FCC Adopts Updated Data Breach Notification Rules

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated to October Attack

On December 23rd, 2022, the Lake Charles Memorial Health System (LCMHS) began sending out notifications regarding a newly discovered data breach that is currently impacting approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, which contains multiple hospitals and a primary care clinic. The organization discovered unusual activity on their network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor gained access to the organization’s network as well as “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information regarding received care, and Social Security numbers (SSNs) in limited instances. While LCMHS has yet to confirm the unauthorized actor responsible for the data breach, the Hive ransomware group listed the organization on their data leak site on November 15, 2022, as well as posted files allegedly exfiltrated after breaching the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It is not unusual for Hive to claim responsibility for the associated attack as the threat group has previously targeted hospitals/healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a well-aged threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Aiming their attacks consistently at entities of South Korea, the group often targets academics, think tanks, and organizations relating to inter-Korea relations. In this recent campaign, Kimsuky threat actors distributed spear-phishing emails to several well-known South Korean policy experts. Within these emails, either an embedded website URL or an attachment was present, both executing malicious code to download malware to the compromised machine. One (1) tactic the threat actors utilized was distributing emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) of them were located throughout North Korea, with the others from around the globe. This type of social engineering attack is not new for the threat group as similar instances have occurred over the past decade. In January 2022, Kimsuky actors mimicked activities of researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded emails or downloading any attachments to lessen the risk of threat actor compromise.

Vulnerabilities

Netgear Patches Critical Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability impacting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow security vulnerability, which, if exploited, could allow threat actors to carry out a number of malicious activities. These activities include stealing sensitive information, creating Denial-of-Service (DoS) conditions, as well as downloading malware and executing arbitrary code. In past attacks, threat actors have utilized this type of vulnerability as an initial access vector by which they pivot to other parts of the network. Currently, there is very little technical information regarding the vulnerability and Netgear is temporarily withholding the details to allow as many of their users to update their vulnerable devices to the latest secure firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to successfully exploit a device. CTIX analysts urge Netgear users with any of the vulnerable devices listed in Netgear’s advisory to patch their device immediately.

For more cybersecurity news, click here to visit the National Law Review.

Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Former Uber Security Chief Found Guilty in Criminal Trial for Failure to Disclose Breach to FTC

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

The government alleged that in 2016, in the midst of an ongoing FTC investigation into Uber for a 2014 data breach, Sullivan learned of a new breach that affected the personal information of more than 57 million Uber customers and drivers. The hackers allegedly demanded a ransom of at least $100,000 from Uber. Instead of reporting the new breach to the FTC, Sullivan and his team allegedly paid the ransom and had the hackers sign a nondisclosure agreement. Sullivan also allegedly did not report the breach to Uber’s General Counsel.  Uber did not publicly disclose the incident or inform the FTC of the incident until 2017, when Uber’s new chief executive, Dara Khosrowshahi, joined the company.

This case is significant because it represents the first time a company executive has faced criminal prosecution related to the handling of a data breach.

For more Privacy Law news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Bidenthe Securities and Exchange Commissionthe Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

Ransom Demands: To Pay or Not to Pay?

As the threat of ransomware attacks against companies has skyrocketed, so has the burden on companies forced to decide whether to pay cybercriminals a ransom demand. Corporate management increasingly is faced with balancing myriad legal and business factors in making real-time, high-stakes “bet the company” decisions with little or no precedent to follow. In a recent advisory, the U.S. Department of the Treasury (Treasury) has once again discouraged companies from making ransom payments or risk potential sanctions.

OFAC Ransom Advisory

On September 21, 2021, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory that updates and supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, issued on October 1, 2020. This updated OFAC Advisory follows on the heels of the Biden Administration’s heightened interest in combating the growing risk and reality of cyber threats that may adversely impact national security and the economy.

According to Federal Bureau of Investigation (FBI) statistics from 2019 to 2020 on ransomware attacks, there was a 21 percent increase in reported ransomware attacks and a 225 percent increase in associated losses. All organizations across all industry sectors in the private and public arenas are potential targets of such attacks. As noted by OFAC, cybercriminals often target particularly vulnerable entities, such as schools and hospitals, among others.

While some cybercriminals are linked to foreign state actors primarily motivated by political interests, many threat actors are simply in it “for the money.” Every day cybercriminals launch ransomware attacks to wreak havoc on vulnerable organizations, disrupting their business operations by encrypting and potentially stealing their data. These cybercriminals often demand ransom payments in the millions of dollars in exchange for a “decryptor” key to unlock encrypted files and/or a “promise” not to use or publish stolen data on the Dark Web.

The recent OFAC Advisory states in no uncertain terms that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.” OFAC notes that such ransomware payments could be “used to fund activities adverse to the national security and foreign policy objectives of the United States.” The Advisory further states that ransom payments may perpetuate future cyber-attacks by incentivizing cybercriminals. In addition, OFAC cautions that in exchange for payments to cybercriminals “there is no guarantee that companies will regain access to their data or be free from further attacks.”

