Federal Court Permits Former Employees’ Data Breach Claims to Move Forward

A data breach occurs in which an outside individual obtains your company’s employees’ W-2 forms including social security numbers, addresses, and salary information. As a result, your company notifies all affected employees, explains what occurred, and offers a complimentary two-year membership to a service that helps detect misuse of personal information.   Is your company liable for negligence and breach of contract?

The answer may be, “yes,” according to a federal district court in Kentucky. Savidge v. Pharm-Save, Inc. (W.D. Ky. Dec. 1, 2017).  In Savidge, the plaintiffs alleged various state law claims that their former employer was liable due to the theft of their personally identifiable information (“PII”).  With regard to one plaintiff, the data breach resulted in a false tax return being filed on her behalf.

The company moved to dismiss the claims. In denying dismissal of the negligence claim, the court concluded that because Plaintiffs’ information was released to unauthorized individuals, the company breached its duty to “safeguard that information.”  Further, the court found there were sufficient allegations of injury based on Plaintiffs’ alleged purchase of credit monitoring and identity theft protection services as well as expenses incurred in responding to the fraudulent tax return.  Finally, the court held that Plaintiffs sufficiently alleged causation simply by alleging a nexus between the data breach and fraudulent activity that took place.

In addition, the court declined to dismiss Plaintiffs’ implied breach of contract claim. The complaint alleged that Plaintiffs provided their W-2 information to the company so the company could verify their identities, provide them with compensation, and to provide the company with complete records for tax purposes.  According to Plaintiffs, the company implicitly promised they would take adequate measures to protect their personal information and the company breached that obligation through the release of their PII.  According to the court, the allegations were sufficient to draw an inference that the company impliedly promised to protect their employees’ PII. Therefore, this claim also was permitted to proceed.

With a patchwork of federal laws governing various aspects of data breach liability, it is important for all those possessing PII to understand the extent of exposure under state law as well. Failure to take reasonable steps to protect such information is likely to result in liability.  The trend toward greater protection of PII is only growing, and with tax season nearly upon us it is important for employers to be aware of the kinds of schemes that could result in these kinds of breaches.

Senate Bill Introduced to Protect Personally Identifiable Information

Primarily motivated by several recent massive data breaches, Senate Democrats recently introduced a bill geared toward protecting Americans’ personal information against cyber attacks and to ensure timely notification and protection when data is breached.

The Consumer Privacy Protection Act of 2017 provides that companies that collect and hold data on at least 10,000 Americans would be required to implement “a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”

The legislation protects broad categories of data, including: Social Security, drivers’ license, and passport numbers, financial account numbers or debit/credit card numbers in combination with a security code or PIN, online usernames and passwords, unique biometric data such as fingerprints and retina or iris scans, physical and mental health data, geolocation data, and private digital photographs and videos.

The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce alleged violations of the breach notification or security rules, which could subject companies to civil penalties of at least $16,500, depending on the number of records that were breached. The bill does not provide for a private right of action.

The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”

The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any individual who asks for it, and prohibits automatic enrollment in the identity theft prevention and mitigation services without their consent.

The text of the bill can be found here.

It is worth noting that shortly following the introduction of the Consumer Privacy Protection Act, three Democrat senators introduced the Data Security and Breach Notification Act that would require companies to report data breaches within 30 days of becoming aware of a breach. An individual who conceals a data breach could face a penalty of up to five years in prison. This bill comes on the heels of Uber’s recent data breach announcement that hackers stole 57 million records in 2016, and that Uber paid the hackers $100,000 to destroy the documents.

We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal level, in light of the massive data breaches of late, as developments unfold.


Supreme Court Will Not Hear Ninth Circuit Decision Regarding Willful Violations of FCRA’s Disclosure Provision

On November 13, 2017, the U.S. Supreme Court declined to hear the appeal of one of 2017’s more significant Fair Credit Reporting Act (FCRA) opinions, Syed v. M-I, LLC. (9th Cir. Jan. 20, 2017).  In Syed, the Ninth Circuit Court of Appeals held that a background check disclosure which included a liability waiver violated the FCRA. This case was significant because the Ninth Circuit is the first federal appeals court to definitively state that the FCRA “unambiguously bars the inclusion of a liability waiver.” The court also notably held that the employer willfully violated the FCRA by including the liability waiver in the disclosure, finding that no reasonable interpretation of the statute would allow any language besides a disclosure and authorization.

By way of background, the FCRA prohibits an employer from procuring a “consumer report” (e.g. a background report, credit report, etc.) on an employee or applicant without first providing a clear and conspicuous disclosure in a document consisting solely of the disclosure. FCRA litigation in recent years has primarily involved whether employers’ FCRA disclosure forms improperly included a release of liability or other “extraneous information” that violated the FCRA’s disclosure requirements.

In Syed, the Ninth Circuit agreed with the employee that the employer’s inclusion of waiver of liability language in the disclosure document willfully violated the FCRA. Analyzing the language of the statute and Congressional intent, the Ninth Court found that FCRA disclosure requirements are not met where a document contains any language other than the disclosure and an authorization. The court also reviewed the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins, but found that the employee in Syed had standing to bring the claim because he had alleged more than a “bare procedural violation” of the FCRA. For more information regarding the Spokeo case and other cases referring to the Supreme Court’s decision in Spokeo, please refer to our prior blog posts on the topic:

In its petition for certiorari to the Supreme Court, M-I argued that the Ninth Circuit incorrectly applied the Court’s holding in Spokeo when it found that Syed had standing to bring his claim under the FCRA. On November 13, the Supreme Court denied M-I’s petition without providing any explanation for the denial. As a result, the Ninth Circuit’s decision in Syed remains good law on both the issue of willfulness and the disclosure requirements under the FCRA.

The Syed decision serves as a warning to employers of the strict approach many courts have taken regarding the FCRA’s disclosure requirements. The Ninth Circuit’s determination that the inclusion of a liability waiver was a willful violation of the FCRA is of particular concern. Under the FCRA, willful violations can result in either actual damages or statutory damages, ranging from $100 to $1,000 per violation, which can result in significant potential liability in class action litigation.  There is also the possibility that employers may be hit with punitive damages for willful violations, which is at the court’s discretion.

Employers who obtain background checks from consumer reporting agencies must ensure their forms comply with the FCRA, as well as various state and local laws. Relying on disclosure and authorization forms provided to them by third-party vendors, including credit reporting agencies, is not recommended, as such forms may violate one of the many technical provisions of the FCRA. Thus, employers should review their hiring forms with legal counsel to ensure they comply with the FCRA and applicable state and local laws.

We will continue to monitor and report on any further developments in the Syed case as well as any other developments related to the issues decided therein.

Elder Abuse: Are Granny Cams a Solution, a Compliance Burden, or Both?


In Minnesota, 97% of the 25,226 allegations of elder abuse (neglect, physical abuse, unexplained serious injuries and thefts) in state-licensed senior facilities in 2016 were never investigated. This prompted Minnesota Governor, Mark Dayton, to announce plans last week to form a task force to find out why. As one might expect, Minnesota is not alone. A study published in 2011 found that an estimated 260,000 (1 in 13) older adults in New York had been victims of one form of abuse or another during a 12-month period between 2008 and 2009, with “a dramatic gap” between elder abuse events reported and the number of cases referred to formal elder abuse services. Clearly, states are struggling to protect a vulnerable and growing group of residents from abuse. Technologies such as hidden cameras may help to address the problem, but their use raises privacy, security, compliance, and other concerns.

With governmental agencies apparently lacking the resources to identify, investigate, and respond to mounting cases of elder abuse in the long-term care services industry, and the number of persons in need of long-term care services on the rise, this problem is likely to get worse before it gets better. According to a 2016 CDC report concerning users of long-term care services, more than 9 million people in the United States receive regulated long-term care services. These numbers are only expected to increase. The Family Caregiver Alliance reports that

by 2050, the number of individuals using paid long-term care services in any setting (e.g., at home, residential care such as assisted living, or skilled nursing facilities) will likely double from the 13 million using services in 2000, to 27 million people.

However, technologies such as hidden cameras are making it easier for families and others to step in and help protect their loved ones. In fact, some states are implementing measures to leverage these technologies to help address the problem of elder abuse. For example, New Jersey’s Attorney General recently expanded the “Safe Care Cam” program which lends cameras and memory cards to Garden State residents who suspect their loved ones may be victims of abuse by an in-home caregiver.

Commonly known as “granny cams,” these easy-to-hide devices, which can record video and sometimes audio, are being strategically placed in nursing homes, long-term care, and residential care facilities. For example, the “Charge Cam” (pictured above) is designed to look like, and actually function as, a plug used to charge smartphone devices. Once plugged in, it is able to record eight hours of video and sound. For a nursing home resident’s family concerned about the treatment of the resident, use of a “Charge Cam” or similar device could be a very helpful way of getting answers to their suspicions of abuse. However, for the unsuspecting nursing home or other residential or long-term care facility, as well as for the well-meaning family members, the use of these devices can pose a number of issues and potential risks. Here are just some questions that should be considered:

  • Is there a state law that specifically addresses “granny cams”? Note that at least five states (Illinois, New Mexico, Oklahoma, Texas, and Washington) have laws specifically addressing the use of cameras in this context. In Illinois, for example, the resident and the resident’s roommate must consent to the camera, and notice must be posted outside the resident’s room to alert those entering the room about the recording.
  • Is consent required from all of the parties to conversations that are recorded by the device?
  • Do the HIPAA privacy and security regulations apply to the video and audio recordings that contain individually identifiable health information of the resident or other residents whose information is captured in the video or audio recorded?
  • How do the features of the device, such as camera placement and zoom capabilities, affect the analysis of the issues raised above?
  • How can the validity of a recording be confirmed?
  • What effects will there be on employee recruiting and employee retention?
  • If the organization permits the device to be installed, what rights and obligations does it have with respect to the scope, content, security, preservation, and other aspects of the recording?

Just as body cameras for police are viewed by some as a way to help address concerns over police brutality allegations, some believe granny cams can serve as a deterrent to abuse of residents at long-term care and similar facilities. However, families and facilities have to consider these technologies carefully.

Lessons To Be Learned From The Breach Of Nearly 500,000 Individual Health Records Reported In September 2017

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017.  Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities.  This demonstrates the need for security measures by both HIPAA Covered Entities and Business Associates.

The way the health records were accessed is notable. The biggest cause of the breaches was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches).  This data about breaches reported in September shows the importance of taking proactive steps to ensure data security.  With unauthorized access and disclosure continuing to be a leading cause of data breaches, organizations should consider focusing on potential sources of such unauthorized access and disclosure as they conduct the risk assessments required by HIPAA.

The report also notes that email was involved in many of the breaches reported to HHS in September, finding that there were 13 email-related breaches, including a healthcare employee who emailed PHI to a relative to receive assistance with a work-related action. While that case apparently involved intentional misconduct by a healthcare employee, it raises questions that are instructive for organizations across all industries dealing with sensitive data:

  • Does the organization have clear policies regarding appropriate access to and disclosure of protected information?
  • Does the organization provide training for new employees on information security?
  • Does the organization provide refresher training for employees on information security?
  • Does the organization’s email policy address information security?
  • Has the organization reviewed its email system as part of its risk assessment?
  • Does the organization coordinate enforcement of its information security policies with its corrective action policies?

Another important lesson from these September data breach reports is that hacking continues to be a very real risk. Six of the top ten breaches in September were the result of hacking/IT incidents, resulting in the exposure of 363,364 records – 76.81% of the records exposed in all reported breaches in September.  The continuing risk from cyberattacks highlights the need for ongoing security audits, employee training, and tabletop exercises.

SCOTUS Will Not Review CFAA Password Sharing Case

The United States Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his former assistant’s password to access his former employer’s computer system after his own access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)

The CFAA has generated much debate among the courts regarding the scope of its application. Some forms of “unauthorized access” are obvious – e.g. a hacker breaking into a protected computer system resulting in data theft is clearly a CFAA violation and is the type of event the CFAA was originally designed to protect against. However, other circumstances, particularly in the employment context, can blur the lines of what is considered “unauthorized access” under the CFAA.

For example, in International Airport Centers, LLC v. Citrin, the Seventh Circuit held that where an employee accesses an employer’s computer or information to further interests adverse to the employer, the employee has violated his or her duty of loyalty and in turn “exceeds authorized access” under the CFAA. The First, Fifth and Eleventh Circuits have taken a similarly expansive view that an employee violates the CFAA when he or she accesses the computer system in violation of the employer’s data use policies. In U.S. v. John, the Fifth Circuit held that an employee violated the CFAA when she retrieved confidential customer account information she was authorized to access and transferred it to her half-brother for the purpose of committing a fraud. Under this expansive view, there is the potential that more ordinary forms of password-sharing could be prosecutable under the CFAA – for instance, an employee’s use of the password of a colleague who is out sick to access a presentation or print a document.

Conversely, other courts have taken a more narrow approach to CFAA application. The Fourth Circuit held in WEC Carolina Energy Solutions LLC v. Miller that an employee who allegedly downloaded proprietary information from an employer’s computer system for the benefit of his subsequent employer did not violate the CFAA. The Fourth Circuit emphasized that the CFAA is a criminal statute that should be construed narrowly and is meant to target hackers as opposed to “workers who access computers or information in bad faith, or disregard a use policy.”

In light of the conflicting jurisdictional interpretations of the CFAA, companies should review their policies and procedures to ensure access rights and limitations to their information and information systems are clearly defined and effectively communicated to their employees. Further, when faced with apparent unauthorized access to computer systems – especially if password sharing is involved – companies should conduct an analysis to determine if a potential CFAA violation has occurred.

USCIS: Watch Out For I-9 Email Scams

As reported on our Global Immigration Blog, the U.S. Citizenship and Immigration Services (USCIS) has issued a notice regarding scam email requests for I-9 information. 

According to USCIS, employers have received scam emails that appear to come from USCIS.  These scam emails come from a fraudulent email address (news@uscis.gov), and the body of the email may contain USCIS and Office of the Inspector General labels, the employer’s address, and a fraudulent download button that links to a non-government web address (uscis-online.org).  USCIS is reminding employers that they are not required to submit Forms I-9 to USCIS and that USCIS will not request them via email.  Rather, employers must simply maintain certain records for employees who are required to complete an I-9.  USCIS has instructed employers not to respond to these emails or click the links in them.

USCIS has advised employers who believe they have received a scam email request for Form I-9 information to report it to the Federal Trade Commission.  Additionally, employers who are not sure whether a particular email is a scam may forward the suspicious email to the USCIS webmaster and USCIS will review the email and share with law enforcement agencies as appropriate.

Responding to these types of phishing email schemes is one of the most prevalent ways in which an organization may experience a data breach and further highlights the significant risk posed by employee error.  Understanding these risks exist and developing a plan to address them is a key component of data breach preparedness.
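The scam described above has two indicators that an organization can check for automatically before a message reaches an employee's inbox: a sender address that claims a government domain, and a call-to-action link that points at a host which is not a government domain. The script below is an added example written for this post, not USCIS's or the blog's code. It assumes that only `.gov` hosts are treated as legitimate for USCIS correspondence (`TRUSTED_SUFFIXES`) and that the organization wants any email that asks for Forms I-9 flagged regardless of sender, since USCIS has said it will not request them by email. Both sample messages are constructed for the example; the scam sample reuses the sender and link host named in the USCIS notice.

```python
"""Flag emails that claim a .gov sender but link to non-government hosts,
or that ask the recipient to submit Forms I-9 (which USCIS never requests
by email). Added example; not USCIS's or the blog's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: only *.gov hosts are trusted for USCIS mail.
TRUSTED_SUFFIXES = (".gov",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
I9_RE = re.compile(r"\bI-9\b")
ACTION_RE = re.compile(r"\b(submit|upload|download|send)\b", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True if the host sits under one of the trusted suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)


def link_hosts(text: str) -> list:
    """Hostnames of every http(s) URL found in the text, in order."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def message_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message: str) -> dict:
    """Return the indicators found in a raw RFC 822 message and a verdict."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + message_text(msg)

    claims_gov = is_trusted_host(sender_domain) if sender_domain else False
    untrusted = [h for h in link_hosts(text) if not is_trusted_host(h)]
    requests_i9 = bool(I9_RE.search(text) and ACTION_RE.search(text))

    return {
        "sender_domain": sender_domain,
        "sender_claims_gov": claims_gov,
        "untrusted_link_hosts": untrusted,
        "requests_i9": requests_i9,
        # A .gov sender whose links leave .gov, or any I-9 request, is suspicious.
        "suspicious": (claims_gov and bool(untrusted)) or requests_i9,
    }


# Constructed sample: mirrors the indicators in the USCIS notice.
SCAM = """From: USCIS <news@uscis.gov>
To: hr@example.com
Subject: Action required: Form I-9 verification

Office of the Inspector General
Please download the attached notice and submit your Forms I-9 today.
http://uscis-online.org/download/i9
"""

# Constructed sample: ordinary internal mail with no government claim.
LEGIT = """From: Payroll <payroll@example.com>
To: hr@example.com
Subject: Quarterly newsletter

Read this month's updates: https://intranet.example.com/news
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The rule is deliberately conservative: a spoofed `From` header alone is not enough, because legitimate mail can also fail SPF or DKIM checks for mundane reasons, but a government sender whose only link leaves `.gov` is exactly the pattern USCIS describes, and a request for Forms I-9 by email is one USCIS says it never makes.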

New York AG Announces SHIELD Act

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD ACT include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities and others that are annually certified by an authorized and independent third party to be compliant with certain data security standards, such as the most up-to-date version of the ISO/NIST standards, are called “certified compliant entities.” These entities are deemed to be compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities”
  • A more flexible standard would exist for small businesses (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets)
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger “acquisition”) as a trigger for notification, and (ii) expanding the data elements that if breached would require notification to include username-password combination, biometric data, and HIPAA covered health data
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and civil penalties under General Business Law § 351

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., WannaCry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanaugh (D-Manhattan), who lead their chambers’ consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, the steps they have taken since learning of the breach, and how they will further assist consumers in protecting their personal information.

In addition, AG Schneiderman has brought several enforcement actions in 2017 against companies that have failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG’s office revealed that sensitive customer information had not been protected for almost a full year. Acer agreed to pay $115,000 in penalties and improve its data security practices. In April, Schneiderman announced that TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment”. In June, Schneiderman issued his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. It was found that Safetech did not force users to reset default passwords, and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far reaching effects, as any business that holds sensitive data of a New York resident would be required to comply.  Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.

State AGs Argue That Federal Data Security Legislation Should Set Floor, Not Ceiling

The flood of massive data breaches – including, most recently, the Equifax breach that compromised the personal data of around 145 million U.S. consumers – has increased the pressure on Congress to pass sweeping federal data security and breach reporting legislation. While it’s difficult to project whether such legislation will be enacted in the near future, and what it will look like in the event that it is, an important and contentious question has already arisen: if federal legislation is ultimately enacted, should it preempt the patchwork of state and local laws that presently govern this area?

Setting aside the handful of industries – including healthcare and finance – that are already subject to federal data security laws, the data security and breach reporting obligations of most U.S. organizations are established by a medley of state and local laws. This legal patchwork is confusing and arduous for organizations and data subjects to navigate, particularly since the types of data elements protected, and the processes for determining when a breach must be reported, vary from state to state. At least in theory, therefore, federal preemption in this area would be a step in the right direction.

Not so, say the New York and Massachusetts attorney general’s offices, both of which have been active in the data security space. On October 25, 2017, these offices urged U.S. House members to use federal law to set a floor for data security and reporting standards, not a ceiling. Setting a federal ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York Attorney General’s Office, would stifle innovation in this area: “States have proven the ability to act quickly” to address technological changes that impact data security, Ms. McGee said. Congress, she added, “should not limit states’ ability to innovate in this area.”

Touting the effectiveness of state-level legislative and enforcement efforts, assistant Massachusetts Attorney General Sara Cable noted that her office has received over 19,000 notices since its data breach notification law went into effect in 2007, including 4,000 in 2016 alone. These notices, she said, have revealed that, while “there are entities that are doing it right,” she sees “far too often that entities are not treating consumer information like the valuable asset it is.” “I would submit,” she continued, “that any [federal] law that is proposed that is weaker than the law that we currently have today [in Massachusetts] is worse than doing nothing.”

We will keep you posted as federal lawmakers continue to grapple with the escalating threats to personal data. In the meantime, we strongly encourage organizations to take appropriate steps to ensure that they are compliant with their current state law data security obligations. A growing number of states now require subject organizations to develop policies and procedures to safeguard the personal information that they hold, and the definitions of “personal information” under state law continue to expand to cover additional data elements like health information, email addresses and usernames, and biometric data. And state agency investigations and enforcement actions are not the only area of concern for organizations that fail to comply with their data security and reporting obligations. Some state laws provide a private right of action and, in an ominous development, 26 employment class action lawsuits in the past three months alone have alleged violations of the Illinois Biometric Information Privacy Act.

Illinois Nursing Home Faces Employee Class Action Based on State Biometric Privacy Act

An Illinois nursing home is facing a putative class action lawsuit filed by a worker who argues that the facility’s required fingerprint scan for timekeeping poses a threat to their privacy, and violates Illinois’s Biometric Information Privacy Act (“BIPA”). From July 2017 to October 2017, at least 26 employment class actions based on the BIPA have been filed in Illinois state court and show no sign of slowing.

Although some consider Illinois the leader in biometric data protection, other states have enacted laws similar to the BIPA, and still others are considering such legislation. Companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared. For more information on the nursing home case and advice on how to prepare when collecting biometric information, our comprehensive article is available here.

Below are additional resources to help navigate biometric information protection laws:
