November 14, 2016

Data, Privacy & Security Practice Report – November 14, 2016


D.C. District Court Dismisses Cybersecurity Suit Against The IRS – On November 2, 2016, Judge Rosemary Collyer of the U.S. District Court for the District of Columbia dismissed a class action cybersecurity lawsuit against the Internal Revenue Service (“IRS”) for lack of standing and failure to state a claim.

The lawsuit stems from a breach in the IRS’s Get Transcript system, which operated from January 2014 to May 2015.  The system was designed to allow taxpayers to access their prior-year tax information online.  It was shut down in May 2015 when the IRS noticed unusual activity, leading to the discovery that 330,000 records had been improperly accessed by hackers between February and May 2015.  The records included a broad range of taxpayer information, including personally identifiable information (“PII”).

The plaintiffs—three individual taxpayers—brought the class action suit against the IRS in August 2015 after the agency’s disclosure.  According to the complaint, two of the plaintiffs had fake tax returns filed in their name.  The third plaintiff was notified by the IRS that her information was compromised by the Get Transcript system and thereafter suffered two instances of fraud on her bank accounts.

In the suit, the plaintiffs alleged that (i) the IRS’s operation of the Get Transcript system violated the federal Privacy Act, (ii) the release of their PII violated the Internal Revenue Code, and (iii) the IRS’s failure to abide by federal information security laws and regulations was “arbitrary and capricious” such that the IRS should be enjoined under the Administrative Procedure Act.  The complaint referenced a report by the Treasury Inspector General for Tax Administration, which stated that certain IRS security systems did not meet federal guidelines and specifically recommended higher security for the Get Transcript system.

Relying heavily on the Supreme Court’s 2013 decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), and on the 2014 D.C. District Court’s decision in In re Science Applications International Corp. Backup Tape Data Theft Litigation, 45 F. Supp. 3d 14 (D.D.C. 2014) (“SAIC”), Judge Collyer dismissed much of the suit on standing grounds, including all of the claims asserted by one of the plaintiffs.

As to one of the plaintiffs, the court specifically found that she had failed to demonstrate that the fraudulent activity in her bank accounts was caused by the breach of the Get Transcript system.  The only evidence this plaintiff offered in the complaint was that the fraudulent activity occurred after the IRS data breach and that she had not received notification of any other breaches of her PII.  Under SAIC, which is one of the leading cases in the data breach standing area, a plaintiff must put forward sufficient facts to show that the injuries can be traced to the specific breach incident.  Thus, this temporal connection, the court found, was not enough to confer standing.

The court held that the other two plaintiffs had standing for their Privacy Act and Internal Revenue Code claims, but only as to identity theft related to the fake tax filings.  Those plaintiffs’ other claimed injuries—risk of future harm, costs of credit monitoring, and diminished value of personal information—were held to be too ephemeral to confer standing.  Here, the court specifically relied upon Clapper and SAIC, which held that similar speculative harms, as well as harms that a plaintiff imposes on herself to protect against such speculative harm, cannot create standing, even if the fears of such harms are rational.  The court also dismissed the Administrative Procedure Act claims for lack of standing on the grounds that the plaintiffs had failed to demonstrate a risk of continuing harm justifying injunctive relief.

The court then dismissed the remaining claims for failure to state a claim.  Specifically, Judge Collyer held that the Privacy Act requires claims of actual damages, and because the only harm that the plaintiffs adequately pled—duplicate tax returns—did not cause them monetary harm, the complaint could not support a claim under the Privacy Act.  The court also held that the plaintiffs’ claims under the Internal Revenue Code were barred by sovereign immunity.  The Internal Revenue Code only allows a suit where an IRS employee knowingly or negligently releases taxpayer information.  Here, however, the plaintiffs’ claim was that the IRS failed to properly design the Get Transcript system to safeguard the information, leading to disclosure.  This claim, the court found, was too attenuated to meet the sovereign immunity exception under the Internal Revenue Code.  

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.

