Cyber Security, Information Governance & Privacy

The Pennsylvania Supreme Court has ruled that employers have a legal duty to use reasonable care to safeguard the sensitive personal information of employees stored on an Internet-accessible computer system.

In Dittman v. UPMC, former and present employees of the University of Pittsburgh Medical Center filed a putative class action against UPMC arising from a data breach in which the personal and financial information – including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information – of all 62,000 employees and former employees were accessed and stolen from UPMC’s computer systems.

The employees alleged that the stolen data, which consisted of information UPMC required employees to provide as a condition of employment, was used to file fraudulent tax returns on behalf of victimized employees, resulting in actual damages. Based on these allegations, the employees asserted claims for negligence and breach of implied contract against UPMC. The employees further alleged that UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between the university and its employees, whereby UPMC required them to provide the information as a condition of their employment.

The Court reversed the Superior Court’s grant of UPMC’s preliminary objections, holding that UPMC had an existing duty of reasonable care to safeguard the employees’ data from the foreseeable risk of a data breach. The Court found that the personal and financial information was stored without the use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.

While the Court noted that generally there is not a duty to protect someone who is at risk due to circumstances that a defendant did not create, the employees alleged sufficiently that UPMC’s affirmative conduct created the risk of a data breach. Therefore, by collecting and storing the employees’ data on its computer systems, UPMC owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising from those actions.

Significantly, the Court rejected UPMC’s argument that the presence of third-party criminality eliminates the duty it owed to the employees. The Court found that cybercriminal activity was within the scope of the risk created by UPMC and, therefore, did not alleviate UPMC of its duty to protect employees’ personal and financial information from that breach.

The Court also rejected UPMC’s economic loss argument, holding that under Pennsylvania law, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish that the breach of a legal duty arising under common law is independent of any duty assumed pursuant to contract.

Typically, if a duty owed arises under a contract between the parties, a tort action cannot be brought arising out of a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action. The Court in this case held that UPMC’s legal duty to act with reasonable care in collecting and storing its employees’ personal and financial information on its computer systems exists independently from any contractual obligations between the parties. Therefore, the economic loss doctrine did not bar the employees’ claim.

This is a significant ruling by the Pennsylvania Supreme Court as courts generally are reluctant to expand duties of care. But in this interconnected world and given well-known risks of cyber-intrusions, the Court found that an employer has a duty to exercise reasonable care to safeguard employees against the foreseeable risk of a data breach. This ruling may open the floodgates to lawsuits involving data breaches in Pennsylvania, and other plaintiffs will likely test the theory in other jurisdictions. Companies should conduct cybersecurity audits, engage in comprehensive reviews of cybersecurity insurance policies, and exercise vigilance in protecting sensitive data and personal information.

Finally, at last, the end may be near,
For the multiple class actions that Yahoo did bear.
Arising from three data breaches that occurred in the past,
A proposed settlement has been reached, let’s start with the class.  

The proposed settlement class under Rule 23,
Includes residents and small businesses, both U.S. and Israeli.
Who from 2012 to 2016 had Yahoo accounts,
Of course, this will not include those who validly opt out. 

This proposed settlement class covers about a billion accounts,
Upwards of 200 million individuals, almost too many to count!
Drafted deliberately broad to cover users from 2012 to 16,
This is notable since the first breach occurred in 2013.  

Despite this being the case, there was an expert report that had shown
Multiple intrusions occurring in 2012, with damages unknown.
To provide robust protection and cover all who may have suffered,
The class period was drafted to provide a small buffer.  

Critical to the proposed settlement is enhanced data security,
In response to what the plaintiffs identified as Yahoo’s deficiencies.
The proposed business practice commitments lay out new security rules,
Like increasing the security team headcount and enhanced intrusion detection tools. 

The settlement also requires $50 million to be paid
After the court enters the Final Approval of Order and Judgment, within 20 days.
The fund will compensate settlement class members for out-of-pocket costs,
An
d will reimburse those who paid for email services 25 percent of what they have lost.  

