Crowell & Moring

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach that exposed the personal and tax information of thousands of CareCentrix employees. The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk of future identity theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury. The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing where the plaintiffs suffered identity theft after a data breach. Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s argument that Hapka failed to adequately plead the negligence claim because CareCentrix had no statutory duty of care regarding employee information and the plaintiff had failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.

U.S. DOT Announces Proposed Rule for Connected Vehicle Technology

The United States Department of Transportation (USDOT) announced a proposed rule that would enable vehicle-to-vehicle (V2V) communication technology for new light-duty vehicles. Over the past several years, USDOT collaborated with the Federal Highway Administration (FHWA), Federal Transit Administration (FTA), Federal Motor Carrier Safety Administration (FMCSA), and the National Highway Traffic Safety Administration (NHTSA) to research and deploy V2V technology in order to reduce the millions of crashes on U.S. roadways that result in thousands of fatalities. V2V technology would provide connectivity between and among vehicles based on a communication system similar to WiFi. It would allow vehicles to effectively “talk” to each other by continuously sharing safety and mobility information. The system would also provide a mechanism for vehicles to communicate wirelessly with traffic signals, work zones, toll booths, school zones, and other infrastructure. The proposed rule would require automakers to include V2V technology in all new light-duty vehicles and to incorporate standardized messaging that will be developed with the automobile industry.

Given the numerous and substantial privacy and cybersecurity risks that such technology could pose to consumers, NHTSA sought to address these concerns in the new proposed rule. For example, the rule provides for a general exclusion from the basic safety information emitted by a vehicle of data elements that would link specific individuals to a vehicle.  The NHTSA has further drafted a privacy statement that automobile manufacturers will be required to provide to consumers.  Finally, the rule requires an additional hardening of the on-board V2V equipment beyond normal automotive grade specifications to reduce the risk of physical compromise.  The proposed rule demonstrates that potential cybersecurity risks can be addressed prospectively and will not deter the U.S. government’s general move towards using emerging technologies to restructure the transportation industry.

EU’s Article 29 Working Party Issues First Set of Guidance on the GDPR

On December 13, 2016, the Article 29 Working Party issued the first set of official guidance on the EU’s new General Data Protection Regulation (GDPR), set to replace the 1995 EU Data Protection Directive in May 2018.

The Guidelines on Data Protection Officers (‘DPOs’) emphasize that, in addition to public authorities and bodies, organizations (both controllers and processors) for whom the regular and systematic monitoring of individuals on a large scale is a core activity will be required to designate a DPO with expertise in national and European data protection laws and practices. The Guidelines provide guidance on how to interpret “core activities”, “large scale” and “regular and systematic monitoring”. With respect to “core activities”, it is noteworthy that, according to the Article 29 Working Party, an organization’s payroll or IT activities are necessary to support the organization’s business and are therefore ancillary activities that would not, in themselves, trigger the obligation to appoint a DPO. The DPO would not be personally responsible for the organization’s non-compliance with the GDPR; that responsibility remains with the organization itself. The Article 29 Working Party encourages the voluntary appointment of DPOs but underlines the different nature of DPOs as compared to current functions such as CPOs.

The Guidelines on the right to data portability further clarify the right of data subjects to receive from the controller, under certain conditions, their own personal data in a readable format, and permit the direct transmission of personal data from one data controller to another. Notably, the guidance adopts a very broad interpretation of the scope of the data portability right, so that it includes not only personal data provided by the data subject “knowingly and actively” to the controller, but also data generated by the data subject’s activity. Inferred or derived data generated by the controller (such as a profile) would not be included. The guidance also states that this right does not impose additional obligations on the data controller to retain personal data for longer than necessary, or to commence retention efforts simply to service a data request. However, the guidance does encourage data controllers to begin developing mechanisms to adequately respond to such requests, and to cooperate in order to create a common set of interoperable standards.

Finally, the Guidelines for identifying a controller or processor’s lead supervisory authority discuss the so-called “One-Stop-Shop” principle in cases of cross-border processing activities. Noteworthy for U.S. businesses is that non-EU controllers without an establishment in the EU (but who are subject to the GDPR because, for instance, they offer goods and services to data subjects in the EU) cannot benefit from the One-Stop-Shop, but must deal with the local supervisory authority of each Member State where they are active. The Guidelines also make it clear that different supervisory authorities may be the lead supervisory authority depending on the type of processing. They underline that there will be many borderline and complex situations on which, ultimately, the European Data Protection Board will have to decide.

