Standing in Data Breach Litigation: Will the U.S. Supreme Court Weigh In?

The U.S. Supreme Court may finally weigh in on the hottest issue in data breach litigation: whether a demonstration of actual harm is required to have standing to sue. Standing to sue in a data breach class action largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs allege that a heightened “risk of future harm,” such as identity theft or fraudulent charges, is enough to establish an “injury-in-fact.”

Federal circuit courts over the past few years have struggled with the question of whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm.” For example, the 3rd, 6th, 7th, 11th, and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th, 5th, 8th, and 9th Circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm.” This circuit split is in large part due to a lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.

The U.S. Supreme Court may finally weigh in on the status of standing in data breach litigation this term, in Frank v. Gaos. The Court recently requested supplemental briefs addressing whether any of the named plaintiffs has standing such that federal courts have Article III jurisdiction over the dispute. The Court’s request is particularly notable, as the issue before the Court was not initially focused on standing. Although Frank is not a classic data breach case, but rather a privacy class action settlement based on the unauthorized sharing of website search terms with third parties, it may still provide the Court an opportunity to resolve the circuit split and issue further guidance on standing in data breach litigation.

Similarly, the Illinois Supreme Court recently held that actual harm is not required to sue under the Illinois Biometric Information Privacy Law (“BIPA”), a decision likely to increase the already large number of suits, including putative class actions, filed under the law. It goes without saying that the U.S. Supreme Court’s decision in Frank v. Gaos could have a significant impact on data breach class action lawsuits.


FDA Focuses Attention on Medical Device Cybersecurity Risks

All companies in this day and age must devote some attention to cybersecurity risks. Regardless of industry, almost every entity maintains some form of personally identifiable information that requires protection (e.g., credit card information, Social Security numbers, bank account information, etc.). However, the medical device industry has additional concerns: it must make sure that its Internet- or WiFi-connected devices do not themselves introduce cybersecurity risks, because failure to address cybersecurity vulnerabilities can result in compromised device functionality, loss of data, or exposure to security threats resulting in patient illness, injury, or death. Moreover, medical identity theft is on the rise, attributed largely to the worth of medical information to cyber criminals. Because medical identity theft often takes time to detect, it allows criminals to accumulate significant amounts of information, making it more valuable than other forms of fraud, such as credit card fraud, which can be quickly detected and the card cancelled.

The devices posing the greatest risks are those such as implantable defibrillators, pacemakers, brain stimulators, dialysis devices, and insulin pumps that are connected to another medical or non-medical product, to a network, or to the Internet.

In late January, the Food and Drug Administration (FDA) held a two-day program intended to inform medical device manufacturers and the professionals who prescribe the devices about the steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. The information provided by the FDA was set forth in a recently updated draft guidance the FDA published in October 2018 (the “Guidance”). Adopting the steps set forth in the Guidance will make it more likely that the FDA will find the device meets the statutory standard for premarket review.

The FDA does not have the authority to regulate cybersecurity protections. However, the recommendations will be considered as part of the review process for bringing a medical device to market. Federal regulations state that a manufacturer must “establish and maintain procedures for validating the device design,” including “software validation and risk analysis.” 21 CFR 820.30(g). The Guidance states that part of the validation and analysis requires that manufacturers establish a cybersecurity vulnerability and management process, including design controls to ensure medical device cybersecurity.

The Guidance states that the FDA considers medical device protection to be a shared responsibility among many stakeholders, including health care facilities, health care providers, and patients, as well as manufacturers. The Guidance includes recommendations to:

  • Limit access to trusted users and devices
  • Create authentication and check authorizations of safety critical commands
  • Ensure trusted content by maintaining code, data, and execution integrity
  • Verify data integrity
  • Maintain confidentiality of data
  • Design the device to detect cybersecurity events in a timely manner
  • Design the device to respond to and contain the impact of a potential cybersecurity incident

The complete Guidance is available from the FDA. The FDA is accepting comments on the Guidance until March 18. We will continue to monitor these developments.

NYS Education Department Proposes to Significantly Strengthen Data Security and Privacy Protocol

Co-Author: Gabrielle Bruno

Government agencies, businesses, hospitals, and universities are frequent targets of staggering data breaches that can affect millions of individuals. But K-12 schools are also at risk of cyber attacks, as they rely more on technology for day-to-day operations and typically maintain a wealth of sensitive information about their students, teachers, administrators, and other staff.

