New Bills Concerning Encryption and Retail Liability

The New Year is bringing renewed attempts to legislate data security. Michigan and Washington both have bills pending that would make retailers liable for payment card data security breaches (Michigan bill – Washington bill). The Washington bill explicitly requires compliance with the Payment Card Industry Data Security Standard to avoid liability.

Both States also have bills that require encryption of personal data (Michigan bill – Washington bill). Both bills require encryption of stored personal data consistent with generally accepted industry standards (undefined). The Michigan bill sets forth criminal penalties for non-compliance, including imprisonment for up to 30 days and a fine of up to $1,000, or both.

New Jersey Security Requirements (including encryption of personal information)

A proposed New Jersey regulation that may be come law in 2008. It has very specific requirements around encryption of personal information at rest and in transit. In particular, if these rules pass organizations would be required to encrypt according to the Federal Information Processing Standard (FIPS) recommended standard, which is the Advanced Encryption Standard (AES) 128-bit to 256-bit. This law also has 20 other fairly specific security requirements.

How will these specific requirements related to other State, Federal, International security requirements? Do the specifics in this regulation harken a movement away from a "technology neutral" approach to information security regulation?

Blogged with Flock

Sears Privacy/Security Double Whammy.

After the resolution of some aspects of the TJX matter in 2007, it looks like another huge retailer has stepped on the privacy/security porcupine for 2008.

Privacy: Sears is suffering some bad press for allegedly placing "spyware" on its customer's computers that allows Sears (and Kmart) to track their Internet usage, including websites visited, searches engaged in and the headings of emails (click here for story)

Security: In addition, Sears has been sued in a $5 million class action for an alleged security breach related to its managemyhome.com website. Apparently, the website allowed any user to type in a customer's name, addresss and phone number (or some combination thereof) and get a complete history of that customer's purchasing history at Sears (click here for story)

So, question to my readers, in the ever-increasing world of e-commerce, how much tracking of customer behavior/Internet usage is too much? And when should it be permissible (if ever) to engage in the type of activity Sears was engaged in?

P.S. Copy of the complaint can be found here.

Stollenwerk v. Tri-West Health – Rise of the Phoenix?

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the “damages” element for a negligence claim. Several courts have dismissed such suits ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically one of landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs’ attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit (“Appellate Court”) recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9^th Cir. November 20, 2007). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

Stollenwerk Background & District Court’s Ruling

In December 2002, Tri-West Healthcare Alliance (“Tri-West”), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program’s members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona (“District Court”) alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt – hereinafter “ID Theft Plaintiff”) alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (e.g. identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica – hereinafter “Credit Monitoring Plaintiffs”), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.

In its September 2005 opinion, the District Court dismissed all of the plaintiffs’ claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize financial credit monitoring expenses to medical monitoring expenses in “toxic tort” cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse affects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that plaintiffs were at significantly increased risk of suffering identity fraud.

The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

The Appellate Court’s Decision

In November 2007, the Appellate Court reversed the District Court’s decision concerning the ID Theft Plaintiff, but upheld the lower court’s ruling on the Credit Monitoring Plaintiffs.

The Credit Monitoring Plaintiffs

With respect to the Credit Monitoring Plaintiffs, the 9^th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:

“In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts.”

The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs’ expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

The ID Theft Plaintiff

The Appellate Court’s opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West’s hard drives. The Court did not make a distinction between “attempts” to open accounts and successful account openings – the Court appeared to conclude that both constituted identity theft. Significantly, the Court’s opinion appears to simply accept that “identity theft” constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.

On the issue of causation, to survive a motion for summary judgment, the plaintiff needed provide evidence from which a reasonable jury could conclude that ID Theft Plaintiff’s injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

(1) Possession: the ID Theft Plaintiff provided Tri-West with his information; (2) Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;

(3) Timing -- Identity Theft Incidents: the six alleged identity theft incidents all occurred after burglary, and the first began about six weeks after the burglary (the last happened about 3 – 4 months after the burglary);

(4) Timing – Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and

(5) Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

The 9^th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court’s grant of summary judgment to the Defendants.

Conclusion

The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9^th Circuit’s decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

The Court’s ruling was favorable for plaintiffs that actually suffer identity theft after a data breach situation. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9^th On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs’ lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing breach data cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs’ bar Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement.