July 18, 2016

Data, Privacy & Security Practice Report – July 18, 2016


Federal District Court Dismisses Data Breach Class Action Complaint Against Scottrade – On July 12, 2016, the United States District Court for the Eastern District of Missouri granted Scottrade’s motion to dismiss a putative class action complaint that was predicated on the alleged theft of personal information from Scottrade. 

Based on the allegations in the complaint, Scottrade sells brokerage, banking, and retirement planning services.  When a customer opens an account with Scottrade, the customer must give the firm various types of personal information.  Between September 2013 and February 2014, hackers accessed Scottrade’s customer databases and downloaded the personal information of approximately 4.6 million customers.  Scottrade did not know about the incident until August 2015, when the FBI contacted Scottrade about it.  In October 2015, Scottrade started to notify customers about the incident.  The firm also offered to provide a year of credit monitoring and identity theft insurance.

After Scottrade publicly announced the incident, multiple customers filed putative class action lawsuits.  Eventually, the various suits were consolidated in the United States District Court for the Eastern District of Missouri.  The plaintiffs’ consolidated complaint alleged multiple causes of action, including breach of contract, breach of implied contract, negligence, and violations of various state consumer protection statutes.

To satisfy the United States Constitution’s jurisdictional case or controversy requirement, plaintiffs must establish that they have standing to sue.  This requires a statement of sufficient facts at the pleadings stage to show that plaintiffs “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.”  An injury in fact is “an invasion of a legally protected interest” that is (1) “concrete and particularized” and (2) “actual or imminent, not conjectural or hypothetical.”  Scottrade contended that the plaintiffs lacked standing because they had not suffered an injury in fact.  The plaintiffs alleged that they had suffered a variety of injuries, but the court rejected each one as a basis for standing.

First, the plaintiffs alleged that they had an increased risk of identity theft and identity fraud.  The court concluded that these “increased risks” were not “actual” or “imminent” because the plaintiffs did not allege that anyone had used or intended to use their stolen personal information to commit identity theft, identity fraud, or any other conduct that had harmed them or would harm them.  Additionally, the court noted that two years had passed since the incident and the plaintiffs had not alleged that a single instance of identity theft or identity fraud had occurred.

Second, the plaintiffs alleged that they had suffered the financial or temporal cost of monitoring their credit, monitoring their financial accounts, and mitigating their damages.  The Court noted that, in data breach cases, the cost of mitigating the risk of future injury cannot be an injury in fact unless the future injury being mitigated against is imminent.  The Court, however, had already determined that the future injuries being mitigated against—identity theft and identity fraud—were not imminent.  Given the lack of an imminent future injury to mitigate against, the Court concluded these alleged facts did not satisfy the injury in fact requirement.

Third, the plaintiffs alleged that they did not receive the full benefit of their bargain with Scottrade because the brokerage and financial services that they had received were less valuable than the ones that they thought they had purchased.  Fourth, the plaintiffs alleged that the data breach deprived them of the value of their personal information.  Specifically, the plaintiffs alleged that, after the data breach, their information became less valuable—especially to them—because they were no longer the only people able to monetize the information.  The Court rejected the plaintiffs’ third and fourth alleged injuries because the plaintiffs had not alleged facts that could sufficiently support them.

Finally, the plaintiffs alleged that the data breach caused an invasion of their privacy and a breach of the confidentiality of their personal information.  The Court, however, concluded that the plaintiffs had not alleged any facts demonstrating that the alleged invasion of privacy or breach of confidentiality caused any damages or injury.

In a different data breach putative class action lawsuit, a Wendy’s customer alleged that the company had failed to adequately safeguard the financial information of customers.  On July 15, 2016, the United States District Court for the Middle District of Florida granted Wendy’s motion to dismiss the class action complaint because the plaintiff had failed to satisfy the injury in fact component of the Constitution’s standing requirement.  The Court, however, gave the plaintiff the opportunity to file an amended class action complaint to cure the deficiencies in the complaint that the Court dismissed.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.

HHS Releases Guidance On Ransomware And HIPAA – On July 11, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published new guidance on how HIPAA applies to ransomware prevention and attacks.  Specifically, the guidance lays out OCR’s view of what HIPAA requires covered entities to do to prepare for ransomware attacks, and makes clear that a ransomware attack on protected health information (PHI) could be a breach that would need to be reported under the HIPAA breach notification rule.

