FMG Law Blog Line

Archive for October, 2015

Data Breaches Expected to Fuel D&O Claims Premised on Inadequate Board Oversight Over Cyber Security Risks

Posted on: October 30th, 2015

By: John Goselin and Mike Wolak

With the recent filing of a shareholder derivative action against several directors and officers of The Home Depot following the company’s severe data breach in 2014, questions concerning the adequacy of board oversight over cybersecurity risks will be at the forefront of derivative claims that are expected to increase in frequency following data breaches at publicly-traded companies.  Indeed, with cyber-attacks growing in number and strength, directors and officers must incorporate cybersecurity management into their risk oversight functions to ensure they are adequately discharging their fiduciary duties to the corporation and its shareholders.

The derivative complaint, filed in federal court in Atlanta in August 2015, alleges that eleven current and former directors and officers of The Home Depot breached their fiduciary duties of loyalty and good faith by failing to adequately oversee the company’s cybersecurity functions and ensure that information concerning more than 50 million customers was protected.  The complaint alleges, among other examples, failure to ensure the use of sufficient firewalls and antivirus software, failure to ensure that network access was monitored, and failure to ensure that customer information was encrypted.  The complaint claims the data breach damaged the company by exposing it to massive consumer litigation, regulatory investigations, and millions of dollars in related fees and costs.

While state corporation law, such as Delaware’s which governs the Home Depot litigation, is careful not to permit shareholders to use the duty of oversight to second-guess every well-informed business decision adopted by the board of directors, inadequate oversight over corporate risk can serve as a basis for individual board member liability where (i) the directors consciously failed to implement any reporting or information system or controls; or (ii) the directors, having implemented such system or controls, consciously failed to oversee its operations and thus failed to be informed of risks.  The seminal Delaware case defining the scope of the board’s duty of oversight is In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

The Home Depot litigation, like the derivative lawsuit filed by shareholders following the Target data breach, is premised on the “inadequate oversight” theory of liability first articulated in Caremark.  Experts expect this trend to continue as derivative actions become more common following data breaches.  In the wake of this trend, boards must proactively manage cybersecurity risks by implementing and adequately documenting procedures to prevent and prepare for data breaches.  With this in mind, companies should consider the following:

  • Educate the company’s directors and officers on cybersecurity risks, including the use of outside consultants and experts to keep the board informed and updated regularly as to new cybersecurity threats and control measures.
  • Establish a committee of directors and officers, or appoint one director, to assume responsibility for cybersecurity oversight.
  • Ensure that all activity related to cybersecurity oversight is documented and retained, including minutes of board and committee meetings.
  • Perform a cybersecurity risk assessment to evaluate the company’s current monitoring and controls regarding the security and protection of its electronic information and data, including using outside consultants and experts to assess where the current controls may be vulnerable to cyber-attacks.
  • Establish a cybersecurity management plan consisting of policies and procedures designed to prevent data breaches.
  • Establish a response plan for an actual breach that is consistent with the best practices for companies in the same industry.  FMG’s new Data Breach Toolkit is available to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and to respond effectively if one happens.
  • Ensure that the company has adequate cybersecurity insurance coverage, including coverage for directors and officers alleged to have breached their fiduciary duties in connection with a data breach.

With public companies facing a growing threat of cyber-attacks and resulting data breaches, directors and officers will be exposed to an increasing number of claims by shareholders alleging that the board failed to adequately oversee its cybersecurity functions.  It is thus critical that boards minimize their liability exposure by incorporating cybersecurity management into their oversight functions and document all aspects of cybersecurity oversight to help ensure that they properly discharge their fiduciary duties.

California, Again, Amends its Data Breach Notification Statute

Posted on: October 23rd, 2015

By: Kacie Manisco

On October 6, 2015, Governor Jerry Brown signed into law three separate bills amending California’s Data Breach Notification Statute. Together, the amendments, which take effect on January 1, 2016, expand the definition of “personal information,” provide a new definition for the term “encrypted,” and impose additional formatting and substance requirements for individual data breach notification letters. These amendments apply to all persons and businesses conducting business in California, as well as to all California governmental agencies.

The first amendment, Senate Bill 34, expands the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition (“ALPR”) system.” The Bill imposes specific requirements on ALPR operators, such as police departments, to maintain a specified record of access to ALPR information. It further requires ALPR operators to implement “reasonable safeguards” to protect ALPR data from unauthorized use or disclosure, although it does not specify exactly what safeguards should be implemented in order to be “reasonable.” The amendment also provides a private right of action to individuals harmed by violation of these security requirements.

The second amendment to the Data Breach Notification Statute, Assembly Bill 964, attempts to clarify the meaning of the term “encrypted” since, under California law, like other state data breach laws, notification is generally not required for breaches of information that is encrypted. The amendment defines “encrypted” to include data that has been rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”  However, the statute does not specify any particular method or level of encryption that is required.

