’Twas the Season for Data Breaches

With the recent hacks into Sony’s system and the emails sent to Home Depot’s customers regarding the breach of its system, data breach is no longer some fantastical notion that only plays out in a 1980s sci-fi movie. It is a real threat to businesses and their employees and customers, and that threat rises during the holiday season, when the average consumer spends approximately $800 on gifts for family, friends, and co-workers.

Venture back with me to December 2013, when Target Corporation announced that it was hacked, which resulted in 110 million of its customers having their credit- and debit-card information stolen. When I came across a recent ruling in that case, my reaction was: “Oh, yes. I vaguely remember that happening,” and I might have even been a customer who received an email from Target explaining the breach. My point is that, as consumers, the shock has worn off, and we are not surprised to hear about such breaches. But businesses cannot be so cavalier—the courts require vigilance in the protection of data.

As we have reported on our blog, multiple lawsuits arose shortly after Target’s announcement, resulting in the consolidation of all federal cases into In re: Target Corp. Customer Data Security Breach Litig., which involved claims brought by financial institutions on one hand, and by consumers on the other.  Just last month, the District of Minnesota ruled largely in favor of the financial institutions on Target’s motion to dismiss, making it clear that Target breached its duty to maintain adequate security systems.

Just in time for the holiday season, the now famous Sony breach (which, in part, resulted in the cancellation of most theater showings of the movie, “The Interview”) has triggered at least five class-action complaints filed in California federal court against Sony Pictures Entertainment, Inc.  The hacking incident allegedly exposed volumes of confidential emails, social security numbers, and salary and medical information of Sony’s former and current employees.  The gist of the complaints is that Sony, despite being aware that hackers were able to breach its system, “failed to develop, maintain, and implement internet security measures on its corporate network,” and this led to the catastrophic data breach that one complaint calls an “epic nightmare.”  Just last week at the Consumer Electronics Show, Sony’s CEO, Kazuo Hirai, described the hack, noting that Sony and its current and former employees “were the victim[s] of one of the most vicious and malicious cyber attacks in recent history.”

The class action filed in Los Angeles Superior Court also blames Sony for its decision regarding “The Interview,” since the film allegedly sparked the ire of hackers who were not pleased with the subject matter (a planned talk show assassination of North Korea’s leader, who was heavily parodied).  In addition to its limited theatrical release, it was recently reported that the film has earned over $30 million in online and on-demand sales.

It is too early to predict the outcome of these actions, but it is likely that the federal complaints regarding Sony will ultimately be consolidated.  As with most data breach cases, we anticipate heavily briefed motions to dismiss on standing and other grounds.  We will, of course, track these cases and provide updated reports as developments unfold.

Card Issuers Are Foreseeable Victims in Target Data Breach Cases

In an important decision on standing in data breach cases, the United States District Court in Minnesota issued an Order last week denying Target’s attempt to dismiss all claims brought by financial institutions.  The card-issuing banks’ complaint alleges that Target (1) was negligent in failing to have sufficient security in place to prevent hacking of customer data; (2) violated, and was negligent per se for violating, Minnesota’s Plastic Security Card Act (the Act); and (3) is liable for negligent misrepresentation in failing to advise the plaintiffs of the insufficient security measures.

Target moved to dismiss the negligence claims on the grounds that it had no duty and did not breach any duty to the plaintiffs because there was no special relationship between the parties, and the harm, if any, was an unforeseeable result of a third party’s (the hackers’) conduct.  The court disagreed and found that plaintiffs had sufficiently alleged that, whether premised upon the hackers’ conduct or Target’s own alleged disabling of a security feature and failing to react to warning signs in its system, the harm to the card issuers was a foreseeable consequence.  In addition, the court found the existence of a duty was bolstered by legislative intent under the Act, which was designed to protect customer data associated with cards, such as those issued by plaintiffs.

With respect to the omission claim, i.e., Target’s purported failure to advise of security deficiencies and its disabling a security feature, the court found that plaintiffs had adequately pled Target’s knowledge of facts unknown to plaintiffs and specific claims that Target had misrepresented the adequacy of its security in public representations (including Target’s online Privacy Policy and Target’s agreement to comply with Visa and MasterCard Operating Regulations).  However, the court noted that plaintiffs had failed to specifically allege reliance on the omissions, and, instead, only asserted they had suffered injury.  In light of the need to specifically plead the element of reliance, the court granted Target’s motion on this claim, with leave for plaintiffs to amend their complaint to add facts/claims of reliance on the omissions.

With respect to the statutory claims, the Act prohibits the retention of cardholder data by persons or businesses conducting business in Minnesota and, following a data breach involving violation of the statute, requires reimbursement of costs to the card issuer.  The court found Target’s argument that the Act only applies to Minnesota transactions to be without merit, stating “it applies equally to Minnesota companies’ data retention practices with respect to in-state and out-of-state transactions.”

Target’s other arguments on the statute are more interesting and create a debate between the parties as to whether the hackers’ theft of data from the cards’ magnetic stripe (though allegedly stored by Target servers prior to transmission to the hackers), as opposed to the theft of data maintained by Target itself, results in a violation of the Act regarding retained data.  While the resolution of that issue will eventually be determined if the case is adjudicated on the merits, the court found that, for purposes of the present motion, plaintiffs’ allegation that Target stored the information for longer than permitted under the Act, which increased the scope of the breach, was sufficient to state a claim upon which relief can be granted.

In sum, the claims pass muster (at least at the pleading stage), and the financial institutions have standing to proceed.
