Insurance Carrier Must Defend Its Insured Who Inadvertently Published Private Medical Records on the Internet

The Fourth Circuit Court of Appeals affirmed a Virginia Federal District court’s decision that examined the language of a commercial general liability (CGL) policy and held that an insurance carrier was required to defend its insured medical records company in a class-action lawsuit when its insured inadvertently published private patient medical records on the Internet. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).

Both the Virginia District Court and the Fourth Circuit rejected the insurance company’s argument that there cannot be a “publication” unless its insured intended to communicate information to others. In so doing, the courts reasoned that the insurance carrier had a duty to defend because its CGL policy did not provide clear enough language as to what conduct constituted a “publication.”

This decision shows that there may be coverage for data breaches outside of the policies written specifically for data breach scenarios, i.e., cyber liability insurance policies. To this extent, the Travelers opinion should be limited to inadvertent publications by an insured, rather than a hacker breaking into a network and then publishing information on the Internet.

Plaintiffs in P.F. Chang’s Data Breach Litigation Survive Standing Challenge

In response to an April 2014 data breach, P.F. Chang’s Bistro, Inc. effected a rapid response plan in an attempt to minimize potential injury to its consumers. The restaurant announced that its computer system had been hacked and card data had been stolen, conceding that it did not know how many consumers were affected, whether the breach was limited to certain locations, or how long the breach lasted. As an additional precautionary measure, P.F. Chang’s also switched to a manual card-processing system and encouraged all customers to monitor their credit reports for new activity.

Last week, in Lewert v. P.F. Chang’s China Bistro, Inc., No.14-3700, (7th Cir. Apr. 14, 2016), the Seventh Circuit Court of Appeals again held that two plaintiffs who filed a class action suit against it had the Article III standing required to survive dismissal. Citing to its July, 2015 decision in Remijas v. Neiman Marcus Group, LC, 794 F.3d 688 (7th Cir. 2015)), the Court concluded that the P.F. Chang’s plaintiffs’ alleged injuries were sufficient to support a lawsuit – the consumers were at an increased risk of fraudulent charges and identity theft.

In reaching its decision, the Seventh Circuit pointed to P.F. Chang’s remedial efforts to prevent consumers’ exposure to the breach. Specifically, P.F. Chang’s addressed customers who dined at all of its restaurants in its initial press release, and advised consumers to monitor their credit reports, “rather than simply the statements for existing affected cards.” The court explained that by doing so, the company implicitly acknowledged that there could be a substantial risk of harm from the data breach. P.F. Chang’s eventually determined that only thirty-three of its restaurant locations had been affected, an argument which the court stated could create a factual dispute on the merits, but that would not destroy standing.

The Seventh Circuit’s decision underscores that the initial Article III hurdle for data breach plaintiffs is not high, and should serve to mold a company’s public reaction to a potential breach.

EMV Chip Cards – Falling Behind the Curve Could Mean Liability for Merchants and Card Issuers Alike

During the holiday season, stores throughout the United States process millions of credit card transactions per day. Although this flurry of sales activity is good for business, it also comes with a potential risk of liability if the credit cards used in those transactions are equipped with the chip-card technology that the merchants’ payment processing machines are not capable of handling.

12-14During the past year, credit card issuers have been transitioning to the Europay, Mastercard, Visa (“EMV”) chip cards, which contain smart microprocessor chip technology. Using the chip reader in the credit card payment terminal, the chip serves as the communication conduit between the card issuer and the merchant’s bank to authenticate the card and complete the sales transaction. Unlike magnetic stripe credit cards, chip cards generate a unique transaction code that cannot be reused. This “dynamic” data technology helps to guard against credit card fraud arising out of data or security breaches where the credit card information is compromised. For some chip cards, the users may also be required to enter a PIN. This new chip card technology requires new payment processing terminals that many merchants have not yet implemented.

Although the card issuers themselves have not completed their issuance of EMV chip cards to replace existing magnetic stripe cards, the issuers imposed an October 2015 deadline on merchants and card payment processors to become EMV-ready. After October 2015, under the modified terms of their agreements with the credit card payment processors or networks (e.g., VISA, MasterCard, American Express, Discover), merchants who accept credit cards and who are not EMV-ready may be liable for any fraudulent transactions and possibly fined and/or sanctioned by the Payment Card Industry Security Standards Council, an industry organization that promulgates data and cybersecurity standards for the credit card sector. Liability will be shifted to the party who used the lower level of security and compliance with the EMV standards. This means that, for example, a merchant may be assigned liability for the fraudulent transaction if the purchase was made with a chip card but the merchant was not capable of processing the chip card payment, using instead the magnetic stripe method. Conversely, the card issuer may be assigned liability if the merchant was EMV-capable but the card issuer has not issued a chip card to the consumer.

Notably, the EMV standards do not apply to purchases where the cards are not physically presented, including online and telephone transactions.

