Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Seventh Circuit Revives Data Breach Case Despite No Evidence Of Monetary Harm

Posted in Cybersecurity / Data Security
Nathanial J. Wood and Matthew B. Welling

The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches.  The case relates to a 2012 incident in which Barnes & Noble discovered that attackers had compromised some of the PIN pads it used to verify customer payment information.  The attackers then used these devices to acquire customer data, including names, payment card information, and PINs.

Because of this incident, some Barnes & Noble customers temporarily lost use of their funds while waiting for their banks to reverse unauthorized charges, spent money on credit monitoring services, and lost time dealing with impacts of this data breach.  Suing under Illinois and California state law, plaintiffs seek to collect damages from Barnes & Noble, as well as the data thieves.

Barnes & Noble moved to dismiss the complaint.  The district court granted Barnes & Noble’s motion in 2013, holding that the representative plaintiffs suffered no loss and therefore lacked Article III standing to bring their claims.  But subsequent 7th Circuit case law undercut that ruling, as the Circuit court held in Remijas (2015) and Lewert (2016) that customers who experience a loss of data have standing.  The district court, bound by those decisions, held that the plaintiffs had standing, but nevertheless dismissed plaintiffs’ complaint, finding that it did not adequately plead damages for any of the alleged claims.

The 7th Circuit reversed the trial court’s decision, in an expansive ruling that appeared determined to find standing and permit the case to advance.  With respect to the California plaintiff, the court permitted the plaintiff’s claims to survive based on the “damages” allegations that she did not have access to certain funds for three days and was inconvenienced by having to take time “sorting things out” as a result of the breach.  In so doing, the court was dismissive of California law holding that time spent filling out paperwork is insufficient to allege damages, and relied on factually distinguishable and unpublished California authority (which is not precedential, and may not even be cited under California procedure) to find that loss of use of money was a cognizable form of damages.  And for the Illinois plaintiff, who alleged she had purchased credit monitoring as a result of the breach, the Seventh Circuit flatly disregarded published Illinois appellate authority rejecting the plaintiff’s alleged damages theory, on the basis that the court believed—without citation to any Illinois state authority—that the Illinois Supreme Court would not agree with the state appellate court.    

While the court somewhat tempered its decision by declaring that the question of whether Barnes & Noble violated any state laws by failing to prevent the thieves from stealing customer information remained open on remand, and questioned whether a class could be certified, this decision should nevertheless be concerning to companies in the Seventh Circuit who, like Barnes & Noble, find themselves victims of data thieves, even where years have passed and it is clear that the impacts to consumers are de minimis.

Political Data Firm Improperly Accessed Facebook Users’ Data

Posted in Cybersecurity / Data Security
Jeffrey L. Poston; Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT; and Brandon C. Ge

Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.

Ninth Circuit Revives Data Breach Class Action, Finds Risk of Identity Theft Without Actual Harm Sufficient to Establish Standing

Posted in Uncategorized
Brandon C. Ge, Nathanial J. Wood, and Jeffrey L. Poston

Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re, was whether the plaintiffs had standing to bring claims based on a January 2012 data breach where hackers allegedly stole the personal information of more than 24 million Inc. customers—names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.

The decision is likely to have a significant impact on data breach litigation given the number of such cases filed in the Ninth Circuit. The circuits are currently split on the standard for establishing Article III standing in data breach litigation, a split that will likely continue until the Supreme Court addresses the issue.

The Ninth Circuit’s decision also creates a need for companies to revisit their standard breach notification language, as the court revived the claims against Zappos in part because Zappos warned its customers in its notice that they should consider changing their passwords due to the breach, which the court considered evidence that consumers were at risk of harm from the incident.

PayPal Settles FTC Claims Regarding Venmo’s Disclosure, Privacy, and Security Practices

Posted in Cybersecurity / Data Security
Brandon C. Ge and Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT

On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and user control over optional settings.

Specifically, the FTC alleged that Venmo

Learn about how Regulation Will Shape Digital Transformation in Crowell & Moring’s 2018 Regulatory Forecast Cover Story: “Digital Transformation: The Sky’s The Limit”

Posted in Cybersecurity / Data Security, Litigation
Crowell & Moring

Crowell & Moring has issued its “Regulatory Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.”

The Forecast cover story, “Digital Transformation: The Sky’s the Limit,” provides a look at how technology is helping companies soar to new heights and how regulation can help companies to succeed.

It is clear digital technology is driving the future of business across a wide range of industries and Washington, as well as state and global regulators, is forging the appropriate balance between fostering innovation and protecting consumers. This report is the companion piece to the firm’s 2018 Litigation Forecast, which was published in January and also focused on the opportunities and challenges general counsel face in navigating the Big Data revolution.

Be sure to follow the conversation on Twitter with #RegulatoryForecast.

U.S. Securities and Exchange Commission Ups the Ante for Addressing Corporate Cyber Risks

Posted in Cybersecurity / Data Security
Data Law Insights and Paul Rosen

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad, by: 1) articulating the SEC’s expectations regarding the adequacy of disclosures; and, for the first time, 2) recommending the implementation of policies and procedures that address disclosure controls as well as insider trading.

