Lessons From Recent Data Security Cases

Transcription

1 Lessons From Recent Data Security Cases Mobile Payments Law, Law Seminars International Palo Alto, California, November 22, 2013 Randy Gainer, Attorney, CISSP

2 Topics What types of alleged damages allow data breach plaintiffs to avoid dismissal of their claims? Does the economic loss doctrine bar card issuers negligence claims against hacked merchants and processors? Does the FTC have jurisdiction to issue unfair practice complaints related to data security? What must card brands establish to justify fines and assessments against merchants for violating the PCI DSS? Are criminal prosecutions the only recourse against hackers? 2

3 Current law Courts often dismiss claims filed by private plaintiffs after data breaches. Claims typically include breach of contract, negligence, fraud, and unfair trade practices, among others. Unless the lead plaintiffs can show they have incurred economic damages, the claims will almost always be dismissed due to lack of standing or failure to adequately plead the damages component of the claims. 3

4 Current law See, e.g., Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (no standing); Reilly v. Ceridian Corp., 664 F.3d 38 (3rd. Cir. 2011) (same), cert. denied, 132 S. Ct (2012); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617 (N.D. Ill. Sept. 3, 2013) (same) Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d (E.D. Mo. 2009) (same); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775 (W.D. Mich. 2006) (dismissing Michigan CPA claims, holding There is no existing Michigan statutory or case law authority to support plaintiff s position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss. ); Paul v. Providence Health System-Oregon, 351 Or. 587, 273 P.3d 106 (Or. 2012) (affirming dismissal of Oregon UTPA claims; finding allegation that money was spent to forestall threatened losses after backup tapes were stolen did not plead ascertainable loss ). 4

5 Current law If a plaintiff pleads economic damages, courts may deny a motion to dismiss. See, e.g., Resnick v. Avmed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) ( Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury-in-fact under the law. Plaintiffs also alleged unjust enrichment, which the Court agreed could proceed); Anderson v. Hannaford Bros. Co., 659 F.3d 151, (1st Cir. 2011) (holding that plaintiffs who pled that they were forced to pay card-replacement fees, or had to purchase insurance, after their credit and debit card data was stolen and thieves made fraudulent charges, could proceed on negligence and breach of implied contract claims). 5

6 Current law After remand, the court in Resnick v. AvMed, Inc., No. 1:10-cv JLK (S.D. Fla. Oct. 25, 2013), granted an unopposed motion for preliminary approval of class action settlement, which sought $3 million in damages, including: reimbursement for losses caused by identity theft; up to $10 per year for each class member who paid for insurance before the data breach, subject to a $30 limit, for unjust enrichment damages; $750,000 for class counsel s attorney s fees and costs; $10,000 to be split among the class representatives. 6

7 Current law The preliminary settlement in Resnick also includes mandatory security improvements: security awareness training for all company employees; training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information on company laptops; upgrading of all company laptops with additional security mechanisms; full disk encryption technology on all company desktops and laptops; physical security upgrades at company facilities to further safeguard workstations from theft; and revision of written policies and procedures to enhance information security. 7

8 Current law Among alleged economic harms courts have held sufficient to avoid dismissal are claims that vendors inaccurate security and privacy representations caused consumers to overpay for smartphones. E.g., Pirozzi v. Apple, Inc., 2013 U.S. Dist. LEXIS , at *11-27 (N.D. Cal. Aug. 5, 2013) In re Apple iphone Litig., 844 F. Supp. 2d 1040, (N.D. Cal. 2012) Goodman v. HTC America, Inc., 2012 WL , at *1-2, 5-6 (W.D. Wash. June 26, 2012) 8

9 Current law Most courts have held that an alleged diminution of the value of personal information is not sufficient to avoid dismissal: In re Google Inc. Cookie Placement Consumer Privacy Litig., 2013 WL , at *2-3 (D. Del. Oct. 9, 2013) Goodman v. HTC America, Inc., 2012 WL , at *7-8 (W.D. Wash. June 26, 2012) But see Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 861 (N.D. Cal. 2011) 9