Ransomware is malicious software designed to gain access to a victim’s computer systems and then render the data on those systems inaccessible, usually by encrypting it.  The attacker then demands a ransom in exchange for the key needed to decrypt the data.  Ransomware has become increasingly prevalent as an attack vector, and in recent months several hospitals have reported ransomware attacks, including a hospital in Los Angeles that paid a $17,000 ransom after losing access to its electronic medical records system for over a week, shutting down certain departments and forcing the hospital to transfer some patients elsewhere.

According to the guidance, HIPAA regulations require a covered entity to have procedures in place to prevent, identify, and recover from ransomware infections.  For example, covered entities are required to perform a comprehensive risk analysis of the “potential risks and vulnerabilities to the confidentiality, integrity and availability of all of” the electronic PHI the entity possesses.  Entities must put security measures in place that reduce those risks to a “reasonable and appropriate level,” whether or not HIPAA rules and regulations otherwise specifically require the particular measures.  In particular, the guidance indicates that covered entities must have in place a data backup plan that would allow for recovery in the case of a successful ransomware attack.

The guidance makes clear that a ransomware attack that successfully encrypts protected health information may be a breach that must be reported.  HHS’s view is that PHI that is encrypted is “acquired [by the ransomware] (i.e., unauthorized individuals have taken possession or control of the information),” and this “is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”  In fact, even the presence of ransomware on a system is a security incident that HHS believes must be presumed to be a breach “[u]nless the covered entity . . . can demonstrate that there is a ‘... low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule.”

An entity can make this determination by undertaking a good faith risk assessment that reasonably determines that there was such a low probability of compromise, based on the four factors laid out in HIPAA—(1) the nature and extent of PHI involved, (2) the unauthorized person who accessed the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated.  (See 45 C.F.R. § 164.402(2))  The entity must also retain the documentation supporting its assessment.

Notably, the guidance allows that a ransomware attack may not constitute a breach if the PHI to which the ransomware has access is already encrypted.  This is a fact-specific determination, and the guidance specifically indicates that the conclusion depends on how and where the ransomware was able to access the system.  For example, a laptop’s full-disk encryption may protect the information on it if the laptop is lost or stolen and an unauthorized user attempts to read it.  On the other hand, if the same laptop is powered up and in use by an authorized user, the operating system decrypts the data transparently for that session, so the information may be unencrypted and available to ransomware running during the period of authorized use.

While this guidance on reporting ransomware breaches is new, the underlying reporting regulations date back to January 2013.  To the extent that any entity has had an unreported ransomware attack since then, that entity should review and determine whether reporting is necessary in light of this new guidance.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.

Commenters Dispute FCC’s Proposed ISP Privacy Opt-In Rules – The Federal Communications Commission (“FCC”) received more than 276,000 public comments on its proposed broadband Internet service provider privacy rules.  Of these, two academic submissions received near the July 6 deadline approach the matter from opposing viewpoints and differ in their predictions of the proposed rules’ effectiveness.  These submissions reflect a wider debate among supporters and opponents of the measures as to whether the rules will help or hinder consumers’ privacy choices.

In a July 11 letter, the International Center for Law and Economics (“ICLE”) focused on the portion of the FCC’s Notice of Proposed Rulemaking that would require what the FCC’s 2015 Open Internet Order termed “Broadband Internet Access Service” (“BIAS”) providers to obtain “opt-in” consent before using or sharing customer information for purposes beyond delivering the service, such as non-communications marketing.  The ICLE notes that this rule would not apply to other service providers in the Internet ecosystem (including “social media networks, operating systems, browsers, data brokers, and search engines”) that also access and may collect users’ personal information; those providers would remain subject to the Federal Trade Commission’s (the “FTC’s”) generally applicable opt-out regime.  The ICLE argues that by establishing a higher standard for a subset of service providers, the FCC would distort the market and potentially increase consumer costs.  The ICLE suggests that the rule could also confuse consumers, who may mistakenly expect that the opt-in election they make with their BIAS provider will apply to other services they use online.

In a comment submitted July 5, Aleecia M. McDonald, former co-chair of the World Wide Web Consortium’s Tracking Protection Working Group, positions the FCC’s opt-in proposal in the context of other online privacy regulations in the U.S. and internationally.  She sees no support for the concern that an opt-in rule will confuse consumers, and cites the European Union’s invalidation of the U.S.-EU Safe Harbor as an independent reason to adopt an opt-in mechanism more in line with the European regime.  Finally, McDonald cites the example of NebuAD, the company that in 2008 contracted with a number of Internet service providers to target advertising to customers using their browsing data on an opt-out basis.  Referring to the difference between, on the one hand, the majority of users who report in surveys that they do not want their information used for advertisements, and on the other hand the reported one percent of customers who actually opted out of NebuAD’s targeting, she suggests that such a stark difference confirms that opt-out regimes do not adequately protect consumers.

