., No. 13-01834, 2014 U.S. Dist.
LEXIS 75348, 2014 WL 2450996 (N.D. Cal. June 2, 2014).
In 2006, hackers stole the source code for several of
Symantec's antivirus programs. The breach was not publicized
until 2012, when the hackers announced their theft. Kathleen
Haskins brought a putative class action against Symantec on behalf
of all purchasers of the affected software, claiming that
Symantec's failure to publicize the theft violated the
California Consumer Legal Remedies Act and Unfair Competition Act
and breached an implied contract, and also alleging a breach of
money received.
On August 23, 2013, the Northern District of California dismissed Ms. Haskins's first amended complaint without prejudice. 2013 U.S. Dist. LEXIS 120376, 2013 WL 4516179. On December 1, while holding that downloaded or otherwise purchased software is a chattel under the California Legal Remedies Act, the court dismissed Ms. Haskins's second amended complaint, again allowing her to amend her pleading. 2013 U.S. Dist. LEXIS 169865, 2013 WL 6234610.
On June 2, the court dismissed Ms. Haskins's third amended complaint with prejudice. The court found that both consumer protection claims failed because Ms. Haskins had not pleaded that she relied on a specific advertisement or had been exposed to a long-term advertising campaign. Ms. Haskins also did not adequately allege the facts necessary to establish the existence of an implied contract. And the existence of a software license agreement negated Ms. Haskins's claim for money received.
Misuse of Data Not a Requirement for Data Breach Class Certification, At Least in West Virginia
Tabata v. Charleston Area Medical Center, Inc., No.
13-0766, --- S.E.2d ----, 2014 WL 2439961 (W. Va. May 28,
2014).
In February 2011, two medical providers notified 3,655 patients
that their names, contact details, Social Security numbers, dates
of birth, and basic health information had accidentally been posted
to the internet. Several of these patients sued in a putative class
action, asserting claims for breach of the duty of confidentiality,
invasion of privacy – "intrusion upon the seclusion of
the petitioners," invasion of privacy –
"unreasonable publicity into the petitioners' private
lives," and negligence. Both the trial and circuit courts
found that the plaintiffs lacked standing because they did not
allege that any personal information had actually been misused. In
an opinion issued in May 2014, West Virginia's highest court disagreed, explaining that damage to the legal
interests of privacy and medical confidentiality are sufficient
injuries to confer standing. The court also reversed the circuit
court's denial of certification and found that the plaintiffs
did meet the commonality, typicality, and predominance
requirements.
Michaels Stores Seeks Dismissal of Data Breach Class Action
Moyer v. Michaels Stores, Inc., Nos. 14-CV-00561;
14-CV-00648; 14-CV-1229 and 14-CV-1827 (N.D. Ill.).
On January 25, 2014, Michaels Stores disclosed that it experienced
a data breach that may have exposed customers' credit and debit
card information to hackers. Alleging that Michaels did not
maintain adequate security measures and that they now face an
increased risk of identity theft and must spend time and money
protecting themselves, Michaels customers filed several, now
consolidated, putative class actions on behalf of a nationwide
class claiming: (i) breach of implied contract and (ii) violations
of the Illinois Consumer Fraud Act and other state consumer
protection laws. On June 3, 2014, Michaels filed a motion to dismiss, arguing that the plaintiffs
lack standing because they did not allege that they suffered actual
or imminent injuries (e.g., unauthorized activity or
unreimbursed charges on their accounts). Michaels also argued that
the plaintiffs failed to state claims due to their omission of an
allegation of injury as well as other pleading deficiencies. A
hearing on the motion is scheduled for July 17, 2014.
Cybercrime in the News
Cyberattack on Hong Kong Vote Was Among
Largest Ever, Security Chief Says, N.Y. Times, June 21,
2014.
Tally of Cyber Extortion Attacks on Tech
Companies Grows, N.Y. Times, June 19, 2014.
Cybercriminals Zero In on a Lucrative New
Target: Hedge Funds, N.Y. Times, June 19, 2014.
Report: Cybercrime and espionage costs $445
billion annually, Washington Post, June 9, 2014.
Government Enforcement
11th Circuit Refuses to Rule on LabMD's Challenge to FTC's Jurisdiction, but Congress Intervenes, Delaying Administrative Proceedings
In August 2013, after a document containing the personal information of about 9,300 patients was posted to a peer-to-peer file sharing network, the FTC filed an administrative action against LabMD alleging that its failure to safeguard its data constituted a violation of the Federal Trade Commission Act.