10 Current law Courts have held that payment card issuers negligence claims against merchants and payment processors were barred by the economic loss doctrine. E.g., In re TJX Cos. Retail Security Breach Litig., 564 F.3d 489, (1st Cir. 2009) Sovereign Bank v. BJ s Wholesale Club, Inc., 533 F.3d 162, (3d Cir. 2008) 10

11 A recent case may change the law Lonestar Nat l Bank v. Heartland Payment Sys., Inc., 2013 WL , at *2-6 (5th Cir. Sept. 3, 2013) (New Jersey s economic loss doctrine does not bar card issuer banks negligence claim against hacked card processor, reversing dismissal) 11

12 Current law The FTC may claim breach of 5 of the FTC Act, regardless of whether individuals incurred damages. The FTC has filed complaints at least 19times against companies that have suffered data breaches, alleging either that the company violated its privacy policy and thereby committed a deceptive practice or the company s failure to deploy adequate security was an unfair practice. 12

13 Current law See, e.g., In the Matter of HTC America Inc., FTC File No (Agreement containing Consent Order, Feb. 22, 2013) available at In the Matter of BJ s Wholesale Club, Inc., FTC File No (Agreement containing Consent Order, June 16, 2005), available at In the Matter of The TJX Companies, Inc., FTC File No (Agreement containing Consent Order, March 27, 2008),available at In the Matter of Sears Holdings Management Corporation, FTC File No (Agreement containing Consent Order, September 9, 2009), available at In the Matter of DSW Inc., FTC File No , (Agreement containing Consent Order, Dec. 1, 2005), available at In the Matter of Dave & Buster's, Inc., FTC File No (Agreement containing Consent Order, March 25, 2010), available at See generally Thomas J. Smeddinghoff, Data Security Requirements for Non- Regulated Business Sectors, 14 th Annual Institute on Privacy and Data Security, Vol. 2, Ch. 9 (May 2013) 13

14 Current law Reasonable or appropriate security measures can be determined from the FTC cases, regulations under other U.S. statutes, and industry standards: Assign Responsibility Identify Information Assets Conduct Risk Assessments Select and Implement Responsive Security Controls Monitor Effectiveness Regularly Review Program Address Third Party Issues Smeddinghoff, Data Security Requirements,

15 Current law E.g., In the Matter of HTC required HTC to: Designate an employee to coordinate security Identify internal and external threats Conduct risk assessments Implement reasonable safeguards including security testing Retain service providers capable of maintaining security practices consistent with the order Evaluate and adjust the security program as needed 15

16 Pending cases may change the law FTC v. Wyndham Worldwide Corp., No. 2:13-cv (D.N.J.): Wyndham provided certain computer services for its hotel franchisees Attackers accessed the hotels networks, allegedly though Wyndham s network and stole payment card data three times Wyndham s privacy policy made representations about its data security but disclaimed responsibility for the franchisees' security 16

17 Pending cases may change the law Wyndham declined to enter into an Agreement and Consent Order with the FTC The FTC sued Wyndham, alleging both unfair and deceptive practices 17

18 Pending cases may change the law Wyndham moved to dismiss, arguing: The FTC Act does not extend to data security regulation The FTC may not announce data security standards through consent orders rather than through rulemaking The Act requires the FTC to show substantial injury to consumers, which doesn t exist because consumers are reimbursed for payment card fraud The unfairness claim fails to allege how Wyndham s security measures were inadequate or caused losses The deceptive practice claim fails to meet Rule 9(b) The deceptive practice claim ignores franchise law. The deceptive practice claim fails to plead facts to support how Wyndham s own security measures were inadequate 18

19 Pending cases may change the law The FTC responds to Wyndham: It pled specifically how Wyndham s security was deficient (Wyndham failed to use firewalls, stored PCI data in clear text, passwords were not complex, servers on connected networks were not patched, etc.) Consumers were injured due to unreimbursed fraud, lost access to credit, and increased costs; Wyndham s damages arguments raise fact issues The injuries were caused by Wyndham, e.g., being unable to determine the source of a brute force attack The FTC s authority is broad and includes data security Wyndham had notice through industry standards and FTC consent orders about what reasonable security required Case-by-case enforcement is appropriate Rule 9(b) does not apply but the FTC met it 19

