Defending Data Security Class Actions - Morgan Lewis

Kris HenningTom Sullivan

May 31, 2012

Defending Data Security Class Actions

• Since 2005, there have been an estimated 2,800 data breaches resulting in 543 million records lost. Of the reported breaches, approximately 4% of those instances resulted in federal litigation.

• Odds of being sued in federal court because of a data breach –• Greater

• When individuals experience actual financial harm (3.5x)• When loss of data is caused by improperly disposing of data, as opposed to stolen or

lost data (3x)• When the information lost is financial, as opposed to medical or other information (6x)• Size of breach – i.e., the number of records disclosed

• Lower• Firm (potential defendant) provides free credit monitoring or insurance (6x)

Reference: Romanosky, S., Hoffman, D., & Acquisti, A. (2012). Empirical Analysis of Data Breach Litigation. Heinz College of Public Policy and Information Systems, Carnegie Mellon University & Beasley School of Law, Temple University Research Paper. Available at SSRN:http://ssrn.com/abstract=1986461.

2Defending Data Security Class Actions

Overview

• Likelihood of settling a case involving a data breach –• Greater

• Plaintiffs allege actual harm through financial loss (30% more often)• Class is certified (30%)• Loss/breach caused by “cyber-attack” (10 times greater)• Medical information is disclosed (31%)

• The finding that the odds of being sued are higher if information is improperly disposed of or disclosed, as opposed to lost or stolen, suggests individuals are more inclined to “punish” companies that behave negligently.

• Average settlement award was approximately $2,500 per plaintiff, and average attorneys’ fees were $1.2 million.

Reference: Romanosky, S., Hoffman, D., & Acquisti, A. (2012). Empirical Analysis of Data Breach Litigation. Heinz College of Public Policy and Information Systems, Carnegie Mellon University & Beasley School of Law, Temple University Research Paper. Available at SSRN:http://ssrn.com/abstract=1986461.


Overview

Overview

• Trends:• Claims generally dismissed for lack of cognizable injury-in-

fact under Article III.

• Courts seem more likely to find injury-in-fact and allow claims to survive the motion to dismiss stage where there was a theft of data or the defendant’s negligence contributed to the loss.


• In re Facebook Internet Tracking Litig., 5:12-md-023-EJD (N.D. Cal., filed May 17, 2012)

Consolidated complaint filed May 17, 2012 in the Northern District of California accusing Facebook of improperly tracking users even after they logged out of their accounts.


These cases are not going away….

• Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030 et seq., criminalizes certain unauthorized access to computers to obtain protected information or further some fraudulent conduct.

• Stored Communications Act, 18 U.S.C. §§ 2701 et seq., prohibits an “electronic communication service” from knowingly divulging the contents of any communication in electronic storage by that service, and prohibits a remote computing service from divulging the contents of communications carried or maintained on that service.

• Wiretap Act, 18 U.S.C. § 2511, prohibits an entity providing an electronic communication service to the public from intentionally divulging contents of any communication while in transmission on that service to any person or entity other than the addressee or intended recipient, or its agent.

• Children's Online Privacy Protection Act of 1998 requires companies operating websites or online services to obtain parental consent before collecting, using, or disclosing personal information for children under the age of 13.

• State Notification of Breach Laws – As of February 2012, 46 states, Washington, D.C., Puerto Rico, and the Virgin Islands had enacted legislation requiring notification of security breaches involving personal information.


Statutes

• Personal Data Privacy and Security Act Pending in the Senate Creates new federal crimes targeting unauthorized access to personal data Also requires certain entities to establish a data privacy and security program, engage in

periodic risk assessments, and provide data breach notices

• Data Breach Notification Act Pending in the Senate Would create national standard requiring federal agencies and any person or business

engaged in interstate commerce that possesses data containing sensitive personally identifiable information to disclose any breach of such information


Pending Legislation

• Internal employee’s mistake

• Industrial espionage by competitors

• Hackers

• Phishing – masquerading as a trustworthy entity in an electronic communication (very prevalent now)

• Organized crime

• Foreign governments


Many Sources and Types of Data Security Breaches

Claims Come in Many Forms: • Loss from identity theft

• Emotional distress

• Cost of preventing future losses (i.e., credit monitoring)

• Increased risk of future harm (i.e., risk of future identity theft)

• Trespass to chattels

• Violation of state consumer protection statutes

• Violation of federal and state computer crime laws9Defending Data Security Class Actions

Theories of Harm

State Consumer Protection Statutes – California:• Consumer Legal Remedies Act (CLRA), Cal. Civ. Code § 1750:

• Prohibits “unfair methods of competition and unfair or deceptive acts or practices.” Cal. Civ. Code § 1770.

• Any “consumer who suffers any damage as a result of the use or employment by any person of a method, act, or practice declared to be unlawful by Section 1770 may bring an action against such person.” Cal. Civ. Code § 1780(a).

• Allows for restitution, injunctive relief, compensatory damages, and punitive damages.

• Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200:• Provides cause of action to those who have “suffered injury in fact and . . . lost money or

property as a result of the unfair competition.”• Equitable remedies in the form of injunctive relief and/or restitution.


Theories of Harm

State Consumer Protection Statutes – California (continued):• Ticketmaster Corp. v. Stearns, No. 11-983:

• Putative class action alleging that defendants deceived participants into signing up for rewards programs, causing them to incur fees.

• Ninth Circuit reversed order denying certification of UCL claims. See Stearns v. Ticketmaster Corp., 655 F.3d 1013 (9th Cir. 2011).

• On April 23, 2012, the U.S. Supreme Court denied certiorari.


Theories of Harm

• It has been widely held that the risk of future economic harm or identity theft from the unauthorized collection, disclosure, loss, or theft of data is not actionable:

• Reilly v. Ceridian Corp., No. 11-1738, 2011 WL 6144191 (3d Cir. Dec. 12, 2011) (affirming dismissal of claim over increased risk of injury or identity theft resulting from hacker infiltrating system and “potentially gain[ing] access to personal and financial information”)

• Gaos v. Google, Inc., No. 10-CV-4809, 2012 WL 1094646 (N.D. Cal. Mar. 29, 2012) (granting motion to dismiss nonstatutory claims because no proof of injury resulting from unauthorized dissemination of search queries, and information disclosed did not create inference of imminent danger or harm)

• Worix v. MedAssets, Inc., No. 11 C 8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012) (finding increased risk of identity theft, even accompanied by credit-monitoring costs, is insufficient to constitute present injury under state-law negligence claim)


Selected Case Law Rejecting Data Claims

• It has been widely held that the risk of future economic harm or identity theft from the unauthorized collection, disclosure, loss, or theft of data is not actionable:

• Paul v. Providence Health System, No. CC 060101059, 2012 WL 604183 (Or. Feb. 24, 2012) (plaintiffs alleged that defendant failed to protect and safeguard stolen information, but claim was dismissed because information was never viewed or misused)

• Whitaker v. Health Net of California, No. CIV S-11-0910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012) (branding prospective harm stemming from loss of plaintiffs’ data as “precisely the type of conjectural and hypothetical harm that is insufficient to allege standing”)

• Hammond v. The Bank of NY Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010) (data tapes containing payment card information lost; court granted summary judgment in defendant’s favor because “increased risk of identity theft (in the future) is not a cognizable claim” under Article III or state consumer protection law)



• Courts have rejected attempts to assign economic value to personal information based on defendant’s alleged unauthorized collection or tracking of plaintiffs’ personal data:

• Low v. LinkedIn Corp., No. 11-CV-01468, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011) (dismissing claim because economic value of personal information allegedly accessed was “too abstract and hypothetical” to establish standing)

• In re iPhone Application Litigation, No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing claims where plaintiffs failed to identify concrete harm traceable to alleged unauthorized collection of personal information/data)

• Bose v. Interclick, No. 10-CV-09183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (unauthorized tracking of information, without more, is insufficient to state claim under Computer Fraud and Abuse Act)