Lastly, upon a security breach, existing law requires California businesses and agencies to issue a security breach notification meeting specific requirements, including that the notification be written in plain language. Senate Bill 570 imposes additional requirements on the formatting and language used for such security breach notifications.  The amendment requires the notification to be titled “Notice of Data Breach,” and it must present information under the following headings: “What Happened,” “What Information was Involved,” “What are we Doing,” “What You Can Do,” and “For More Information.”

California businesses and agencies must be attentive to the ever-changing notice requirements, as these amendments mark the third time in three years California has amended its Data Breach Notification Statute.  As we have discussed before, these changes highlight the importance of being prepared ahead of time before a breach occurs, which includes having a data breach response plan in place that will help you timely comply with notice obligations like these.  We have created our FMG Cyber Toolkit to help our clients for this very reason.  Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.

Addiction in the Workplace

Posted on: October 23rd, 2015

By: Tim Holdsworth

Last week, the University of Southern California fired their head football coach, Steve Sarkisian, for attending a practice under the influence of alcohol. This was purportedly not the first time that Sarkisian’s drinking affected his coaching duties.  In light of such a high-profile situation, it’s a good time for employers to review how the Americans with Disabilities Act and Family and Medical Leave Act treat use of alcohol and illegal drugs, and ensure they are implementing best practices to deal with such circumstances.

Under the ADA, alcoholism can be a disability and an employee could be entitled to a reasonable accommodation if he or she is (1) seeking treatment for the addiction, and (2) not currently abusing alcohol. But the ADA does not protect an employee’s misconduct due to his or her use of alcohol.  As to illegal drugs, an employer could terminate an employee who currently uses illegal drugs on that basis, but a former user could be a qualified individual under the ADA if he or she is currently participating in or has completed a drug rehabilitation program.  The ADA also provides that an employer “may hold an employee who engages in the illegal use of drugs or who is an alcoholic to the same qualification standards for employment or job performance and behavior that such entity holds other employees.”  42 U.S.C. § 12114.

Under the FMLA, if alcohol or illegal drug addiction constitutes a “serious health condition,” as defined by the statute, an employee could qualify to take FMLA leave for treatment of the abuse by or on the referral of a healthcare provider. But the FMLA might not cover absences due to use of the substance, rather than for treatment.  Additionally, even when an employee is currently exercising their right to take FMLA leave for treatment, an employer could potentially terminate that employee for misconduct related to use of alcohol or illegal drugs if the employer has a substance abuse policy that (1) is applied in a non-discriminatory manner and (2) has been communicated to all employees.  An employee could also qualify to take FMLA leave to care for a covered family member receiving treatment for substance abuse.

Employers can take several affirmative steps to effectively handle situations involving employees with alcohol or illegal drug addiction:

  1. Make sure your employee handbook has adequate policies to address alcohol and illegal drug use,
  2. Ensure that your policies are enforced consistently,
  3. Train managers on the policies,
  4. Require proper medical documentation,
  5. Maintain up to date, detailed job descriptions, and
  6. Engage in a good faith, interactive process to attempt to identify reasonable accommodations where appropriate.

Employers should also remember that the ADA and FMLA can overlap in these situations. For example, an employee who has exhausted their twelve weeks of leave under the FMLA to attend rehabilitation may be entitled to an extended period of leave as a reasonable accommodation under the ADA.

Since this area of law is continuously evolving, feel free to contact counsel at Freeman Mathis & Gary if you have any questions or would like further guidance on these issues.

FMG Government Practice Section Obtains Summary Judgment in First-Of-Its-Kind Case in Eleventh Circuit Obtaining Qualified Immunity for Officers Accused of Burning a Woman with a Flash Bang Device

Posted on: October 14th, 2015

By: Wayne Melnick

In a truly team effort, Freeman Mathis & Gary partners Wayne S. Melnick and Brian R. Dempsey, along with of counsel Chuck Reed and associate Ali Sabzevari, won summary judgment in a first-of-its-kind case in the Northern District of Georgia.  This is the first ruling in the Eleventh Circuit regarding whether a SWAT officer’s use of a noise-flash diversionary device (“flash bang”) is protected by qualified immunity.

Plaintiff was severely burned by a flash bang during the execution of a no-knock search warrant for narcotics.  Plaintiff alleged that she was asleep in bed with her boyfriend (the target of the warrant), when they were each awakened in the early morning hours by an explosion and the sound of breaking glass.  When she looked up and saw that the bedroom window had been broken out (via a “break-and-rake” technique performed by a SWAT officer), she then saw a round object land on the blanket covering her on the bed. The object exploded with a blinding flash and loud boom. Plaintiff alleged that she felt searing pain at that point and ran from the room into the bathroom across the hall, where she was discovered and handcuffed by the officers searching for her boyfriend.

In her complaint, plaintiff brought a Section 1983 claim and related state law claims, alleging the officers knew that the bedroom was occupied and that the officer deploying the flash bang did so despite the known danger to the room’s occupants.

Earlier in the case, the district court denied a motion for judgment on the pleadings. In accepting plaintiff’s allegations as true, the court accepted plaintiff’s allegation that the officer intentionally tossed the flash bang onto a sleeping person, and that this was sufficient to demonstrate constitutional rules so clear that case law need not establish the unlawfulness of such conduct.  The court likewise found the allegations of an intentional, malicious act sufficient to deny official immunity on the state law claims.

