Carlock Copeland Cyber Liability


Carlock, Copeland & Stair, a civil litigation firm, has a reputation for forceful, creative and cost-effective advocacy on behalf of its clients. Formed in 1970 with five attorneys operating out of a downtown Atlanta office, we now have over 80 civil litigation attorneys handling legal matters across the Southeast from offices in Atlanta, GA, Charleston, SC and Chattanooga, TN.


Office of Civil Rights Issues Phishing Email Alert

On November 28, 2016, the Office of Civil Rights of the Department of Health and Human Services, the entity responsible for HIPAA administration, issued an alert about a potential “phishing” email scam. The email purports to come from OCR’s Director, Jocelyn Samuels, and targets employees of covered entities and business associates. The email appears legitimate and includes a link concerning the audit program. By clicking on the link, the user is redirected to a cybersecurity firm marketing website.

For those who may not be familiar with the term, “phishing” refers to an email that looks official or legitimate but then redirects the recipient to an unaffiliated website. Common “phishing” emails mimic requests from credit card companies for personal information, from auction sites for login information, and from banks for updated privacy information. As always, if you have received an email that you did not expect and have questions about it, contact the purported sender directly, using contact details you already know rather than those in the message, to verify it before clicking any link or opening any attachment.


Sixth Circuit Lowers the Bar for Standing in Data Breach Suits

Galaria v. Nationwide Mutual Ins. Co., U.S. Court of Appeals, 6th Cir. (September 12, 2016)

This case arises out of an October 3, 2012 hack into Nationwide Mutual Insurance Company’s computer network, which exposed the personal information of the putative class action Plaintiffs and 1.1 million others.  Nationwide informed the Plaintiffs of the breach by letter, advising that they should take steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity.  Nationwide offered a year of free credit monitoring and identity fraud protection of up to $1,000,000 through a third-party vendor.  Nationwide also suggested that victims set up a fraud alert and place a security freeze on their credit reports.  Nationwide acknowledged that such a security freeze could, however, impede consumers’ ability to obtain credit and could cost between $5.00 to $20.00 to place and/or remove.  Nationwide did not offer to pay for expenses associated with a security freeze.

Multiple putative class action complaints were filed, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy by public disclosure of private facts, and bailment.  Plaintiffs contended that the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to identity fraud.  As evidence of that risk, Plaintiffs referenced the illicit international market for stolen data used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards.  Plaintiffs also pointed to the potential that a victim’s identity could be used by identity thieves when arrested, resulting in warrants issued in the victim’s name.  Plaintiffs cited a study purporting to show that in 2011, recipients of data breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incident rate of 19%.

Plaintiffs further alleged that victims of identity theft and fraud typically spend hundreds of hours of personal time and hundreds of dollars of personal funds, incurring an average of $354.00 in out-of-pocket expenses and $1,513.00 in total economic loss to mitigate the risk.  Plaintiffs alleged that they had suffered and would continue to suffer both financial and temporal costs to continue monitoring their credit information.

Nationwide filed a Motion to Dismiss, which was granted by the district court. The lower court agreed with Nationwide’s arguments that Plaintiffs did not have statutory standing under the FCRA and thus dismissed those claims for lack of subject matter jurisdiction.  The district court also dismissed the negligence and bailment claims, finding that Plaintiffs did not have Article III standing because they had not alleged a cognizable injury.  Lastly, the district court held that Plaintiffs had standing to bring their invasion of privacy claim but failed to state a claim for relief and dismissed that claim with prejudice.  Plaintiffs appealed the dismissal of all counts except for the invasion of privacy claim.

Article III of the U.S. constitution limits the jurisdiction of federal courts to Cases and Controversies.  The doctrine of standing gives meaning to these constitutional limits by identifying those disputes which are appropriately resolved through the judicial process.  Constitutional standing consists of three elements: (1) Plaintiff must have suffered an injury in fact; (2) that is fairly traceable to the challenged conduct of a Defendant; and (3) that is likely to be redressed by a favorable judicial decision.

To establish injury in fact, a Plaintiff must show he or she suffered “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.”  When standing is based on an imminent injury, the Supreme Court has explained that the threatened injury must be certainly impending to constitute injury in fact, and allegations of possible future injury are not sufficient.  However, standing can be based on a “substantial risk” that harm will occur, which may prompt Plaintiffs to reasonably incur costs to mitigate or avoid that harm, even where it is not “literally certain the harms they identify will come about.”

