Recent Court Rulings May Affect Protection Responsibilities


FINPRO Practice, April 2013

Recent Court Rulings May Affect Companies' Cyber and Data Protection Responsibilities

Contents:
Krottner v. Starbucks Corp. (page 2)
Clapper v. Amnesty International (page 3)
Amgen, Inc. v. Connecticut Retirement Plans (page 4)
Addressing Cyber and Privacy Risks (page 5)

Most organizations today are exposed to increasingly complex information and computer security risks. The evolution of the hacking community from essentially cyber-vandals defacing websites into organized crime targeting valuable data such as customer account and/or medical/prescription information has created a thriving black market for stolen information. Companies also face an increasingly stringent regulatory environment, and they must comply with a wide range of laws and regulations, including Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) amendment, state privacy breach notification laws, and the standards imposed by the credit card associations, known as Payment Card Industry (PCI) standards. And just one cyber security failure or privacy breach could create legal liability, regulatory scrutiny, and civil litigation.

Historically, the risk of litigation as a result of a privacy breach or failure of data security was not great, as courts effectively insulated potential defendants by requiring plaintiffs to meet a heavy burden of proof: to prove not only that an event occurred, but also that damages had been suffered. Courts were reluctant to allow plaintiffs to move forward if the allegations did not go beyond a perceived or potential future harm.

The following summary of recent litigation developments is based on the observations and experience of Marsh as an insurance broker and claims advocate in this area and does not constitute legal advice.

Krottner v. Starbucks Corp.

A US Court of Appeals for the Ninth Circuit decision in December 2010 had the potential to increase companies' litigation risk. In Krottner v. Starbucks Corp. (No ), the court reviewed a district court order ruling that plaintiffs whose personal information was stolen but not yet misused had suffered an injury sufficient to constitute standing under Article III of the United States Constitution. At the time, this was thought to be precedent-setting in that a claim for damages due to lost personal information had to overcome seemingly well-settled defense challenges based on a lack of standing (i.e., proof of actual harm or imminent threat of harm).

In Krottner, plaintiffs were current and former Starbucks employees who claimed their personal information was compromised when a laptop containing their names, addresses, and social security numbers was stolen from Starbucks. Plaintiffs filed two separate lawsuits that each brought claims under Washington state law against Starbucks for negligence and breach of implied contract. Plaintiffs' complaints were primarily based on the threat of an increased risk of future identity theft rather than any harm actually suffered. Starbucks challenged, among other things, the plaintiffs' standing to assert such a cause of action, arguing that in order to have standing one must sufficiently allege an injury-in-fact.

The court of appeals affirmed the district court's ruling and held that plaintiffs did indeed have standing under Article III because an increased risk of identity theft constitutes sufficient injury-in-fact. The court examined cases from other jurisdictions that compared a threat of injury due to identity theft to a threat of injury due to toxic substance and environmental claims, both of which are often based on future harm. The court stated that "[i]f a plaintiff faces a credible threat of harm and that harm is both real and immediate, not conjectural or hypothetical, the plaintiff has met the injury-in-fact requirement for standing under Article III. Here, [plaintiffs] have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data."

Although the court of appeals ruled that plaintiffs had adequate standing to bring their lawsuit, it also affirmed the district court's holding that plaintiffs failed to adequately state a claim under Washington state law. In an accompanying opinion, the court held that an individual may suffer an injury as defined by Article III and yet fail to plead a proper cause of action. As a result, both cases were dismissed.

Despite dismissing the cases, it was thought that the Ninth Circuit's ruling could have significant risk implications for companies facing private cause of action lawsuits due to the loss of others' private personal information. Plaintiffs' lawyers may have used this opinion (as well as the similar 2007 Seventh Circuit opinion in Pisciotta v. Old National Bancorp [499 F.3d 629]) to defeat a defendant's challenges to plaintiffs' standing. Once the injury-in-fact requirement has been met, a plaintiff need only find a state law allowing it to proceed on some type of legal theory based on the fear of harm due to lost private personal information.

Clapper v. Amnesty International

A recent US Supreme Court decision took a different stance. In Clapper v. Amnesty International (No ), the court by a narrow majority held that assertions of a reasonable likelihood of potential future injury, or costs incurred to avoid potential threatened injury, are insufficient to establish standing by plaintiffs in federal court. The court essentially rejected a challenge to the constitutionality of a federal electronic surveillance statute and held that "Because they do not face a threat of certainly impending interception under the statute, their costs are simply the product of their fear of surveillance, which is insufficient to create standing."

The statute at issue concerned Section 1881a of the Foreign Intelligence Surveillance Act, which authorizes the government to regulate certain governmental electronic surveillance of communications for foreign intelligence purposes. Signed into law after the September 11, 2001, attacks, the act authorized the National Security Administration to conduct warrantless wiretapping of telephone and communications where one party to the communication was located outside of the United States and a participant to the communication may have been reasonably believed to be a member of or affiliated with a terrorist organization. The act was amended in 2008 to provide that the government may intercept electronic communications of foreign nationals without establishing probable cause.

In Clapper, the plaintiffs, consisting of attorneys and human rights, labor, legal, and media organizations whose work requires them to communicate with foreign nationals, challenged the constitutionality of Section 1881a. Plaintiffs asserted that 1881a compromises their ability to locate witnesses, cultivate sources, obtain information, and communicate confidential information to their clients. The majority opinion found that respondents lack standing because they cannot demonstrate the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.