In addition to the $50 million, Yahoo has agreed to cover the fees
For two years of credit monitoring services from AllClear ID.
For settlement class members who do not need identity theft protection,
The settlement fund will be used to provide alternative compensation. 

And last, but not least, let’s discuss attorneys’ fees,
Thirty-five million dollars it is promised to not exceed.
And $2.5 million dollars in litigation costs and expenses,
Are you keeping track of Yahoo’s costs? They truly are tremendous.  

In exchange for all this, the settlement class members have agreed
To release all claims against Yahoo, for which they have grieved.
And while the parties reached a settlement, it is really for the court to decide,
Whether these terms are fair and reasonable, or if they are denied.  

Thus, while it seems like the end, there is still a ways to go
On November 29, the parties will hear from Honorable Judge Koh.
For now, let this proposed settlement be a lesson to us all:
While Yahoo can withstand it, a data breach could be a company’s downfall. 

Sadia Mirza is an Orange County-based attorney at Troutman Sanders LLP, a national law firm with offices across the country, including three in California. Mirza focuses on cybersecurity and privacy issues and compliance across the consumer financial services industry.

 

 

We are pleased to announce that Troutman Sanders attorney Ron Raether will be presenting during the 33rd Annual SoCal Security Symposium in Costa Mesa, California at the Hilton Orange County Hotel. Ron will present, “Cloudy with a Chance of Legal Action: Managing Cyber Risks in an Increasingly Outsourced World,” on October 25th at 8:30 a.m. The conference offers great opportunities to network, earn CLE credits, meet vendors and stay informed on cybersecurity.

Attendees will gain knowledge through the below key takeaways of Ron’s panel:

  • What is the legal landscape relating to the Cloud
  • Lessons learned from litigation experience
  • What steps should be taken as to governance and compliance to mitigate future of Cloud risks

To register or obtain additional information, visit the ISSA Website.

In the last few years, the right to privacy debate in the United States has increased in pace and volume. One issue at the center of this long debate is how best to implement the right privacy tools in a manner that does not disrupt business and technological innovation. The current criticisms fail to appreciate that the next technological paradigm is completely dependent on both the quality and quantity of data.

As connected things (IoT) explode in popularity, they make things such as augmented reality (AR) and autonomous vehicles possible. And as interconnectivity grows, so too do the opportunities. The companies that fail to properly leverage new technologies and data opportunities may find themselves falling behind their competitors.

In venturing into these emerging paradigms, companies should stay informed of recent enforcement actions, cases, and laws to determine how their role within new ecosystems may be impacted.

This publication covers the ongoing evolution of the legal landscape for data-centric products, so that organizations can continue to succeed in their development of data-centric products.

Click here to download the report

Illinois’ Biometric Information Protection Act (“BIPA”) requires entities collecting, using, and storing biometric data (such as face scans, retina scans, and fingerprint scans) to, among other things, inform and obtain consent from the owners of the data. Private entities storing an individual’s biometric information must also use a “reasonable standard of care” and treat the information in the same manner as they treat other confidential and sensitive information.

In past articles, we identified a trend involving Article III standing in cases brought under BIPA. Courts were drawing lines between cases where the plaintiff willingly submitted her biometric information (despite the defendant’s technical violation of BIPA), see, e.g., Santana v. Take-Two Interactive Software, No. 17-303, 2017 U.S. App. LEXIS 23446 (2d Cir. Nov. 21, 2017), and cases where the plaintiff’s biometric information was not given knowingly, see, e.g., Patel v. Facebook Inc., No. 3:15-cv-03747-JD, 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018). Most courts were finding Article III standing only in the latter category of cases. This created a hurdle for plaintiff-employees suing their employers for BIPA violations based on the collection of their biometric information for time-keeping purposes (a common activity for employers) because in such situations, employees provide their biometric information willingly.

However, a creative way has been found to clear the Article III hurdle. In Dixon v. Washington & Jane Smith Cmty., No. 17-cv-8033, 2018 U.S. Dist. LEXIS 90344 (N.D. Ill. May 31, 2018), the court found Article III standing because the complaint included allegations that plaintiff Cynthia Nixon’s employer disclosed her fingerprint information to Kronos, a third-party biometric timeclock vendor, without her notice or consent. “The allegation that [the employer] disclosed [the employee’s] fingerprint data to Kronos without informing her distinguishes this case from others in which alleged violations of BIPA were determined insufficiently concrete to constitute an injury in fact for standing purposes.” The court added, “this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.” The court employed the same logic to deny the defendants’ motions to dismiss under Fed. R. Civ. P. 12(b)(6). “Even though this may not be a tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”

Employees are apparently gaining insight from Dixon, as some have begun to amend their complaints to add allegations that their biometric information was disclosed to third parties, often the company supplying and maintaining the employer’s fingerprint scanner, as in Barnes v. Arytza, No. 2017-CH-11312, Cameron v. Polar Tech Indus., Inc. (co-defendant ADP Inc.), No. 2018-CH-10001, Edmond v. DPI Specialty Foods, Inc. et al. (co-defendant Ceridian HCM Holding Inc.), No. 2018-CH-9573, and Battles v. Southwest Airlines Co. (co-defendant Kronos Inc.), No. 2018-CH-9376, all filed in the Chancery Division of the Circuit Court of Cook County.

It will be interesting to see if these additional allegations of third-party disclosure are enough to avoid dismissal in Illinois state courts for a lack of standing. Third parties, like Kronos or ADP, may not necessarily have accessed, or even had the ability to access, employees’ biometric data, but instead likely merely host the servers that retain the data. We have yet to see any actions alleging the selling or theft of biometric data, but at least in Dixon, the mere allegation of third-party disclosure, however minor, was enough to find Article III standing.

 Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained.  In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure.

Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes.

TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing.

The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing.  Williams could not do that here. According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.”

Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.

We will continue to track this and other developments regarding the intersection of FCRA claims and standing to sue in federal court.

 

On July 13, 2018, in Dutta v. State Farm Mutual Automobile Insurance Company, the Ninth Circuit affirmed the district court’s decision granting summary judgment to State Farm in a putative Fair Credit Reporting Act class action. The decision presents another helpful application of the U.S. Supreme Court’s 2016 Spokeo decision. The Dutta decision highlights the importance of continuing to challenge standing at all stages of a case even in the face of a statutory violation.

Background

In Dutta v. State Farm, the plaintiff Bobby S. Dutta alleged that State Farm violated section 1681b of the FCRA, by failing to provide him with a copy of his consumer report, notice FCRA rights and an opportunity to challenge inaccuracies in the report before State Farm denied his employment application. As background, Dutta applied for employment with State Farm through the company’s Agency Career Track, or ACT, hiring program. State Farm examines the 24-month credit history of every ACT applicant, and if an applicant’s credit report indicates a charged-off account greater than $1,000, the applicant is automatically disqualified.

View full article published on Law360.

On June 21, 2018, the U.S. District Court for the District of Oregon dismissed a putative class action complaint alleging that a potential employer violated the disclosure and pre-adverse action notification requirements of the Fair Credit Reporting Act in Walker v. Fred Meyer Inc.[1] The Walker decision highlights several key lessons associated with FCRA class actions, particularly related to the disclosures employers must provide to prospective employees.

Background

Daniel Walker applied for a job with Fred Meyer Inc. As part of the application process, Fred Meyer provided Walker with separate disclosure and authorization forms regarding its intent to procure a background report on Walker. Fred Meyer presented the disclosure and authorization forms together, each in separate documents. The disclosure form mentioned both a general consumer report and an investigative consumer report.

View full article published on Law360.

In June 2018, Wired reported that Exactis, a marketing and data-aggregation firm, leaked an estimated 340 million records in what is shaping up to be one of the largest data breaches in the United States to date. 