However, at summary judgment, the court no longer had to accept plaintiff’s mere allegations as true. Although plaintiff alleged (and testified) that the officer deployed the flash bang through the window, this was specifically disputed by the officer who stated that he certainly did not know she was in the bedroom and he had actually made an aerial deployment of the flash bang outside the apartment.

Even accepting that the flash bang was actually deployed within the apartment as plaintiff testified, the court still found qualified immunity applied.  The court first found that no constitutional violation occurred because the use of the flash bang was reasonable based on the known facts (and not merely plaintiff’s unsupported allegations) of how plaintiff’s drug-dealer boyfriend operated and the fact that he was armed.  The court also noted that there was no evidence to support that the officer’s intended use for the flash bang was for anything other than diversionary purposes.

Not only did the court find that no constitutional violation was committed, it also found that the claimed constitutional right was not clearly established.  Noting no precedent in the Eleventh Circuit regarding flash bang usage, the court was unwilling to find that the “obvious clarity” exception to qualified immunity applied.  Importantly, the court noted that other courts around the nation have held that deploying a flash bang into a residence, even without surveying the room first, did not preclude qualified immunity.

In the end, although plaintiff alleged that the officer intentionally deployed the flash bang into the room to hurt her, the defense was able to demonstrate those allegations were not supported by any evidence. Without that element, plaintiff’s section 1983 and state law claims failed as a matter of law.

As the now-lead case on point in the Eleventh Circuit, this case is expected to be cited any time a person claims injury due to flash bang deployment. By finding the law not clearly established on this point, this win will go a long way in helping defend flash bang cases as FMG’s Government practice section continues to do. If you would like a copy of the district court’s opinion, please contact Wayne directly at [email protected].

U.S. Supreme Court to Decide Whether California Courts Have Discretion to Not Enforce Arbitration Agreements With Substantively Unconscionable Provisions

Posted on: October 12th, 2015

By: Allison Shrallow

In 2013, a California district court denied Defendants’ Motion to Compel Arbitration in a case entitled Thomas Zaborowski, et al. v. MHN Government Services, Inc., et al.   This case involved an arbitration agreement which: (1) required Plaintiffs to initiate arbitration within 6 months, (2) allowed Defendants to unilaterally choose a pool of potential arbitrators, (3) called for Plaintiffs to pay significant forum costs, (4) permitted the prevailing party to recoup its attorneys’ fees and costs, and (5) prevented the arbitrator from awarding punitive damages. The Court found each of these provisions to be substantively unconscionable. Relying on the California Supreme Court case, Armendariz v. Foundation Health Psychcare Services, the court held that it had the discretion to either sever the unconscionable provisions or refuse to enforce the entire agreement if the agreement was so permeated with unconscionability that it was not severable. Notwithstanding the agreement’s severability clause, the court refused to sever the offending provisions, opting instead to find the entire agreement unenforceable.

In a 2-1 opinion, the Ninth Circuit Court of Appeals affirmed, finding the district court acted within its discretion in declining to sever the unconscionable provisions from the agreement.   Judge Gould wrote a separate opinion, concurring in the opinion insofar as it found that the agreement was both procedurally and substantively unconscionable; however, he dissented from the opinion with respect to the court’s finding that the district court did not abuse its discretion in not severing the unconscionable provisions. Relying on the United States Supreme Court case, AT&T Mobility LLC v. Concepcion—decided nearly a decade after Armendariz—Judge Gould concluded that the district court’s reliance on the discretionary severability rule in Armendariz had a disproportionate impact on arbitration agreements and as such should be preempted by the Federal Arbitration Act, which espouses a general policy favoring enforcement of arbitration agreements.

On October 1, 2015, the United States Supreme Court granted Defendants’ Petition for Writ of Certiorari. In their petition, Defendants contended that arbitration agreements in California stand on unequal footing with other contractual agreements: “for contracts generally, California courts honor the parties’ stated preference of severing invalid terms, as opposed to invalidating the entire agreement, whereas, the District Court failed to honor the parties agreement to arbitrate their disputes and in the event any terms of an agreement are deemed unconscionable, to excise the offending terms, and still honor the parties’ agreement to arbitrate.” Under Armendariz, a court may determine that an arbitration agreement is permeated by an unlawful purpose based on the mere existence of two or more unconscionable provisions and simply refuse to enforce it on that basis. This, Defendants argue, results in California courts improperly applying a harsher standard, favoring nonenforcement of arbitration agreements, in direct conflict with the FAA, which was enacted “in response to widespread judicial hostility to arbitration agreements.” Further, Defendants argued, by ignoring the severability clause, which reflects the parties’ agreement that, rather than invalidating an entire agreement, only those provisions found to be unconscionable should be struck, California courts ignore the fundamental principle that arbitration is a matter of contract.

The United States Supreme Court will determine whether the purported “California arbitration-only severability rule” is preempted by the FAA. As of today, no oral argument date has been set.