Although they impose increased liability and breed disputes between potentially liable parties, EMV chip cards and their attendant standards and rules are intended to provide more consumer protection and create an incentive for merchants, card issuers, and payment processors alike to conform with best practices in an ever-evolving world of data and cybersecurity challenges.

Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance

Gordon & Rees Partner, Matthew Foy, recently co-authored an article published in DRI’s In-House Defense Quarterly, entitled “Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance.” The article addresses the implications of the November 2014 Sony data breach and discusses why companies of all sizes should be giving a hard look at the cyberinsurance market and not simply relying on their CGL policies. To learn more about this topic, please see the full article, which is available here.

Insurance industry takes protective stance against constant threat of data breaches

Over 1,000 Medicaid identification numbers may have been compromised in a recent breach of security protocol in North Carolina. An employee of the North Carolina Department of Health and Human Services inadvertently sent an email without first encrypting it, which contained protected health information for Medicaid recipients, including the individual’s first and last name, Medicaid identification number, provider name, and provider identification number. While the Department has no reason to believe that any information was compromised, the Department advised affected patients to take steps to protect themselves, such as putting a fraud alert on their credit files and monitoring their financial statements for unauthorized activity.

Individual insurance companies have also fallen victim to cyberattacks. The National Association of Insurance Commissioners (NAIC) has made efforts to strengthen the insurance industry’s security position by launching the Cybersecurity Task Force, which is creating a framework for insurance companies to follow in the event of a security breach. The NAIC recently proposed a Cybersecurity Bill of Rights, which outlines the expectations of insurers when a data breach occurs and remedies for consumers who have suffered harm due to a breach. Consumer advocates, as well as insurance groups representing life, health, and property/casualty carriers, support the Cybersecurity Bill of Rights, but are pushing for changes, arguing that the document may create confusion for consumers because currently it implies that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers. While the Cybersecurity Bill of Rights will not likely become a binding document, the Cybersecurity Task Force has been working alongside state insurance regulators, conducting examinations of insurance carrier’s protocols to determine whether sensitive data and confidential information are properly protected. One thing is for certain – the increase in data breaches nationwide will lead to more regulations affecting all areas of industry and eventually leading to additional lawsuits in compliance with said regulations.

Illinois Appellate Court Finds Increased Risk of Harm from Data Breach Insufficient to Confer Standing

As has been previously reported here, a series of recent federal court decisions has suggested a trend in data breach litigation – that an increased risk of harm will be sufficient to satisfy the injury-in-fact requirement for Article III standing. In fact, less than three weeks ago, the Seventh Circuit Court of Appeals revived a previously-dismissed data breach class action lawsuit, ruling that plaintiffs did not have to wait until hackers actually committed identity theft in order to establish standing. On August 6, 2015, the Illinois Appellate Court held exactly the opposite.

In Maglio v. Advocate Health and Hospitals Corporation, several plaintiffs sued Advocate Health and Hospital after computers containing patients’ personal information were stolen. 2015 IL App (2d) 140782 (August 6, 2015). Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they faced an increased risk of identity theft and identity fraud. Advocate Health moved to dismiss the complaint, arguing that mere stolen information is insufficient to establish standing, because an increased risk of identity theft and/or identity fraud is too speculative to constitute cognizable injury-in-fact.

Affirming the trial court’s dismissal of the action, the Illinois Appellate Court agreed with the defendant’s argument, concluding that the increased risk of harm arising out of a data breach is inadequate to confer standing on consumers. The Illinois Appellate Court noted the similarity between Illinois’ and federal standing principles, and relied for the most part on federal decisions, including Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013) – a case which the Seventh Circuit interpreted as not completely foreclosing on the use future injuries to support Article III standing. Yet, in stark contrast to recent federal court decisions, the Illinois Appellate Court opined that where no identity theft had yet occurred, the elevated risk of such harm was too speculative and conclusory to be considered a distinct and palpable injury.

The plaintiffs in Maglio also tried to achieve standing by alleging that they suffered emotional injury as a result of the data breach, such as anxiety, and that their privacy had been invaded. Again, the court found such allegations to be speculative and therefore insufficient, absent allegations of actual disclosure of personal information.

We expect to see fewer data breach class actions being filed in Illinois state courts – long criticized as plaintiff-friendly venues – and an uptick in federal court filings. The full opinion is available here.

Fiat Chrysler Recall Highlights Potential Need for Regulatory Changes

Last week, Fiat Chrysler issued a recall of more than 1.4 million vehicles after security researchers from Wired Magazine exposed major security flaws that would allow potential hackers to take over a vehicle’s crucial systems remotely.

In a controlled demonstration, Charlie Miller and Chris Valasek hacked into a Jeep Cherokee as it was traveling 70 m.p.h. down a St. Louis highway. The hackers were able to take control of the vehicle’s air conditioning, entertainment system, and at one point were able to cut the Jeep’s accelerator. The hackers also revealed the capability to cut the Jeep’s brakes, as well as the ability to track a targeted vehicle’s GPS coordinates via its navigation system.