News reports of cyber attacks on schools surface regularly. A phishing attack on the San Diego Unified School District in California enabled hackers to steal the Social Security numbers and addresses of more than 500,000 students and district staff. Discovered in October 2018, this far-reaching incident occurred between January 2001 and November 2018. And generally, data breaches are on the rise: a recent report found that nearly half a billion consumer records containing sensitive personal information were hacked in 2018, compared with 198 million sensitive records in 2017.

To address these gathering cyber threats against schools, the New York State Department of Education (“SED”) recently proposed new regulations that will, once adopted, require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals.

The SED’s regulation comprises a number of key sections, including:

  • Parent’s Bill of Rights. Each school must publish a parent’s bill of rights on its website. Schools must also include the bill of rights in every third party contract where a third party contractor will receive PII. Schools will be required to establish a clear path for parents to communicate and file complaints about breaches or unauthorized releases of student data, including a challenge to the accuracy of the student data.
  • Data Security and Privacy Standard and Plan. The National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) is the standard for school security policies. Additionally, each time a school enters into a third-party contract with an entity that will receive PII, a data security and privacy plan must be provided. The plan must outline, among other things, how the third-party contractor will safeguard PII consistent with the school’s data security and privacy program. All officers or employees of the third-party contractor who have direct access to PII must receive training on applicable federal and state law.
  • Training for Educational Agency Employees. Information privacy and security awareness training, online or in person, must be provided annually by schools to their officers and employees who have access to PII.
  • Data Protection Officer Appointment. Every school is required to appoint a Data Protection Officer (“DPO”), a position filled by a new or existing employee, who is responsible for implementing all required security and privacy policies and procedures. The DPO will serve as the point of contact within the school on all data security and privacy matters.
  • Reports and Notifications of Breach and Unauthorized Release. Regarding any breach or unauthorized release of PII, third-party contractors must report to all affected schools without unreasonable delay, but in no case more than seven calendar days from the date of discovery. After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify SED within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay, but in no case more than 14 calendar days from the date of discovery. If, however, notification would expose an ongoing vulnerability or interfere with a law enforcement investigation, the notification may be delayed until no later than seven calendar days after the vulnerability has been remedied or the investigation has concluded.
  • Chief Privacy Officer’s Powers and Responsibility. The Chief Privacy Officer (“CPO”) of SED will have access to all records, audits, and documents within a school regarding the PII of individuals. Additionally, the CPO will have the authority to require schools to perform privacy and security risk assessments at any given time.
  • Third-Party Contractor Civil Penalties. After each breach or unauthorized release of PII by a third-party contractor, the civil penalty will be up to $10 per affected student, teacher, and principal. It will be the CPO’s responsibility to investigate each breach or unauthorized release by a third-party entity.

After the required 60-day public comment period for the proposed regulation, it will likely be presented for permanent adoption to the Board of Regents during its May 2019 meeting. If adopted by the Board of Regents, the regulation will be effective July 1, 2019.

Data Privacy Day – Special Report – California Consumer Privacy Act FAQs for Employers

Happy Data Privacy Day from the Jackson Lewis Privacy, Data and Cybersecurity Team!

In honor of National Privacy Day, we are focused on what is sure to be one of the hottest issues of 2019 and present our FAQs for employers on the California Consumer Privacy Act (CCPA).

As you know, data privacy and security regulation is growing rapidly around the world, including in the United States. In addition to strengthening the requirements to secure personal data, individuals are being given an increasing array of rights concerning the collection, use, disclosure, sale, and processing of their personal information. Meanwhile, organizations’ growing appetite for more data, and more types of data, persists, despite mounting security risks and concerns about permissible use. The recently enacted CCPA is intended to address some of these risks and concerns. The CCPA, which becomes effective on January 1, 2020, is in some ways the most expansive privacy law currently in the United States.

With the CCPA’s effective date fast approaching, regulations being prepared by California Attorney General Xavier Becerra’s office, and considering that certain provisions may reach back prior to the effective date, businesses need to begin preparing as soon as possible. These FAQs are intended to call attention to some of the pressing issues relating to the CCPA’s application to employee personal information, and highlight action items that can help businesses’ compliance efforts.