20 Pending cases may change the law The Chamber of Commerce as an amicus argues the FTC is overreaching because: Congress reined in the FTC by adding the substantial injury requirement after the agency previously sought to extend its authority too far Congress excluded FTC consent orders from precedents for civil money penalties in 15 U.S.C. 45(m)(1)(B) The FTC has rulemaking authority under 15 U.S.C. 57a, which the agency failed to use to specify data security rules 20

21 Pending cases may change the law In the Matter of LabMD, Inc., FTC No (FTC Complaint, August 28, 2013), the FTC alleges: The lab had a copy of LimeWire P2P software installed on a billing computer in 2008 The lab generated insurance aging reports and day sheets, which included patients names and SSNs, and cancelled checks One of the lab s insurance aging reports was available on LimeWire and day sheets were in possession of an identity thief 21

22 Pending cases may change the law LabMD filed an Answer on September 17, 2013, alleging, among other things: The FTC has no subject matter jurisdiction The FTC Act does not give the FTC authority to regulate the acts alleged in the Complaint The alleged acts did not cause consumers substantial injury The FTC failed to provide fair notice and due process by failing to promulgate meaningful standards 22

23 Current law The payment card brands may impose fines and assessments through their fraud recovery rules if an attacker steals payment card data from a merchant and a forensic investigation shows the merchant failed to comply with any of the requirements of the PCI DSS 23

24 Pending cases may change the law Genesco, Inc. v. Visa U.S.A., Inc., 2013 WL (M.D. Tenn. July 18, 2013), denied Visa s motion to dismiss Genesco s California UCL and common law claims. Genesco alleged Visa s fines and assessments of $13.3 million violated the UCL, breached Genesco's contracts, violated the duty of good faith, unjustly enriched Visa, and entitled Genesco to restitution Visa moved to dismiss the UCL, unjust enrichment, and restitution claims 24

25 Pending cases may change the law The Genesco court denied Visa s motion, holding The UCL is broad and covers claims unconscionable commercial contract terms where the terms of the contract implicate the public interest Visa s contracts could be found to be harmful to merchant competition and may be unfair in the market for credit and debit card transactions if Genesco shows, as it alleges, that Visa imposed fines and assessments without a factual basis or in violation of Visa s standards and procedures Additionally, the fines and assessments may be unenforceable under California law because they may bear no relationship to actual losses 25

26 Pending cases may change the law Elavon, Inc. v. Cisero s Ristorante, Inc., Dist. Ct. No (Summit County, Utah): Acquiring bank and its parent company sued to recover card brand fines and assessments Merchant, represented by Constantine Cannon, counterclaimed seeking a declaratory judgment of nonliability, and alleging negligence, breach of contract, breach of good faith, conversion, and breach of fiduciary duty The court dismissed the negligence counterclaim as barred by the economic loss doctrine Discovery is ongoing 26

27 Current law The U.S. Department of Justice has prosecuted both U.S.-based and foreign hackers. E.g., Albert Gonzalez, a ring-leader in the Hannaford breach and many others, is currently serving a 20-year sentence. Four Russians and a Ukrainian were recently indicted for their roles in 14 different breaches in which million payment card datasets were stolen. U.S. v. Drinkman, et al., Second Superseding Indictment, Cr. No (D. N.J. July 25, 2013) 27

28 Pending cases may change the law Microsoft, working with the FBI, obtained a preliminary injunction seizing domain names and IP addresses used by criminals who ran the Citadel botnet. Microsoft v. John Does 1-82, Civ. No. 3:13- cv-319 (D.N.C. June 13, 2013). The injunction also enabled Microsoft to upload curative code that deleted botnet files from zombie computers controlled by Citadel command and control servers. The court also granted leave for Microsoft to conduct discovery to identify the Doe defendants. 28

29 Questions? Randy Gainer, Attorney, CISSP Davis Wright Tremaine LLP Seattle (206)