Data breaches, unfortunately, are not entirely uncommon. A question that has arisen is whether there is standing to sue for people whose data has been stolen but who have not yet suffered actual damages. The Circuit Courts of Appeal have been split on the issue, with a recent decision by the D.C. Circuit, In re U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir 2019) (“OPM“), extending standing in this context farther than before in a case that may make its way to the U.S. Supreme Court. Continue reading “Risks From Data Breach Sufficient For Standing?”
States are taking online consumer protection into their own hands given a perceived lack of sufficient protection at the federal level. Maine now has jumped in.
Indeed, Janet Mills, the Governor of Maine, just signed into law arguably one of the strongest privacy bills in the country. This law, called the Act to Protect the Privacy of Online Consumer Information and which goes into effect on July 1, prohibits internet service providers from using, selling, or distributing data from consumers without obtaining their consent. And, according to The Hill, this new state law bars internet service providers from refusing to serve consumers, penalizing consumers or offering them discounts to seek to gain their permission to sell their data.
Consumer Affairs and Privacy
This bold step by Maine follows in the footsteps of California, a state which passed a complicated online privacy law last year. That law has been both applauded by privacy activists and criticized in certain respects by the tech industry.
At first blush, the new Maine law may be even more robust than the California law. The Maine law is opt-in in nature, requiring explicit consent from consumers before internet service providers can sell their data. The California law is opt-out in effect, making consumers affirmatively request that their data not be sold. Continue reading “Another State Passes Law to Protect Consumer Data”
On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.
Corporate America and companies around the globe are spending vast amounts of money trying to keep up with all sorts of threats in this new digital age. So, how are companies really doing?
Unfortunately, not so well. Indeed, according to PwC’s 2017 Digital IQ Survey, as reported by PR Daily, barely more than half of IT executives from the US and 52 other countries reported that their companies have a “strong digital IQ.” This is down from 67 percent so reporting in 2016, and 66 percent in 2015. Continue reading “Tech Acumen: Many Companies Falling Behind”
The unprecedented cyberattack on October 21, 2016, which crippled many of the Internet’s most widely trafficked sites, should be a wakeup call for businesses about the potential for hackers to weaponize common Internet-enabled devices and cripple businesses.
The cyberattack was caused in part by malware directed to more than 10 million Internet-connected devices, including DVRs, thermostats and closed-circuit video cameras. It caused a distributed denial-of-service attack (i.e., service interruption) that hit in three waves. Dyn, an Internet services company that directs Internet traffic, reported that the attack hit all of its 18 data centers globally. Early reports show that the disruption may be responsible for up to $110 million in lost revenue and sales. Perhaps most troubling is that the group claiming responsibility said the attack is merely a dry run for much larger attacks.
Since the Supreme Court’s decision in Spokeo v. Robins, courts have begun to ratchet back prior decisions on the minimum standard to plead an injury sufficient to establish Article III standing. The recent Eighth Circuit opinion in Braitberg v. Charter Communications adds to the growing number of cases defendants will rely upon to get data breach cases dismissed at the pleadings stage. Braitberg addressed standing in the context of the retention, use, and protection of personally identifiable information. Although the case did not involve a data breach, its holding is however instructive when defending against such cases.
In Braitberg, plaintiff alleged that he was required to provide personally identifiable information to purchase cable services and that the cable provider improperly retained his information long after he cancelled the services in violation of the Cable Communications Policy Act (“CCPA”).
Prior to Spokeo, such claims would have been sufficient to establish Article III standing because the Eighth Circuit permitted the actual injury requirement to be satisfied solely by pleading that there was an invasion of a legal right that Congress created. The Supreme Court in Spokeo held that Article III standing requires a “concrete injury” even in the context of a statutory violation.
With the benefit of Spokeo’s guidance, the Eighth Circuit acknowledged that Spokeo superseded its prior precedent. Accordingly, the panel affirmed the district court’s dismissal of the complaint for lack of Article III standing and failure to state a claim. In doing so, the panel rejected arguments that CCPA created standing to sue where the defendant merely retained the data in violation of the statute with no other injury. It further rejected an economic argument that retention of the data deprived plaintiff of the full value of the services received from the company.
This decision is important for two reasons. First, the Eighth Circuit further narrowed the scope of allegations that will give rise to Article III standing in a post-Spokeo world. Second, in denying the economic argument, the court cut off an alternative avenue by which plaintiffs have successfully alleged harm.
Just when you thought the state breach notification laws could not get more cumbersome, states continue to amend their breach notification laws in an effort to expand the content and reach of the notice.
Texas Amendment Requires Notification to Affected Residents in All 50 States
Texas recently amended its data breach notification law by expanding the notification requirements to cover affected non-residents. Prior to the amendment, Texas required that entities conducting business in Texas notify residents when sensitive personal information was believed to have been acquired by an unauthorized person. Continue reading “The Ever Expanding Data Breach Notification Laws…”
As we head toward the Labor Day Weekend, it is a good time to point out a couple of noteworthy state level legislative developments in the Information Security and Privacy space.
On August 22nd the California State Assembly passed SB 914 which amends the California Penal Code to make clear that police must acquire a search warrant in order to search an individual’s cell phone or other portable electronic device incident to the arrest of that individual.
Another data breach carried out by the “hactivist” group known as “Anonymous” provides an opportunity for businesses to become reacquainted with several important data security concepts. First let’s briefly review the background of the incident.
This time Anonymous hacked the Bay Area Rapid Transit system, commonly known as BART. BART is the second largest public transportation system in Northern California and carries about 40,000 riders a day. Anonymous was able to access and steal personal information on about 2400 BART customers who utilize the myBART website to manage their accounts. The information taken was reported by Anonymous to include system user names and passwords, individual last names, addresses, and telephone numbers.
In October 2005 the Federal Financial Institutions Examination Council (FFIEC) issued updated information security guidance for financial institutions offering internet-based financial products and services. The 2005 Guidance discussed the need for financial institutions to (1) utilize effective and well considered risk assessments in order to carefully evaluate the risk to an institution’s data in light of the nature and scope of the data services offered online; and (2) employ customer awareness and education as an effective means of reducing or eliminating risks associated with online banking.