The experiment revealed vulnerabilities contained within Fiat Chrysler’s Uconnect system, the internet-connected computer feature that controls navigation, enables phone calls, and even offers a Wi-Fi hot spot in hundreds of thousands of Fiat Chrysler vehicles. According to Wired Magazine, a hacker need only know a car’s IP address in order to potentially gain access to the vehicle from anywhere in the country.

Last week’s recall illustrates how the rapidly-developing “Internet of Things” (i.e., the increasing use of interconnected devices in everyday life) can implicate not just issues of personal privacy and data security, but physical safety. It also raises serious questions of accountability for both automakers and government regulators. On July 21, 2015, Senators Edward J. Markey (D-Mass) and Richard Blumenthal (D-Conn.), who followed Miller and Valasek’s research, introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal performance standards that would protect drivers’ privacy and secure vehicle software systems. The Security and Privacy in Your Car (SPY Car) Act would establish a rating system that would inform consumers about how well the vehicle protects drivers’ security and privacy beyond the minimum standards set forth by the Act. The SPY Car Act also contains proposed limitations on automakers’ disclosure, retention, and use of information collected by the on-board software systems featured in most modern vehicles.

Whether or not the SPY Car Act becomes law, it is not difficult to imagine that future real-world data breaches or injuries resulting from vulnerabilities in on-board computer systems could result in significant liability for car manufacturers, especially if they were to occur on a widespread scale. Accordingly, the auto industry should be cognizant of these vulnerabilities and take steps to ensure their vehicles are secured from digital attacks.

Gordon & Rees LLP’s Privacy & Data Security Group will continue to monitor and report on the implications of vehicle security breaches.

Seventh Circuit Revives Consumer Class Action Relating To Neiman Marcus Data Breach

On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.

This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.

On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.

Please continue to monitor our blog for the latest news on data breach litigation and other privacy laws.

Update to “What’s Up Next on the Hacking Block?”

On Friday, July 10, 2015, the Director of the Office of Personnel Management (“OPM”), Katherine Archuleta, resigned amid the two massive data breaches of OPM’s information technology systems that occurred within the last year. The breaches have affected approximately 22.1 million individuals. Beth Cobert, the Deputy Director of Management of the Office of Management and Budget, will replace Archuleta. Lawmakers have also called for the resignation of Donna Seymour, OPM’s Chief Information Officer, but it is not clear whether she will resign or remain the CIO.

Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.

What’s Up Next on the Hacking Block?

Security concept: Lock on digital screenFrom Home Depot to Target to Sony, the world is not lacking in the massive-data-breach department. These hacks have opened up a host of problems for the companies involved, including lawsuits and the implementation of more secure systems to protect sensitive data, as well as for the individuals whose personal and/or financial information may have been compromised. But surely our federal government is safe from hackers, right? The answer, unfortunately, is no.

The Office of Personnel Management (“OPM”) is a federal governmental organization that is “responsible for personnel management of the civil service of the Government,” and it strives “to make the Federal government America’s model employer for the 21st century.” But in April 2015, OPM discovered and began investigating a data breach of up to 4.2 million of its employees’ records. The information included the employees’ names, Social Security numbers, and dates of birth. Then on June 8, 2015, OPM announced that it was looking into a second breach, this one involving “background investigations of current, former, and prospective Federal government employees.” On June 18, 2015, however, OPM officials acknowledged that this second hack occurred a full year ago. Individuals affected by the first data breach were notified between June 8, 2015, and June 19, 2015. The investigation regarding the second breach is still ongoing, but it is now estimated that up to 14 million people will be affected by the two breaches. Id.

It is thought that Chinese hackers are responsible for both hacks in a possible attempt to compile an extensive database on government workers. Id. President Obama is considering economic sanctions against China, but at this point it is not clear that the Chinese government was behind the attacks. And it must be crystal clear that these were Chinese-government-sponsored hacks, or the U.S. will be placed in a very difficult position: China has an undeniably strong position in the global economy, and the U.S. and Chinese economies are closely intertwined. Any sanctions efforts by the U.S. would almost certainly be met with staunch opposition from China that could affect the U.S. economy.

It is important to investigate who is responsible for the hacks, but the House Oversight and Government Reform Committee (“Committee”) is also inquiring as to how OPM allowed the hacks to occur. The Committee conducted a hearing on June 16, 2015, regarding the OPM breaches. Many lawmakers placed the blame on the policies and systems on which OPM relied for data protection and stated that OPM’s leadership should resign. The Committee wanted to know why OPM did not abide by the 2014 recommendation of the Office of the Inspector General to shut down eleven of its computer security systems. OPM blamed legacy systems dating back to 1985 because they could not be encrypted.

It is unclear whether OPM’s leadership will resign in the face of this hacker disaster. But what is clear is that more research and investigation into what went wrong and how to prevent future attacks will continue. Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.