Richard Raysman and Peter Brown
As of late, data breaches at businesses, governmental entities and other repositories of confidential information have become an almost quotidian occurrence. For example, in late March the California Department of Motor Vehicles disclosed that it was investigating a theft of credit card numbers from the payment component of its website. In the same vein, a public university in Maryland revealed in the same week that an attack on its computer network had resulted in the potential loss of personal information. In fact, this was the second such attack at that university since late February of this year. In another well-publicized breach, as many as 40 million customers had credit and debit card numbers exposed as a result of a malware attack. The same company later disclosed that 70 million more customers had their personal information stolen in the same attack.
These incidents are hardly isolated. According to an industry report, more than 47,000 security incidents occurred in 2013, with 621 of them classified as “certified data breaches.” Of the breaches, 75 percent exposed insufficient security procedures and 29 percent arose from contact via social tactics, which include using email, phone and social media communications to elicit confidential information. At this point, data breaches are so commonplace that they have crossed the Rubicon into popular culture. Case in point: In March of 2014 it was revealed that a major studio had optioned the rights to the story of the blogger who broke a well-known data breach incident.
Unsurprisingly, then, courts have begun to confront myriad legal questions arising from these incidents. Companies and employees have been subject to suit in many jurisdictions as a result of data breaches and disclosures. Heretofore, the results have not been consistent and remain largely contingent on the facts of a specific controversy. This article will discuss several pressing issues in the rapidly evolving area of law responsive to data breaches, including: litigating class action claims following a breach of consumer personal data; instances of settlement of data breach claims; and particularized data breach claims that arise after an involuntary divulgence of medical records.
Disclosure of Information
Theft, disclosure and subsequent dissemination of personally identifiable information (PII) and/or financial information create a daunting set of problems for each party involved. The individuals whose privacy has been breached thereafter live in fear of identity theft and manipulation of their bank accounts and credit reports. In the instance of stolen credit or debit card numbers, issuers are often forced to replace each card, often at significant expense. The entity that was breached suffers reputational damage and financial loss, and generally must spend significant sums to implement an internal security program sufficient to prevent future breaches.
Moreover, the entity targeted by a successful attack can confront years of costly litigation. In recent years, a spate of suits have materialized that focus squarely on entities that have been subject to a data breach. For example, in Galaria v. Nationwide Mut. Ins. Co., – F. Supp. 2d –, 2014 WL 689703 (S.D. Ohio 2014), a class action was filed after an insurance company disclosed to prospective insureds that thieves had hacked into a portion of its network to steal and subsequently disseminate the PII of the plaintiffs. The class action complaint alleged, among other causes of action, violations of the Fair Credit Reporting Act (FCRA), negligence and invasion of privacy.
The court ultimately rejected all of these claims. With respect to the FCRA claim, the court held that the plaintiffs did not have standing, even though the defendant had initially conceded to the contrary. See Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26 (1976) (noting that in order to have standing the plaintiff must show that the injury to himself is likely to be redressed by a favorable decision). Because the court possessed an “independent duty” to inquire into the plaintiffs’ standing vis-à-vis the FCRA claims, it did so notwithstanding the concession. That inquiry was primarily an analysis of the text of the FCRA. Specifically, the plaintiffs cited solely the statement of purpose of the FCRA as evidence that the insurance company had violated it. The court found this wanting. It held that because the plaintiffs did not “allege injury arising from the violation of a particular statutory requirement or prohibition” in the FCRA, the plaintiffs did not have standing.
The state law claims against the insurer similarly failed, albeit on a different, more substantive rationale. First, the court noted that because the plaintiffs’ allegations of an “increased risk of harm” from identity theft were “speculative” and not “certainly impending,” the injury-in-fact element of standing in data breach cases was unsatisfied. See Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013) (holding that “allegations of possible future injury are not sufficient” to establish standing). Additionally, the court held that because the putative injury to the plaintiffs from the data breach was contingent on the actions of independent third parties, the injury-in-fact was too conjectural to warrant standing. Finally, as a substantive matter, the court held that the plaintiffs’ study claiming that customers who receive a data breach notification had a 19 percent fraud incidence rate hardly illustrated that the injury alleged as a result of the breach was a fait accompli, or even remotely likely.
Another federal case arising out of a disclosure of PII following a data breach likewise concluded that the plaintiff could not claim standing. See Strautins v. Trustwave Holdings, – F. Supp. 2d –, 2014 WL 960816 (N.D. Ill. 2014). Like the insurance case discussed above, the court held that the plaintiff did not have standing because the allegations of injury concerned only future harm. Specifically, the plaintiff argued that the defendant’s inadequate notification of the data breach engendered an increased risk of identity theft and identity fraud. This argument failed. Citing the insurance case discussed above, the court reasoned that the risk of imminent harm from the data breach cited by the plaintiff was premised both on the actions of third parties and on the occurrence of a statistically unlikely event. As such, this “chain of attenuated hypothetical events” could not confer standing.