• La Court v. Specific Media, Inc., SA CV 10-1256, 2011 U.S. Dist. LEXIS 50543 (C.D. Cal. Apr. 28, 2011) (holding plaintiffs lacked Article III standing in part because they did not allege particularized example of economic harm from unauthorized collection/disclosure of personal information)



• Although most courts have found that an increased risk of identity theft does not confer standing, there are exceptions:• Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010) – plaintiffs had standing to sue over

increased risk of future identity theft stemming from theft of a laptop containing their unencrypted personal data.

None of the plaintiffs experienced financial loss; one plaintiff alleged that his bank notified him that someone attempted to access his bank account.

May be limited to facts and circumstances of case – the court focused on the theft of the laptop, noting that “if no laptop had been stolen, and Plaintiffs sued based on the risk that it would be stolen at some point in the future – we would find the threat far less credible.”

• Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) – “sophisticated, intentional and malicious” hacker obtained access to bank customers’ personal information. Court held that plaintiffs whose data had been compromised but not yet misused satisfied injury-in-fact requirement based on threat of future harm.

Still, court affirmed dismissal because credit monitoring damages were not compensable under Indiana law.


Selected Case Law Allowing Data Claims

• Moreover, some courts have allowed claims based on loss in “value” of personal data:• Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011).

Plaintiff alleged that developer of online services failed to use commercially reasonable methods to secure and safeguard its users’ sensitive personally identifiable information (PII). As a result of a security breach, plaintiff allegedly lost “some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.”

Defendant acknowledged its database security was substandard and had been hacked.

Plaintiff’s theory of injury called “novel,” and court expressed “doubts about plaintiff’s ultimate ability to prove his damages theory in this case.” Nevertheless, the court found plaintiff alleged a generalized injury-in-fact for Article III purposes, as well as damages under plaintiff’s contractual and negligence claims.

• Fraley v. Facebook, Inc., No. 11-CV-01726, 2011 WL 6303898 (N.D. Cal. Dec. 16, 2011). Plaintiffs alleged that appropriation of personal endorsements without consent or compensation

constituted injury because information potentially led to advertising revenue.



Cases alleging benefit of the bargain loss and trespass to chattels have survived the pleading stage:

• Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102 (N.D. Cal. 2010) (plaintiffs who paid fees for defendant’s services sufficiently alleged injury where AOL, contrary to representations regarding privacy and security, collected and disclosed members’ sensitive information)

• Bose v. Interclick, No. 10-CV-09183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011) (use of tracking cookies “arguably sufficient” to state claim for trespass to chattels)



• Traditionally rejected by courts where there has been no wrongful use of personalinformation: Reilly v. Ceridian Corp., No. 11-1738, 2011 WL 6144191 (3d Cir. Dec. 12, 2011) (“costs

incurred to watch for a speculative chain of future events based on hypothetical futurecriminal acts” are not actual injuries)

Paul v. Providence Health System, 273 P.3d 106 (Or. 2012) (no claim for credit monitoringservices not resulting from present injury, but only anticipation of possible future data)

Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775 (W.D. Mich. 2006)(dismissing plaintiff’s claims for expenses to purchase credit monitoring product)

• However, may be permissible where identity theft perpetrated and resulted in actualfinancial injury: Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011) (purchase of insurance

and credit monitoring services and payment of credit card replacement fees constitutedreasonable mitigation damages compensable under negligence and contract theoriesbecause many plaintiffs or those similarly situated had experienced actual misuse – i.e.,identity theft or unauthorized charges)


Alternative Theories –Mitigation Costs

Courts have generally been reluctant to permit claims for emotional distress damages:

• Reilly v. Ceridian Corp., No. 11-1738, 2011 WL 6144191 (3d Cir. Dec. 12, 2011) (rejecting claim for emotional distress based on risk of future identity theft)

• Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) (emotional distress damages allegedly caused by increased risk of future identity theft not recoverable)

• Paul v. Providence Health Sys., 273 P.3d 106 (Or. 2012) (same)

• But see Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010) (finding allegation that one plaintiff had “generalized anxiety and stress” was a present injury sufficient to confer standing)


Alternative Theories –Emotional Distress Damages

• Putative class action alleging that certain HP LaserJet printers were designed in such a manner that they could be subject to criminal hacking by third parties.

