Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security

When:

Where:

Will a New California Ballot Initiative Usher in the Next National Shift in Privacy Law?

Poyner Spruill

Just 10 years ago, California enacted the first breach notification law and unwittingly transformed the landscape of American privacy and data security law. To date, 45 other states, multiple federal agencies, and even local governments have followed suit. California residents may soon find themselves voting on a ballot initiative that could have an equally dramatic effect on this area of law.

computer broadcast world

The ballot initiative, known as the California Personal Privacy Initiative, is designed to remove barriers to privacy and data security lawsuits and also would promote stronger data security and an “opt-in” standard for the disclosure of personal information. Specifically, the initiative would amend the California Constitution to:

  1. Create a presumption that “personally identifying information” collected for a commercial or governmental purpose is confidential

  2. Require the person collecting such information to use all reasonably available means to protect it from unauthorized disclosure

  3. Create a presumption of harm to a person whenever her confidential personally identifying information has been disclosed without her authorization.

Notwithstanding the presumption of harm, the amendment would permit the disclosure of confidential personally identifying information without authorization “if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.”

Turning first to the impact on litigation, plaintiffs have largely been unsuccessful in privacy and data security litigation because they have failed to show harm resulting from an alleged unlawful privacy practice or security breach. The obligation to show harm arises at two stages when a case is litigated in federal court: first, the plaintiff must establish that he has suffered an “injury in fact” in order to meet the requirements for Article III standing, and second, the plaintiff must satisfy the harm requirement that applies to the relevant cause of action (e.g., negligence). If the case is litigated in state court, the standing requirement does not apply, but most, if not all, privacy and data security breach class actions have been litigated in federal court.

The ballot initiative would create a presumption of harm that could allow more lawsuits to satisfy the injury-in-fact standard (step one, above) and the harm requirement for the underlying cause of action (step two, above). Without that barrier, business would be stripped of the most effective means of prevailing on a motion to dismiss for certain causes of action. And in some scenarios, business would be forced to rely on untested or tenuous defenses, making companies more likely to settle, rather than fight, previously unsustainable causes of action.

Other components of the initiative would exacerbate the uptick in litigation, including the presumption that personally identifying information collected for a commercial purpose is confidential and the requirement that organizations use reasonable measures to prevent unauthorized disclosure of that information. Plaintiffs’ claims are sometimes based on an allegation that promises made in the defendant’s privacy notice regarding security measures are deceptive. Currently, companies can protect themselves against these claims by making only conservative representations about privacy and security. But the ballot initiative could create a general duty to adopt reasonable privacy and security measures, raising the prospect that plaintiffs could more successfully pursue negligence-style claims, which companies cannot deter solely by adopting conservative privacy notices.

The initiative also employs a very broad definition of personally identifying information: “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person.” (The definition does not cover publicly available information lawfully made available to the public from government records.) This expansive definition would force organizations to apply stricter security to types of information that might not otherwise receive those protections. Furthermore, the definition is particularly problematic when considered in conjunction with the presumption of harm discussed above because identifiable data such as names, email addresses, and device identifiers are routinely shared by businesses without consent. If this initiative succeeds, the increased threat of litigation will incentivize businesses to default to an opt-in standard for disclosures of information.

There is, however, at least one reason to believe that the initiative may not be as detrimental to business interests as some are predicting. Showing a nominal harm for the underlying cause of action does not necessarily equate to an award of damages so, even if the ballot initiative is successful, there would in some cases remain a practical limitation on the plaintiff’s ability to recoup money damages. Where statutory damages are available, or where a plaintiff can show some actual monetary harm, money awards would be possible. But in cases where statutory damages are not available and a plaintiff must show actual monetary harm to procure a monetary award, the ballot initiative may not save such claims. For example, the damages award flowing from a negligence claim is generally based on the actual damages incurred by a plaintiff. Therefore, even if the plaintiff could state a cause of action for the purpose of defeating a motion to dismiss, the plaintiff may not be entitled to anything more than a nominal damages award if the plaintiff cannot demonstrate monetary damage such as the cost of credit monitoring, identity theft insurance, or perhaps even therapy bills. On the other hand, courts could interpret the amendment as requiring recognition of a new type of harm, similar to emotional distress, that is compensable through money damages—even without a showing of some concrete financial harm to the plaintiff.

