District Court Dismisses Most Claims Related to Heartland Data Breach

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.

As early as December 2007, a ring of hackers, led by notorious cyber-criminal Albert Gonzalez, gained access to Heartland’s computer systems and installed programs that allowed them to obtain the payment-card information stored on those systems. The breach continued over the course of many months before Heartland discovered the rogue programs in January 2009, by which time the hackers had already obtained the payment-card information of approximately 130 million consumers.

As a result of the massive breach, one of the largest ever involving payment-card information, numerous lawsuits were filed against Heartland by both consumers whose payment-card information was compromised and financial institutions that issued payment cards to the affected consumers. Those lawsuits were consolidated and split into two tracks, one that addressed the claims of the consumers and one that addressed the claims of the financial institutions.

Heartland has settled the majority of the lawsuits stemming from the breach. Last year, Heartland settled the consumers’ claims, agreeing to pay up to $175 to each consumer to cover out-of-pocket expenses and charges incurred due to the breach and up to $10,000 to victims of identity theft resulting from the breach. Heartland also agreed to settlements with the four major payment card brands and the financial institutions that utilize their networks to issue credit to consumers, agreeing to pay $3.6 million to American Express, $60 million to Visa, $41.1 million to MasterCard, and $5 million to Discover. However, the financial institutions were not bound by these settlements unless they chose to accept their terms. Although most financial institutions did so, some determined that the proposed settlements did not adequately cover their losses from the breach and instead elected to reject the settlements and litigate the matter.

The resulting litigation is an ongoing class action lawsuit against Heartland. The financial institution plaintiffs alleged that the breach of Heartland’s computer systems resulted from Heartland’s failure to adequately safeguard its computer systems and caused the plaintiffs to incur significant expenses replacing credit and debit cards and reimbursing fraudulent transactions. The financial institution plaintiffs’ complaint (PDF) asserted claims for breach of contract and implied contract; negligence and negligence per se; negligent and intentional misrepresentation; and violations of the consumer-protection statutes in California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington.

In a December 1, 2011 opinion, Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas granted Heartland’s motion to dismiss (PDF) with respect to all but one of the claims asserted by the financial institution plaintiffs. Judge Rosenthal dismissed the contract claims because the plaintiffs were: (1) not in a direct contractual relationship with Heartland; (2) not third-party beneficiaries of Heartland’s contracts with other banks; and (3) not entitled to consequential damages. He dismissed the negligence claims because the plaintiffs’ damages were solely economic in nature and thus barred by the economic loss doctrine. The consumer-protection claims were dismissed for various reasons, including that the plaintiffs were not “consumers” protected by the state statutes.

Heartland’s alleged violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) was the lone claim that survived Heartland’s motion to dismiss. Heartland argued in its motion to dismiss that the plaintiffs lacked standing to assert a claim under the FDUTPA because only consumers, as the word is traditionally used, may assert such claims. In denying Heartland’s motion to dismiss, Judge Rosenthal highlighted that in 2001 the Florida Legislature amended the statutory provision that creates a private right of action for violations of the FDUTPA to use the word “persons” instead of “consumers” when identifying who may bring a claim. To this point, he stated that the “Florida Legislature’s use of word ‘person’ in creating a private right of action suggests a broader reach than the word ‘consumer.’”

Although all of the plaintiffs’ other claims were dismissed, the court granted the plaintiffs leave to amend their claims for breach of contract and implied contract (but only in certain limited situations); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer-protection statutes. However, the claims for negligence and violations of the consumer-protection statutes in New Jersey, New York, and Washington were dismissed with prejudice and without leave to amend. The plaintiffs must file the amended complaint by December 23, 2011.

California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California governor Jerry Brown and will take effect January 1, 2012. Since 2003, when California enacted the first data breach notification laws of their kind (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of personal information, but it did not specify the type of information that should be contained in the notification. California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies – TransUnion, Equifax and Experian – if the breach exposed a Social Security number, driver’s license number, or California identification card number. Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation. The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification – excluding any personally identifiable information – to the Attorney General.

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post here for more information.

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches. All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), of any data security breach. A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently, each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request.