China Promulgates New Cybersecurity Law – On Monday, November 7, 2016, the Standing Committee of the National People’s Congress of China promulgated a new cybersecurity law, providing the Chinese government with sweeping authority to regulate and monitor internet services. The impetus for the law was a perceived threat to local Chinese networks from malicious hackers, but the bill greatly affects both domestic and foreign companies operating within China’s borders and covers a wide range of activity relating to the use of the internet and information and communications technologies (“ICT”).  Among other provisions, the new law imposes data localization, surveillance, and real-name requirements.

More than 40 business groups from the U.S., Europe, and Asia petitioned Chinese Premier Li Keqiang in August, arguing that the new law would isolate China from the wider digital economy and could actually have the unintended effect of putting data security at risk. The critics pressed the Chinese government to make major changes to the law, but contentious provisions remained in the final draft passed by China’s legislature last week.

Of particular concern to businesses, the data localization rules will require businesses operating in “critical” areas to store inside China any personal information or important data that they gather within the country.  The law’s definition of “critical” is expansive, including ICT services, energy, transport, water resources, finance, and e-government.  Multinational companies have expressed concern that the hindrance on cross-border flow of business data will require expensive new investments in infrastructure to carry on business and will actually increase the risk of data theft. 

The surveillance requirement imposes a duty upon companies to report “network security incidents” to the Chinese government and to inform consumers of breaches, in addition to providing “technical support” to government agencies during investigations.  These terms are undefined, and some fear this provision will require businesses to reveal proprietary technologies and turn over security keys for inspection. 

The cybersecurity law will also mandate that instant messaging services and other internet companies require users to register with their real names and personal information, and to censor content that is “prohibited,” which is also an undefined term.  Commentators have noted that real-name policies have a self-censoring effect on online communications.  The new law also criminalizes certain categories of content, including that which encourages “overturn[ing] the socialist system,” “creating or disseminating false information to disrupt the economic or social order,” or “inciting separatism [or] undermining national unity.” 

The broad array of regulations and potential punishments within the new law will serve primarily to enhance China’s control over domestic internet activity, but the method of implementation and enforcement remains to be seen, as the law is not slated to go into effect until June 1, 2017.

Reporter, Nicole M. Pereira, New York, NY, +1 212 556 2132, npereira@kslaw.com.

Adobe Settles With 15 States For 2013 Data Breach – Adobe Systems, Inc. (“Adobe”) agreed to settle an investigation by 15 states related to an incident in 2013 in which Adobe was the victim of a data security breach that exposed the user name, account information, and credit card information of approximately 38 million individuals.  The hackers were able to gain access to Adobe’s internal system through a public-facing server.  Once within the system, the hackers accessed users’ credit card information and other account details by cracking Adobe’s encryption.  At the time of the breach, Adobe was using the same encryption key for all passwords.  The technology company first announced that the security breach affected three million users; however, its subsequent investigation revealed that it involved more than 30 million individuals.

In the wake of the security breach, Attorneys General from 15 states—Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont—conducted an investigation of Adobe’s security breach response to determine whether Adobe had taken “reasonable measures” to protect itself from and detect the breach.  (Of the millions of individuals who potentially had their information exposed, 534,000 affected individuals resided in these 15 states.)  The multistate investigation concluded that Adobe’s security system was not reasonable because Adobe had public-facing servers, and it should have reasonably anticipated that these servers would be vulnerable to a security breach. 

Last week, Adobe agreed to pay $1 million to be divided among these 15 states as well as comply with several additional security precautions in an Assurance of Voluntary Compliance Agreement (“Agreement”).  The Agreement provides that Adobe will (i) conduct reviews of its security policies and procedures at least twice a year; (ii) timely notify individuals and respective State Attorneys General of any future breaches; and (iii) comply with state security statutes by integrating additional security measures into its system, such as effectively segregating payment card information from access by public-facing servers, employing tokenization for payment card numbers, and maintaining an alert process if its systems are not operating normally.  In addition, within the next four months, Adobe must participate in an audit by a third party and provide the results to the Connecticut Attorney General, the lead state in the investigation, to ensure that its systems are, in fact, more secure.  If Adobe fails to fulfill the terms of the Agreement, then the respective State Attorneys General may file civil claims against it.

