Pennsylvania Court Dismisses Data Breach Claims

Posted on June 11, 2015 by Matthew F. Noone — No Comments ↓

In 2014, the University of Pittsburgh Medical Center’s computer system was hacked, resulting in the disclosure of sensitive personal information of current and former employees, including names, addresses, birthdates, social security numbers and banking account numbers. Allegedly, the stolen information was used to file fraudulent tax returns for as many as 800 employees. A class action was filed on behalf of current and former employees against the hospital and its payroll company.

On May 28, 2015, the Allegheny County Court of Common Pleas applied the economic loss doctrine to dismiss the class action. The Court in Dittman v. UPMC refused to adopt a duty of care that would require employers to protect the confidential information of its current and former employees. And it refused to find that there was an implied contract between the hospital and its employees that would require the hospital to protect its employees’ confidential information from data breaches.

The Court’s holding in UPMC decided one key point: Pennsylvania companies whose computer systems are hacked will not be liable to the persons whose confidential information was compromised.

Plaintiffs claimed that “UPMC had a duty protect the private, highly sensitive, confidential and personal financial information [of is current and former employees].” The plaintiffs also alleged that, as a result of the breach, they incurred damages relating to fraudulently filed tax returns and “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

The hospital argued that the plaintiffs’ negligence claim was barred by the economic loss rule. Noting that the only losses that the UPMC employees sustained were economic, the trial court applied the economic loss doctrine and dismissed the plaintiffs’ negligence count. The Court wrote: “The Economic Loss Doctrine provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.”

No doubt realizing the futility of their negligence claim in light of the economic loss rule, the plaintiffs also urged the Court to impose a duty of care upon UPMC to protect the confidential information of its employees. Specifically, the plaintiffs proposed that the court create “a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiff’s confidential information was made available to third persons through a data breach.”

The Court refused, finding that “the public interest is not furthered by this proposed solution.” The Court then cited a laundry list of reasons to justify its refusal to adopt the new duty of care, including the lack of a safe harbor for entities storing confidential information, the inability of the state judicial system to handle the volume of potential lawsuits, the difficulty in establishing a minimum standard of care required, and the substantial resources that for-profit and non-profit entities would be required to spend in defending these lawsuits.

Another reason for the Court’s refusal to adopt a new duty of care was the Pennsylvania General Assembly’s recent consideration of the issue in connection with Pennsylvania’s Breach of Personal Information Notification Act. The legislative history shows that the General Assembly considered adopting an expansive civil liability provision as part of the Act, but the final bill contained only a notification requirement. In refusing to adopt the new duty urged by the UPMC employees, the Court observed, “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

As definitive as the ruling in UPMC appears to be, there are two caveats. If the hacked company is “in the business of supplying information for economic gain,” then it may be liable to the people whose information is compromised. See Sovereign Bank v. BJ’s Wholesale Club, Inc., No. 06-3405 (filed July 16, 2008 by U.S. Third Circuit Court of Appeals). And there are many different iterations of the economic loss rule; a victim of a security breach could possibly sue a company whose system was compromised if the breach occurred in a state that has a more expansive rule. Other than that, however, Pennsylvania is one state that will shield companies from liability in data breach events resulting in economic loss.

Posted in Data Breach, Data Security, Litigation, Privacy

Connecticut Affirms Personal Injury Coverage for Data Breach Requires Actual Publication

Posted on May 20, 2015 by Nicole Bakare — No Comments ↓

As expected, the Connecticut Supreme Court has affirmed decisions by both the trial court and intermediate appellate court that personal injury liability coverage for a business’s data loss or theft requires publication as a matter of law. We reported on the oral arguments here.

The claim for coverage in Recall Total Information Mgmt. v. Federal Ins. Co., arose from the loss of computer tapes containing personal information of current and former IBM employees. Recall Total had contracted with IBM to transport and store computer tapes containing this information and subsequently subcontracted with Ex Log to provide the transportation services. During transport, the tapes fell off Ex Log’s truck on to the side of the road and were recovered by an unknown individual.

As the Supreme Court recognized, however, there is no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employees. Nevertheless, IBM spent a significant amount of money providing identity theft services to the affected employees and, in informal negotiations, sought reimbursement of those sums from Recall Total and Ex Log. Ex Log’s liability carriers, whose policies named Recall Total as an additional insured, declined to participate in the negotiations or provide coverage.