The FCC’s Notice of Proposed Rulemaking is captioned In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, and was released April 1, 2016.  It follows from the FCC’s 2015 Open Internet Order, which reclassified BIAS under Title II of the Communications Act.  In addition to the opt-in requirements, the FCC’s notice also sought comment on whether to require BIAS providers to disclose their privacy policies, whether to provide additional protections for BIAS customers’ personal information depending on its content or category (such as geolocation data), and whether to impose minimum data security obligations on BIAS providers.

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.

Michigan Court Holds That Pandora Users Are Not Customers Under State Law, Further Narrowing Streaming Privacy Laws – On July 6, 2016, the Michigan Supreme Court held that a Pandora user was not a “customer” entitled to bring a class action under Michigan’s Video Rental Privacy Act (“VRPA”).

Plaintiff Peter Deacon brought a class action in the United States District Court for the Northern District of California against Pandora, claiming that the music-streaming company violated Michigan’s video privacy law by posting his music preferences on Facebook and making his preferences available via an internet search. The federal district court ruled in favor of Pandora, and on appeal, the U.S. Court of Appeals for the Ninth Circuit certified the following question to the Michigan Supreme Court:

“Has Deacon stated a claim against Pandora for violation of the VRPA by adequately alleging that Pandora is [in] the business of “renting” or “lending” sound recordings, and that he is a “customer” of Pandora because he “rents” or “borrows” sound recordings from Pandora?”

In a unanimous decision, the seven members of the Michigan court held that Deacon was not a “customer” under the VRPA because he neither rented nor borrowed anything from Pandora. The act is “intended to preserve personal privacy with respect to the purchase, rental, or borrowing of certain materials,” and prohibits the release of any information that indicates the identity of a customer. Accordingly, only customers can sue under the act. A customer is “a person who purchases, rents, or borrows a book or other written material, or a sound recording, or a video recording.”

Relying on a modern dictionary, the court held that Deacon failed to show that he met the requirement that renters contemplate some form of payment for the goods or services rendered, because he used Pandora’s free streaming service.  The court also held that he was not a borrower because he never intended to return, nor actually returned, anything.

The court’s holding was narrow in that it did not address whether individuals who pay for subscriptions to Pandora’s commercial-free service are customers. The court also did not decide whether Pandora itself engages in the business of renting or lending music under the state law. As such, the court did not establish whether streaming is or should be considered “lending.” At oral arguments before the Ninth Circuit in February 2015, the plaintiff claimed that Pandora should be defined as a lender because users listen to songs on Pandora, but do not keep them permanently. In response, Pandora urged the Ninth Circuit to instead think of Pandora as a disc jockey who plays music for party-goers but does not lend them music.

The Michigan court’s holding is in line with those of the Third and Eleventh Circuits (see Ellis v. Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015); In re Nickelodeon Consumer Privacy Litig., No. 15-1441, 2016 WL 3513782 (3d Cir. June 27, 2016)) on analogous laws, declining to extend decades-old privacy laws, written with entities like Blockbuster in mind, to a wider range of emerging streaming services.  But at least one other court has been more receptive to efforts to broaden these privacy laws.  The U.S. Court of Appeals for the First Circuit, for example, held in April 2016 that a USA Today app user whose information was disclosed was a “subscriber,” unlike a web user, and could bring a putative class action under the federal Video Privacy Protection Act against the newspaper’s parent company.  The court defined a subscription as “[a]n agreement to receive or be given access to electronic texts or services,” and reasoned that the user subscribed by accepting the paper’s offer to download its app and directly receive texts and videos on the app, even though the user never paid for the app.

The Pandora case will now return to the Ninth Circuit, which will accept or reject the Michigan court’s interpretation.

The Michigan case is In Re Certified Question from the United States Court of Appeals for the Ninth Circuit (Deacon v. Pandora Media, Inc.), docket number 151104. The First Circuit case is Yershov v. Gannett Satellite Information Network, case number 15-1719.

Reporter, Bethany Rupert, Atlanta, +1 404 572 3525, brupert@kslaw.com.