The leak was discovered by Vinny Troia, security researcher and founder of Night Lion Security. Troia discovered Exactis’ leak while searching ElasticSearch, an internet database search engine. There he found Exactis’ database was accessible without any firewall protection. No information was provided concerning whether this leak has been accessed by unauthorized individuals. 

Exactis’ website claims to have gathered data on over 218 million individuals. This included 110 million households across the U.S. and 3.5 billion “consumer, business, and digital records.” Troia searched dozens of names ranging from those of personal acquaintances to celebrities and found that almost every one of them existed in Exactis’ system. 

The information that Exactis had gathered and stored included identifying information such as phone numbers, home addresses, and email addresses. It also included personal information such as religion, habits, and interests, as well as the number, age, and gender of the individual’s children.  

While the information leaked did not include Social Security numbers and credit card information, the leak is significant because millions of persons were affected, and the personal information leaked could be used for nefarious purposes, including impersonation of the individuals whose information was released.

Last night, California legislators passed Assembly Bill 375 (commonly known as the “California Consumer Privacy Act”) that would grant Californians “increased control” over their data. The new Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data.  The Act will be effective as of January 1, 2020.

To comply with the new Act, businesses will need to create internal processes to properly and timely respond to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified

For technology companies, this Act may create additional obstacles to innovation that leverage economies of scale across different organizations either through shared platforms or technologies.  Consider companies that have created tools to permit other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in their own unique way.  Consumers may argue that the web of privacy policies may ultimately need to be reconciled amongst the stakeholders because the ecosystem is presented to all consumers as one comprehensive application.

Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.  Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

Below is our summary and analysis of the Act:

What is “Personal Information”? Effectively adds the following categories of information:

  • Records of personal property, products, or services, and “consuming histories or tendencies”;
  • Biometric data;
  • Clickstream and “other electronic network activity information”;
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • “Inferences drawn” from personal information.

Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

When Is Personal Information “De-Identified”? Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information
Consent and Proportionality Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.
What Is “Selling” of Personal Information? “Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” Does not include third party processors who receive that information for only processing.
Consumers’ Right to Request

Collectors – (1) Consumers have right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – (1) Consumers have right to request categories of information sold, and (2) to whom it was sold. “Sellers” appear to be also “collectors.”

Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.

Consumers’ Right to Delete Records Businesses that receive verifiable requests from consumers to delete their personal information, must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).
Response In a “Readily [Machine] Useable Format” Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer’s account, or by mail or electronically at consumer’s option if consumer does not maintain account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”
Forms of Disclosure Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.
Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins

Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an “explicit notice” before they can sell information.

Minors under 16-years of age must “opt-in.”

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) comply with a legal purpose.

Requirement of Privacy Statement

A privacy statement that describes:

(1) a description of consumers’ rights and the methods of submitting requests;
(2) a list of categories of information collected;
(3) a list of categories of information disclosed;
(4) a list of categories of information sold.

Discriminatory Use of Personal Information Prohibited

Requirement that business not discriminate against consumers for exercising their rights under the title, including by:

(1) Denying goods or services;
(2) Charging different prices or imposing penalties;
(3) Providing a different quality of service;
(4) Suggesting the above;

…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”

Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”

Exceptions Exceptions:
(1) to comply with federal, state, or local laws;
(2) cooperate with law enforcement;
(3) all activities take place outside of California;
(4) HIPAA exception;
(5) FCRA exception, for generation of a consumer report;
(6) GLBA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(7) DPPA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(8) Small businesses not covered by the definition of “business.”
Enforcement

Enforcement:

(1) Private right of action by consumers for between $100-$750 per violation in statutory or actual damages, after 30-notice to cure, if it can be cured.   Consumer will then notify state AG, if any, whose action will terminate consumer action.
(2) State AG enforcement available for stiffer penalties (up to $7,500 per violation).   Also gives prescriptive authority to AG.