Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Home Depot Settles Major Data Breach Suit with Financial Institutions for $25 Million

Posted in Data Breach
Maida Oringher Lerner, Justin Kingsolver

On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action brought by more than 60 financial institutions nationwide that were harmed by the retailer’s September 2014 data breach.  That month, the home improvement giant announced that hackers had installed malware on Home Depot’s self-checkout terminals and, over a five-month period, stolen the payment card information of more than 56 million shoppers.  Immediately thereafter, financial institutions filed more than 25 suits seeking compensation for card reissuance costs and reimbursement of fraudulent transactions; those suits were then consolidated before a federal court in Atlanta.

The agreement requires the retailer to establish a $25 million settlement fund to reimburse financial institutions for the reissuance of credit cards compromised by the data breach.  The Home Depot has also agreed to a series of additional security measures, including implementing new safeguards developed through a risk exception process and enacting new vendor security programs.

Prior to Wednesday’s announcement, Home Depot had already spent more than $140 million to settle claims by many of the nation’s large credit card issuers – including MasterCard, Visa, American Express, and Discover – for damages sustained in this breach.

CFAA Conviction for Accessing and Damaging Former Employer’s Computer System

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Kate M. Growley, Charles Austin

Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations.

Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility.  In February 2014, Georgia-Pacific terminated Mr. Johnson’s employment and had him escorted from the premises.  During the following two weeks, Mr. Johnson remotely and repeatedly accessed the computer system at the Port Hudson facility and uploaded malicious code that damaged the facility’s automated paper towel manufacturing operations, causing more than $1.1 million in damage.  His activity stopped only after federal agents executed a search warrant at his home and seized his computer, which, at the time of the search, was still connected to Georgia-Pacific’s network.  Mr. Johnson pleaded guilty to a criminal violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A).

This conviction is yet another reminder of the danger of lax network access policies, especially with regard to employee departures.  A departing systems administrator typically holds not only a personal account but also remote-access (VPN) credentials and knowledge of shared, service, and administrative passwords; disabling the personal account alone leaves the rest of that access intact.  Companies should consider creating and enforcing robust protocols for network access, including prompt revocation of access rights for employees who leave, rotation of any shared credentials they knew, and verification that the revocation actually took effect, particularly for those with access to critical or operational systems.  Companies should also consider routine review of access credentials against current HR records and taking steps to recover company hardware and data from departing employees.
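The kind of offboarding check described above can be automated.  The following Python example is added to this post for illustration and is not code from the case, from Georgia-Pacific, or from the court record.  It assumes a hypothetical HR termination roster and a hypothetical syslog-style remote-access gateway log (both constructed here), and reports two things a practitioner would want to know after a departure: accounts that remain enabled past the owner’s termination time, and successful remote logins attributed to a terminated user after that time.

```python
"""
Offboarding access audit.  Illustrative example written for this post; not
code from the Georgia-Pacific case.  The roster, log format and log lines
below are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed HR roster: username -> (termination time, account still enabled?)
TERMINATIONS = {
    "bjohnson": (datetime(2014, 2, 14, 17, 0, tzinfo=timezone.utc), True),
    "asmith": (datetime(2014, 2, 10, 12, 0, tzinfo=timezone.utc), False),
}

# Constructed log lines from a hypothetical VPN gateway ("gw1").
AUTH_LOG = """\
2014-02-14T09:12:03Z gw1 vpn: user=bjohnson src=10.20.1.15 result=ACCEPT
2014-02-15T02:41:10Z gw1 vpn: user=bjohnson src=203.0.113.42 result=ACCEPT
2014-02-16T23:05:57Z gw1 vpn: user=bjohnson src=203.0.113.42 result=ACCEPT
2014-02-11T08:00:00Z gw1 vpn: user=asmith src=203.0.113.9 result=REJECT
2014-02-15T10:30:00Z gw1 vpn: user=cjones src=10.20.1.30 result=ACCEPT
"""

# Pattern for the hypothetical log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "account_still_enabled" or "post_termination_login"
    user: str
    detail: str


def parse_line(line):
    """Return (timestamp, user, source, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["src"], m["result"]


def audit(terminations, log_text):
    """Cross-check the termination roster against account state and the auth log."""
    findings = []
    # 1. Accounts that HR says are terminated but the directory still shows enabled.
    for user, (term_time, enabled) in terminations.items():
        if enabled:
            findings.append(Finding(
                "account_still_enabled", user,
                f"terminated {term_time.isoformat()} but account still enabled"))
    # 2. Successful logins by a terminated user after the termination time.
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if user in terminations and result == "ACCEPT" and ts > terminations[user][0]:
            findings.append(Finding(
                "post_termination_login", user, f"{ts.isoformat()} from {src}"))
    return findings


if __name__ == "__main__":
    for f in audit(TERMINATIONS, AUTH_LOG):
        print(f"{f.kind:24} {f.user:10} {f.detail}")
```

Run against the constructed data, the audit flags the still-enabled account and the two successful logins after the termination time, while ignoring the rejected attempt by an already-disabled user and the login by an active employee.  In a real environment the roster would come from the HR system, the enabled flag from the directory (for example Active Directory or LDAP), and the log from the remote-access gateway; the logic stays the same.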

Vizio Agrees to $2.2M Settlement Regarding Data Collection Practices

Posted in Government Agencies, Information Management, Internet of Things, Privacy, Uncategorized
Charles Austin

Last week, the Federal Trade Commission (“FTC”) announced an agreement settling claims against a television manufacturer arising from the alleged unauthorized collection of television viewing data.  The FTC, along with the State of New Jersey, alleged that certain “smart TVs” manufactured and sold by VIZIO, Inc. and its subsidiary VIZIO Inscape Services (collectively, “VIZIO”) failed to adequately inform consumers that viewing data—which VIZIO later sold to or otherwise shared with third parties—would be collected and disclosed.  In settling the charges, VIZIO agreed to pay $2.2 million, cease unauthorized data tracking and collection, and update its collection and disclosure notices.  For more on VIZIO’s practices, the allegations, and important lessons from the settlement, see the recent blog entry by Lauren Aronson of our Advertising and Product Risk Management team.

December 2016 Monthly Update

Posted in Cybersecurity / Data Security, Data Breach, Ethics, Government Agencies, Health IT, Privacy, Rules
Crowell & Moring

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. CareCentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach that exposed the personal and tax information of thousands of CareCentrix employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return.  However, it argued that the other alleged injuries—the impending costs of countering the current tax fraud and the heightened risk of future identity theft—were too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which requires plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to view the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.”  Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing where the plaintiffs had already suffered identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met the standing requirements.

The Court further rejected CareCentrix’s argument that Hapka failed to adequately plead the negligence claim because CareCentrix had no statutory duty of care regarding employee information and the plaintiff had failed to allege any common-law duty.  The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.

Missouri District Court Relieves Insurer of Duty to Defend TCPA Suit

Posted in Insurance, Privacy
Ellen MacDonald Farrell, Rachel Raphael, Thomas Kinney

On December 15, 2016, in The Travelers Indemnity Co. of Connecticut v. Max Margulis, et al., the U.S. District Court for the Eastern District of Missouri ruled that an insurer did not have a duty to defend its policyholder in a suit alleging a violation of the Telephone Consumer Protection Act (“TCPA”).  Margulis is one of several cases addressing the scope of insurance coverage for TCPA violations to come out of the Eastern District of Missouri.  Since automated dialing and other forms of targeted marketing are common business solicitation techniques, insurers and policyholders should pay careful attention to this case and to the scope of coverage under their policies.

The underlying suit arose when the policyholder, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”) allegedly solicited Max Margulis using an automated telephone dialing system without his consent. Margulis filed suit against Surrey, alleging a violation of the TCPA, and Surrey sought a defense from Travelers, its commercial liability insurer. Travelers initially defended Surrey under a reservation of rights, but soon thereafter filed a declaratory judgment action asserting that coverage for the TCPA suit was excluded by the policies at issue.

In this regard, Travelers issued four commercial general liability policies to Surrey, and each contained an endorsement expressly excluding coverage for claims arising from “Unsolicited Communications.” The first three policies defined “Unsolicited Communications” as “any form of communication, including but not limited to … communications which are made or allegedly made in violation of the Telephone Consumer Protection Act … and/or local or state statutes that bar, prohibit or penalize such communications.” The fourth policy defined “Unsolicited Communications” as “any communication, in any form, that the recipient of such communication did not specifically request to receive.”

After examining the language in the policies and the allegations in the underlying complaint, the district court concluded that the TCPA is a “law that restricts or prohibits the sending, transmitting or distributing of ‘unsolicited communication[s]’.”  As such, the court found that the policyholder’s alleged violation of the TCPA was excluded from coverage by the “Unsolicited Communications” endorsements appearing in all four policies.  In doing so, the court noted that similar exclusions had previously been applied and enforced to exclude coverage for TCPA violations.  As no coverage was available under any of the four policies, the court found that Travelers had no duty to defend Surrey in the underlying lawsuit.

Join us for an ABA Webinar on Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More

Posted in Cloud Computing, Health IT
Jodi G. Daniel

Please join Crowell & Moring’s Jodi Daniel and Elliot Golding on January 31, 2017 for an ABA webinar titled Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More.

This in-person panel discussion (with simultaneous webinar broadcast) will provide perspectives from the HHS Office for Civil Rights (OCR), the former director of the HHS Office of the National Coordinator for Health Information Technology, and industry experts on recent HIPAA guidance that OCR has issued and the business opportunities the guidance creates.  Among other topics, the speakers will address individual access rights, cloud computing, and mobile applications.  Anyone who deals with health information on a regular basis – such as Covered Entity providers and health plans, and Business Associates such as technology companies and other health care vendors – and companies thinking about working more in the health care sector will benefit from this engaging discussion.  CLE credit will be provided.

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

Posted in Cybersecurity / Data Security, Data Breach, Health IT
Jodi G. Daniel, Adeoye Johnson

Illinois State Court Issues First Settlement under Biometric Law

On December 1, 2016, the Cook County Circuit Court in Illinois approved what is being reported as the first settlement under the state’s Biometric Information Privacy Act, 740 ILCS 14/1 (BIPA or the Act).  BIPA provides a private right of action against companies that fail to satisfy certain requirements for the collection, retention, and destruction of biometric information, and is an example of the broader form of state legislation in this area.  BIPA defines biometric information as any information based on an individual’s biometric identifier, including iris scans, fingerprints, voiceprints, or scans of hand or face geometry.  The Act requires companies to obtain consent before collecting such information and to develop a written policy establishing a retention schedule and guidelines for destruction.  This recent settlement demonstrates that, despite its breadth, BIPA and similar state laws can overcome significant enforceability hurdles.

In Sekura v. L.A. Tan, a class of tanning salon customers alleged that L.A. Tan Enterprises Inc. (L.A. Tan), which used fingerprint scanning technology rather than key fobs for membership, violated BIPA by failing to obtain prior written consent to collect this biometric information.  The complaint further alleged that L.A. Tan failed to provide customers with a policy on how the information will be retained and ultimately destroyed.  In a $1.5 million settlement, each class member will receive $125 and L.A. Tan will institute processes to comply with BIPA or destroy all biometric information within its possession.

As technology that collects biometric information continues to spread through cell phone applications and social media websites, such as most smartphones’ fingerprint unlocking ability and Snapchat Inc.’s facial template feature, companies face greater risk of similar class action litigation.  Although there currently is no specific federal law that imposes requirements for the collection, retention, and destruction of biometric data, a few states have enacted legislation in this space and companies can expect more to follow in the future.  Texas’ own biometric law, Texas Business and Commerce Code § 503.001, imposes notice and consent requirements for the collection of biometric information similar to those of the Illinois BIPA.  Further, these state laws can impose liability for data practices beyond the loss of information due to a security breach.  Indeed, the plaintiffs in Sekura alleged that L.A. Tan did not handle the data as carefully as BIPA requires, not that there was a data breach involving the biometric information.  Companies that use biometric information in their everyday practice should be vigilant in establishing written policies for the handling of such data, and should obtain prior consent when required.

AMA Adopts Principles to Support Mobile Health Applications

The AMA has adopted a set of principles to more effectively integrate the use of mobile health applications (mHealth apps) and devices in everyday clinical practice.  While many have touted the potential health benefits of mHealth apps and digital devices, the AMA also raises concerns about the health and safety risks these apps can pose to patients, as well as their privacy and security risks.  Accordingly, the AMA has prescribed the following set of principles to support the use of mHealth apps and devices:

  • Support the establishment or continuation of a valid patient-physician relationship;
  • Have a clinical evidence base to support their use in order to ensure mHealth app safety and effectiveness;
  • Follow evidence-based practice guidelines, to the degree they are available, to ensure patient safety, quality of care and positive health outcomes;
  • Support care delivery that is patient-centered, promotes care coordination and facilitates team-based communication;
  • Support data portability and interoperability in order to promote care coordination through medical home and accountable care models;
  • Abide by state licensure laws and state medical practice laws and requirements in the state in which the patient receives services facilitated by the app;
  • Require that physicians and other health practitioners delivering services through the app be licensed in the state where the patient receives services, or be providing these services as otherwise authorized by that state’s medical board; and
  • Ensure that the delivery of any services via the app be consistent with state scope of practice laws.

The AMA acknowledges that the increase in health technology through the use of mHealth apps and devices will bring increased risk to patient privacy and data security, including the risk of data breaches.  Given the lack of regulation of these apps, the AMA advises physicians to alert patients to the potential privacy and security risks of any mHealth apps that they recommend and to document the patient’s understanding of these risks.  It also advises physicians to consult with legal counsel to ensure that mHealth apps and devices meet privacy and security laws.

It is clear that, as physicians increasingly incorporate digital health tools such as mHealth apps into their practice and their advice to patients, the AMA needs to demonstrate a willingness to adapt to such innovation while reconciling some of its long-held positions on the roles of physicians, licensure laws, and the need for evidence, which are reflected in the principles.  It is interesting that the AMA steered clear of including recommendations on privacy and security in the principles themselves, but felt the need to raise concerns and offer advice to physicians with respect to data protection.

Ecuador Debates Enactment of Data Privacy Law Prior to February Election

Ecuador’s National Assembly has begun debating a proposed national data privacy law that would regulate the public and private use of personal information and unify the disparate data protection requirements found in various laws in the country.  The proposed law is among many that President Rafael Correa is pushing to have approved prior to the general elections on February 19, 2017.  The stated objective of the law is “to protect and guarantee the rights of all people to privacy in the treatment of personal data in databases or archives, in physical or digital format, in public or private entities.”  The law establishes rights for the data subject regarding the collection, use, and destruction of personal information, specifically requiring consent prior to collecting such data.  However, if enacted, the proposed law would also create a government-controlled database containing personal information, with which companies would be required to register.  It would further create the National Authority for Personal Data Protection to oversee compliance with the law’s requirements.

Though most critics recognize the importance of establishing unified guidelines and principles to protect personal data, much of their larger concern with this proposed legislation is that it would provide the government of Ecuador with a strong interventionist role and sweeping powers over data generally. Such requirements would be imposed on multinational companies doing business in Ecuador or engaging in international data transfers.  Accordingly, critics of the proposed law argue that the requirement to register with a database under the government’s control could potentially discourage foreign investment in the country.

Privacy-Cybersecurity Weekly News Update—Week of November 20 and November 27

Posted in Cybersecurity / Data Security, Data Breach, Privacy
Leigh Colihan

Discussion headlines: UMass settles alleged HIPAA violations; FCC combatting robotexts and robocalls; TCPA class certification; failed investor suit over data breach; UK surveillance bill became law

UMass pays $650,000 to settle alleged HIPAA violations

The University of Massachusetts Amherst (UMass) reached an agreement to pay $650,000 to settle alleged HIPAA violations based on the disclosure of electronic protected health information (ePHI) of 1,670 individuals.  In June 2013, UMass reported to HHS’s Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (Center) had been infected with malware, which was able to reach the system because UMass did not have a firewall in place.  Mistakenly believing that the Center was not a covered health care component, UMass failed to put in place policies and procedures at the Center to ensure compliance with HIPAA.  In effect, UMass failed to designate all of its health care components when it “hybridized.”  A hybrid entity is an entity that performs both covered and non-covered functions as part of its business.  Universities that also operate as health care providers can elect to become a “hybrid entity,” and thereby have functions that fall outside the scope of HIPAA.  To do so, universities must designate in writing the components that perform functions covered by HIPAA.  While hybridization is a convenient option for legal entities that perform both covered and non-covered functions, it is important to scrutinize each business operation to determine whether it meets the definition of a covered entity, because any component that is overlooked still handles ePHI without the required safeguards.  This settlement suggests that OCR might be scrutinizing more hybrid entities in the future.

FCC clarifies restrictions on robocalls and robotexts

The Federal Communications Commission issued an Enforcement Advisory on November 18th to explain its position on autodialed text messages, or “robotexts.”  Last year, the FCC expanded the definition of “automatic telephone dialing systems” under the Telephone Consumer Protection Act of 1991 (“TCPA”).  Since the change, the FCC has issued a series of clarifications.  The Advisory clarifies that the TCPA bars autodialed calls or texts to cellphones or mobile devices unless prior express consent is provided, and that the robotext sender bears the burden of proving that it had prior express consent.  The mere presence of a consumer’s wireless number on a contact list does not, by itself, establish consent to receive robotexts.  Recipients can revoke their consent using any reasonable method.  Absent express consent from their customers, companies are foreclosed from using autodialed text messages to advertise their products.  And proving that a company obtained consumer consent can be difficult, especially since consumers can revoke their consent at any time.

The agency is also focused on taking robocall and robotext enforcement beyond US borders.  The FCC has partnered with international law enforcement agencies to combat robocall scams.  On November 21st, Enforcement Bureau Chief Travis LeBlanc published a blog post in which he called unsolicited calls and text messages a “global problem” that is “more than just a nuisance these days”; they are used to commit fraud and phishing scams.  The FCC recently signed a Memorandum of Understanding (MOU) with Canada and members of the Unsolicited Communications Enforcement Network, which will allow participating agencies to share enforcement data.  The FCC continues to be focused on implementing consumer-focused initiatives and seems intent on aggressively cracking down on robotext and robocall abuses.  It appears the FCC is using the telecommunications arena to illustrate its ability to regulate in the privacy/cybersecurity space.

TCPA plaintiff denied class certification

Suits alleging TCPA violations often take the form of class actions, and defendants can sometimes successfully challenge the suit at the class certification stage.  In a suit against Dick’s Sporting Goods Inc., U.S. District Judge Cormac J. Carney allowed the suit to go forward but denied the request for class certification.  The judge concluded that the plaintiff “alleg[ed] a concrete and particularized injury by laying out the elements of a TCPA violation,” but failed to present evidence that he was a suitable class representative.  The crux of Dick’s defense, the court concluded, would center on whether the plaintiff did or did not sign up for its mobile alert program.  Therefore, the focus would be on issues and defenses unique to the plaintiff rather than on the claims of the class.  This case demonstrates that defendants may be able to avoid class certification by emphasizing facts that raise individualized issues, such as consent.  Since lack of consent is an element of a TCPA claim, the question of whether the entire class provided (or did not provide) consent can be problematic for a plaintiff.

Home Depot executives avoid investor suit

On November 29th, a Georgia federal judge ruled that investors in The Home Depot Inc. could not pursue a shareholder derivative lawsuit against members of the board of directors relating to the 2014 customer data breach.  Two shareholders filed suit in August 2015 alleging that current and former members of the board breached their duty of loyalty by failing to implement safeguards against a security breach or to take measures to address one.  The shareholders could not show that the board “consciously failed to act in the face of a known duty to act,” which, according to the judge, “is an incredibly high hurdle for plaintiffs to overcome.”  The shareholders essentially alleged that the board moved too slowly to address the security breach, which was insufficient to show a breach of loyalty or a waste of corporate assets.  The court acknowledged that the board could have done more, but found it protected by the Business Judgment Rule—a judicially created presumption that, in making business decisions, directors act on an informed basis and in the best interest of the company.  The court’s ruling illustrates the high burden that plaintiffs face in pursuing fiduciary claims against directors following a data breach.

UK surveillance bill became law

On November 29th, a British surveillance bill—the Investigatory Powers Act 2016—became law after receiving royal assent.  The law requires communications companies to retain records such as users’ browsing history for a year and permits authorities to see which websites individuals have visited, including apps or social media accessed on a smartphone.  The law also sets out, for the first time, rules governing authorities’ powers to hack computers to gain access to communications.  Opponents claim the law permits mass surveillance without proper oversight.  Home Secretary Amber Rudd called the act “world-leading legislation” that is essential to combat terrorism.  This is another example of the growing requirements placed on telecommunications companies by government surveillance efforts.

Privacy-Cybersecurity Weekly News Update—Week of November 13

Posted in Cybersecurity / Data Security, Internet of Things
Crowell & Moring

Discussion headlines:  New guidelines for IoT; Russia blocks access to LinkedIn; Standing under the TCPA; Long distance search warrant power

The DHS and NIST Release Guidelines for the IoT

This week, both the Department of Homeland Security and the National Institute of Standards and Technology released guidance intended to secure the IoT: DHS published its Strategic Principles for Securing the Internet of Things, and NIST published Special Publication 800-160, Systems Security Engineering.  Both documents offer principles that focus on building security into the underlying architecture of a device and emphasize the need to incorporate security practices early in the design of an IoT device, rather than bolting them on after deployment.

On November 16th, a joint hearing of two House Energy and Commerce subcommittees was held to investigate ways to better secure internet-connected devices and to mitigate future attacks.  Experts testified that internet-connected devices suffer from a minimal interest in security on the part of both manufacturers and consumers, and several witnesses argued that this overall lack of incentive to implement security mechanisms could be rectified by an increased regulatory presence in the industry.  Rep. Jan Schakowsky (D-Ill.), the ranking member of the Commerce, Manufacturing and Trade Subcommittee, suggested that the Federal Trade Commission needs to take on a larger role in this industry to protect consumers.  Rep. Michael C. Burgess (R-Texas) wanted to shy away from creating hard and fast rules and, instead, to develop a set of best practices or industry standards for the IoT industry to follow, believing that regulations could be an “innovation killer.”  Regardless of the approach adopted, the comments made at the hearing echoed the motivation behind the DHS and NIST guidelines: cybersecurity must be part of the early design of an internet-connected device.  The new guidelines and the joint hearing reflect a new focus on the security of IoT devices.

LinkedIn is Shown the Door in Russia

On November 10th, after determining that LinkedIn Corp. violated Russia’s data localization law, a Moscow court affirmed an August district court decision that blocked the company from providing online services within Russia.  The law, which went into effect in September 2015, requires websites to store Russians’ personal information on servers located in Russia.  This ruling was the first time a Russian court enforced the law.  Even though LinkedIn has no offices or personnel located within Russia, the company still has to comply with the law simply because Russians can sign up to use its services.  Consequently, if multinational companies want to engage with Russian users, they will likely need to build data centers in Russia or store their data with local hosting providers.  Adhering to this law will likely grant Russian officials more direct and easier access to customer and corporate data.  One week after the decision, Russia’s communications regulator ordered access to LinkedIn’s website to be blocked for users in Russia.  As companies look to expand their businesses, data localization laws could prove to be an obstacle to expansion.

A Single Text Constitutes an Injury-in-Fact under the TCPA

On Nov. 15th, U.S. District Judge Leigh Martin May ruled that an alleged violation of the Telephone Consumer Protection Act (TCPA) is sufficient to confer standing to sue in federal court.  Under the TCPA, a company cannot use automated telephone dialing systems to send unsolicited calls or text messages to a consumer without prior consent.  The plaintiff claimed that Hooters knowingly violated the TCPA by sending a text message to diners who had opted out of receiving the messages.  Applying the recent Supreme Court ruling in Spokeo, Inc. v. Robins, the judge concluded that a per se violation of the TCPA suffices to establish standing and, in fact, that “sending a single text message in violation of the TCPA constitutes an injury-in-fact.”  This ruling could pose a significant business risk for many companies, as it makes it easier for plaintiffs to satisfy the initial standing requirement.

Long Distance Search Warrant Power

On December 1st, the revised Federal Rule of Criminal Procedure 41 will take effect, allowing a federal judge in any district to issue a warrant authorizing remote access to search electronic devices located outside that district.  The new authority applies in two circumstances: first, if a suspect has used technological means to conceal the location of his or her computer; and second, in an investigation of a crime involving the hacking of computers, if the affected computers are located in five or more judicial districts, in which case only one judge need review a single warrant application rather than prosecutors submitting separate applications in each district where a computer is affected.  A judge can grant a warrant even if the owner is unaware of how the computer is being misused—for example, an infected personal laptop that has been used in a cyberattack.  Companies will have to wait to see how prosecutors utilize Rule 41 warrants.  In the interim, Rule 41 could make it increasingly difficult for companies to protect users’ information.

Alabama District Court Relieves Carrier of a Duty to Defend or Indemnify Policyholder Following Data Breach

Posted in Cybersecurity / Data Security, Data Breach, Insurance, Privacy
Rachel Raphael

On October 25, in the case of Camp’s Grocery, Inc. v. State Farm Fire & Casualty Company, the District Court for the Northern District of Alabama granted summary judgment in favor of State Farm Fire and Casualty Company (“State Farm”), concluding that State Farm did not have to defend or indemnify its policyholder, Camp’s Grocery Inc. (“Camp’s”), in an underlying lawsuit brought by credit unions following a breach of Camp’s computer network.  Camp’s Grocery illustrates the importance of carefully evaluating an insurance policy’s terms and conditions and having a complete understanding as to which losses are covered and which are not.  Additionally, this case highlights the different entities (here, credit unions) that may sue a policyholder after a data breach.

In August 2015, three credit unions sued Camp’s in an Alabama circuit court alleging that a hack of Camp’s computer network compromised customers’ confidential data, such as credit card, debit card, and check card information.  The credit unions argued they suffered losses as a result of the breach.  For example, the credit unions had to reissue cards to customers and reimburse customers for fraud losses.  Among other things, the credit unions also incurred administrative expenses associated with investigating, correcting, and preventing fraud.

State Farm had issued a business owners insurance policy to Camp’s.  This policy covered damages because of “bodily injury,” “property damage,” or “personal and advertising injury.”  However, “property damage” was limited to harm to “tangible property.”  And “tangible property” was defined not to include “electronic data.”  The policy also expressly excluded “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

The State Farm policy also included two endorsements: (1) Inland Marine Conditions (“IMC”), and (2) Inland Marine Computer Property Form (“IMCPF”).  The IMCPF specifically covered accidental direct physical loss to computer equipment and removable data storage media used in Camp’s business.

In February 2016, Camp’s sued State Farm in an Alabama federal district court seeking a declaration that State Farm had a duty to defend and indemnify Camp’s in the credit unions’ lawsuit.  Both Camp’s and State Farm filed motions for summary judgment.  State Farm argued that coverage was not available under the policy because the credit unions’ claims in the underlying suit did not allege “bodily injury,” “property damage,” or “personal and advertising injury” as defined in the policy.  It also argued that, to the extent Camp’s was relying on the IMCPF for coverage, the endorsement was a “first party” insuring agreement, not a “third party” insuring agreement.  As a result, the endorsement only covered losses sustained directly by Camp’s, not claims brought by third parties.

Camp’s relied primarily on the two endorsements to argue that State Farm was obligated to provide defense and indemnity. It argued that State Farm assumed a duty to defend the underlying lawsuit based on a provision in the IMC which stated that State Farm “may elect to defend” Camp’s at State Farm’s expense, “against suits arising from claims of owners of property.” According to Camp’s, the phrase “may elect to defend” was ambiguous.

The district court agreed with State Farm.  The court explained that the IMCPF covered “accidental direct physical loss.”  This phrase unambiguously afforded first-party coverage.  It did not impose a duty to defend or indemnify Camp’s against claims for harm allegedly suffered by third parties.  The court also explained that coverage was not otherwise available under the policy because the underlying suit was brought by plaintiffs alleging purely economic loss (not “bodily injury” or “personal and advertising injury”).  The court also rejected Camp’s argument that the phrase “may elect to defend” obligated State Farm to defend Camp’s in the underlying suit.  The court concluded that on its face this phrase unambiguously vested discretion in the insurance carrier.  As a result, the carrier had the option to defend Camp’s, but it did not have a duty to do so.

Camp’s had also argued that physical debit cards were “tangible property” that could be “touched and handled,” and as a result, the credit unions’ loss in connection with replacing these cards was covered “property damage” under the State Farm policy.  Again, the court disagreed, explaining that (1) the credit unions’ claims were based on the compromised intangible electronic data contained on the cards that rendered the cards unusable, and (2) the policy specifically excluded damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

For years, courts have grappled with and have been split on the issue of whether cyber-related losses constitute harm to tangible property; the court in this case came down on the side of a data breach not constituting harm to tangible property.  This case also emphasizes the importance of policy wording (particularly exclusions concerning electronic data) and, as mentioned above, it highlights the different entities that may sue policyholders following a data breach.