Recall Total and Ex Log later filed suit for, among other things, breach of contract. The trial court’s dismissal of this claim on summary judgment was later affirmed by the intermediate appellate court. That court first concluded that there was no breach of the duty to defend because the settlement negotiations with IBM did not constitute a suit other dispute resolution proceeding that triggered such a duty under the policies. The court next concluded that the loss of the tapes did not constitute a “personal injury” as defined by the policies because there had been no publication of the information stored on the tapes that had resulted in a violation of a person’s right to privacy.

This decision was appealed to and affirmed by the Connecticut Supreme Court. Explaining that it would serve “no purpose” to repeat the lower court’s discussion, the Supreme Court adopted the intermediate court’s “well reasoned opinion . . . as the proper statement of the issue and the applicable law concerning that issue.”

Posted in Data Breach, Litigation, Privacy

SCOTUS to Consider Whether FCRA Violation Confers Article III Standing on Individual

Posted on May 12, 2015 by Daniel Johnson — No Comments ↓

On April 27, 2015 the Supreme Court of the United States granted certiorari on a petition filed by Spokeo, Inc., asking the court to review the Ninth Circuit opinion in Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014). On February 4, 2014, the circuit court ruled that an allegation of a violation of the Fair Credit Reporting Act (FCRA) ipso facto satisfied the injury-in-fact requirement of Article III of the Constitution. Whether violation of the FCRA does confer standing upon a plaintiff is an issue that will greatly affect the landscape of privacy and cyber litigation by either opening or closing a key theory of liability.

The California district court had held that Robins had failed to allege an injury-in-fact, when he alleged that Spokeo operated a website that provided users with the contact data, marital status, age, occupation, economic health, and wealth level of individuals and reported false information about him, causing actual harm to his employment prospects in addition to stress and worry. After the district court dismissed Robins’s complaint for lack of standing, he appealed.

As an initial matter, the Ninth Circuit explained, the statutory cause of action did not require a showing of actual harm when a plaintiff sues for willful violations and identified the issue before it as whether violations of statutory rights created by the FCRA are “concrete, de facto injuries” that Congress can elevate to legally cognizable injuries.

The Ninth Circuit held that Spokeo’s violations of the FCRA satisfied the injury-in-fact requirement of Article III because Robins satisfied two constitutional limitations on Congress’s ability to confer standing: (1) a plaintiff must allege the defendants violated his statutory rights, and (2) the statutory right at issue must protect against “individual, rather than collective, harm.” The Ninth Circuit reasoned that Robins alleged that Spokeo violated his statutory rights and that his “personal interests in the handling of his credit information are individualized rather than collective.” Because it ruled that violation of the FCRA was sufficient, the Ninth Circuit did not address whether harm to Robins’s employment prospects or related anxiety were sufficient injuries-in-fact.

We will provide further updates as the matter progresses in front of SCOTUS.

Posted in Data Breach, Litigation, Privacy

OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted on May 6, 2015 by Gregory Fliszar — No Comments ↓

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publically accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients. After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures. Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well. As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

Links:

resolution agreement:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-cap.pdf

press release:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-press-release.html

Posted in Data Breach, Data Security, HIPAA

Connecticut Supreme Court Likely To Affirm Personal Injury Coverage For Data Breach Requires Actual Publication To Third Parties

Posted on April 30, 2015 by Michael D. Handler — No Comments ↓

The Connecticut Supreme Court heard oral arguments Monday April 27th on an appeal testing the scope of coverage afforded for a business’s data loss or theft events under its Commercial General Liability insurance’s “Personal Injury” coverages. Based on the Justices’ comments and questions posed with regard to Recall Total Information Mgmt. v. Federal Ins. Co., Connecticut’s highest court appears unlikely to depart from the determinations previously reached by both the trial court and Appellate Court panel below, that no coverage was afforded under the “publication” and invasion of privacy clauses of the insured’s CGL policies as a matter of law.

Recall Total’s claim for coverage arose from its agreement to transport and store various electronic media belonging to IBM. Recall Total’s subcontractor Ex Log was moving computer tapes by transport van during February 2007, when some of the tapes fell out of the back of the van. Over 100 tapes were removed from the roadside by an unknown person and never recovered. The tapes contained past and present IBM employees’ employment related data. IBM gave notice and provided credit monitoring to potentially affected employees, then claimed and eventually obtained a settlement of over $6 Million from Recall Total. When Ex Log’s CGL insurers denied coverage, Ex Log assigned its insurance rights to Recall Total. The insurers prevailed in the trial court that there was no coverage under the CGL policy, then prevailed again in January 2014 on all appealed issues including whether the loss of tapes constituted a personal injury.