• Plaintiff alleges that HP violated New York General Business Law Section 349 by not disclosing the alleged design defect.

• Plaintiff, however, does not allege that his printer was ever hacked or that any of his personal information was ever accessed or received by an unauthorized third party.


Sinacori v. Hewlett-Packard Co., No. 11-CV-05779, (N.D. Cal.)

New York law does not impose a duty upon a manufacturer to make a product that is impervious to criminal tampering:

• Fagan v. AmerisourceBergen Corp., 356 F. Supp. 2d 198 (E.D.N.Y. 2004) (“Moreover, generally, a manufacturer does not have a duty to anticipate and prevent criminal conduct by third parties, or to design its product in such a way as to anticipate and frustrate criminal tampering.”)

• Elsroth v. Johnson & Johnson, 700 F. Supp. 151 (S.D.N.Y. 1988) (“The notion that manufacturers should nonetheless be forced to write-off the consequences of determined, criminal tampering by third parties as a cost of doing business would be an unprecedented extension of the common law.”)

21[Defending Data Security Class Actions


Moreover, New York law does not recognize lawsuits over an unmanifested defect:

• In re Canon Cameras Litigation, 237 F.R.D. 357 (S.D.N.Y. 2006) (explaining that plaintiff’s New York General Business Law Section 349 claim based on defendant’s allegedly knowing sale of defective product requires actual malfunction resulting from alleged defect)

• Frank v. DaimlerChrysler Corp., 292 A.D.2d 118 (N.Y. App. Div. 2002) (dismissing plaintiff’s New York General Business Law Section 349 claim based on sale of allegedly defective product where plaintiff did not allege malfunction resulting from alleged defect)

Plaintiff instead claims that he was injured because he paid an unidentified “premium” for his printer



• Identify sensitive data collected by the company• Comply with relevant state and federal laws regarding categories of

data• Collect only data necessary for needs of the business• Understand how data is used and with whom it is shared• Develop data breach security plan• Document processes for storage, archiving, transmission, and

destruction of sensitive information• Train employees• Incorporate protections and compliance monitoring into vendor

agreements


Preventing Data Security Breaches

• Determine whether to notify law enforcement• Understand affected businesses and business partners• Evaluate notice to credit bureaus• Notify individuals – consider the nature of the compromise, type of

information, likelihood of misuse• Understand state notification laws• www.ftc.gov• Notify your insurance carrier• Consult with regulators – can be a strong defense against claims that

decision not to notify was unreasonable• Offer free credit-monitoring services or identity theft insurance immediately

following discovery of a security breach


Detecting and Responding to Data Security Breaches

• Many states have security breach notification laws

• There are key differences among the state notification laws

• Many state laws are now requiring proactive steps to prevent data breaches (e.g., Massachusetts)

• Generally, the law of the state where the individual resides controls data breach notification requirements


State Data Breach Statutes and Notification Requirements

• Security Breach Information Act

• Covers California state agencies and any person or business that conducts business in California and owns or licenses computer data

• Covers unencrypted personal information of a California resident that was or is believed to have been acquired by an unauthorized person

• Notice to owner “in the most expedient time possible and without unreasonable delay”

• Notice can be written or electronic (with prior consent)

• Substitute notice for large breaches

• Private right of action26Defending Data Security Class Actions

State Data Breach: California Notification Requirements

• Applies to natural persons, including business entities that own, license, maintain or store datathat includes personal information about residents of the state.

• Personal information is first name and last name or first initial and last name in combination withSocial Security number, driver’s license number, or financial account number.

• Breach is an unauthorized acquisition or use of data maintained by an entity that creates asubstantial risk of identity theft or fraud against a resident of the state.