The ballot initiative’s proponents must obtain 807,615 signatures before Californians would have the opportunity to vote on it. If the signatures are collected, then the initiative will appear on the ballot without further opportunity to seek amendments to address business concerns. If the initiative appears on the ballot, it would require only a simple majority vote to pass. Interested organizations should work to ensure that public debate over the initiative includes a discussion of the heavy burden on business that could result from the initiative.

 
 of

A Different Kind of Adobe Update: Adobe Announces Data Breach Compromising Information of 2.9 Million Customers

MintzLogo2010_Black

Adobe Systems Inc.,(ADBE -1.24%) announced earlier today that has been the victim of a cyber attack that has compromised information of 2.9 million of its customers.  In a blog post Thursday morning, Adobe’s Chief Security Officer Brad Arkin referred to such attacks as “one of the unfortunate realities of doing business today” and added that the attack on customer information is believed to be linked to an attack in which hackers obtained source code for certain Adobe products, including its Cold Fusion web application platform and its Acrobat family of products.

Adobe Systems Inc. reported what it called a sophisticated attack on its computer network, involving illegal access to both customer information and source code related its programs

The scope of the breach was first disclosed by security blogger, Brian Krebs in his blog, Krebs on Security.  The customer information accessed by the hackers includes names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.  At this time Adobe does not believe that decrypted credit or debit card numbers were obtained.  Adobe has reset passwords for certain customers and will be notifying customers whose debit or credit card information is believed to have been accessed.  For those customers whose credit or debit card information has been accessed, Adobe will offer a complimentary one-year membership with a credit monitoring service.

This latest incident is a reminder that cyber attacks are not only an “unfortunate reality” of doing business, but are also increasingly common.  If your business collects customer or user information, there is no time like the present to make sure you have a response plan in place.

Read more:

New York Times – Adobe Announces Security Breach

PCWorld – Adobe Reports Massive Security Breach

Wall Street Journal — Hackers Hit Adobe Systems Network 

AllThingsD

Article By:

 of

Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security

When:

Where:

White House Previews List of Incentives to Support Adoption of its Cybersecurity Framework

Bracewell & Giuliani Logo

As its latest step in a broader effort to prioritize cybersecurity, the White House released last week a list of possible incentives that may be offered to companies that own or operate critical infrastructure systems and assets to encourage adoption of a national Cybersecurity Framework, scheduled for release in February 2014. The list of possible incentives—which the Departments of Homeland Security, Commerce, and Treasury identified in response to a February 12, 2013 Executive Order—includes grants, liability limitation, public recognition, and cybersecurity investment rate recovery, among others. Some of the identified incentives could be created from existing federal agency authorities, while others would require legislative action from Congress. Over the next few months, agencies will seek input from critical infrastructure stakeholders in examining their preliminary lists and determining which to implement and how.

In the same February 12, 2013 Executive Order, the President directed the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce, to lead the development of a national Cybersecurity Framework to reduce cyber risks to critical infrastructure. The President called for the Framework to include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks, and directed NIST to incorporate voluntary consensus standards and industry best practices to the fullest extent possible. NIST released a draft outline of the Framework on July 1, 2013, and a full draft of the Framework is scheduled for release in October.

Exactly how the Cybersecurity Framework will interact with or complement the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards is unclear. The Cybersecurity Framework is intended to provide cross-sector security standards, while the NERC CIP standards were developed by, and for the use of, the electricity sub-sector. The Administration intends for NIST to consult its peers, as the President directed the Secretary of Homeland Security to “engage and consider the advice” of sector-specific and other relevant agencies. The Secretary must also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations, which would presumably include NERC. Whether NERC has been consulted and how their input thus far has been considered is unclear.

