May 13-11-30 am-primer-to-cyber-security-(topical issues)

Page 2

Topics For Discussion

• What is a “data security breach”?

• Why do you need a response plan?

• Responding to a data security breach

• State statutory requirements

• Regulatory (and quasi-regulatory) update

• Regulatory enforcement actions and litigation

Page 3

2013 Statistics

• In 2013, there were 63,437 security incidents and 1,367 confirmed data breaches (which represents a 120% increase from the number of data breaches reported in 2012).
  – Web App Attacks (35%)
  – Cyber-espionage (22%)
  – Point-of-Sale Intrusions (14%)
  – Card Skimmers (9%)
  – Insider Misuse (8%)

Source: Verizon 2014 Data Breach Investigations Report.

Page 4

2012 Statistics

• According to a survey of 583 U.S. companies, in 2013:
  – 90% reported being hacked in the past year
  – 59% reported being hacked two or more times in the past year
  – 41% reported damages in excess of $500,000
  – 52% reported that 10% or less of their budget was dedicated to security

Source: Study conducted by Ponemon Institute on behalf of Juniper Networks

Page 5

2013 Statistics

• The FTC filed 79 consumer protection enforcement actions.

• The FTC obtained 137 consumer protection orders.

• The FTC ordered civil penalties totaling $20 million.

• Identity theft represents the largest category of consumer complaint received by the FTC (approximately 14%).

Source: Federal Trade Commission’s 2013 Annual Highlights.

Page 6

Cost Of A Data Security Breach

• In 2013, data breaches cost organizations an average of $5.9 million, up from $5.4 million in 2012.
  – $201 per record
  – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
  – Compare to costs of having preventative measures in place (e.g., policies related to passwords, firewalls, mobile devices), training employees and encrypting sensitive information

Source: 2014 Cost of Data Breach Study: United States. Sponsored by IBM. Study independently conducted by Ponemon Institute LLC.

Page 7

Cost Of A Data Security Breach

• Data breaches resulting from a malicious attack yielded the highest cost.
  – $246 per record

• Organizations that had a formal incident response plan in place before the incident reduced the cost by approximately $17 per record.

Source: 2014 Cost of Data Breach Study: United States. Sponsored by IBM. Study independently conducted by Ponemon Institute LLC.

Page 8

Types Of Data Security Breaches

• Hacking

• Devices are lost or stolen

• Insider or employee misuse

• Unintended disclosure

• Security patches are not installed

• Malware

Page 9

What Is The Objective? Fill In The Gap

• Protection/Security

• Compliance

• Audits

• Criminal prosecution

• Civil liability

How to Manage the Data Security Breach

Page 10

Why Do You Need A Response Plan?

Thoughtful and Prepared Reaction

Better Decision Making

Minimized Risk and Loss

Page 11

Collect Relevant Information

• Data location lists

• Confidentiality agreements

• Customer contracts

• Third-party vendor contracts

• Privacy policy

• Information security policy

• Ethics policy

• Litigation hold template

• Response team contact list

Page 12

Create A First Response Team

• Information technology (computer & technology resources)

• Information security (physical security & access)

• Human resources (private employee information - health & medical, SSN(s), payroll, tax, retirement)

Page 13

Create A First Response Team

• Legal counsel (in-house and/or outside counsel)

• Compliance

• Business heads (consumer and customer information)

• Public relations/investor relations

Page 14

Assign Tasks To Members Of The First Response Team

• Establish a point person

• Identify key personnel for each task

• Prioritize and assign tasks

• Calculate timelines and set deadlines

• Communicate with management

• Establish attorney-client privilege for investigation and communications

Project Management Is Critical

Page 15

Determine The Nature And Scope Of The Breach

• Investigate facts

• Interview witnesses

• Notify law enforcement, FBI, USSS, State AG(s)

Preserve Company’s Assets, Reputation and Integrity

Page 16

Determine The Nature And Scope Of The Breach

• Determine type of information that may have been compromised; ongoing threat

• Identify and assess potential kinds of liability

• Identify individuals potentially at risk and determine state or country of residence

Preserve Company’s Assets, Reputation and Integrity

Page 17

Understand Data Breach Notice Laws

• State laws:
  – What constitutes personal information?
  – When is a notice required?
  – Who must be notified? (e.g., State Attorney General)
  – Timing?
  – What information must be included in the notice?
  – Method of delivering notice?
  – Other state-specific requirements?

• Applicable industry-specific laws

• Applicable international laws

Page 18

Determine Appropriate Notices

• Consumers

• Employees

• Law enforcement (Federal/State)

• Federal regulatory agencies

• State agencies (State Attorney General)

• Consumer reporting agencies

• Business partners

• Insurers

• Media

Page 19

Data Security Breach Notification

• Alabama, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.

• California statute served as a model for later state statutes.
  – State involvement began in California, after a series of breaches received national attention.
  – Passed in 2002, went into effect in mid-2003.

Page 20

Data Security Breach Notification

• “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.

Page 21

Data Security Breach Notification

• “Personal information”
  – First name or initial and last name with one or more of the following (when either name or data element is not encrypted):
    • Social Security number;
    • Driver’s license number;
    • Credit card or debit card number; or
    • Financial account number with information such as PINs, passwords or authorization codes.

Page 22

Data Security Breach Notification

• Some states have expanded the definition of “personal information” to include:
  – California: Medical information or health insurance information;
  – Indiana: Biometric data;
  – North Dakota: Mother’s maiden name, birth/death/marriage certificate and electronic signature.

Page 23

Data Security Breach Notification

• On September 27, 2013, California’s governor signed S.B. 46 to expand the definition of “personal information” to include:
  – “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
  – S.B. 46 became effective January 1, 2014.

Page 24

Data Security Breach Notification

• “Breach of the security of the system”
  – Some states expressly require notice of unauthorized access to non-computerized data.
    • Hawaii: includes “personal information in any form (whether computerized, paper, or otherwise).”

Page 25

Data Security Breach Notification

• Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
  – Certain states require harm:
    • Arkansas: no notice if “after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.”
    • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft.”

Page 26

Data Security Breach Notification

• Distinguish between entity that “owns or licenses” data and entity that “maintains” data.
  – Data owner has ultimate responsibility to notify consumers of a breach.
  – Non-owners required to notify owners.

Page 27

Prepare State Law Notices

• General description of the incident

• Type of information that may have been compromised

• Steps to protect information from further unauthorized access

• Contact information (e.g., email address; 1-800 number)

• Advice to affected individuals (e.g., credit reporting, review account activity)

Page 28

Prepare State Law Notices

• Delivery method (e.g., certified letters, email, website)

• Timing of notices

• Tailor notices based on recipient

• Use single fact description for all notices

Page 29

Prepare Answers To Inquiries

• Draft FAQs with responses

• Establish hotline

• Assign group of contact employees

• Train employees to respond to inquiries

• Develop clear escalation path for difficult questions

• Track questions and answers

Page 30

Prepare Press Release

• Include the following information:
  – Facts surrounding the incident
  – Actions to prevent further unauthorized access
  – Steps to prevent future data security breaches
  – Contact information for questions

• Review by legal counsel

Page 31

Consider Offering Assistance To Affected Individuals

• Free credit reporting

• Free credit monitoring with alerts

• ID theft insurance

• Access to fraud resolution specialists

• Toll-free hotline

Page 32

Regulatory Update: NIST And The Framework

• On February 12, 2013, President Obama signed an Executive Order titled “Improving Critical Infrastructure Cybersecurity.”

• The Executive Order directed the National Institute of Standards and Technology (NIST) to work with relevant stakeholders to develop a voluntary framework for reducing cyber risks to Critical Infrastructure.

Page 33

Regulatory Update: NIST And The Framework

• On October 29, 2013, NIST issued the Preliminary Cybersecurity Framework, which outlines a customizable set of steps that entities may use to assess and prioritize potential cybersecurity risks, as well as identify ways to improve defenses and responses to outside intrusions.
  – Relies on existing standards, guidance, and best practices.
  – Complements (does not replace) an organization’s existing risk management process.

Page 34

Regulatory Update: NIST And The Framework

• Stakeholders had an opportunity to comment on the Preliminary Cybersecurity Framework.
  – The public comment period closed on December 13, 2013.
  – 2,500 public comments received by NIST – all are available on its website.

• NIST used these comments to prepare the Final Cybersecurity Framework.
  – Issued on February 12, 2014.

Page 35

Regulatory Update: NIST And The Framework

• Generally, Critical Infrastructure includes:
  – Communications
  – Manufacturing
  – Energy
  – Food and agriculture
  – Financial
  – Healthcare and public health
  – Information technology
  – Transportation

Page 36

Regulatory Update: NIST And The Framework

• The Framework is organized into five core functions:
  – Identify: Institutional understanding to manage risks to data.
  – Protect: Safeguards to ensure delivery of critical infrastructure services.
  – Detect: Activities to identify the occurrence of a cybersecurity event.
  – Respond: Actions in response to a detected cybersecurity event.
  – Recover: Activities to restore capabilities impaired as a result of a cybersecurity event.

Page 37

Regulatory Update: NIST And The Framework

• Within each of these five core functions:
  – Cybersecurity activities are split into categories:
    • e.g., Awareness and training
  – And then categories are split into subcategories:
    • e.g., Third-party stakeholders must understand roles and responsibilities
  – Each subcategory is tied to an Informative Reference, which provides current industry best practices for that cybersecurity activity
  – Informative References refer to one of five existing standards

Page 38

Regulatory Update: NIST And The Framework

• Informative References:
  – Council on CyberSecurity Critical Security Controls (CCS CSC)
  – Control Objectives for Information and Related Technology (COBIT)
  – International Society of Automation (ISA) 99.02.01
  – International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
  – NIST Special Publications

Page 39

Regulatory Update: NIST And The Framework

• Framework is “voluntary.”
  – However, many (or all) of these best practices may develop into de facto standards through:
    • Governmental incentives (e.g., federal grants);
    • Sector-specific regulation; or
    • Private litigation.
  – If the Framework is widely adopted, it may be viewed as what constitutes “reasonable security practices” in the industry.

Page 40

Regulatory Update: NIST And The Framework

• Recommended Actions
  – Conduct a self-assessment
    • Based upon the Framework, identify gaps and prioritize remediation efforts
  – Promote adoption of the Framework internally
  – Continue to improve upon cybersecurity activities
  – Work with industry colleagues and government organizations

Page 41

Regulatory Update: California’s Do-Not-Track Law

• Assembly Bill 370

• Went into effect on January 1, 2014

• First state in the country to adopt a do-not-track disclosure law

• Requires operators of websites, online services and mobile applications to amend their privacy policies

Page 42

Regulatory Update: California’s Do-Not-Track Law

• Requires operators’ privacy policies to:
  – Disclose how they respond to do-not-track signals from Internet browsers or other consumer choice mechanisms regarding the collection of behavioral tracking data; -OR-
  – Link to an online location containing a description of a consumer choice program the operator follows and explain the effects of this program.

• Requires operators to disclose the type and nature of any third-party tracking on their sites, services or apps.

Page 43

Regulatory Update: California’s Do-Not-Track Law

• Best practices (suggested by AG Staff):
  – Disclosures should not be limited to tracking for online behavioral advertising purposes, but should extend to other purposes for which behavioral data is collected by a website, online service or app (e.g., market research, fraud detection, website analytics).
  – Include language explaining the effects of any opt-out options (e.g., opt-out of targeted advertising, but continue to track for fraud).

• AG plans to release a Best Practices Guideline.

Page 44

Regulatory Update: California’s Right To Know Act

• Assembly Bill 1291.

• Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.

• Businesses would have 30 days to answer a request for the information.

Page 45

Regulatory Update: California’s Right To Know Act

• Applies to businesses that “retain” personal data or disclose the information to a third party.

• Defines “retain” to mean “store or otherwise hold personal information” whether the information is collected or obtained directly from the consumer or any third party.

Page 46

Regulatory Update: California’s Right To Know Act

• Faced opposition by companies such as Google and Facebook.

• Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.

• Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.

• Assembly will consider AB 1291 again in 2014.

Page 47

Regulatory Update: California’s Data Breach Report

• On July 1, 2013, the California Attorney General released a report that provides a summary of the types of breaches reported to her office during 2012, as well as recommendations about how to decrease the likelihood of experiencing a data breach.

Page 48

Regulatory Update: California’s Data Breach Report

• Key Findings:
  – 131 data breaches affecting more than 500 California residents
  – Average incident involved information relating to 22,500 individuals
  – More than 2.5 million California residents at risk because of data breaches in 2012

Page 49

Regulatory Update: California’s Data Breach Report (cont’d)

• Key Findings:
  – More than 1.4 million of those California residents would not be at risk if the data had been encrypted
  – More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders
  – The average reading level of the breach notices submitted was 14th grade

Page 50

Regulatory Update: California’s Data Breach Report

• Recommendations:
  – Encrypt personal information when in transit, on portable devices or in emails
  – Review and strengthen security controls used to protect personal information
  – Prepare breach notification letters in an easy-to-understand format

Page 51

Regulatory Update: California’s Data Breach Report

• Recommendations (cont’d):
  – Offer mitigation products to victims of breaches that involve Social Security numbers or driver’s license numbers
  – Consider amending breach notification laws to require reporting of breaches that involve usernames and passwords

Page 52

Enforcement Actions

• Federal Trade Commission – Section 5 of FTC Act
  – Enforce privacy policies and challenge data security practices deemed “deceptive” or “unfair”

• State Attorney General – State Notification Statutes
  – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”

• Litigation in federal and state courts.

Page 53

Federal Trade Commission

• In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.

• In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.

Page 54

Federal Trade Commission

• The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.

• The FTC contends that hackers compromised more than 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.

Page 55

Federal Trade Commission

• Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
  – Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
  – Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure credit card information that it collects from consumers.

Page 56

Federal Trade Commission

• In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
  – Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
  – Wyndham argues that, because Congress has not yet passed data security legislation, the FTC has the authority to regulate data security in limited contexts (e.g., Gramm-Leach-Bliley Act).

Page 57

Federal Trade Commission

• Wyndham (cont’d)
  – Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.”
  – Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
  – As such, “businesses are left to guess as to what they must do to comply with the law.”

Page 58

Federal Trade Commission

• Case is pending in the U.S. District Court for the District of New Jersey (Civ. A. No. 13-01887).

• In November 2013, the Court held a hearing on Wyndham’s motion to dismiss the case.

• Although to date the Court has not issued an opinion, the Court expressed some skepticism about Wyndham’s argument, stating:
  – “. . . if Congress never intended to give authority to the FTC [to regulate data security under Section 5], why would Congress not have acted years ago.”

Page 59

Federal Trade Commission

• This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.

• Generally, FTC enforcement actions result in a settlement.
  – FTC provides a defendant with a proposed draft complaint.
  – FTC “negotiates” the terms of a consent order.

Page 60

Federal Trade Commission: Recent Enforcement Actions

• FTC v. LabMD Inc. (N.D. Ga. 2012):
  – In 2009, the FTC learned that PII belonging to consumers was publicly available on peer-to-peer file sharing networks (P2P) including, but not limited to, a spreadsheet that contained information related to approximately 9,000 of LabMD’s customers.
  – The FTC issued civil investigative demands (CIDs) to LabMD.
  – LabMD refused to respond to CIDs.

Page 61

Federal Trade Commission: Recent Enforcement Actions

• FTC v. LabMD Inc. (N.D. Ga. 2012):
  – In the U.S. District Court for the Northern District of Georgia, FTC filed a petition to enforce CIDs.
  – LabMD answered the petition stating that the FTC lacks statutory authority to tell companies how to secure their data.
  – Court granted petition and ordered LabMD to respond to CIDs.

Page 62

Federal Trade Commission: Recent Enforcement Actions

• FTC v. LabMD Inc. (N.D. Ga. 2012):
  – The Court held, in part, “[a]lthough the Court finds there is significant merit to Respondents’ argument that Section 5 does not justify an investigation into data security practices and consumer privacy issues, it is a plausible argument to assert that poor data security and consumer privacy practices facilitate and contribute to predictable and substantial harm to consumers in violation of Section 5 because it is disturbingly commonplace for people to wrongfully exploit poor data security and consumer privacy practices to wrongfully acquire and exploit personal consumer information.”

Page 63

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of LabMD Inc., No. 102 9357
  – On August 29, 2013, the FTC instituted a formal enforcement action and filed an administrative complaint against LabMD.
  – In its complaint, the FTC alleges that a LabMD employee installed LimeWire on his computer, which exposed a report containing personal information of 9,300 consumers.
  – The FTC alleges that LabMD failed to reasonably protect consumers’ personal information.

Page 64

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of LabMD Inc., No. 102 9357
  – In the enforcement action, LabMD challenged the FTC’s authority to regulate data security practices under the “unfair” prong of Section 5 of the FTC Act.
  – LabMD filed a motion to dismiss the administrative complaint.
  – On January 16, 2014, the FTC unanimously denied LabMD’s motion.
  – LabMD has decided to wind down its operations citing “years of debilitating investigation and litigation” with the FTC.

Page 65

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of LabMD Inc., No. 102 9357
  – In its decision, the FTC stated:
    • The fact that Section 5 does not “explicitly authorize” the FTC to regulate data security matters is irrelevant.
    • “Congress could not possibly have had any ‘specific intent’ to deny the FTC authority over data security practices.”
    • Instead, Congress intended “to delegate broad authority to the FTC to address emerging business practices — including those that were unforeseeable when the statute was enacted.”

Page 66

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of TrendNet, No. 122 3090
  – TrendNet sells Internet-connected video cameras.
  – FTC alleges that TrendNet’s improper security measures allowed hackers to webcast live feeds from hundreds of its customers’ homes.
  – TrendNet agreed to settle this action by entering into a consent order with the FTC.
    • Consent order contains a requirement that TrendNet notify customers involved in the incident (which the FTC has only recently begun including in its consent orders).

Page 67

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of Accretive Health, No. 122 3077:
  – In 2013, the FTC instituted an enforcement action against Accretive Health alleging that, in July 2011, an employee’s laptop computer was stolen from his car.
  – The laptop computer contained personal information (including sensitive health information) relating to 23,000 of Accretive’s patients.

Page 68

Federal Trade Commission: Recent Enforcement Actions

• In the Matter of Accretive Health, No. 122 3077:
  – The FTC alleges that Accretive:
    • Created unnecessary risks by transporting laptops that contained personal information in a way that left them vulnerable to theft.
    • Failed to employ reasonable procedures to ensure that employees removed consumers’ personal information from their computers after they no longer needed such information.
    • Failed to restrict adequately employee access to consumers’ personal information.
  – On December 31, 2013, Accretive Health agreed to settle the action.

Page 69

State Attorney General: Recent Actions

• Target Corp.
  – On December 19, 2014, Target announced that hackers had stolen data from approximately 40 million debit and credit card users who visited its stores between November 27th and December 15th.
    • Target made the announcement 4 days after it “confirmed the issue.”
  – On January 10, 2014, Target stated that hackers also stole personal information from 70 million of its customers.

Page 70

State Attorney General: Recent Actions

• Target Corp.
  – Connecticut Attorney General leading a coalition of more than 30 states investigating the incident.
    • State Attorneys General asked Target for information about the incident including, but not limited to, information about how many of their citizens may have been victims.
    • State Attorneys General stated that one area of major concern is the timeliness and adequacy of Target’s notification to consumers and appropriate government authorities.

Page 71

State Attorney General: Recent Actions

• Kaiser Foundation Health Plan Inc.
  – In January 2014, the California Attorney General instituted a state court action against Kaiser alleging that the company waited too long to notify more than 20,000 current and former employees about a data breach.
    • In September 2011, Kaiser learned that an unencrypted hard drive containing Social Security numbers and other personal information related to its current and former employees was purchased at a public thrift shop.
    • On March 19, 2012, Kaiser notified its current and former employees.

Page 72

State Attorney General: Recent Actions

• Kaiser Foundation Health Plan Inc.
  – The Attorney General contends that, by December 2011, Kaiser completed an initial forensic examination of the hard drive and confirmed that the hard drive contained Social Security numbers and other personal information.
  – The Attorney General alleges that, although Kaiser continued to inventory the hard drive until February 2012, the company had “sufficient information” to identify and notify “at least some individuals” between December 2011 and February 2012.

72

Page 73: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General: Recent Actions

• Kaiser Foundation Health Plan Inc.

– The Attorney General seeks:

• An injunction to permanently enjoin Kaiser from committing any acts of unfair competition;

• An order requiring Kaiser to pay $2,500 for each violation of the California data breach notification law (or approximately $50 million); and

• An order requiring Kaiser to pay the state’s costs of litigation and investigation of the matter.

Page 74: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General: Recent Actions

• Google Inc.

– In March 2013, a group of State Attorneys General settled with Google for $7 million in connection with its alleged unauthorized collection of personal data from unsecured Wi-Fi networks through Google’s Street View.

– In September 2013, Google agreed to pay $17 million to a separate group of State Attorneys General over its alleged circumvention of Apple Inc.’s Safari browser privacy settings.

Page 75: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General

• In May 2013, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the details of a data breach that exposed the personal information of approximately 50 million users.

• The Connecticut and Maryland Attorneys General issued to LivingSocial 15 written questions regarding the scope of the breach, as well as its privacy and security policies.


Page 76: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General

• Examples of questions posed by Attorneys General include:

– Detailed timeline of the incident

– Number of affected individuals in each state

– Types of personal information compromised

– Steps taken to determine that no financial or credit card information was compromised

– Steps taken to protect user passwords

– How the company collects user data and how long it retains such data

– Copies of any privacy policies

– Plans developed to prevent another breach

Page 77: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General

• Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to individual consumers.

• Questions posed by these Attorneys General provide guidance on issues companies should consider in responding to a data security breach.


Page 78: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General: Recent Action

• State of Connecticut v. Citibank, N.A.:

– Citibank’s Account Online banking system permitted hackers to access multiple user accounts.

– Hackers accessed accounts by logging in with account number and password, and then changing a few characters in the URL bar to access additional accounts.

– Exposed personal information of 360,000 Citibank customers, including 5,066 Connecticut residents.

Page 79: May 13-11-30 am-primer-to-cyber-security-(topical issues)

State Attorney General: Recent Action

• State of Connecticut v. Citibank, N.A.:

– Vulnerability may have existed since 2008.

– Citibank discovered breach on May 10, 2011.

– Fixed vulnerability on May 27, 2011, but did not begin notifying consumers until June 3, 2011.

– Citibank settled action and agreed to:

• Pay $55,000 fine.

• Obtain a third-party data security audit of its online credit card account system.
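The Citibank slides describe a login followed by an edited account identifier in the URL. The following is an added illustration, not code from the slides or from Citibank: a lookup that trusts the URL parameter once the user is logged in, beside a version that authorizes the specific account against the session's entitlements and records each refusal as a detection signal. All account ids, users and balances are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: account id -> record (not real accounts).
ACCOUNTS = {
    "4000-0001": {"owner": "alice", "balance": 120.0},
    "4000-0002": {"owner": "bob", "balance": 75.5},
}
DENIALS: list[dict] = []  # audit trail of refused lookups, for detection


@dataclass(frozen=True)
class Session:
    """Authenticated login plus the accounts it is entitled to see."""
    user: str
    account_ids: frozenset


class Forbidden(Exception):
    pass


def account_id_from_path(path: str) -> str:
    """Pull the id out of a hypothetical path such as '/account?id=4000-0002'."""
    _, _, query = path.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return params["id"]


def view_account_unchecked(session: Session, path: str) -> dict:
    """Vulnerable pattern: a valid login is treated as authorization for
    whatever id the client puts in the URL, so any customer can read any
    account by editing the identifier."""
    return ACCOUNTS[account_id_from_path(path)]


def view_account_checked(session: Session, path: str) -> dict:
    """Hardened pattern: after authentication, authorize the specific object
    against the entitlements bound server-side to this session."""
    account_id = account_id_from_path(path)
    if account_id not in session.account_ids:
        # Record the refusal; repeated denials from one session with
        # sequential ids are the signature of this kind of probing.
        DENIALS.append({"user": session.user, "account": account_id})
        raise Forbidden(f"{session.user} is not entitled to {account_id}")
    return ACCOUNTS[account_id]
```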

Page 80: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Typical Claims By Plaintiffs

• Plaintiffs (consumers or employees) typically allege the following causes of action:

– Negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.

– Violations of state consumer protection statutes – deceptive/unfair trade practices acts.

– Violations of Computer Fraud and Abuse Act, Electronic Communications Privacy Act or Stored Communications Act.

Page 81: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Typical Claims By Plaintiffs

• Historically, courts dismissed data breach cases because plaintiffs failed to allege:

– Standing: “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.”

• e.g., increased risk of identity theft

– Damages: “cognizable injury” (i.e., economic injury or actual pecuniary loss).

• e.g., financial fraud, un-reimbursed charges

Page 82: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re LinkedIn User Privacy Litig. (N.D. Cal.):

– Plaintiffs filed complaint against LinkedIn over a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.

– Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for premium memberships.

– On March 6, 2013, the Court granted LinkedIn’s motion to dismiss the complaint.

Page 83: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re LinkedIn User Privacy Litig. (N.D. Cal.):

– The Court held that, “[t]o satisfy Article III standing, plaintiff must allege:

• an injury-in-fact that is concrete and particularized, as well as actual and imminent;

• that injury is fairly traceable to the challenged action of the defendant; and

• that it is likely (not merely speculative) that injury will be redressed by a favorable decision.”

Page 84: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re LinkedIn User Privacy Litig. (N.D. Cal.):

– Plaintiffs failed to allege that “included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.”

– Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.

– Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of personally identifiable information.”

Page 85: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):

– Skimmers placed on PIN pad devices at 63 locations.

– Plaintiffs argued a wide variety of damages:

• Increased risk of identity theft

• Untimely and inadequate notification

• Improper disclosure of PII

• Invasion of privacy

• Decreased value of PII

• Anxiety and emotional distress

• Overpayment for products

Page 86: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):

– Relying on the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA Inc., No. 11-1025 (2013), the Court granted Barnes & Noble’s motion to dismiss.

• Clapper: Held that private citizens lacked standing to challenge 2008 amendments to the Foreign Intelligence Surveillance Act because they could not show the government had actually spied on them.

Page 87: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Lack Standing

• In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):

– No proof that an “injury in fact” is “certainly impending.”

• Speculation of future harm does not constitute actual injury.

• Even if plaintiffs could prove statutory violations, such violations would be insufficient to establish standing without actual injury.

• Increased identity theft expenses cannot establish standing for non-imminent harm.

• Emotional distress insufficient absent any imminent threat to PII.

• Fraudulent charges were reimbursed.

Page 88: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Have Standing

• Harris v. comScore (N.D. Ill.):

– Plaintiffs alleged that defendants improperly obtained and used personal information after consumers downloaded and installed the company’s software.

– comScore’s data collection violated the User License Agreement and the Downloading Statement.

– Court found standing based upon statutory damages available under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Stored Communications Act.

Page 89: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Have Standing

• Robins v. Spokeo, Inc. (9th Cir.):

– Plaintiff filed complaint alleging that Spokeo violated the Fair Credit Reporting Act by publishing inaccurate personal information about him.

– District Court granted motion to dismiss because plaintiff failed to prove an injury-in-fact and, thus, did not establish standing.

– The Ninth Circuit Court of Appeals reversed the District Court’s decision and held that “the statutory cause of action [FCRA] does not require a showing of actual harm when a plaintiff sues for willful violations.”

Page 90: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Have Standing

• In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):

– Hackers accessed the personal information of millions of Sony’s customers.

– Based upon plaintiffs’ allegations in their original complaint, the Court found that plaintiffs did not have standing.

– After filing an amended complaint, on January 21, 2014, the Court found that plaintiffs’ allegations “that their personal information was collected by Sony and then wrongfully disclosed . . . was sufficient to establish standing at this stage.”

Page 91: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Have Standing

• In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):

– The Court held that plaintiffs “plausibly alleged a ‘credible threat’ of impending harm” and that plaintiffs were not required to allege that their data was actually accessed by a third party.

– Although plaintiffs overcame the standing hurdle, the Court dismissed 43 of 51 of plaintiffs’ counts (including breach of contract and negligence claims) for failure to state a claim.

• e.g., failed to prove causation and/or damages under common law claims

Page 92: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Litigation: Plaintiffs Have Standing

• In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):

– The Court allowed claims under consumer protection statutes to proceed:

• e.g., unfair competition, false advertising, deceptive and unfair trade practices.

• Claims mainly based upon alleged misrepresentations regarding “reasonable security” and “industry-standard encryption.”

• Misrepresentations caused plaintiffs to pay more for product than if accurately described.

• The elements of statutory causes of action are different than the ones required for common law claims.

Page 93: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Avoid Future Data Security Breaches

• Understand what types of personal information are collected, how, where and how long they are stored, and who has access to them

• Collect only personal information necessary to conduct business

• Retain personal information for shortest time necessary to conduct business

• Limit access to personal information

• Encrypt data

Page 94: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Avoid Future Data Security Breaches

• Establish internal policies to protect personal information

– e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies

• Comply with promises made to consumers or employees regarding privacy and security of personal information

– Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete

Page 95: May 13-11-30 am-primer-to-cyber-security-(topical issues)

Avoid Future Data Security Breaches

• Train employees

• Conduct periodic audits

• Update and revise policies and procedures regularly

• Enhance technology to strengthen security and reduce risk

– e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software

• Use care when engaging third-party vendors and hold them to high standards

Page 96: May 13-11-30 am-primer-to-cyber-security-(topical issues)