In November and December 2013, LabMD responded by: (1) moving to dismiss the administrative action, (2) filing suit for declaratory and injunctive relief in the District Court for the District of Columbia, and (3) moving to stay the administrative proceedings in the Eleventh Circuit. In all three actions, LabMD argued that the FTC Act does not grant the FTC power to regulate data breaches and that, as a HIPAA-covered entity, LabMD must answer only to the Department of Health and Human Services regarding its data security practices.
After the Eleventh Circuit declined to exercise jurisdiction over its motion to stay, LabMD voluntarily withdrew its suit in the District of Columbia and, in March 2014, filed an identical action in the Northern District of Georgia. On May 12, the Northern District of Georgia determined that, in the absence of final agency action, LabMD's alleged injuries were not ripe for review and, on May 19, the Eleventh Circuit denied LabMD's emergency motion to stay the administrative proceedings pending an appeal.
But it did not end there. While the FTC administrative proceedings resumed on May 20, the House Committee on Oversight and Government Reform launched an investigation into Tiversa, Inc., a company that provided the FTC with much of the information that formed the basis for its enforcement action against LabMD. When former Tiversa employee Rick Wallace, a key witness in the enforcement action, notified the administrative law judge that he would be pleading the Fifth Amendment, the proceedings were recessed until June 12. On June 11, the chair of the House panel, Darrell Issa, wrote a letter to FTC Chair Edith Ramirez stating that "the information provided to the FTC [by Tiversa] is incomplete and inaccurate." On June 12, the administrative proceedings were stayed pending negotiations between Mr. Wallace and the House panel over a grant of immunity for his testimony. On June 17, Congressman Issa requested that the FTC Inspector General review the FTC's relationship with Tiversa.
Wyndham Court Certifies Questions About FTC's Data Breach Jurisdiction for Interlocutory Appeal
FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S.
Dist. LEXIS 84914, 2014 WL 2815356 (D.N.J. June 23, 2014).
In a motion to dismiss, Wyndham Hotel and Resorts challenged the
FTC's assertion of broad authority to regulate data security
under the Federal Trade Commission Act. Although the court denied
the motion to dismiss, on June 23 it granted Wyndham Hotel and Resorts' motion
to certify two issues for interlocutory appeal to the Third
Circuit: (1) whether the FTC can bring an unfairness claim
involving data security under Section 5 of the FTC Act, and (2)
whether the FTC must formally promulgate regulations before
bringing such a claim. For a detailed description of the
Wyndham case, see
Federal Court Refuses to Dismiss FTC Data Security
Authority.
SEC Official Urges More Breach Disclosure, More Board Oversight of Cybersecurity
On June 10, during a speech with significant implications for corporate governance, SEC Commissioner Luis Aguilar urged corporate boards to exercise more oversight over cybersecurity by using the National Institute of Standards and Technology Cybersecurity Framework. (For more details on the NIST framework, see White House's Cybersecurity Framework Highlights Need for Preparedness and NIST Releases Draft Cybersecurity Framework.) He further recommended that boards lacking technical expertise either receive cyber-risk education or set up separate enterprise risk committees. The Commissioner also advocated increased disclosure of data breached, saying "I would encourage companies to go beyond the impact on the company and to also consider the impact on others."
State and Federal Authorities Investigate eBay Breach
After eBay announced in late May that hackers had gained access to the personal information—including names, birth dates, encrypted passwords, email and physical addresses, and phone numbers—of 145 million customers, both state and federal officials launched investigations. Attorneys general from Connecticut, Florida, Illinois, and reportedly California, are coordinating an inquiry into eBay's data protection and response measures. Congressmen Joe Barton and Bobby Rush, members of the Congressional Bi-Partisan Privacy Caucus, sent a letter to eBay asking for more information about the scope of the breach and the data protection measures that were in place. Meanwhile, the data protection authority in Luxembourg, eBay's European base, has launched its own investigation into eBay's data protection practices.
International
The Right to be Forgotten
Google Spain SL v. Agencia Española de
Protección de Datos, Judgment (May 13, 2014).
Mario Costeja González discovered that the Google search
results for his own name included two 1998 newspaper announcements
about real estate auctions resulting from attachment proceedings
against him. González complained to a Spanish agency, which
held that the paper did not have an obligation to remove the
article but that European Union data protection laws required
Google and its Spanish subsidiary to remove the offending links.
Google appealed the agency's decision to the National High
Court of Spain, which referred several questions to the Court of
Justice of the European Union.
The court determined that search engines, by finding,
indexing, storing, and making available information on websites,
engage in the "processing of personal data" and are
"controllers" of that data within the meaning of
Directive 95/46 of the European Parliament. A search engine's
European subsidiary—even if set up to promote and sell
advertising space—is also a data processor under Directive
95/46. The court held that two provisions of the directive
encompass a "right to be forgotten" requiring search
engine operators to remove web pages published by third parties
from the search results for a person's name upon that
person's request even if the information was lawfully published
on the indexed webpage.
British Columbia Privacy Act Trumps Facebook's Jurisdiction Selection Clause
Douez v. Facebook, Inc., 2014 BCSC 953 (Can.
BC).
In 2011, Facebook launched Sponsored Stories, a product that used
names and images of Facebook users to display advertisements to
users' contacts. Deborah Douez filed a class action suit on
behalf of all British Columbia Facebook users alleging that
Facebook's Sponsored Stories violated the British Columbia
Privacy Act by using their names or likenesses without
consent.
On May 30, the Supreme Court of British Columbia (a superior trial
court) held that it would not enforce the California
forum selection and choice of law clauses in Facebook's Terms
of Use. The court explained that the legislature gave the court
exclusive jurisdiction over Privacy Act claims and that the
application of either clause would deprive Douez of the ability to
bring her claim. The court also noted that Facebook stated in its
Terms of Use that it would "strive to respect local
laws." Rejecting Facebook's forum non conveniens
argument, the court held that it would exercise jurisdiction over
the case and certified it as a class action.
New Filings
Class Actions Against P.F. Chang's
Lewert v. P.F. Chang's China Bistro, Inc., No.
14-cv-04787 (N.D. Ill., filed Jun. 25, 2014).
Kosner v. P.F. Chang's China Bistro, Inc., No.
14-cv-04923 (N.D. Ill., filed June 30, 2014).
On June 10, 2014, the U.S. Secret Service informed P.F.
Chang's that credit and debit cards had been stolen from some
of its restaurants. News broke of the breach on June 11, and the
company publicly acknowledged the breach on June 12. The extent of
the breach has not been announced but some reports estimate that
more than 7 million cards could have been compromised over a period
of approximately nine months. The restaurant has not yet notified
affected customers. John Lewert, a P.F. Chang's customer, filed
a putative class action on behalf of customers
nationwide alleging that by failing to safeguard credit and debit
card data, the restaurant breached an implied contract and violated
various consumer protection statutes. Lucas Kosner filed a competing identical action two weeks
later.
Smith v. Triad of Alabama LLC, No. 14-cv-00324-MEF-CSC (M.D. Ala.).
Flowers Hospital notified patients by letter on April 15 that between June 2013 and February 2014, a former hospital employee, Kamarian Millender, stole lab test records containing names, addresses, dates of birth, Social Security numbers and health plan policy numbers, and information about lab tests, but not test results. The letter stated that Mr. Millender may have used the information to file false tax returns and offered a year of free credit monitoring. In this putative class action, filed on May 5 and amended June 20, the plaintiffs, all hospital patients, allege that Triad of Alabama (doing business as Flowers Hospital) failed to properly safeguard their personal information and that, as a result, Mr. Millender used their Social Security numbers to file fraudulent tax returns and put them at a greater risk for future identity theft. The complaint included claims for willful and negligent violations of the Fair Credit Reporting Act, negligence, negligence per se, and invasion of privacy.
Perea v. AvMed, Inc., No.
2014-01362-CA-01 (Fla. Cir. Ct.).
In March 2014, health insurance provider AvMed settled a
nationwide class action stemming from the theft of two unencrypted
laptops holding the personal information of 1.2 million customers.
However, the class included only customers who had not experienced
identity theft as a result of the breach. In this individual action, Joseph Perea alleges that
as a result of the AvMed data breach, someone filed a fraudulent
tax return under his name and two others made unauthorized
purchases with his check card. He brings claims for negligence,
breach of contract, breach of implied contract, and unjust
enrichment.