BreachExchange mailing list archives

Do Claims Resulting From a Data Breach Have Any Success in Court?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Apr 2014 18:41:40 -0600

http://www.newyorklawjournal.com/home/id=1202649834560

As of late, data breaches at businesses, governmental entities and other
repositories of confidential information have become an almost daily
occurrence. For example, in late March the California Department of Motor
Vehicles disclosed that it was investigating a theft of credit card numbers
from the payment component of its website. In the same vein, a public
university in Maryland revealed in the same week that an attack on its
computer network resulted in the potential loss of personal information. In
fact, this was the second such attack at this university since late
February of this year. In another well-publicized breach, as many as 40
million customers had credit and debit card numbers released as a result of
a malware attack. The same company later disclosed that 70 million more
customers had their personal information stolen in the same attack.

These incidents are hardly isolated. According to an industry report, in
2013 more than 47,000 security incidents occurred, with 621 of them
classified as "certified data breaches." Of the breaches, 75 percent
exposed insufficient security procedures and 29 percent arose as a result
of contact via social tactics, tactics which include using email, phone and
social media communications to elicit confidential information. At this
point, data breaches are so commonplace that they have crossed the Rubicon
into popular culture. Case in point: In March of 2014 it was revealed that
a major studio had optioned the rights to the story of the blogger who
broke a well-known data breach incident.

Unsurprisingly, then, courts have begun to confront myriad legal questions
arising from these incidents. Companies and their employees have been
subject to suit in many jurisdictions as a result of data breaches and
disclosures. So far, the results have not been consistent and remain
largely contingent on the facts of a specific controversy. This article
will discuss several pressing issues in the rapidly evolving area of law
responsive to data breaches, including: litigating class action claims
following a breach of consumer personal data; instances of settlement of
data breach claims; and particularized data breach claims that arise after
an involuntary divulgence of medical records.

Disclosure of Information

Theft, disclosure and subsequent dissemination of personally identifiable
information (PII) and/or financial information create a daunting set of
problems for each party involved. The individuals whose privacy has been
breached thereafter live in fear of identity theft and manipulation of
their bank accounts and credit reports. In the instance of stolen credit or
debit card numbers, card issuers are frequently forced to replace each
card at significant expense. The breached entity itself suffers
reputational damage and financial loss, and generally must spend
significant sums to implement internal security sufficient to prevent
future breaches.

Moreover, the entity targeted by a successful attack can confront years of
costly litigation. In recent years, a spate of suits has materialized that
focuses squarely on entities that have been subject to a data breach. For
example, in Galaria v. Nationwide Mut. Ins. Co., - F. Supp. 2d -, 2014 WL
689703 (S.D. Ohio 2014), a class action was filed after an insurance
company disclosed to prospective insureds that thieves had hacked into a
portion of its network to steal and subsequently disseminate the PII of the
plaintiffs. The class action complaint alleged, among other causes of
action, violations of the Fair Credit Reporting Act (FCRA), negligence and
invasion of privacy.

The court ultimately rejected all of these claims. With respect to the FCRA
claim, the court held that the plaintiffs did not have standing, even
though the defendant had initially conceded to the contrary. See Simon v.
E. Ky. Welfare Rights Org., 426 U.S. 26 (1976) (noting that in order to
have standing the plaintiff must show that the injury to himself is likely
to be redressed by a favorable decision). Because the court possessed an
"independent duty" to inquire into the plaintiffs' standing to bring FCRA
claims, it did so notwithstanding the concession. That inquiry entailed
primarily an analysis of the text of the FCRA. Specifically, the plaintiffs
cited solely to the statement of purpose of the FCRA as evidence that the
insurance company had violated it. The court found this wanting. It held
that because the plaintiffs did not "allege injury arising from the
violation of a particular statutory requirement or prohibition" in the
FCRA, they did not have standing.

The state law claims against the insurer similarly failed, albeit based on
a different, more substantive rationale. First, the court noted that
because the plaintiffs' allegations of an "increased risk of harm" from
identity theft were "speculative" and not "certainly impending," the
injury-in-fact element of standing in data breach cases was unsatisfied.
See Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013) (holding that
"allegations of possible future injury are not sufficient" to establish
standing). Additionally, the court held that because the putative injury to
the plaintiffs from the data breach was contingent on the actions of
independent third parties, the injury-in-fact was too conjectural to
warrant standing. Finally, as a substantive matter, the court held that the
plaintiffs' study claiming that customers who receive a data breach
notification had a 19 percent fraud incidence rate hardly illustrated that
the injury alleged as a result of the breach was a fait accompli, or even
remotely likely.

Another federal case arising out of a disclosure of PII following a data
breach likewise concluded that the plaintiff could not claim standing. See
Strautins v. Trustwave Holdings, - F. Supp. 2d -, 2014 WL 960816 (N.D.
Ill. 2014). Like the court in the insurance case discussed above, this
court held that the plaintiff did not have standing because the allegations
of injury concerned only future harm. Specifically, the plaintiff argued
that the defendant's inadequate notification of the data breach engendered
an increased risk of identity theft and identity fraud. This argument
failed. Citing the insurance case discussed above, the court held that the
risk of imminent harm from the data breach cited by the plaintiff was
premised both on the actions of third parties and on the occurrence of a
statistically unlikely event. As such, this "chain of attenuated
hypothetical events" could not confer standing.