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the responsiveness and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to 5 years in prison and a fine of three hundred thousand euros (300,000 €). The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regard to the fine, it should be noted that the maximum sanction for companies is multiplied by five (5), bringing the maximum fine to one and a half million euros (1,500,000 €).

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government-approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.

House Subcommittee Holds Hearing on Breach Notification Proposal

A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short time frame -- within 48 hours of discovering a breach. The draft legislation, which was presented by Rep. Mary Bono Mack (R-CA), is based upon a similar proposal that passed the House in 2009 but stalled in the Senate.

Rep. Bono Mack, the Chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, called the draft bill “an upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.” The proposed legislation would:

  • Preempt the breach notification laws that have been passed in 46 states and the District of Columbia;
  • Require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data (in accordance with regulations that would be issued by the FTC);
  • Require covered organizations to establish a data minimization plan providing for the elimination of consumers’ personal data that is no longer necessary for business purposes or other legal obligations;
  • Require the notification of law enforcement within 48 hours after discovery of a breach, unless the breach was an innocent or inadvertent breach unlikely to result in harm;
  • Require companies and other entities to notify the FTC and to begin notifying consumers 48 hours after completing an assessment of a breach (unless the assessment indicates that there is “no reasonable risk of fraud, identity theft, or other unlawful conduct” from the breach); and
  • Allow the FTC to issue regulations modifying the definition of “personal information.”

These requirements would be enforced by the FTC and state attorneys general. The draft bill does not provide for a private right of action, and it specifically exempts from coverage entities subject to GLBA and HIPAA data security requirements.

At yesterday’s hearing before the Subcommittee on Commerce, Manufacturing, and Trade—which also held a hearing on June 2 regarding the Sony and Epsilon breaches, as well as a general hearing on May 4 about the ongoing threat of data breaches to consumers—reactions to the Bono Mack proposal were mixed. FTC Commissioner Edith Rodriguez, a witness at the hearing, expressed concern that the draft bill did not set a specific deadline for the risk assessment that a company must complete following a breach. “There ought to be some form of cutoff period to ensure that consumers receive appropriate notification,” Rodriguez said.

One lawmaker criticized the draft bill’s data minimization requirements, noting that data about consumers may be retained for a long period of time for good reason, while others said the proposal went too far by giving the FTC authority to change the definition of personal information and by requiring notification when there is a “reasonable” risk of harm (instead of the narrower “significant” risk standard).

If the draft legislation is formally introduced in the House—and Bono Mack has said she is hoping to move the bill through the chamber before the August recess—it will join a growing number of privacy and data security bills that have been introduced in Congress this year. Indeed, on the same day as the hearing on the Bono Mack proposal, Senators John Rockefeller and Mark Pryor introduced legislation that would also require companies to safeguard personal information and inform consumers in the event of a breach. Separately on that day, Senators Al Franken and Richard Blumenthal introduced a bill that would require mobile device makers and app developers to obtain consumers’ express consent before collecting and sharing their location information.

Upcoming Webinars on Privacy Developments in Washington and Data Security Breach Notification Laws

Two webinars, one afternoon. On Thursday, February 24, Hogan Lovells Privacy and Information Management Practice Director Chris Wolf will participate in a BNA webinar (along with Senior Governmental Affairs Advisor Nancy Granese of Hogan Lovells and Jules Polonetsky of the Future of Privacy Forum) on privacy developments in Washington, and an Experian webinar on data security breach notification laws (along with Reed Freeman of Morrison & Foerster and Tony Hadley of Experian). Both pay-to-view programs are open for sign-up now.

What to Expect from Washington in Privacy Law in 2011

Privacy is a non-partisan issue, and 2011 is being viewed as the year in which significant changes may emerge. Media attention has focused on online collection and use of consumer data for marketing purposes, and government access to personal data stored in the “cloud”. Meanwhile, proposals for change in the US privacy framework have emerged from the Federal Trade Commission, Department of Commerce, and the U.S. Congress. Additionally, proposals for privacy law reform have been proposed in the European Union.

This BNA webinar will focus on Washington’s influence on privacy law reform, and provide the insiders' view of what changes are likely coming in 2011.