Is Government Data at Risk? Study Finds Industry Cybersecurity Lagging Government

Posted in Cybersecurity / Data Security
Paul Rosen; Kate M. Growley, CIPP/G, CIPP/US; and Michael G. Gruden, CIPP/G

Security ratings firm BitSight recently released a report citing a gap in cybersecurity performance between the U.S. Government and contractors. 

The report was the result of a comparative security assessment between 1,212 randomly selected government contractors and 122 federal agencies. The assessment found that federal agencies were at least 15 points better than the mean for government contractor security ratings, albeit on a broad scale of 250 to 900.

The study found that almost half of all contractors were graded “below C” for Protective Technology countermeasures recommended by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The overall highest scoring industries were aerospace and defense, business services, and health care; while the technology, engineering, and manufacturing sectors were the lowest. Specific to data breaches, the health care industry fared the worst among all sectors with 8 percent reporting a breach since 2016. This was closely followed by the aerospace and defense industry with 5.6 percent reporting a breach.

The report attributed low cybersecurity scores in part to deficient network encryption, lack of email protection, and outdated internet browsers.  

Of potential interest to contractors, the report also made recommendations to federal agencies regarding cybersecurity gaps existing in industry. BitSight encouraged agencies to conduct cybersecurity audits of potential contractors, as well as requiring prime contractors to more strictly monitor subcontractors’ adherence to cybersecurity requirements beyond mere “flow down” requirements of current contract clauses. Lastly, BitSight cautioned government to closely monitor risks posed by technology services and cloud computing services. 

These findings may further sharpen the U.S. Government’s focus on enhancing cybersecurity among its supply chain, and highlight the importance of assessing cybersecurity risk within contractors’ business operations. 

Former IT Administrator Sentenced to Prison for Hacking Canadian Pacific Railway Network

Posted in Cybersecurity / Data Security
Data Law Insights

Yesterday, U.S. District Judge Patrick Schiltz sentenced a former IT administrator to 366 days in federal prison following a Computer Fraud and Abuse Act conviction.

Christopher V. Grupe was employed as an IT professional by Canadian Pacific Railway from September 2013 to December 2015. In December of 2015, Grupe was suspended for insubordination after a confrontation with his supervisor. After learning that Canadian Pacific Railway planned to terminate him, Grupe issued a letter of resignation in which he stated he would return company-owned devices to the Minneapolis, MN headquarters. Prior to returning his company-issued laptop and remote access token, Grupe leveraged his administrator credentials, which were still active, to infiltrate the transcontinental railway system’s core switches. Once inside, he deleted key permissions, passwords, and files on the network hardware, resulting in outages across parts of Canadian Pacific Railway’s system. Although Grupe wiped his laptop’s hard drive before returning it, Canadian Pacific Railway hired an outside security company to identify the source of the intrusion and forensically link Grupe’s activity to the outage. A jury found Grupe guilty of one count of intentional damage to a protected computer.

As we noted in March of 2017, the prevalence of cyberattacks perpetrated at the workplace, particularly in the context of employee separations, is increasing. Companies should develop comprehensive insider risk programs that focus on potential threats and key vulnerabilities in both virtual and physical environments. This may include the use of policies, training, technology, behavioral analysis, and stakeholder support to detect, prevent, and respond to such threats. Insider threat mitigation programs should define the behavioral expectations of the workforce through clear and consistently enforced policies that articulate defined consequences for violating them. Companies should trust their employees, but balance that trust with independent verification to avoid a single point of failure.

National Archives Issues New, But Limited, CUI Contract Guidance

Posted in Cybersecurity / Data Security
Michael G. Gruden, CIPP/G, and Kate M. Growley, CIPP/G, CIPP/US

The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities (such as elements of the legislative or judicial branches of the Federal Government; state, tribal or local government elements; and private organizations including contractors) concerning controlled unclassified information (“CUI”).  Specifically, the ISOO issued CUI Notice 2018-01, which provides CUI guidance regarding information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) Clause.  Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements.  The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Fourth Circuit Raises Bar for DMCA Safe Harbor Defense

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation, Uncategorized
Data Law Insights and Christopher A. Cole

Last Thursday, the Fourth Circuit decided a closely followed case on one of the safe harbor defenses under the Digital Millennium Copyright Act (DMCA). See BMG Rights Management (US) LLC v. Cox Communications, Inc., No. 16-1972 (4th Cir. Feb. 1, 2018). The court also addressed the intent standard for contributory copyright infringement.

BMG, an owner of copyrights in digital music files, sued Cox, an internet service provider, for contributory copyright infringement by Cox subscribers engaging in “peer-to-peer” music file sharing. The district court held that Cox was not entitled to the safe harbor defense under Section 512(a) of the DMCA because Cox did not satisfy the conditions under Section 512(i)(1)(A) that it “adopted and reasonably implemented … a policy that provides for the termination in appropriate circumstances of subscribers … who are repeat infringers.” At trial, a jury found Cox liable and awarded BMG $25 million.