One of the most common questions is how the CCPA will apply to employment data. We hope you will find these FAQs helpful in answering this and related questions.



Actual Harm Not Required to Sue Under Illinois Biometric Information Privacy Law

Earlier today, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect, beyond a violation of their rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. Potential damages are substantial, as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of “per violation,” but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point-of-purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance, such as not providing written notice, not obtaining a release from the subject of the biometric information, not obtaining consent to provide biometric information to a third party, or not maintaining a policy and guidelines for the retention and destruction of biometric information, they need to quickly remedy those gaps. For additional information on complying with the BIPA, please see our BIPA FAQs.

Companies were hoping that the Illinois Supreme Court would ultimately conclude, consistent with the underlying appellate decision, that in order for a plaintiff to bring a claim under the BIPA (i.e., in order for the plaintiff to be considered “aggrieved”), the plaintiff would have to allege actual harm or injury, and not just a procedural or technical violation of the statute. In reversing and remanding the case, the Illinois Supreme Court held:

The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act (740 ILCS 14/20) and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.

The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA. In the words of the Illinois Supreme Court, “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”

CEOs Lead Charge for National Consumer Privacy Law

Recently, Business Roundtable, an association of over 200 CEOs of America’s largest companies, released a detailed framework for a national consumer data privacy law that would provide uniformity in an area currently governed by an amalgam of state statutes and regulations. Business Roundtable is hopeful that it has the ear of the Administration and the Legislature and will see progress on this effort in the 2019 session.

The CEOs leading this effort come from a wide variety of industries, including: technology, communications, retail, financial services, health, manufacturing, hospitality, insurance and others. “There is an unprecedented opportunity to establish an innovative privacy landscape and underscore the need for a national privacy law,” said Julie Sweet, Chief Executive Officer – North America of Accenture and Chair of the Business Roundtable Technology Committee. “Consumers do not feel in control of their personal data and how it is collected, used and shared. U.S. laws to protect consumer privacy are highly fragmented, inconsistent and are nonexistent for much of the U.S. economy. A comprehensive national standard that details individual data privacy rights and provides clear obligations for how companies handle personal data is crucial for consumers, business and the U.S. economy.”

The Business Roundtable legislative framework outlines four fundamental privacy rights for consumers:

  • The right to transparency regarding a company’s data practices, including the types of personal data that a company collects, the purposes for which this data is used and whether and for what purposes personal data is shared.
  • The right to exert control over their data, including the ability to control whether companies sell their personal data.
  • The right to access and correct inaccuracies in their personal data.
  • The right to delete their personal data.

The proposal invokes federal preemption of state and local regulations and also addresses uniformity for data breach notifications. Currently, all 50 states, Puerto Rico, the Virgin Islands, and Guam have a variety of requirements related to notification after data breaches or potential breaches. Despite common threads, businesses operating in several states currently have to be wary of variance in notification requirements depending on the number of affected residents, what constitutes “unreasonable delay,” and whether breaches may be pursued by private individuals or only by the state’s attorney general. The proposal provides for regulation by the FTC to ensure uniformity across industries and does not provide for a private right of action.

We will continue to track this issue, which addresses the balance that must be struck between the need to protect the privacy of consumers and employees and the business community’s need for consistency and predictability in data privacy protection.



Updates to Massachusetts Breach Notification Law – Much More Than Mandatory Credit Monitoring

Observers of the recent changes in the Massachusetts data breach notification law will likely focus on the new obligation to provide 18 months of credit monitoring following a breach involving Social Security numbers (42 months, if the breached entity is a consumer reporting agency). This certainly is a significant change, making Massachusetts only the fourth state to have enacted a similar mandate (see also California, Connecticut, and Delaware). However, other changes are perhaps much more significant for an organization that has a breach triggering the updated Massachusetts law, which becomes effective April 11, 2019.

Data security and breach notification legislative developments are off to a running start in 2019. On January 1, 2019, Vermont began regulating data brokers, and South Carolina’s adoption of the National Association of Insurance Commissioners’ (NAIC’s) Insurance Data Security Model Law became effective, adding significant breach notification and information security requirements for entities licensed by state insurance regulators, including insurers and agents. The North Carolina Attorney General announced a proposal to make significant changes to that state’s notification law, among them requiring notification for ransomware attacks. The trend continues in Massachusetts, where last week Gov. Charlie Baker signed legislation substantially updating the state’s breach notification law.