In its draft outline of the Cybersecurity Framework, NIST indicates that the voluntary program is intended to complement rather than to conflict with current regulatory authorities, and the draft compendium, attached to the outline, includes reference to the NERC CIP Standards. In fact, NERC submitted comments in response to NIST’s February 26, 2013 Request for Information seeking input to help shape the draft Framework. However, the content of the Framework is still unknown, and until the draft is released in October, the exact relationship between the two sets of standards remains uncertain. In the meantime, as NERC stated in its comments to NIST, NERC feels strongly that a second set of potentially conflicting or redundant standards could create undue hardship on the electricity sub-sector. NERC also stated that, “while a framework of cybersecurity standards that is applicable to all sectors is possible, the framework may need flexibility to have certain common elements to be valuable or effective. Some sectors, such as the electricity sub-sector, are far more advanced in their cybersecurity efforts; other sectors may need time to meet minimum (voluntary) standards. The framework must build on existing standards and programs to develop a comprehensive approach to cybersecurity.”

As national-level cybersecurity efforts have progressed this year, so have NERC’s efforts to improve the CIP standards. NERC Reliability Standards are generally written as performance standards; that is, they prescribe a measurable end-state or goal, and attempt to remain technology- and method-neutral. However, utilities widely criticized earlier versions of the standards as being focused primarily on compliance documentation as opposed to security principles. With input from stakeholders, NERC significantly revised its CIP standards in Version 5, which were filed with FERC on January 31, 2013. Much of industry considers the revised CIP program to be an improved framework for critical asset cybersecurity protection, with a renewed risk-based focus on security. NERC stated that it stands ready to share its industry-driven approach with NIST as it endeavors to develop the Cybersecurity Framework.

Google, Yahoo, and Ad Networks Agrees to Set of Best Practices to Combat Online Piracy

Mintz Logo

The United States Intellectual Property Enforcement Coordinator Victoria Espinel recently blogged about a new effort to combat online piracy of intellectual property.  The broad-based effort attempts to leverage the participation of several large internet/publishing companies (GoogleYahooMicrosoft, AOL and Condé Nast), advertising networks (24/7 MediaAdtegrity) and the Interactive Advertising Bureau.  The parties have agreed to voluntarily adopt a set of best practices to remove advertising from websites that are primarily engaged in copyright piracy (movies, video games, music, books, etc.) or selling counterfeit goods.

In addition to efforts by companies to combat a similar problem using the Copyright Alert System, which we have previously covered, the current agreement takes aim at shutting down the profitability (and it is hoped, the major incentive) of these piracy websites to attenuate their proliferation.

The parties have agreed to implement these procedures and establish a system whereby a rights holder will send an initial informal complaint to one of the participating ad networks alleging that the website at issue is “principally dedicated to” engaging in copyright piracy and/or counterfeiting goods.  Further, the website must have no “substantially non-infringing uses.”  Upon receipt of a complaint, the ad networks will investigate and determine whether to take action, which can range from requesting the website cease from engaging in the alleged activity, to an embargo on advertisements placed by that ad network on the website until such time as the alleged violations are removed, or ultimately, removing the website from the ad network altogether.  While not required to, the ad network may also consider any evidence provided by the website owner that it is either not principally dedicated to counterfeiting or copyright piracy, or has substantial non-infringing uses.  Any such “counter notice” should include the content prescribed in the Digital Millennium Copyright Act (17 U.S.C. §512(g)(3)).  In addition, the participating ad networks will be certified by the Interactive Advertising Bureau’s Networks and Exchanges Quality Assurance Guidelines.

It is important to note that the burden to initiate the process is squarely on the rights holder, the guidelines explicitly noting that (i) there is no burden on the ad networks to police or actively monitor the websites on which their ads are placed; and (ii) by participating in this program, the ad networks do not prejudice their ability to maintain any “safe harbor” status they may otherwise be entitled to.

