Posts Tagged ‘#databreach’

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.

Sixth Circuit Becomes Latest Court to Find Standing in a Data Breach Lawsuit

Posted on: September 23rd, 2016

By: David Cole

The majority of lawsuits filed by consumers over data breaches in recent years have been successfully defended by arguments that the plaintiffs lacked standing to bring the lawsuit. To have standing, a plaintiff must be able to show that he or she has suffered injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Intern. USA, ___ U.S. ___, 133 S. Ct. 1138, 1146 (2013). Based on this rule, businesses have successfully argued that the mere theft of personal information does not result in any actual injury that is sufficient to confer standing, absent some evidence that the personal information has been misused. While this continues to be a strong argument in most jurisdictions, a few cases decided within the past year may indicate a shift in the way courts analyze this issue. Earlier this month, the Sixth Circuit became the latest court to join this trend.

In its decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016), the U.S. Court of Appeals for the Sixth Circuit held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of their personal information, even though there are no allegations that the information has been misused. The lawsuit is based on a 2012 data breach in which hackers stole data that Nationwide collected for underwriting life insurance policies. Plaintiffs received written notice of the data breach, which explained that hackers had stolen data including the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers, and driver’s license numbers of individuals who applied for insurance. Nationwide provided all affected individuals one year of free credit monitoring and identity-theft protection insurance. Based on those protections and plaintiffs’ failure to allege any actual misuse of their stolen information, the district court granted Nationwide’s motion to dismiss for lack of standing.

On appeal, however, the plaintiffs successfully argued that the district court did not fully appreciate the injury they had suffered. Because hackers target personal information for the very purpose of misusing it, plaintiffs argued that the risk of injury was neither speculative nor remote. And, even absent actual misuse of data, plaintiffs argued that instituting credit monitoring and other protections against identity theft imposed a cost in time and money on affected individuals. The Sixth Circuit agreed, holding that the criminals’ intentional theft of plaintiffs’ personal information created an immediate, serious, and tangible risk that compelled plaintiffs to take protective action, resulting in concrete injury sufficient to give them standing.

The decision in Galaria may reflect an increasing willingness of courts to find standing where personal information has been stolen. The ruling follows two recent cases from the U.S. Court of Appeals for the Seventh Circuit which found standing in data breach lawsuits even without allegations that the plaintiffs’ stolen information had been misused. See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, for example, the Seventh Circuit concluded that “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Similarly, in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the Ninth Circuit found standing because the plaintiffs alleged a sufficiently “credible threat of real and immediate harm” as a result of the theft of a laptop containing their unencrypted personal data.

Businesses and insurance carriers should be mindful of these decisions and the shifting legal landscape they may represent. It is possible that if more cases survive early challenges to standing, more of them will be filed. While litigation arising from data breaches has, for the most part, been limited to large-scale breaches at big businesses, a change in judicial perspective about standing in the context of data breaches could give rise to more claims on a smaller scale. All of this underscores the importance of working with experienced legal counsel to properly respond to a data breach when it occurs and being proactive before a breach occurs to review your data security policies and practices, as well as your incident response procedure, to make sure you are well-positioned to protect against and respond to a data breach. In all of these areas, our attorneys in our Cyber Liability, Data Security & Privacy practice group are here to help.


Wendy’s Hit with EMV Related Data Breach Class Action Lawsuit

Posted on: February 19th, 2016

By: Behnam Salehi and Jonathan Romvary       

A class action lawsuit has been filed against the fast food chain Wendy’s claiming it failed to adequately safeguard customer payment and other personally identifiable information (“PII”). The lawsuit also alleges that Wendy’s failed to timely and adequately notify Plaintiff regarding the breach and precise nature of PII involved.

On January 27, 2016, Wendy’s announced that it discovered malicious software, or malware, designed to steal customer payment data, on computers that operate the payment processing system. In Torres v. The Wendy’s Company, filed February 8, 2016 in the Middle District of Florida, plaintiff Jonathan Torres alleges that Wendy’s failed to provide sufficient security measures, allowing hackers to steal his payment card information (“PCI”) and fraudulently charge nearly $600 worth of purchases at other retailers.  Plaintiff also alleges breach of contract and violations of the Florida Unfair and Deceptive Trade Practices Act.

The basis of the complaint is that Wendy’s violated its obligation to abide by industry standards and best practices in protecting its customers’ PII. Additionally, the complaint alleges that Wendy’s failed to timely and adequately notify customers that the breach may have affected their PII or PCI, preventing customers from fully understanding the scope of the breach and their ability to protect themselves from potential harm. The lawsuit further alleges that Wendy’s should have implemented better security measures. This suit is one of the first to directly target a retailer for failing to implement new industry standards regarding payment card transactions.

Major credit card vendors are transitioning to new, more secure chip card technology, referred to as EMV. EMV cards have an embedded microprocessor chip that creates a dynamic authentication code for each transaction. Unlike credit cards, which use a magnetic strip to store PCI, EMV cards employ a code that is unique to each transaction and cannot be used more than once.  Under the current zero-liability regulations, the card issuers are responsible for losses due to fraud. Effective October 1, 2015, merchants are now liable for: (1) failing to update POS terminals to EMV chip-enabled technology; (2) accepting a counterfeit magnetic strip card; (3) conducting “fallback transactions;” and (4) accepting a lost or stolen card. This liability shift was developed as an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.