Justice Richard A. Robinson had pointed questions for Recall Total’s counsel on whether “publication” within the policies’ Personal Injury definition was even possible, based on the fact that the reel to reel data tapes were part of a “closed architecture system” that no thief or third party could access. Chief Justice Chase T. Rogers had some choice inquiries as well, positing “you got what you paid for” if Recall Total purchased coverage for publication to a third party, and not a broader theft coverage. She asked for Recall Total’s “fallback position” on whether there was enough ambiguity about whether there was a “suit” to avoid summary judgment in the insurers’ favor on their defense duties, signaling her diminished interest in Recall Total’s primary argument that the legal definition of “publication” might require nothing more than “to make public” the private data.

The Hartford-area attorneys representing the two insurers used their portion of the oral arguments, under reduced questioning from the panel, to point out that Recall Total had the burden to establish the scope of coverage under the CGL policies, and to reference several potentially applicable exclusions that need not be addressed because Recall Total had failed to satisfy its initial burden. Scottsdale Insurance’s counsel further contended that this Court must conclude, as the appellate panel had before, no “presumptive” invasion of privacy existed merely because IBM’s data breach notification statutory obligations may have been triggered in Connecticut and in New York. Neither the breach notification statutes, nor the public policy on which they are based, requires a presumption or finding of personal injury as defined in the CGL insurance policies.

The Appellate Court’s determination was reached approximately 3 months after its hearing in October 2013. We will post a follow-up Blog report when the Connecticut Supreme Court issues an opinion in this matter.

Posted in Data Breach, Data Security, Insurance, Litigation

Middle District of Pennsylvania Dismisses Data Breach Class Actions for Lack of Standing

Posted on April 10, 2015 by Matthew Siegel, Nicole Bakare

— No Comments ↓

Yet another federal judge has concluded that an individual whose personal information was allegedly accessed during a data breach lacks standing to sue unless and until there has been a misuse of that personal information or such misuse can be proven “imminent.” See Storm v. Paytime Inc., No. 14-CV-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015).

In April 2014, hackers gained unauthorized access to the computer systems of Paytime, Inc., a national payroll service company. Several employees of companies that use Paytime’s services later filed suit against Paytime and sought class certification, alleging claims of negligence and breach of contract. In response, Paytime moved to dismiss their claims, contending that plaintiffs lacked standing or, in the alternative, that they had failed to state claims as a matter of law.

The court found that the plaintiffs did indeed lack standing to sue Paytime, relying heavily on the Third Circuit’s holding in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). “In the event of a data breach, a plaintiff does not suffer a harm, and thus does not have standing to sue, unless [the] plaintiff alleges actual ‘misuse’ of the information, or that such misuse is imminent,” the Reilly court concluded. In Reilly, the employees of a law firm brought a putative class action against a payroll processing firm after it suffered a security breach by an unknown hacker, which they alleged caused increased risk of identity theft, costs of credit monitoring, and emotional distress. According to the court, the alleged future harm was “not sufficiently imminent,” however. Rather, it was “significantly attenuated, considering that it was ‘dependent on entirely speculative, future actions of an unknown third party.”

Likewise, in Paytime, the plaintiffs alleged they were at an increased risk of identity theft, spent time and money to protect themselves from identify theft, and have suffered “actual damages.” What they failed to allege, the court explained, were “allegations of misuse or that such misuse is certainly impending.” None alleged that they had actually suffered any form of identity theft or even that any of their data had been misused.

Allegations of being at an increased risk of identity theft are not sufficient to amount to an imminent injury, the court decided, reasoning that the data breach had occurred more than a year ago. Given that none of the plaintiffs had yet become “actual victims of identity theft,” any layperson “with a common sense notion of ‘imminence’ would find this lapse of time, without any identity theft, to undermine the motion that identity theft would happen in the near future.”

The court acknowledged that Reilly’s standing requirements leave plaintiffs on the hook for the costs of preventive measures, but found that the logic of the doctrine is sound and its wisdom clear: given the constant efforts of hackers to access confidential data, “for a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to business.” Once a hacker succeeds in actually misusing a person’s personal information, the court explained, there is a “clear injury” that can be fully compensated with money damages and the plaintiff is “free to return to court and would have standing to recover his or her losses.”