While Clapper was not a data breach case itself, the majority's decision on standing requirements is consistent with courts across the country that have dismissed breach actions attempting to rely on the threat or possibility of future injury. The majority also ruled that plaintiffs could not establish standing by pointing to costs voluntarily incurred. That holding may become a significant factor in defense efforts opposing data breach class actions seeking to recover the cost of credit monitoring or other typically incurred pre-loss costs.

A major distinguishing factor between the Clapper claims and those of many privacy and breach-related claims is that the Clapper plaintiffs were challenging a federal statute. In light of the California attorney general's recent report calling for companies to take more stringent steps to protect consumer privacy, the Clapper decision should in no way suggest that companies handling personal consumer data become less careful in how they safeguard that data and maintain consumer privacy. Further, given the stringent enforcement of fines and penalties assessed by the applicable regulatory bodies for failing to keep information secure, in conjunction with the large number of state data breach notification laws, companies would be well-advised to expect more privacy and data breach claims, not fewer.

Amgen, Inc. v. Connecticut Retirement Plans

Another recent Supreme Court decision, focusing on securities class actions, is also notable as it highlights the changing regulatory landscape. While Krottner and Clapper focused on overcoming standing, the ruling in Amgen, Inc. v. Connecticut Retirement Plans (No ) focused on class certification. In Amgen, the court affirmed a Ninth Circuit decision and held that class action plaintiffs need not prove materiality at the class certification stage. The focus of this case was the interaction between federal securities fraud laws and the requirements for class certification. Specifically, after Amgen announced problems with two major products, the price of its stock declined. Shareholder plaintiffs then filed securities class actions, alleging that Amgen's stock price had been artificially inflated during the class period before the announcement because the company had misrepresented the safety, efficacy, and marketing of two of its flagship drugs. The plaintiffs alleged that the stock market was efficient and that Amgen's stock price therefore had reflected the alleged misrepresentations, affecting all market participants.

The pivotal inquiry in this case, according to the court, was whether proof of materiality is needed to ensure that the questions of law or fact common to the class will predominate over any questions affecting only individual members as the litigation progresses. The court responded negatively, citing two reasons. First, because materiality is judged according to an objective standard, it can be proved through evidence common to the class. Second, a failure of proof on the common question of materiality would not result in individual questions predominating. Instead, it would end the case, for materiality is an essential element of a securities-fraud claim.

The above decision is significant in light of the October 2011 SEC guidance on the issue of computer security breaches. The guidance seeks to clarify what cyber security risk factors a publicly traded company may be exposed to and what it should disclose in the event that it suffers a breach of its computer systems or network; the key guiding principle focuses on materiality.

Addressing Cyber and Privacy Risks

Given that over the past five years more than 600 million confidential personal records have been reported as breached under various state and federal laws, it is likely only a matter of time until a plaintiff finds a state statute or case that allows a lawsuit against a company that lost his or her information. With the changing legal landscape and ongoing erosion of available defenses, firms will need to factor in the very real potential for litigation, particularly class actions arising from events where information is lost, not stolen.

Most companies have come to realize that there is no single right way to manage or transfer the risks associated with information security and technology. The best approach remains a healthy respect for technology's capabilities, but armed with a robust and evolving set of policies and procedures to manage key risks.
Even then, there remains residual risk that no amount of technology or any reasonable protocol can fully prevent. Companies should consider purchasing cyber insurance as a vital element of their loss prevention and risk management strategy. Cyber insurance is a comprehensive product that can protect a firm from high litigation and indemnity costs. It is not merely a niche product or discretionary purchase to cover the costs of sending out notices and offering credit monitoring.

While evolving well beyond its roots in the dot-com bubble, cyber coverage and its procurement process remain a bit opaque and confusing. The veil can easily be lifted, though, if a company approaches the coverage in the context of how it manages its other operational risks, via:

- A thorough assessment, both empirical and objective, of the company's exposures.
- A subjective analysis that looks at the relative frequency and severity of the cyber and privacy perils.
- Financial benchmarking analyses that provide an understanding of peers' purchase decisions as well as the actual financial impact of the various risks.
- A better understanding of what is and is not covered by traditional lines of insurance, specifically in their portfolio.

By approaching coverage in this way, companies will have the tools to make better-informed decisions and properly evaluate the coverage options presented.

For more than a decade, Marsh's Network Security and Privacy Practice has been a trusted advisor to leading businesses, helping them address their unique data and privacy needs. From the creation of the first cyber policy forms to newer innovations, Marsh continues to move and shape the market on behalf of its clients. As part of its service offerings, Marsh can assist businesses in evaluating their cyber risks through coverage gap analyses and scalable risk assessments. When appropriate, Marsh can help businesses to build competitive, comprehensive privacy and computer security liability insurance programs to address their unique risks.


To learn more, please contact your local Marsh representative or one of the FINPRO Practice's cyber and privacy experts:

Sandy Codding, (617), sandy.codding@marsh.com
Bob Parisi, (212), robert.parisi@marsh.com
Elissa Doroff, (212), elissa.k.doroff@marsh.com
Richard DePiero, (212), richard.depiero@marsh.com
John O'Donnell, (212), john.odonnell@marsh.com
Rennie Muzii, (503), rennie.muzii@marsh.com
Tim Burke, (303), timothy.n.burke@marsh.com
Elisabeth Case, elisabeth.case@marsh.com

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the "Marsh Analysis") are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh's prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.

Copyright 2013 Marsh Inc. All rights reserved.