Program Highlights:

  • Learn what the realistic prospects are for new privacy laws and regulations.
  • Which privacy best practices may emerge from the recent proposals for reform?
  • What will the FTC and the Department of Commerce do in the privacy and data security realm?
  • Hear an evaluation of the role of self-regulation.
  • Who are the players in Washington who can affect privacy policy changes?

You may register here.

State Legislation Past and Present: The Effects of Data Breach Notification and Resolution

In 2010, security breach-related legislation was revised or newly enacted in five states and introduced in at least 18 additional states. Join us for a discourse on the effects and new developments state laws have imposed on data breach notification and resolution.

Learn how companies that have experienced breaches have fared given the new laws and what lessons have been learned. Our panel of privacy experts will address specific examples of how data breaches occur and what steps their clients have taken to mitigate the risk of a breach in the first 72 hours. They will investigate how these laws have been applied in real-life scenarios and the implications for:

  • Data breaches resulting from third party vendors
  • Data leakage and referring headers
  • How breach laws affect medical laws already in place
  • Cyber risk insurance and what it means to compliance

You may register here.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

The focus of the consultation is whether the current sanctions available to the ICO are sufficient. Last month we reported on the government’s consultation on possible prison sentences for serious breaches of the DPA, and this latest consultation builds on the same theme. The current maximum financial penalty the ICO can impose against a data controller for data breaches is £5,000, which is fairly negligible and seriously undermines the ICO’s authority. Other regulators, such as the FSA, have much greater powers and may impose severe penalties of up to 10% of an organisation’s turnover; the disparity in approach is obvious. The government’s aim, therefore, is to increase the monetary penalties available to the ICO, to increase compliance with the DPA as well as increase public confidence in the system. It is noted that incidences of data loss and other serious breaches of the DPA are increasing, yet the ICO has limited powers to address the problems.

The question posed by the consultation is very simple: “Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?” We might predict a resounding ‘yes’ to this, but must wait and see. We do know, however, that, due to the likely administrative burden, the ICO have already rejected an assessment of penalties based on a data controller’s turnover, so a fixed maximum penalty of up to £500,000 (or possibly a different sum) will be adopted.

Further details of the consultation and the proposed introduction of the maximum civil monetary penalty for serious breaches of the DPA can be accessed through the Ministry of Justice website. The link also includes the ICO’s draft guidance on the criteria and circumstances it will consider when using civil monetary penalties. As a rough guide, the seriousness of the breach and whether or not it was deliberate will be important factors, as is the prospect of substantial damage and distress caused, or likely to be caused.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL. Senators Détraigne and Escoffier delivered last May a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data. This provision is intended to end the debate in France on whether IP addresses are personal data. Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches. The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks. French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.

Debates on the text will begin in March 2010. It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive. Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.

Rocky Mountain Bank Settles Gmail Disclosure Case: Controversial Case Sought to Avoid Breach Notification and Froze User's Account

It appears that Rocky Mountain Bank v. Google (ND CA), a dispute over the disclosure of a Gmail user's account, has been settled according to this newspaper report. When an employee of the bank sent a file containing names, addresses, tax ID numbers and loan information on more than 1,000 customers to a Gmail account by mistake, the Bank sued Google to get the transmittal back and to confirm that the information sent was not inappropriately accessed. The bank obtained a court order preventing Google or its unknown Gmail account holder from accessing the file, which froze e-mail access for the unknown user. This order created some controversy, as reflected here.

One of the purposes of the lawsuit was to determine whether data security breach notification obligations had been triggered. The bank sought to seal the entire record of the case, but the district court refused to seal the proceedings regarding the Gmail account. A copy of the District Court's decision is here. Sealing the record was something the plaintiff bank wanted in order to avoid prematurely (and perhaps unnecessarily) announcing a data security breach. Indeed, a major goal of the lawsuit was to seek information that would allow the Bank to avoid announcing a data security breach, but that goal was undermined by the court's refusal to seal the fact of the lawsuit (although parts of the record itself were sealed).

For many companies who misdirect e-mails containing PII, it has been a given that the misdirection alone constitutes a "breach" requiring notification to the person whose PII was in the e-mail. This case suggests that even where e-mail is misdirected, if the facts reveal that the unauthorized recipient never opened the e-mail, or for other reasons did not access the information under the definitions in the breach laws, then notice may not be required.