Posted in Data Breach, Litigation

Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Posted on April 03, 2015 by Ryan Blaney, Gregory Fliszar

— No Comments ↓

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17^th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates. Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people. As these attacks illustrate, health information is now a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security. The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach. The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA. The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

Posted in Cyberattack, Data Breach, Data Security, Litigation, Privacy

EMV Credit Cards Are Coming, But Consumers Must Stay Vigilant

Posted on March 13, 2015 by Matthew Siegel, Michael Melusky

— No Comments ↓

Major credit card companies, including Visa, MasterCard, Discover, and American Express, have announced plans to switch to EMV cards in the United States over the course of 2015. Nearly eighty other countries around the world have already made the switch to EMV credit cards (also known as “chip and pin” credit cards) from the magnetic strip variety. While the transition is happening gradually, it is happening. EMV cards will help prevent some types of fraud, but consumers should be aware that they will not put an end to all fraud.

EMV stands for Europay, MasterCard, and Visa, the originators of the cards. They got the name “chip and pin” because a computer chip is built into each card and a personal identification number (PIN) can be set up by the owner to use with the card.

The EMV cards are expected to decrease fraud because the computer chip inside each card creates a unique code for every transaction. The code is only good for one specific transaction and cannot be used again. The traditional magnetic cards store data in their strips, which can be copied and reused, allowing thieves to create counterfeit versions of the cards. With the EMV cards, it should be much more difficult for potential thieves to create counterfeit working copies.

It is widely agreed that the chip and pin technology will significantly deter some types of fraud, but security risk experts warn that the EMV cards come with their own vulnerabilities. According to Geoffery Blackburn, a Senior Risk Analyst at EBay Enterprise, EMV cards can be used without a PIN. This is called “chip and signature” payment, and it removes the extra layer of security provided by the PIN, meaning thieves do not have to steal as much information to use the card. The EMV cards can also be used in the same swipe-and-sign way that magnetic strip cards are currently used, making the EMV cards as vulnerable to attack as the magnetic cards.

An even more significant drawback, Blackburn asserts, is that the EMV cards will not increase protection for online transactions. Because the EMV cards will improve protection for physical transactions when both the chip and PIN technologies are applied, thieves could be led to focus their attacks on online transactions. This is precisely what happened in the United Kingdom; online credit card fraud rose by almost eighty percent within three years of the United Kingdom’s switch to the EMV cards.

When credit card fraud does occur after EMV cards are widely used in the United States, it will be necessary to determine who is liable. Several major credit card companies are pushing for a shift in the rules that would take effect on October 1, 2015. Cardholders’ liability would be as limited as it is now. Liability for credit card fraud among financial institutions and merchants would fall upon whichever party has the least advanced technology with respect to the new EMV credit cards. If the bank issuing the credit card does not provide chip and pin technology, but the merchant does, the liability will fall on the issuing bank. If the bank provides the technology, but the merchant is unable to support it, the liability will fall on the merchant. If neither or both has the technology, liability is unchanged from how it exists now and will hinge on whether the merchant complied with all rules and regulations.

Overall, consumers and merchants need to be aware that EMV cards will help deter fraud in stores, but the cards will not increase protections in online transactions. This could lead criminals to target online transactions more frequently. As a result, consumers and merchants must remain vigilant for fraud, even after the EMV cards are in place.

Posted in Data Security, Standards

No Standing for Data Breach Plaintiffs in Southern District of Texas Class Action

Posted on February 27, 2015 by Matthew Siegel, Alexa Sebia

— No Comments ↓

Earlier this month, a Texas federal judge rejected a data breach plaintiff’s claim of a relaxed standard for Article III standing based on the “heightened risks” posed by potential identity theft and security fraud. The court ruled that despite the possibility that thieves could drain her back accounts, charge her credit cards, and perpetrate tax, medical, and insurance fraud, the plaintiff’s injuries were not “imminent” or “certainly impending,” as required under Constitutional precedent. As such, the court held that the plaintiff lacked standing to sue.

Although some courts have recently shown a willingness to recognize standing for victims of hackers who deliberately target and intentionally misappropriate stolen information, this case illustrates that data breach plaintiffs still face an uphill battle in bringing suit for intangible damages. See, e.g., In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014).

One year ago, St. Joseph Services Corporation and St. Joseph Regional Health Center (collectively “St. Joseph”), reported that hackers had infiltrated its computer network and gained access to the names, social security numbers, birthdates, addresses, medical records, and bank account information of approximately 405,000 patients. The Texas-based healthcare provider arranged to provide potentially affected patients with one year of free credit monitoring and identity theft protection. It also encouraged victims to take steps to safeguard personal information by monitoring credit reports and account statements.

Named plaintiff Beverly Peters, a former patient of St. Joseph, sued the healthcare provider via class action for violations of the Fair Credit Reporting ACT (FCRA), claiming that but for its failure to safeguard her personal information and notify her of the breach in a timely way, her identity would not have been exposed, stolen, or misused. Specifically, she alleged that individuals fraudulently attempted to access her Amazon.com account and make retail purchases with her Discover card. She also reported receiving unsolicited telephone and email communications from medical products and service companies. In this way, she and other class members were particularly vulnerable to future attacks by thieves seeking to commit any number of identity theft-related crimes.