Conversely, in a case involving loss of credit card numbers after a
compromise of the defendant's computer systems by hackers, the defendant
decided to settle rather than litigate extensively. See In re Heartland
Payment Systems Customer Data Sec. Breach Litigation, 851 F. Supp. 2d 1040
(S.D. Tex. 2012). Instead of fighting myriad allegations from the class
plaintiffs, the defendant structured a settlement in which it would pay a
minimum of $1 million and a maximum of $2.4 million depending on the number
of claimants. However, only 11 valid claims were filed, thereby minimizing
the reimbursement funds the defendant actually paid out to claimants. As a
result, almost all of the $1 million payment was dispensed as cy pres to a
number of organizations dedicated to protecting consumer privacy.

Most data breaches to date can be characterized broadly as the seizure of
financial data and PII. However, one specialized type of attack that has
become increasingly favored among its perpetrators is one that looks to
seize and exploit medical records. Medical records have also been released
by providers or their contractors or vendors as a result of negligence. As
the cases below will illustrate, the purposes behind a theft of medical
records range from financial gain to a desire to besmirch the reputation
of an individual within the relevant community.

Breaches of Medical Records

It is decidedly noncontroversial to observe that a patient's medical
records contain some of the most confidential information about a
particular person. As such, disclosure, particularly of adverse health
conditions or diagnoses, can be emotionally devastating and financially
injurious. For instance, in a recent state case, the disclosure of a
patient's adverse diagnosis by an employee of the medical provider led to a
suit based in tort. In C.E. v. Prairie Family Medicine P.C., - N.W.2d -,
287 Neb. 667 (Neb. 2014), the plaintiff sued a local medical clinic (the
clinic) after an employee of the clinic allegedly disclosed the plaintiff's
positive HIV test to a third party, after which news of the positive test
spread through the surrounding community. This community consisted of the
plaintiff's friends and business associates, and the disclosure thus
significantly damaged her reputation within it. As a result, it also led
to claims of invasion of privacy and intentional and negligent infliction
of emotional distress.

At the lower court level, the plaintiff's claims were dismissed as a matter
of law because there had not been a showing of causation. Specifically,
the trial court held that the plaintiff could not produce any "competent
evidence" illustrating that the clinic or its agents were negligent in
releasing the details of the positive HIV test, and thus there was no
connection between the clinic and the plaintiff's request for damages. On
appeal, the Supreme Court of Nebraska considered whether any issue of
material fact existed showing that the clinic or its employees had
disclosed the positive HIV test. In overturning the lower court, the court
held that the applicable standard for these sorts of claims was whether the
allegations of the plaintiff could show tortious conduct by the clinic, and
not a showing of causation. Applying this standard, the court held that
the plaintiff had shown by circumstantial evidence that there was a
possibility that the clinic had committed the tortious conduct alleged in
the case. As such, it remanded the proceedings to the lower court.

Other claims resulting from a breach of medical records have produced
varying outcomes. For example, after a data breach led to emergency room
patients' information being posted online for almost a year, the hospital,
its contractors and its subcontractors agreed to settle. See Springer v.
Stanford Hosps. and Clinics, No. BC470522 (Cal. Super. Ct., settlement
filed March 13, 2014). The plaintiffs had initially filed a complaint
alleging violations of California's Confidentiality of Medical Information
Act after the names and diagnoses of roughly 20,000 patients had been
displayed online on a website of a student helper of the hospital. In
another case, a patient brought a putative class action after an employee
of a medical services provider had a laptop containing unencrypted personal
medical information stolen from a car. See Polanco v. Omnicell, - F. Supp.
2d -, 2013 WL 6823265 (D.N.J. 2013). The presiding court ultimately held
that the plaintiff lacked standing for a number of reasons: (1) the
provider had informed the plaintiff that her confidential information was
not located on the stolen laptop; (2) the purported increased expenditures
by the plaintiff were based on a speculative belief that the information
was in fact stolen; and (3) costs the plaintiff willingly incurred to
mitigate a speculative increased risk of identity theft are insufficient
to evince the actual or imminent injury required for standing. Finally, in
Worix v. MedAssets, 857 F. Supp. 2d 699 (N.D. Ill. 2012), allegations
against a company that handled confidential information for hospitals,
which was subsequently stolen, were inadequate to sustain a negligence
claim since they failed to demonstrate either actual damages or a legally
cognizable injury.

Conclusion

If recent months are any harbinger, data breaches are a threat that will
not disappear in the near future. If anything, as hackers become more
sophisticated and continue to outpace attempts to thwart their attacks,
businesses should prepare for the increasing frequency, scope and damage of
potential data breaches. For companies that are particularly susceptible
to these attacks, the U.S. Supreme Court has in the past year circumscribed
the types of harm plaintiffs can allege as resulting from data breaches,
thereby appreciably limiting eligible plaintiffs in this type of action. By
eliminating possible future harm from the types of injury that can confer
standing upon a plaintiff, it has ensured that those whose allegations are
conjectural or rely primarily on future actions by unrelated third parties
will now confront a higher burden simply to get their case into court.
Nonetheless, the cases above are emblematic of the types of actions that
inevitably arise from a data breach, from a voluminous class action to a
state court single-plaintiff tort case.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