The three separately issued sets of guidelines tackle some of the numerous questions raised since the GDPR was approved in May 2016, and lend some clarity to the obligations of data controllers and processors that will be affected by the new law, but leave many questions open.

The Article 29 Working Party welcomes any comments to these guidelines until the end of January 2017. Additional Guidelines on the Data Protection Impact Assessment and Certification are announced for the course of 2017.

FTC Announces Million-Dollar Settlement with Ashley Madison Website over 2015 Data Breach

The Federal Trade Commission (FTC or Commission) announced a $1.6 million settlement with the operators of the Ashley Madison website over a 2015 data breach that resulted in the publication of personal account and profile information of 36 million users. In August 2015, hackers gained access to the company’s network and published almost 10 gigabytes of sensitive profile and billing information. Victims of the data breach allegedly included users who had paid an additional fee for a “Full Delete” service to ensure that their data was removed from the site.

In a joint investigation with 13 states, the Office of Privacy Commissioner of Canada, and the Office of the Australian Information Commissioner, the FTC identified several of the company’s allegedly lax data-security practices. According to the complaint, the company allegedly failed to establish a formal written information security policy, failed to implement reasonable access controls, failed to provide adequate security training to employees, and failed to monitor the effectiveness of their security system.  The complaint further claimed that the operators of the website lured customers into becoming paid members with fake profiles of women and misrepresented that they had made reasonable efforts to ensure that the site was secure.  The settlement required the company to institute a comprehensive data-security program and pay a $1.6 million penalty, reduced from the initial $17.5 million penalty due to the company’s inability to pay.

As FTC Chairwoman Edith Ramirez stated, “this case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide.” The million-dollar settlement demonstrates the FTC’s willingness to use the FTC Act’s prohibition against unfair business practices to institute litigation for egregious data-security violations. Each of the inadequate data-security measures alleged against the website in this case has already been highlighted exhaustively in the basic principles the FTC outlined in its Start with Security guide for businesses. Companies that collect personal information should follow these principles to ensure that they employ adequate data-security measures and to help lower the risk of future expensive litigation. Further, companies that have made promises to protect consumer data should take this guidance into account.

OCR/ONC Issue Guidance on Public Health Disclosures Under HIPAA

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and Office of Civil Rights (OCR) have published a new fact sheet explaining how providers are permitted to share protected health information (PHI) with public health agencies without obtaining an individual’s written authorization for public health activities.  Like the previous fact sheets for treatment and for health care operations, the new fact sheet is intended to address confusion on how the Health Insurance Portability and Accountability Act (HIPAA) supports the exchange of electronic PHI for legitimate purposes permitted under HIPAA.  The fact sheet describes numerous scenarios where the exchange of PHI would be permitted, including reporting diseases, public health surveillance, public health investigations, and public health interventions.  As the fact sheets demonstrate, HIPAA is important for protecting patients from improper disclosures of PHI, but also provides a mechanism to ensure the open flow of information to support public health activities.

FDA Issues Cybersecurity Guidance for Medical Devices

The U.S. Food and Drug Administration (FDA) issued guidance on December 28, 2016, regarding cybersecurity vulnerabilities in marketed and distributed medical devices, including devices that are already on the market or in use. Recognizing that premarket controls alone are insufficient to mitigate cybersecurity risks, the FDA issued this document to provide recommendations to manufacturers on monitoring, identifying, and addressing cybersecurity issues as part of their postmarket management of these devices. The guidance emphasizes that manufacturers should develop a process to conduct a risk evaluation and determine whether a cybersecurity vulnerability presents an acceptable or unacceptable risk. It further provides a risk-based framework for assessing reporting obligations pursuant to 21 C.F.R. Part 806, which requires device manufacturers or importers to report any actions concerning device corrections and removals to the FDA. Importantly, the guidance encourages efficient cybersecurity risk management and therefore does not require premarket notification and review for routine cybersecurity software updates. Such an obligation would have proved costly to manufacturers that are constantly strengthening the security of their devices as technology develops. The FDA has planned a webinar for January 12, 2017 to address any industry questions or concerns.