In order to satisfy Constitutional requirements for standing, plaintiffs must establish the existence of an injury that is “concrete, particularized, and either actual or imminent.” Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138, 1147 (2013). Prior to Clapper, a split existed among the Third, Seventh, and Ninth Circuits over whether the increased risk of harm to victims of data security breaches constituted “imminent injury” under Article III. See e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding such risk sufficient to confer standing); but see Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (holding that risk falls short of Constitutional requirements). Clapper, however, resolved the split and held that a threatened injury must be “certainly impeding” in order to satisfy Article III standing. Clapper, 133 S. Ct. at 1147. In other words, data breach plaintiffs who do not suffer actual misuse of stolen information may be left without a remedy.

Like many other data breach defendants in the wake of Clapper, St. Joseph moved to dismiss for lack of standing. Specifically, St. Joseph emphasized that Discover never charged Peters for the fraudulent purchase, closed her account to prevent future fraud, and issued her a new secure card. St. Joseph further noted that Peters changed her Amazon.com and Yahoo passwords after her accounts had been compromised. In this way, they argued, Peters did not suffer a quantifiable actual or imminent injury as a result of the data breach.

Southern District Judge Kenneth Hoyt agreed, reiterating that Peters could not describe her injuries without beginning the explanation with the word “if.” The court explained that Peters’s theory of standing relied on a “highly attenuated chain of possibilities” and, as such, failed to satisfy the requirement that the threatened injury be “certainly impending.” In other words, the court concluded, her alleged future injuries were speculative at best.

The court further rejected Peters’s assertion that she suffered present injury because the risk of surveillance forced her to take costly and burdensome measures to protect the confidentiality of her identity. It explained that costs incurred to monitor “hypothetical future criminal acts” are not “actual injuries” that confer standing. Clapper, 133 S. Ct. at 1150-51 (reasoning that otherwise, “enterprising plaintiffs would be able to secure a lower standard for Article III standing simply by making an expenditure based on nonparanoid fear”). Rather, prophylactic spending to monitor credit services and “ease fears of future third-party criminality” were speculative measures not proximately caused by St. Joseph’s conduct. As such, the court granted the motion to dismiss.

This case demonstrates the difficulty for data breach plaintiffs to bring suit, particularly where damages are intangible or impending. Although sweeping attacks on corporate technology systems continue to occur with increased frequency, victims face an uphill battle in securing judicial relief.

Posted in Data Breach, Litigation

Politics Slow Federal Action on Cybersecurity

Posted on February 13, 2015 by Rob Freeman — No Comments ↓

Expectations were raised last month that the federal government would soon enact legislation to address the legal and regulatory obstacles that prevent private companies and government agencies from working together to prevent cyberattacks. President Obama announced he was forwarding a set of revised proposals to Congress, and congressional committee leaders announced hearings on a wide range of cyber issues. It appeared that both parties felt cybersecurity was an area where they could work together.

A month later, very little progress has been made. The President and his team put forward a revised version of their 2011 proposal, taking into account all that has been learned in the intervening years from specific cyber breaches and industry feedback. But that proposal has been met with little enthusiasm by Congress. Even members of the President’s own party have refused to introduce the proposal, choosing instead to support committee hearings. Thus far, those hearings have highlighted the need for action and, ironically, demonstrated the high level of agreement between the parties and between the President and Congress on the goals of good legislation – share information, limit liability, restrict access to shared information under the Freedom of Information Act, and protect privacy.

The holdup, essentially, is not substantive, it is political. There is one contingent who believe that reform of the National Security Agency should come before legislation. Among those who agree that information must be shared more widely now, there are disagreements are over who should share it, when should it be shared, and how will it be protected after it is shared. And then there is the classic congressional fight over turf. At last count, three committees in the Senate and two committees in the House claim jurisdiction over this issue.

The one positive note is that several members seem determined to shake loose the stuck gears. Senator Angus King of Maine, an Independent, has called on Congress to set an internal deadline for compromise legislation on the issue. He sees a need to force an agreement between committee chairs and leadership in order to move forward. Senator Tom Carper of Delaware (D) is not waiting for such an agreement and is moving forward with his own legislation based on the President’s proposals. Neither senator’s approach is sure to work, but their efforts to move ahead where there is so much fundamental agreement are appreciated.

Posted in Data Security, Legislation