Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

Target has ended its multi-state litigation over its 2013 data breach with an $18.5 million settlement paid to 47 states. While the settlement outlines the type of security measures companies should employ in order to avoid being found negligent with customer data, it does not go far enough to improve organizational security. The bulk of the settlement terms remain defensive in nature. As such, companies looking to follow the terms of Target’s settlement should be advised to adopt offensive tactics to prevent such attacks if they want to avoid litigation.

In 2013, although Target’s security systems had detected the breach, no one understood the significance of the alerts or acted upon them, and the delay in response turned the intrusion into a massive data breach. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program; however, this requirement largely refers to changes the retailer has already implemented. While the settlement reiterates some of the basics, such as maintaining a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data, future data breach lawsuits may cite the Target settlement to argue that an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further measures will be required for companies to go on the offensive to prevent breaches, as the plaintiffs’ bar will try to use the Target settlement as a benchmark for negligence in pushing forward with future litigation.

Plaintiffs in P.F. Chang’s Data Breach Litigation Survive Standing Challenge

In response to an April 2014 data breach, P.F. Chang’s Bistro, Inc. effected a rapid response plan in an attempt to minimize potential injury to its consumers. The restaurant announced that its computer system had been hacked and card data had been stolen, conceding that it did not know how many consumers were affected, whether the breach was limited to certain locations, or how long the breach lasted. As an additional precautionary measure, P.F. Chang’s also switched to a manual card-processing system and encouraged all customers to monitor their credit reports for new activity.

Last week, in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. Apr. 14, 2016), the Seventh Circuit Court of Appeals again held that two plaintiffs who filed a class action suit against the restaurant had the Article III standing required to survive dismissal. Citing its July 2015 decision in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Court concluded that the P.F. Chang’s plaintiffs’ alleged injuries were sufficient to support a lawsuit: the consumers were at an increased risk of fraudulent charges and identity theft.

In reaching its decision, the Seventh Circuit pointed to P.F. Chang’s remedial efforts to prevent consumers’ exposure to the breach. Specifically, P.F. Chang’s addressed customers who dined at all of its restaurants in its initial press release, and advised consumers to monitor their credit reports, “rather than simply the statements for existing affected cards.” The court explained that by doing so, the company implicitly acknowledged that there could be a substantial risk of harm from the data breach. P.F. Chang’s eventually determined that only thirty-three of its restaurant locations had been affected, an argument which the court stated could create a factual dispute on the merits, but that would not destroy standing.

The Seventh Circuit’s decision underscores that the initial Article III hurdle for data breach plaintiffs is not high, and should serve to mold a company’s public reaction to a potential breach.

Insurance Industry Takes Protective Stance Against Constant Threat of Data Breaches

Over 1,000 Medicaid identification numbers may have been compromised in a recent breach of security protocol in North Carolina. An employee of the North Carolina Department of Health and Human Services inadvertently sent an email without first encrypting it, which contained protected health information for Medicaid recipients, including the individual’s first and last name, Medicaid identification number, provider name, and provider identification number. While the Department has no reason to believe that any information was compromised, the Department advised affected patients to take steps to protect themselves, such as putting a fraud alert on their credit files and monitoring their financial statements for unauthorized activity.

Individual insurance companies have also fallen victim to cyberattacks. The National Association of Insurance Commissioners (NAIC) has made efforts to strengthen the insurance industry’s security position by launching the Cybersecurity Task Force, which is creating a framework for insurance companies to follow in the event of a security breach. The NAIC recently proposed a Cybersecurity Bill of Rights, which outlines what is expected of insurers when a data breach occurs and the remedies available to consumers who have suffered harm due to a breach. Consumer advocates, as well as insurance groups representing life, health, and property/casualty carriers, support the Cybersecurity Bill of Rights but are pushing for changes, arguing that the document may create confusion for consumers because it currently implies that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers. While the Cybersecurity Bill of Rights is unlikely to become a binding document, the Cybersecurity Task Force has been working alongside state insurance regulators, conducting examinations of insurance carriers’ protocols to determine whether sensitive data and confidential information are properly protected. One thing is certain: the increase in data breaches nationwide will lead to more regulations affecting all areas of industry, which in turn will lead to additional lawsuits brought under those regulations.