These best practices certainly have the critical mass to succeed.  The critical question, however, will be the quality of the analysis by the ad networks in response to allegations of piracy or counterfeiting, and the efficacy of this avenue of redress as perceived by the rights holders.  Regardless, this agreement, which may be refined going forward, is another step towards alleviating some of the pressure search engines have been under recently to take more proactive steps toward protecting intellectual property.

Article By:

 of

Zappos and It's Effect On "Browswrap" Agreements

Lewis & Roca

Key Takeaways For An Enforceable Terms of Use Agreement

In light of the recent Nevada federal district court decision In re Zappos.com, Inc., ‎Customer Data Security Breach Litigation, companies should review and update their ‎implementation of browsewrap agreements to ensure users are bound to its terms. MDL No. ‎‎2357, 2012 WL 4466660 (D.Nev. Sept. 27, 2012).

A browsewrap agreement refers to the online Terms of Use agreement that binds a web ‎user merely by his continued browsing of the site, even when he is not aware of it. Any ‎somewhat experienced web user is no stranger to the Terms of Use link that leads to the ‎browsewrap agreement. Yet, the users tend to ignore the link’s existence, and rarely think of it ‎as a “contract” with any practical effects. In Zappos, the court questioned the browsewrap ‎agreement’s validity particularly because of this tendency among web users. The court ruled the ‎arbitration clause in Zappos’ browsewrap Terms of Use was unenforceable because the users did ‎not agree to it and Zappos had the right to modify the terms at any time. ‎

Background of the Case

Founded in 1999, Zappos.com is a subsidiary of Amazon.com and one of the nation’s ‎biggest online retailers for footwear and apparel. Currently headquartered in Henderson, ‎Nevada, the company has more than 24 million customer accounts. In mid-January 2012, its ‎computer system experienced a security breach in which hackers attempted to access the ‎company’s customer accounts and personal information.

After Zappos notified its customers about the incident, customers from across the country ‎filed lawsuits against Zappos, seeking relief for damages arising from the breach. The cases were ‎transferred to and consolidated in Nevada. Zappos then sought to enforce the arbitration clause ‎contained in its Terms of Use, which would stay the litigation in federal court and compel the ‎case for arbitration. The court denied Zappos’ motion on two grounds: there was no valid ‎agreement to arbitrate due to the lack of assent by the plaintiffs and the contract was ‎unenforceable because it reserved to Zappos the right to modify the terms at any time and ‎without notice to its users.

Lessons Learned from the Browsewrap

Mutual Assent Must Be Clear 

Arbitration provisions are a matter of contract law, and the traditional elements of a ‎contract must be met even though Zappos’ Terms of Use was presented in electronic, ‎browsewrap form on the website. An essential element of contract formation is mutual assent by ‎the parties to the contract, which the court found was missing in this case as there was no ‎evidence of the plaintiffs’ assent.

The court compared the browsewrap agreement with another popular form of online terms ‎of use agreement, the “clickwrap” agreement. Clickwrap agreements require users to take ‎affirmative actions, such as clicking on an “I Accept” button, to expressly manifest their assent to ‎the terms and conditions.‎

Since Zappos’ browsewrap agreement did not require its users to take similar affirmative ‎action to show their assent to the terms and conditions, there was no direct evidence showing ‎that the plaintiffs consented to or even had actual knowledge of the agreement, including the ‎arbitration clause.‎

Link It Front and Center 

Furthermore, the court found Zappos’ Terms of Use hyperlink was inconspicuous and ‎thus did not provide reasonable notice to its users. The link was a) “buried” in the middle or ‎bottom of each page and became visible when a user scrolls down, b) appeared “in the same size, ‎font, and color as most other non-significant links,” and c) the website did not “direct a user to ‎the Terms of Use when creating an account, logging in to an existing account, or making a ‎purchase.” The court concluded that under ordinary circumstances, users would have no reason ‎to click on the link.‎