Here is an overview of some of the key changes:

Organizations that experience a breach must report to the Attorney General and the Office of Consumer Affairs and Business Regulation whether they have a written information security program (WISP). Nearly ten years ago, Massachusetts enacted one of the most comprehensive sets of data security regulations affecting certain organizations in the state. (Read more about that and get a compliance checklist here.) Organizations that have not adopted a WISP will have to inform the government that they have not done so, which likely will lead to a follow-up inquiry concerning compliance and potentially significant penalties. But that is not all: they also will have to report information such as the type of personal information involved in the incident (e.g., Social Security number, driver’s license number), steps the organization has taken or plans to take relating to the incident, including updating the WISP, and a certification that they have offered compliant credit monitoring services, if applicable.

Parent companies may have to answer for breaches by subsidiaries. Organizations that must report a breach under the new law and that are owned by another person or corporation must inform affected residents of the name of the parent or affiliated corporation. This provision is sure to create some confusion. For example, the law does not specify what level of ownership triggers the requirement to list an owner in the notice to affected residents. Additionally, because a breached entity might be owned by a few different entities, it is unclear whether all of those entities would have to be listed. Clearly, this provision may create some unfavorable publicity for organizations whose subsidiaries experience a breach. As such, it might spur them to be more actively involved in the data security compliance and breach response efforts of their subsidiary and affiliated entities. Parents and affiliated companies may also want to revisit their cyber insurance policies to assess coverage for losses that may arise out of a subsidiary’s breach. For the breached subsidiary, this provision may result in involving its parent companies sooner and more extensively in the breach response process.

Once an organization knows about a breach affecting a Massachusetts resident, it must notify the resident as soon as practicable and without unreasonable delay, and cannot wait to determine the total number of residents affected by the incident. Security incident investigations sometimes take time, and it is not uncommon during those investigations for the number of affected persons to grow as the investigation continues. With this change, businesses need to notify on a rolling basis, and not wait for the investigation to conclude before sending notification. Additionally, because state agency notifications must include the number of affected persons, businesses will need to keep these agencies apprised of the growing number of residents affected.

The Office of Consumer Affairs and Business Regulation will be reporting about your breach on its website. When an organization reports a breach to the Office of Consumer Affairs and Business Regulation (OCABR), under the new law OCABR must post on its website copies of the sample notice sent to affected residents within 1 business day of receipt and continually update the site with information learned from the investigation. OCABR also will help affected residents file public records requests to obtain the notices that organizations that experienced the breach have filed with the Attorney General and OCABR.

A number of the updates to the Massachusetts data breach notification law are not the typical changes we see made in many other states (e.g., expanding the definition of personal information, establishing a set number of days by which notice must be provided). Some of the changes seem intent on drawing attention to organizations that had a breach and their related companies (posting on the OCABR website, helping affected residents get more information about the breach, requiring that the names of parent companies be listed in the notice, etc.) and on pushing for greater enforcement of data security safeguards (requiring reporting on whether a WISP is maintained). Organizations will need to revisit their overall incident response plans, as well as confirm their compliance with the state’s data security mandate, now nine years old.

North Carolina AG Seeks Breach Notification for Ransomware, Other Enhancements to Data Breach Law

According to SC Magazine, an escalating number of data breach victims in 2017 led Attorney General Josh Stein and state Rep. Jason Saine to propose updates to the state’s existing data breach notification law, the “Act to Strengthen Identity Theft Protections.”

The Act would make a number of changes to the existing law, including:

  • Expand the definition of “security breach” to include “ransomware” attacks. Ransomware attacks generally result in the encryption of an organization’s system files, preventing the owner from accessing the files unless the owner buys (usually through some form of cryptocurrency) a valid decryption key from the attackers, which may never be delivered. In many cases, the malware deployed by the attackers does not enable them to access or acquire the organization’s information. However, sponsors of the law change would like the victim organization to notify both the affected consumers and the Attorney General’s office, empowering the affected person and the Attorney General’s Office, not the breached organization, to determine the risk of harm.
  • Mandate reasonable safeguards. The Act would require businesses that own or license personal information to implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from a security breach. It does not appear that the new law would provide specific requirements for safeguarding personal information. States such as Massachusetts and Colorado have provided more specific requirements for the safeguards covered entities must put in place.
  • Update definition of personal information. The Act would update the definition of personal information to include medical information and insurance account numbers.
  • Shorter (15-day) notification period. The Act would require notification to the affected consumer(s) and the Attorney General’s office within 15 days. The hope is that this would give consumers more time to freeze their credit across all major credit reporting agencies and take other preventive measures to stop identity theft before it occurs.
  • Free credit freezes and credit reports. The Act would permit consumers to place and lift a credit freeze on their credit report at any time, for free. They also would be able to access three free credit reports from each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis. Notably, if consumer reporting agencies experience a security breach, they will have to provide five years of free credit monitoring to affected consumers.
  • Penalty clarification. The Act would provide that businesses that suffer a breach and that failed to maintain reasonable security procedures will have committed a violation of the state’s Unfair and Deceptive Trade Practices Act and each person affected by the breach would constitute a separate and distinct violation of the law triggering a penalty.

If the Act is passed into law, North Carolina would join a number of other states that have updated and continue to update and strengthen their laws requiring notification following a breach, and that have added obligations requiring reasonable safeguards to protect personal information. All organizations should be reviewing these developments and taking appropriate steps to safeguard the personal information they maintain about individuals, as well as evaluating and enhancing their breach response readiness.


The U.S. Supreme Court Will Rule on FCC Interpretation of the TCPA

Late last year, the U.S. Supreme Court granted certiorari in PDR Network, LLC v. Carlton & Harris Chiropractic (No. 17-1705), addressing the issue of whether the Hobbs Act requires the district court to accept the Federal Communications Commission’s (FCC’s) legal interpretation of the Telephone Consumer Protection Act (TCPA). In 1991, Congress passed the TCPA to restrict telephone solicitations and the use of automated telephone equipment, charging the FCC with interpretation and rulemaking authority over the Act. In 2005, the TCPA was amended by the Junk Fax Prevention Act (JFPA), which restricted the use of fax machines to deliver unsolicited advertising. Shortly after, the FCC issued the 2006 FCC Rule, which, inter alia, provided guidance on the 2005 JFPA amendment. At issue before the Court is the FCC’s interpretation of the definition of “unsolicited advertisements” in the context of the JFPA, found in the 2006 FCC Rule.

The Fourth Circuit, in PDR Network, held that the district court erred in refusing to defer to the FCC’s interpretation of the definition of “unsolicited advertisement” under the TCPA. Specifically, the district court had ruled that a fax advertisement for free services did not qualify as an “unsolicited advertisement” under the law, despite the 2006 FCC Rule, which stated that a fax message promoting goods and services, “even at no cost,” qualified as an unsolicited advertisement.

Although PDR Network centers on a dispute over “junk faxes,” its implications extend far beyond. The Court will address a broad range of issues dealing with the scope of deference under the Hobbs Act and its interplay with the Chevron doctrine. The Hobbs Act provides exclusive jurisdiction to the Courts of Appeals in challenges to final orders issued by six federal agencies, including the FCC. To complicate matters, the Chevron doctrine, an administrative law principle derived from the Supreme Court case of that name, compels federal courts, regardless of level, to adhere to an agency’s interpretation of a statute it administers unless the court finds Congress’s language in the statute “clear and unambiguous.” Thus, a dilemma arises when a district court is adjudicating a case involving a final order issued by one of the six federal agencies covered by the Hobbs Act. Does the Hobbs Act strip the district court of its ability to apply Chevron deference?

Ultimately, the Court will decide whether the district court is automatically bound by federal agency interpretation under the Hobbs Act, or has some leeway to depart from such interpretation, as allowed under Chevron, when it deems statutory language “clear and unambiguous.” The Court’s ruling is timely, as the FCC is scheduled to issue rules regarding several significant TCPA issues in the coming year.

On a practical level, if the Court rules in favor of greater district court discretion, TCPA litigation will likely become much more unpredictable and costly. With regulatory, legislative, and judicial developments imminent, 2019 is shaping up to be an interesting year for the TCPA. We will continue to provide updates as TCPA developments unfold. Stay tuned for our upcoming TCPA post on the circuit split over what constitutes an “Automatic Telephone Dialing System” (ATDS).