The OFAC Advisory also underscores the potential risk of violating sanctions associated with ransom payments by organizations. As a reminder, various U.S. federal laws, including the International Emergency Economic Powers Act and the Trading with the Enemy Act, prohibit U.S. persons or entities from engaging in financial or other transactions with certain blacklisted individuals, organizations or countries – including those listed on OFAC’s Specially Designated Nationals and Blacked Persons List or countries subject to embargoes (such as Cuba, the Crimea region of the Ukraine, North Korea and Syria).

Penalties & Mitigating Factors

If a ransom payment is deemed to have been made to a cybercriminal with a nexus to a blacklisted organization or country, OFAC may impose civil monetary penalties for violations of sanctions based on strict liability, even if a person or organization did not know it was engaging in a prohibited transaction.

However, OFAC will consider various mitigating factors in deciding whether to impose penalties against organizations for sanctioned transactions, including if the organizations adopted enhanced cybersecurity practices to reduce the risk of cyber-attacks, or promptly reported ransomware attacks to law enforcement and regulatory authorities (including the FBI, U.S. Secret Service and/or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection).

“OFAC also will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack” as a “significant” mitigating factor. In encouraging organizations to self-report ransomware attacks to federal authorities, OFAC notes that information shared with law enforcement may aid in tracking cybercriminals and disrupting or preventing future attacks.

Conclusion

In short, payment of a ransom is not illegal per se, so long as the transaction does not involve a sanctioned party on OFAC’s blacklist. Moreover, the recent ransomware Advisory “is explanatory only and does not have the force of law.” Nonetheless, organizations should consider carefully OFAC’s advice and guidance in deciding whether to pay a ransom demand.

In addition to the OFAC Advisory, management should consider the following:

  • Ability to restore systems from viable (unencrypted) backups

  • Marginal time savings in restoring systems with a decryptor versus backups

  • Preservation of infected systems in order to conduct a forensics investigation

  • Ability to determine whether data was accessed or exfiltrated (stolen)

  • Reputational harm if data is published by the threat actor

  • Likelihood that the organization will be legally required to notify individuals of the attack regardless of whether their data is published on the Dark Web.

Should an organization decide it has no choice other than to make a ransom payment, it should facilitate the transaction through a reputable company that first performs and documents an OFAC sanctions check.

© 2021 Wilson Elser

For more articles about ransomware attacks, visit the NLR Cybersecurity, Media & FCC section.

Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of their internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both itself and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach finding that the outside counsel’s vendor report has not been prepared exclusively for use in preparation for litigation. Like in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

Fore more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

Data Breach Litigations: 2020 Year in Review

2020 has been a year for the record books, and the area of data breach litigation is no exception.   Several key developments, when considered individually or in conjunction, will likely make breach litigation a top of mind data privacy issue going into the next year.  So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.

Overview of Industries Impacted by Data Breach Litigation in 2020

What industries were impacted by data breach litigations in 2020?  The short answer: all of them.

Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common.  CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  Top five practical recommendations to reduce cyber risk can be reviewed here.

In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology.  In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.

What Has Changed with Data Breach Litigations in 2020?

Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex.  This is due to several factors.

First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions).  The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general.  Hence plaintiffs’ reliance on common law and tort based theories.  Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage).  The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).

Secondthere was a monumental development in the spring that sent shockwaves through the data breach defense bar.  A federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack.  The report will address, among other areas, any vulnerabilities in a company’s IT environment that enabled the cyberattack.  Obviously, while these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report can cut both ways.  Plaintiffs can also use this information to substantiate their claims.]  This ruling reaffirmed several key lessons for companies facing cyber incidents.  This includes that to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  Notably, this burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

And thirdas seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives.  A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.  Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously—notwithstanding regarding murkiness in the law regarding when these obligations arise.

What Changed With Standing in Data Breach Cases in 2020?

Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation.  The reason for this discrepancy is simple:  although standing case law can be generally straightforward, this case law has not caught up to the unique challenges posted by data breaches.  This, when combined with the absence of national-level legislation for data privacy, has created a hodgepodge of circuit splits and differing interpretations.

As you will recall, Article III standing consists of three elements:  (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s act; and (3) it must be “likely” that a favorable decision will compensate or otherwise rectify the injury.

When a data breach occurs, the penultimate standing question is whether the theft of data may, by itself, constitute a sufficient injury.  Is there an injury when leaked personal information is not copied or used to facilitate fraud or another crime?  Should an injury occur when only certain types of personal information, such as Social Security numbers, are leaked, or may the disclosure of other types of information, such as credit card numbers or addresses, be sufficient for injury?  These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of the year.

Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints.  One strategy has been to allege a negligence cause of action.  This year, this strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action lawsuit filed against it by a group of credit unions regarding an alleged data breach.  In In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), a group of credit unions alleged that a convenience store chain’s failure to abide by the PCI DSS–the payment card industry’s data security standards–should be the standard of care for determining a negligence claim.  In opposition, the plaintiffs argued that Wawa had an independent and common law duty to use reasonable care to safeguard the data used by credit and debit cards for payments.  The parties held oral argument in November and a decision remains pending.  Our previous coverage provides more information.