• Notice (written or electronic) to affected residents, as soon as practicable and withoutunreasonable delay, when the entity knows or has reason to know of a breach of security, or whenthe entity knows or has reason to know that the personal information of a resident was acquired orused by an unauthorized person or used for an unauthorized purpose.

• The state may take the position that any unauthorized acquisition or use by a third party triggersthe notification obligation, regardless of materiality or ownership of the data.

• Notice with particulars must be provided to state attorney general (AG) and director of consumeraffairs.

• Must also provide notice to consumer reporting agencies.• AG enforcement – penalties include civil penalties, damages, and injunctive relief.


State Data Breach: MassachussettsNotification Requirements

• Develop warnings and disclosures in privacy policies and customer agreements regarding risks of data security breaches• The reality is that no commercial network is hack-proof• There is a risk in providing personal information• Use clear, conspicuous and prominent language, akin to product warnings• Consider requiring users to acknowledge that they read and understand terms of

service/user agreement and privacy policy• May be less effective where breach is caused by a company’s improper handling of data

• Terms of service or user agreement could include a class action waiver/arbitration clause for data security disputes

• Terms of service or user agreement could also include a provision capping consequential damages

• Protect personal information using industry standard and/or commercially reasonable methods compliant with any applicable regulatory or statutory requirements


Minimizing the Litigation Risks of Data Security Breaches

• Final report “sets forth best practices for businesses to protect privacy of American consumers and give them greater control over the collection and use of their personal data.”

• Implements recommendations for protecting privacy based mainly on:• Privacy by design – recommends companies build in privacy protections at every

stage. Reasonable security for consumer data, limited collection and retention, and reasonable procedures to promote data accuracy.

• Simplified choices – provide consumers the option to decide what information is shared about them, and with whom. Should include “Do Not Track” mechanism.

• Greater transparency – companies should disclose details about their collection and use of consumers’ information and provide consumers access to data collected about them.

• Plaintiffs’ lawyers may try to use this


Federal Trade Commision (FTC) Final Report on Protecting Consumer Privacy

• Do Not Track – browser vendors

• Mobile – short, effective, and accessible privacy disclosures

• Data brokers – more transparency about how they collect and use consumer data

• Large-platform providers – concerns about tracking

• Interested in developing industry-specific codes of conduct. If companies do not honor the codes they can be subject to FTC enforcement actions

• Be mindful of follow-on class actions – A select review of class actions with related FTC actions found that FTC actions tend to

follow the class actions Nevertheless, plaintiffs’ lawyers are likely monitoring FTC news releases closely. See, e.g.,

Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775 (W.D. Mich. 2006) (court noted that amended complaint contained allegations derived from FTC complaint).


FTC’s Main Action Items

• Cognizable injury and/or economic harm not provable without individualized inquiries

• Defense could potentially be enhanced by prospective measures, like alerting credit reporting agencies upon a breach and/or providing identity theft insurance:• Several cases have denied class certification in consumer class actions because a voluntary

recall and/or refund program provided a superior method of compensating putative class members:

• Webb v. Carter’s Inc., 272 F.R.D. 489 (C.D. Cal. 2011) (denying certification, among other reasons, because of refund and reimbursement policy)

• In re Aqua Dots Prods. Liab. Litig., 270 F.R.D. 377 (N.D. Ill. 2010) (“Where available refunds afford class members a comparable or even better remedy than they could hope to achieve in court, a class action would merely divert a substantial percentage of the refunds' aggregate value to the class lawyers.”)