This is not the first settlement that Adobe has reached to resolve legal action in the wake of the security breach.  Six lawsuits were filed on behalf of individuals in federal court and consolidated before District Judge Lucy H. Koh of the Northern District of California.  Adobe settled these cases for an undisclosed amount on August 13, 2015.  As part of that settlement, Adobe agreed to pay $1.18 million in attorneys’ fees to plaintiffs’ counsel.

Adobe’s post-breach experience highlights that the lifecycle of dealing with the aftermath of a security breach can be years—rather than days or months—with ongoing settlements that continue to impact the company.  Because the total amount paid by Adobe in settlements for the 2013 security breach is unknown, it is impossible to determine the financial impact of the 2013 breach on Adobe; however, based on the relatively low amount of the settlement with the State Attorneys General and the comparatively reasonable attorneys’ fees payment to end the civil litigation brought by the individuals affected by the breach, it appears that Adobe was able to manage this security breach so as to minimize its financial impact.

Reporter, Julie A. Stockton, San Francisco, CA, + 415 318 1256, jstockton@kslaw.com.

FTC Publishes Data Breach Response Guidelines – On October 25, 2016, the Federal Trade Commission (“FTC”) published a guide titled “Data Breach Response: A Guide for Business” outlining a high-level set of steps that businesses should take in order to prepare for and respond to data breaches.  The guide is generally applicable to all businesses that handle personal information, and breaks data breach response actions into three categories: (i) securing operations, (ii) fixing vulnerabilities, and (iii) notifying appropriate parties.  The FTC’s guide does not break new ground for data breach response best practices, but it does present a fairly accurate picture of practices that regulators generally consider reasonable. 

In the wake of a data breach, in order to take the first step of securing operations, the FTC recommends engaging outside counsel with privacy and data security expertise and engaging a data forensics team to identify the source and scope of the breach.  Companies should take steps to stop additional data loss while preserving evidence that could be pertinent to investigations.  “Fixing vulnerabilities” entails assessing third-party service providers, checking system segmentation, and working with the forensics team to identify and carry out remedial measures.

The FTC guide is largely concerned with the third category: notifying appropriate parties.  The guide acknowledges that there is a wide range of legal requirements depending on the applicable jurisdiction or jurisdictions and the type of information at issue.  While the information provided is somewhat general, the guide does include links to additional resources.  The guide also includes a model letter for consumer notification and a video explaining the guidance.

The FTC, which is the primary data privacy regulator for most consumer-facing industries, has also recently published two related guides: “Start with Security: A Guide for Business,” which contains lessons from recent FTC enforcement actions, and “Protecting Personal Information: A Guide for Business,” which describes proactive measures companies can take to secure data before a data breach occurs.  The guides, taken together, are in line with current best practices and guidance issued by other regulators (including, for example, the Department of Justice’s 2015 guidance).  The FTC’s guidance and enforcement on data privacy issues often sets the tone for other regulators, and the FTC has demonstrated a willingness to take a leadership role in collaborating with regulators like the Federal Communications Commission on enforcement actions.

Section 5(a) of the FTC Act gives the Commission broad authority to regulate “unfair or deceptive acts or practices in or affecting commerce.”  The FTC maintains that a failure to comply with reasonable data privacy and security practices can constitute an “unfair” practice.  Companies that handle customer information should therefore pay close attention to the practices that the FTC identifies as “reasonable,” including practices described in the data breach response guide and video.  Establishing that a company’s practices in the aftermath of a data breach were in accordance with FTC guidance can be a substantial part of the reasonableness analysis that the FTC will undertake during an enforcement action.  Additionally, companies that are already under a consent decree requiring them to maintain reasonable data breach response practices should look to the FTC’s data breach guide as a roadmap for structuring their practices and complying with their obligations.

Reporter, Tom Randall, Washington, D.C., +1-202-626-5586, trandall@kslaw.com.