Target Ends Dispute With Mastercard Over 2013 Data Breach

Following the highly publicized data breach affecting Target retail stores in 2013, the retail giant has agreed to pay up to $19 million to MasterCard credit card issuers worldwide to compensate them for the costs of canceling accounts, creating new accounts, and issuing new cards. MasterCard is urging card issuers to accept the deal, which calls for Target to pay the card issuers by the end of the second quarter.

In late 2013, Target suffered a massive data breach in which 110 million customer records were stolen, including 40 million credit card numbers. In an attempt to be proactive, Target informed financial institutions about credit cards that may have been compromised and offered free credit counseling to its consumers to combat the onslaught of litigation that was to follow. In the wake of the highly publicized breach, many other retail establishments were found to have suffered data breaches of their own, spurring numerous lawsuits nationwide.

Apart from the class action lawsuits filed by individual consumers across the country against Target, credit card issuers, which include banks, credit card companies, and other financial firms, incurred hard costs in cancelling accounts and issuing replacement cards with new account numbers. While individual consumers filing data breach lawsuits had to overcome Clapper by arguing that an injury-in-fact occurred rather than merely speculative damages, credit card issuers and financial institutions had actual damages on which to move forward with their claims. To this point, Target has negotiated a deal only with MasterCard. It is possible that Target is also negotiating a similar agreement with Visa.


Image courtesy of Flickr by Mike Mozart

Security-Threatening Dating Apps and Their Effect on Employers

IBM released a study this month after reviewing 41 of the most popular dating apps for cyber security. According to the study, 60 percent of the apps are “vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.” The study showed that hackers could gain access to users’ locations, photos, contacts, microphone, and billing information, and could even change a user’s dating profile. Even more concerning, the study revealed that 50 percent of companies have employees who use dating apps on their work devices, putting potentially confidential company information at risk.

Companies and online daters should be aware of the security risks these apps may pose. Companies may want to consider policies prohibiting or limiting the use of dating and other potentially risky apps on work devices to prevent exposure of confidential company information. Online daters should remember to keep their profiles vague, review app permissions regularly, and delete their profiles once they have found that special someone. Those who do not use dating apps should consider similar self-protective privacy measures when using any app. At a minimum, companies and their employees should have a set policy and procedure in place to counter the risks associated with these personal apps and to prevent the potential breach or loss of both personal and company information.

With Data Breach Class Actions on the Rise, Clapper Provides a Viable Defense

With recent data breaches at Home Depot, Target, Jimmy John’s, eBay, Neiman Marcus, P.F. Chang’s, Goodwill Industries, CNET, and others, there has been a resultant explosion of cybersecurity litigation. Despite the rise in this area of litigation, data breach lawsuits still have to overcome a major hurdle: the standing requirement enunciated in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013).

In Illinois, a number of such lawsuits were filed in the wake of Advocate Medical Group’s revelation that four laptops containing the unencrypted personal health information of more than 4 million patients were stolen from its offices. In one such putative class action, Vides v. Advocate Health and Hospitals Corp., the state court followed the rationale of Clapper in rejecting the plaintiffs’ argument that an increased risk of identity theft is sufficient in and of itself to satisfy the “injury-in-fact” requirement necessary to establish standing.

In Vides, the plaintiffs’ theories of liability included common law negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private facts, and intentional infliction of emotional distress. The court found that none of these, including the purported statutory violations, was adequate to confer standing on the plaintiffs, and that the damages asserted were too speculative to establish an injury in fact. In reaching that conclusion, Judge Mitchell Hoffman reasoned that a number of questions would have to be answered in the affirmative to establish an injury in fact, such as whether a person’s data was actually taken, whether that data was sold or transferred, whether anyone attempted to use the person’s data, and whether they succeeded in using it. Because the plaintiffs could not allege that a threatened injury was certain as a result of the breach, the suit was dismissed in its entirety.

In reaching this ruling, the court noted that courts across the country had rejected the argument that risk of harm could equate to an injury in fact sufficient to satisfy Article III of the U.S. Constitution. In its survey of data breach class action law across the country, the court also distinguished Seventh U.S. Circuit Court of Appeals decisions holding that the mere increased risk of identity theft was sufficient to confer standing, since those decisions predated Clapper. Therefore, Clapper remains a formidable obstacle for data breach lawsuits to overcome.

While the Clapper decision provides an excellent defense to data breach lawsuits, cybersecurity litigation remains on the rise. As such, companies should continue to be proactive in assessing their internal systems and procedures to prevent data breaches from occurring.

Image courtesy of Flickr by Mike Mozart