• In re Phenylpropanolamine (PPA) Prods. Liab. Litig., 214 F.R.D. 614 (W.D. Wash. 2003) (holding that voluntary refund program was superior to class action to recover economic injuries resulting from purchase of recalled products)

• Likewise, there may be a good (and analogous) argument that a class action is not a superior method of resolution if protections are implemented after discovering breach


Defending Class Actions

• Compliance with federal and state regulatory and statutory requirements

• Causation – proving that harm resulted from defendant’s action as opposed to prevalent risk of identity theft

• Arbitration provisions – courts have applied the ruling in AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011) to online terms of service.• Vernon v. Qwest Commcns Int’l, Inc., No. 09-01840, 2012 WL 768125 (D. Colo. Mar. 8,

2012) (granting motion to compel arbitration in online early termination fee dispute); Swift v. Zynga, 805 F. Supp. 2d 904 (N.D. Cal. 2011) (granting motion to compel arbitration)

• Circuit split may be developing over Concepcion, however. Compare In re American Exp. Merchants’ Litig., 667 F.3d 204 (2d Cir. 2012) (finding waiver provision unenforceable because class action “only economically feasible means” of enforcing statutory rights), reh’g en banc denied, 06-1871-cv (2d Cir. May 29, 2012), with Coneff v. AT&T Corp., 673 F.3d 1155 (9th Cir. 2012) (disagreeing with American Express and enforcing provision because such policy concerns cannot undermine FAA under Concepcion)


Defending Class Actions


Presenter Biography

Kristofor T. Henning1701 Market St.Philadelphia, PA 19103-2921Phone: 215.963.5882 Fax: 215.963.5001 Email: [email protected]

Kristofor T. Henning is a partner in Morgan Lewis's Litigation Practice and is a member of the firm's Class Action Working Group. Kristofor T. Henning is a partner in Morgan Lewis’s Litigation Practice Group and is a member of the steering committee for the Firm’s Class Action Working Group. Mr. Henning’s practice encompasses a broad variety of commercial litigation, with particular emphasis on the defense of class actions in state and federal courts across the country. Mr. Henning has successfully defended consumer class actions asserting deceptive trade practice, warranty, false advertising, product liability, RICO and ERISA claims. In the technology industry, Mr. Henning has represented and continues to represent a large California-based computer and other technology product manufacturer in class actions across the country. Prior to joining the Firm, Mr. Henning served a federal judicial clerkship with Judge Eduardo C. Robreno of the U.S. District Court for the Eastern District of Pennsylvania.Mr. Henning earned his J.D., summa cum laude, from the Villanova University School of Law in 1999 where he served as an Associate Editor for the Villanova Law Review. He earned his B.A. magna cum laude, from Dickinson College in 1996, where he was a co-caption of the football team.Mr. Henning is admitted to practice in Pennsylvania and New Jersey.


Presenter Biography

Thomas J. Sullivan1701 Market St.Philadelphia, PA 19103-2921Phone: 215.963.5146 Fax: 215.963.5001 Email: [email protected]

Thomas J. Sullivan is a partner in Morgan Lewis's Litigation Practice. Mr. Sullivan's practice encompasses a variety of commercial and product liability litigation in state and federal trial and appellate courts, and focuses on the defense of class actions, mass torts, and other complex commercial litigation. He has represented corporations in numerous types of class actions, including consumer fraud, antitrust and unfair competition, RICO, ERISA, and securities. He has defended corporations in a number of product liability and mass tort cases including as lead national counsel.Mr. Sullivan has a wide range of commercial litigation experience, including experience representing life sciences companies in health care fraud cases, False Claims Act litigation, disputes regarding collaboration and development agreements, and against deceptive marketing claims. He also frequently represents corporations in disputes relating to real estate and indemnity obligations. Mr. Sullivan earned his Ph.D. in philosophy from the University of Pennsylvania in 2003, where he received the University's Outstanding Teaching Assistant Award. He has written in the areas of privacy law and constitutional theory. Mr. Sullivan received his J.D., cum laude, from the University of Pennsylvania Law School in 2001 and his M.A., with highest distinction, in moral, political, and legal philosophy from the University of Reading, England, in 1996. He earned his B.A., cum laude and Phi Beta Kappa, in philosophy from the College of the Holy Cross in 1995.

Defending Data Security Class Actions - Morgan Lewis

Documents

Transcript of Defending Data Security Class Actions - Morgan Lewis