In this case, the Court of Appeals found that Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.  The Court held there was no need for speculation where Plaintiffs alleged their data had already been stolen and was now in the hands of ill-intentioned criminals.  Indeed, the Court pointed to the fact that Nationwide seemed to recognize the severity of the risk, given its offer to provide credit monitoring and identity theft protection.  Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, there was sufficiently substantial risk of harm that incurring mitigation cost was reasonable. The 6th Circuit held that all of the required elements were met, and thus, the Plaintiffs adequately alleged Article III standing.

In reaching its decision, the 6th Circuit pointed to two recent 7th Circuit cases with similar findings and a 9th Circuit case finding Article III standing as well.  However, the Court (and the dissent) noted the current split between these decisions and other Circuits.

The precedential effect of this opinion will be difficult to tell for some time.  As an unpublished, divided opinion, its citing authority may be limited.  However, its discussion and analysis of Article III standing may well signal that the bar has been lowered for future claims and defense of these claims will have to shift to other grounds.


Tennessee Modifies Breach Notification Statute

The Tennessee legislature recently amended that state’s data breach notification statute. Tennessee now requires information holders to disclose any security or data breach to Tennessee residents “immediately, but no later than fourteen (14) days from the discovery or notification of the breach.” There is an exception if more time is needed for a legitimate law enforcement reason.

Also, the Tennessee legislature changed the rule regarding disclosure of access to encrypted data as well as unencrypted data. Finally, the legislature broadened the definition of “unauthorized user” to include employees of the information holder.

The Governor signed the bill and the law becomes effective July 1, 2016.


FBI Issues Warning for Ransomware Malware

The Federal Bureau of Investigation is warning all businesses about the risks of “ransomware.” Ransomware is malware – a malicious program delivered inside a message or web page. The message may take the form of an innocuous email directed at a specific person in the organization, such as a controller, accountant, or risk manager. The message typically includes an attachment, like a document (.pdf), text file (.txt), or spreadsheet (.xls), that appears legitimate, such as a bill or a letter. Alternatively, the message may direct the user to a website that appears valid. When the user opens the attachment or visits the website, the malicious program encrypts – that is, renders unreadable – the files and folders containing the user’s information and data. The person or organization behind the message then contacts the user and demands a ransom – money for the return of access to the information and data.

There has been an increase in the number of ransomware attacks. The FBI does not advocate paying a ransom for the return of data. The FBI has set up a Cyber Task Force to assist in the event of a ransomware attack (www.fbi.gov/contact-us/field). The FBI recommends employee training, keeping all operating systems, software, and antivirus/malware protection systems up to date, and maintaining robust file access privileges across an organization.

If a health care provider, covered entity, or business associate is hit with a ransomware attack, there may be additional reporting requirements under HIPAA, depending on the circumstances. Remember, many insurance policies provide data breach services that include assistance with reporting and remediation.


Home Depot Settles Data Breach Claim

Home Depot settled a class action lawsuit based on a massive data breach involving private information of up to 56 million people who used the self-check kiosks at the company stores. According to published reports, Home Depot is paying $13 million in damages, including out of pocket expenses and substantiated losses up to $10,000 per claimant. In addition, Home Depot will pay qualified claimants up to $75 for time spent remedying any identity theft issues. Home Depot agreed to remediate with new security measures. Lastly, Home Depot agreed to pay the lawyers involved in the multi-district litigation nearly $8.5 million in legal fees and $300,000 in expenses. The settlement is unique in that it included compensation for time spent by the claimants to undo the damage.


Welcome to the Blog!

Welcome to the blog for the Data Privacy and Breach practice group of Carlock, Copeland & Stair!  Our experienced attorneys handle data breach responses, coverage issues, and risk management consulting for companies of all sizes.

In our first installment of the blog, we are reporting on legal developments arising out of a massive data breach involving health insurer Anthem. Multiple lawsuits were filed alleging putative class action claims against Anthem.  The multi-district litigation was consolidated and transferred to the Northern District of California. On Sunday evening, Judge Lucy Koh entered an order dismissing several claims brought under various state and federal laws, including common-law negligence claims.  Notably, Judge Koh ruled that Indiana does not recognize a private right of action for negligence arising in a data breach situation.  In addition, Judge Koh conditionally dismissed a claim based on Georgia’s Insurance Information and Privacy Protection Act (O.C.G.A. §33-39-14) with leave to replead the claim.

The order is significant because it continues the trend of rejecting attempts to turn data breaches into damages claims. While data privacy and protection is a heavily regulated part of doing business, most claimants have not been able to develop theories of liability that enable them to collect tort damages in breach cases.

The case is In Re Anthem Inc. Data Breach Litigation, U.S. District Court, Northern District of  California, No. 5:15-MD-02617.