Unilateral Right to Modify or Terminate Won’t Work

Another problem with Zappos’ browsewrap agreement was that it was illusory and thus ‎unenforceable. In the agreement, the company “retain[ed] the unilateral, unrestricted right to ‎terminate the arbitration agreement” and had “no obligation to receive consent from, or even ‎notify, the other parties to the contract.” Users would unsuspectingly agree to the changes by ‎continuing to use the site. Under this provision, Zappos could seek to enforce the arbitration ‎clause, as it did here, or not enforce it by modifying the clause without notice to its users when it ‎was no longer in its interest to arbitrate. In either circumstance, the users would still be bound to ‎the agreement.

Implications for Companies

As a result of this decision, companies should carefully reassess the display and content ‎of the online terms of use they adopt to ensure their enforceability. In a narrow sense, the ‎decision means an arbitration clause in a browsewrap agreement similar to Zappos’ may be ‎deemed unenforceable. More broadly, this decision threatens the validity and enforceability of ‎other terms and conditions contained in a browsewrap agreement, which may deprive the ‎company of the agreement’s protection and favorable terms. ‎

Clickwrap agreements seem to provide the solution to Zappos’ problem. The court ‎suggested a clickwrap agreement could obtain a user’s assent to the terms and conditions. A ‎company may implement the clickwrap agreement through account registration or purchase ‎check-out, tailored to the nature of the company’s business and user interaction. The system may ‎require a user to click “I Accept” to secure the user’s assent to be bound by the agreement before ‎he can proceed further on the website. ‎

On the other hand, the court did not conclude that browsewrap agreements are never ‎enforceable. Other courts have held that browsewrap agreements are generally enforceable. ‎Enforceability largely depends on how the company presents the link and terms to the users such ‎that the users would have reasonable notice of the information. Accordingly, a browsewrap ‎agreement may be enforceable if the hyperlink is conspicuously located and displayed. ‎

In addition, companies should communicate and secure a user’s assent to any ‎modification when the user has previously accepted the terms and conditions. The user may ‎consent through another clickwrap agreement showing the modified terms. With a browsewrap ‎agreement, notice of the changes should, at the minimum, be conspicuously displayed on the ‎webpage. ‎

What This Means 

The Zappos decision reflects a change in the public policy on web activities, and users ‎who do not affirmatively agree to the online Terms of Use may no longer be bound. Consumers ‎are increasingly turning to the web for goods and services. In reaction, courts are beginning to ‎look closer into the transactions and resulting issues that occur online. In this process, courts are ‎testing and requiring new standards for these Terms of Use agreements. Companies should be ‎aware of the court’s evolving attitude towards the different types of agreements. You are ‎encouraged to seek legal guidance to properly adapt your implementation of Terms of Use ‎agreements. Failure to update your Terms of Use agreements may leave you exposed to ‎unfavorable terms that the Terms of Use is designed to prevent.‎

Recent Data Breach Reports: And the Hits Keep on Coming….

Mintz Logo

The ”hits” to data bases, in any event.   Here is a rundown of some of the most recent data breach reports –

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member.  According to  Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resluted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent, The Wall Street Journal reports. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.

Article By:

 of

Survey Says: Fortune 500 Disclosing Cyber Risks

Mintz Logo

Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings.  We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks.   Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentionedspecific cyber risks that they face.  The top three cyber risks identified by those companies that disclosed cyber risks were:

1)      Loss or theft of confidential information (65%).

2)      Loss of reputation (50%).

3)      Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into reality.  As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance.  The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies.  The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when comprised of a larger pool of public companies.

Stay tuned!

Article By:

 of

New Data Breach Class Action has Two Million Plaintiffs

RaymondBannerMED

Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The Class action complaint alleges Schnucks failed to properly and adequately safeguard its customer’s personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach and this delay may have continued to expose the PII of people who shopped at its stores.

cybercrime graphicSchnuck’s notice of removal to federal court states the grounds for removal include a class size of more than 100 people and damages at issue are greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.