Conversely, in a case involving loss of credit card numbers after a compromise of the defendant’s computer systems by hackers, the defendant decided to settle rather than litigate extensively. See In re Heartland Payment Systems Customer Data Sec. Breach Litigation, 851 F. Supp. 2d 1040 (S.D. Tex. 2012). Instead of fighting myriad allegations from the class plaintiffs, the defendant structured a settlement in which it paid a minimum of $1 million and a maximum of $2.4 million depending on the number of claimants. However, only 11 valid claims were filed, thereby minimizing the reimbursement funds dispensed by the defendant. As a result, almost all of the $1 million payment was distributed as cy pres to a number of organizations dedicated to protecting consumer privacy.
Seizure of financial data and PII broadly describes the preponderance of the data breaches that have occurred to date. However, one specialized type of attack that has become increasingly favored among its perpetrators is one that seeks to seize and exploit medical records. Medical records have also been released by providers or their contractors or vendors as a result of negligence. As the cases below illustrate, the purposes behind a theft of medical records range from financial gain to a desire to besmirch the reputation of an individual within the relevant community.
Breaches of Medical Records
It is decidedly noncontroversial to observe that a patient’s medical records contain some of the most confidential information about a particular person. As such, disclosure, particularly of adverse health conditions or diagnoses, can be emotionally devastating and financially injurious. For instance, in a recent state case, the disclosure of a patient’s adverse diagnosis by an employee of the medical provider led to a suit sounding in tort. In C.E. v. Prairie Fields Family Medicine, P.C., – N.W.2d –, 287 Neb. 667 (Neb. 2014), the plaintiff sued a local medical clinic (the clinic) after an employee of the clinic allegedly disclosed the plaintiff’s positive HIV test to a third party, thereby leading to the spread of this information through the surrounding community. That community consisted of the plaintiff’s friends and business associates, and thus the disclosure significantly damaged her reputation within it. The disclosure gave rise to claims of invasion of privacy and intentional and negligent infliction of emotional distress.
At the lower court level, the plaintiff’s claims were dismissed as a matter of law for failure to show causation. Specifically, that court held that the plaintiff could not produce any “competent evidence” that the clinic or its agents had negligently released the details of the positive HIV test, and thus there was no connection between the clinic and the plaintiff’s claimed damages. On appeal, the Supreme Court of Nebraska considered whether any genuine issue of material fact existed as to whether the clinic or its employees had disclosed the positive HIV test. In reversing the lower court, the court held that the applicable standard at this stage was whether the plaintiff’s allegations could support a finding of tortious conduct by the clinic, not whether causation had been conclusively shown. Applying that standard, the court held that the plaintiff had shown by circumstantial evidence that the clinic could have been the source of the disclosure alleged in the case. As such, it remanded the proceedings to the lower court.
Other claims resulting from a breach of medical records have produced varying outcomes. For example, after a data breach led to emergency room patients having their information posted online for almost a year, the hospital, its contractor and its subcontractor agreed to settle. See Springer v. Stanford Hosps. and Clinics, No. BC470522 (Cal. Super. Ct., settlement filed March 13, 2014). The plaintiffs had initially filed a complaint alleging violations of California’s Confidentiality of Medical Information Act after the names and diagnoses of roughly 20,000 patients had been displayed online on a website used by a student helper of the hospital. In another case, a patient brought a putative class action after a laptop containing unencrypted personal medical information was stolen from the car of an employee of a medical services provider. See Polanco v. Omnicell, – F. Supp. 2d –, 2013 WL 6823265 (D.N.J. 2013). The presiding court ultimately held that the plaintiff lacked standing for a number of reasons: (1) the provider had informed the plaintiff that her confidential information was not located on the stolen laptop; (2) the plaintiff’s purported increased expenditures were based on a speculative belief that her information had in fact been stolen; and (3) costs the plaintiff willingly incurred to mitigate a speculative increased risk of identity theft were insufficient to evince the actual or imminent injury required for standing. Finally, in Worix v. MedAssets, 857 F. Supp. 2d 699 (N.D. Ill. 2012), allegations against a company that handled confidential information for hospitals, from which that information was subsequently stolen, were inadequate to sustain a negligence claim because they demonstrated neither actual damages nor a legally cognizable injury.
If recent months are any harbinger, data breaches are a threat that will not disappear in the near future. If anything, as hackers become more sophisticated and continue to outpace attempts to thwart their attacks, businesses should prepare for the increasing frequency, scope and damage of potential data breaches. For companies that are particularly susceptible to these attacks, the U.S. Supreme Court has in the past year circumscribed the types of harm plaintiffs can allege as resulting from data breaches, thereby appreciably limiting the pool of eligible plaintiffs in this type of action. By eliminating possible future harm from the types of injury that can confer standing upon a plaintiff, those whose allegations are conjectural or rely primarily on future actions by unrelated third parties will now confront a higher burden simply to get their case into court. Nonetheless, the cases above are emblematic of the types of actions that inevitably arise from a data breach, from a voluminous class action to a state court single-plaintiff tort case.
Richard Raysman is a partner at Holland & Knight and Peter Brown is the principal at Peter Brown & Associates. They are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press).