In the wake of mass data breaches by other retailers, it is critical that merchants understand the implications of the liability shift regarding non-compliance with EMV technology standards. As Wendy’s is now aware, a failure to employ industry standards and best practices may lead to significant exposure. 


The Wrong Way to Respond to a Data Breach

Posted on: November 5th, 2015

By: Dave Cole

In a recent interview with Entrepreneur Magazine, the former general counsel for the National Security Agency shared his top three mistakes that businesses make when responding to a data breach.  You can read the complete article here, but these are the highlights:

1. Treating cybersecurity like it is only a “tech department” issue.  In reality, it should be a core value in every organization, which means it must originate from the top, have buy-in from everyone in the organization, and be a consideration in every facet of your business.

2. Not sharing the right amount of information at the right time. You need to find a balance between rushing to notify people before you know all of the details, and going in the opposite direction and losing credibility by not sharing enough or sharing it too late. It is important to work with counsel who is experienced in data breach responses to help you make these decisions and find the right balance.

3. Not having all of the relevant players in the loop ASAP. Having your response team established ahead of time is critical to ensuring that everyone is on the same page and able to contribute to the response process and communicate effectively and cohesively.

These are good tips and echo many of the points we have discussed before in this blog and in our seminars. They underscore the importance of having a data breach response plan in place and taking the time to prepare in advance for the potential of a data breach. The FMG Cyber Toolkit is designed for just that reason and provides everything your organization needs from a document standpoint to be prepared. To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy & Cyber Liability practice team attorneys.


Data Breaches Expected to Fuel D&O Claims Premised on Inadequate Board Oversight Over Cyber Security Risks

Posted on: October 30th, 2015

By: John Goselin and Mike Wolak

With the recent filing of a shareholder derivative action against several directors and officers of The Home Depot following the company’s severe data breach in 2014, questions concerning the adequacy of board oversight over cybersecurity risks will be at the forefront of derivative claims that are expected to increase in frequency following data breaches at publicly-traded companies.  Indeed, with cyber-attacks growing in number and strength, directors and officers must incorporate cybersecurity management into their risk oversight functions to ensure they are adequately discharging their fiduciary duties to the corporation and its shareholders.

The derivative complaint, filed in federal court in Atlanta in August 2015, alleges that eleven current and former directors and officers of The Home Depot breached their fiduciary duties of loyalty and good faith by failing to adequately oversee the company’s cybersecurity functions and ensure that information concerning more than 50 million customers was protected.  The complaint alleges, among other examples, failure to ensure the use of sufficient firewalls and antivirus software, failure to ensure that network access was monitored, and failure to ensure that customer information was encrypted.  The complaint claims the data breach damaged the company by exposing it to massive consumer litigation, regulatory investigations, and millions of dollars in related fees and costs.

While state corporation law, such as Delaware’s, which governs the Home Depot litigation, is careful not to permit shareholders to use the duty of oversight to second-guess every well-informed business decision adopted by the board of directors, inadequate oversight over corporate risk can serve as a basis for individual board member liability where (i) the directors consciously failed to implement any reporting or information system or controls; or (ii) the directors, having implemented such system or controls, consciously failed to oversee its operations and thus failed to be informed of risks. The seminal Delaware case defining the scope of the board’s duty of oversight is In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

The Home Depot litigation, like the derivative lawsuit filed by shareholders following the Target data breach, is premised on the “inadequate oversight” theory of liability first articulated in Caremark.  Experts expect this trend to continue as derivative actions become more common following data breaches.  In the wake of this trend, boards must proactively manage cybersecurity risks by implementing and adequately documenting procedures to prevent and prepare for data breaches.  With this in mind, companies should consider the following:

  • Educate the company’s directors and officers on cybersecurity risks, including the use of outside consultants and experts to keep the board informed and updated regularly as to new cybersecurity threats and control measures.
  • Establish a committee of directors and officers, or appoint one director, to assume responsibility for cybersecurity oversight.
  • Ensure that all activity related to cybersecurity oversight is documented and retained, including minutes of board and committee meetings.
  • Perform a cybersecurity risk assessment to evaluate the company’s current monitoring and controls regarding the security and protection of its electronic information and data, including using outside consultants and experts to assess where the current controls may be vulnerable to cyber-attacks.
  • Establish a cybersecurity management plan consisting of policies and procedures designed to prevent data breaches.
  • Establish a response plan for an actual breach that is consistent with the best practices for companies in the same industry.  FMG’s new Data Breach Toolkit is available to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and to respond effectively if one happens.
  • Ensure that the company has adequate cybersecurity insurance coverage, including coverage for directors and officers alleged to have breached their fiduciary duties in connection with a data breach.

With public companies facing a growing threat of cyber-attacks and resulting data breaches, directors and officers will be exposed to an increasing number of claims by shareholders alleging that the board failed to adequately oversee its cybersecurity functions. It is thus critical that boards minimize their liability exposure by incorporating cybersecurity management into their oversight functions and documenting all aspects of cybersecurity oversight to help ensure that they properly discharge their fiduciary duties.