While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend.  In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach.  After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed.  This factual finding was included in the notice that the defendant sent to its patients.

The court rejected the plaintiff’s argument and granted the defendant’s motion to dismiss.  Crucial to the court’s opinion was that there were no allegations that suggested any disclosure of the acquired data, “such as an actual review by a third party,” had occurred.  The court stated “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.”  The court looked to the notice of the data breach and observed “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”

Perhaps the biggest takeaway of Blahous is that the disclosure of a patient’s Social Security number and health treatment information were not sufficient for standing.  This was contrary to other decisions where the absence of a Social Security number in a data breach specifically led a court to conclude there was no injury.  See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations are not sufficient when the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).

Another case highlighted the current circuit split concerning injury in data breaches.  In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action lawsuit after his personal information was leaked due to a breach through Macy’s online shopping platform.  The court granted Macy’s motion to dismiss, attributing three reasons for its holding:  (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identify theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.

Hartigan has at least two takeaways.  First, the change brought by Blahous may be an anomaly.  In Blahous, the court found no standing when a Social Security number was disclosed.  The Hartigan court, however, specifically stated that the absence of any disclosed Social Security numbers was a reason why the plaintiff did not suffer an injury.  Although issued later in the year, the Hartigan court did not cite Blahous or any opinion from within the Eleventh Circuit.

Second, Hartigan highlighted the current circuit split regarding standing in data breach cases.  The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper.  The court then looked to six other circuits for guidance.  It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury.  It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury.  Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.

Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing).  At least one notable standing opinion highlights what may be to come.  In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers regarding an alleged data breach.  A significant issue was whether the plaintiff, a Pennsylvania resident that stayed in one of the defendant’s California facilities for one month, may be a “consumer” under the CCPA for standing purposes.

The defendant seized on the plaintiff’s residency issues for its motion to compel arbitration, or, in the alternative, to dismiss.  The defendant argued that the plaintiff’s one-month at a California treatment facility did not make him a “consumer.”  The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined by California regulations.  Cal. Civ. Code § 1798.150(h).  That part of the California Code of Regulations includes in its definition of “resident”:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the court did not evaluate this issue because the parties voluntarily dismissed the suit prior to a decision.

Trends in 2021

The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.

With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation.  Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action.  The CCPA, which permits private causes of action for California residents, may be one source of influence.  Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.

The change of administration will also likely influence data privacy trends.  The Vice President-Elect’s prior experiences with data privacy issues may place her on-point for any federal action.  When she was Attorney General of California, the Vice President-Elect had an active interest in data privacy issues.  In January 2013, her office oversaw the creation of the privacy Enforcement and Protection Unit of the California Attorney General’s Office, which was created to enforce laws related to data breaches, identity theft, and cyber privacy.  The Vice President-Elect also secured several settlements with large companies, some of which required creation of specific privacy-focused offices within settling companies, such as chief privacy officer (mirroring recent trends discussed above).

2021 may also be the year of the Supreme Court.  In recent years, the Supreme Court has denied several cert petitions in cases involving data breaches.  2021, however, may be the year when we see the nation’s highest court decide who has standing in a data breach and when an injury occurs.  Several high-profile data privacy cases have increased the public’s attention to data issues, such as the recent creation of two MDLs.  Additionally, the circuit split referenced in Hartigan may be coming to a head.  Finally, the implementation of the CCPA and possibility of federal legislation may make this the year of data privacy.

CPW will be there to cover these developments, as they occur.  Stay tuned.


© Copyright 2020 Squire Patton Boggs (US) LLP
For more, visit the NLR Corporate & Business Organizations section.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different than the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on SBA Loans, see the National Law Review Coronavirus News section.

California DMV Exposes 3,200 SSNs of Drivers

The California Department of Motor Vehicles (DMV) announced on November 5, 2019, that it allowed the Social Security numbers (SSNs) of 3,200 California drivers to be accessed by unauthorized individuals in other state and federal agencies, including the Internal Revenue Service, the Small Business Administration and the district attorneys’ offices in Santa Clara and San Diego counties.

According to a news report, the access included the full Social Security numbers of individuals who were being investigated for criminal activity or compliance with tax laws. Apparently, the access also allowed investigators to see which drivers didn’t have Social Security numbers, which has given immigration advocates concern.

The DMV stated that the incident was not a hack, but rather, an error, and the unauthorized access was terminated when it was discovered on August 2, 2019. Nonetheless, the DMV notified the 3,200 drivers of the incident and the exposure of their personal information. The DMV issued a statement that it has “taken additional steps to correct this error, protect this information and reaffirm our serious commitment to protect the privacy rights of all license holders.”

 

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
For more on data security, see the National Law Review Communications, Media & Internet law page.