October 10, 2014

Cybersecurity Litigation Monthly Newsletter October 2014

By Ronald A. Sarachan and Zoë K. Wilhelm

Significant Case Developments 

P.F. Chang’s Seeks Dismissal of Data Breach Class Actions, Arguing the Existence of an Express Contract and Lack of Damages Preclude Claims
Lewert v. P.F. Chang’s China Bistro, Inc., No. 1:14-cv-04787 (N.D. Ill.).

As we described in July and September, P.F. Chang’s was hit with three putative class actions following its announcement of a point-of-sale data breach. On August 29, P.F. Chang’s moved for dismissal of the first two cases, now consolidated in the Northern District of Illinois. In their complaints, plaintiffs John Lewert and Lucas Kosner alleged that by failing to safeguard customer information, P.F. Chang’s breached an implied contract and violated consumer protection laws. The plaintiffs did not bring a breach of express contract claim. P.F. Chang’s argues that the plaintiffs acknowledge the existence of an express contract by alleging that “a portion of the services [they] purchased” at P.F. Chang’s was “compliance with industry-standard measures” for data security and that they were “deprived of the full monetary value of [their] transaction.” The existence of an express contract, P.F. Chang’s argues, precludes the implied contract and consumer fraud claims. In addition, P.F. Chang’s further argues that the plaintiffs failed to allege harm because, inter alia, they are not responsible for paying any fraudulent charges, purchasing credit monitoring services is “an unreasonable response to the data compromise,” and payment of menu prices is not “overpayment” since they could not have negotiated a discount.

In a response brief filed September 22, the plaintiffs deny the existence of an express contract and argue that even if one does exist, it is silent as to data security obligations and therefore does not preclude the other claims. They also maintain that they have adequately alleged actual harm through specific fraudulent charges on Mr. Kosner’s debit card, the deprivation of reward points while Mr. Kosner waited for his card to be reissued, the purchase of credit monitoring services, and the payment for meals that  the plaintiffs would not have purchased had they “known that their information would be stolen.”

Texas Court Exercises Personal Jurisdiction Over Virginia Defendants Based on Alleged Hacking Activities “Directed at” Texas Resident
Francis v. API Technical Servs., LLC, No. 4:13-cv-00627, 2014 U.S. Dist. LEXIS 127129, 2014 BL 254883 (E.D. Tex. Sept. 11, 2014).

In a September 11 opinion, an Eastern District of Texas court adopted the magistrate judge’s recommendation and ruled that allegations of “purposeful activities directed at a known resident of Texas” were sufficient to subject the two Virginia defendants to suit in Texas court. These purposeful activities included allegedly accessing or directing others to access the plaintiff’s Gmail accounts, using the plaintiff’s emails, and hacking into the plaintiff’s home IP address. The defendants face claims of fraud, breach of contract, intrusion on seclusion, and violations of the Computer Fraud and Abuse Act, Stored Communications Act, an unspecified “Federal Wiretapping Statute,” and the “Texas Wiretapping Statute.” Meanwhile, the defendants in this case have separately filed suit against the plaintiffs in Virginia court alleging a “systematic campaign to steal API’s confidential and proprietary business information, unlawfully interfere with API’s business, and usurp API’s business opportunities.”

Cybercrime in the News

Signaling Post Snowden Era, New iPhone Locks Out NSA, N.Y. Times (Sept. 26, 2014).

Companies’ Worst Hacking Threat May Be Their Own Workers, Bloomberg Businessweek (Sept. 26, 2014) [Subscription required].

Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant, N.Y. Times (Sept. 25, 2014).

Jimmy John’s Reveals Breach of Credit, Debit Data, Chicago Tribune (Sept. 24, 2014).

The Masked Avengers, New Yorker (Sept. 8, 2014).

Europol Launches Taskforce to Fight World’s Top Cybercriminals, The Guardian (Sept. 1, 2014).

Government Enforcement

FDIC Chairman Remarks on Cybersecurity

During his September 22 remarks at the American Banker Regulatory Symposium in Arlington, Virginia, FDIC Chairman Martin J. Gruenberg called cybersecurity an issue of “highest importance” for the FDIC and discussed the FDIC’s recent initiatives to address cybersecurity as a critical operational risk for large and small banks alike, including:

  • A new framework for conducting IT examinations in partnership with the Federal Financial Institutions Examination Council (FFIEC), including “published standards, examination procedures, routine on-site inspections, and enforcement capability.”
  • The Cybersecurity and Critical Infrastructure Working Group, an inter-agency liaison with law enforcement to help the banking agencies share information, collaborate regarding examination policy, and coordinate responses to cybersecurity incidents. Chairman Gruenberg announced that the Working Group is undertaking an assessment of the banking sector's overall readiness to address a significant cyber threat.
  • The FDIC "Cyber Challenge," an online resource designed to help community banks assess their own preparedness to address a cybersecurity incident.
  • A new requirement that community banks’ third-party technology service providers (TSPs) update their client financial institutions on any operational concerns the FDIC identifies at the TSP during an examination, and clarifying the FDIC’s expectations with regard to actions community banks should take when problems are identified at their TSP, including “zero-cost resources that can assist them in assessing their vulnerability to cyber threats.”

Chairman Gruenberg also emphasized that “internet cyber threats have rapidly become the most urgent category of technological challenges facing U.S. banks,” and that cybersecurity “needs to be engaged at the very highest levels of corporate management.”

International

EU Data Protection Working Party Opines on Level of Protection Needed for Smart Devices

On September 23, the Article 29 Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC, released an opinion on safeguarding data in the internet of things. The “internet of things” (IoT) refers to connected devices other than computers and smart phones. The Working Party opinion focused on three types of IoT applications: wearable devices (e.g., Google Glass, Apple Watch), quantified self devices (e.g., Fitbit), and home automation devices or “domotics” (e.g., smart thermostats). According to the Working Party, IoT devices raise particular data protection and privacy concerns because:

  • Data subjects generally have less control over and/or a lack of awareness of what information is collected;
  • The lack of information about what data is collected and used for interferes with data subjects’ ability to consent to the data’s collection;
  • The increased amount and aggregation of data can lead to data repurposing and behavior profiling;
  • Devices have a limited ability to allow users to remain anonymous; and
  • Efficiency often trumps security.

The Working Party maintains stakeholders in any IoT device present in the European Union may qualify as data controllers and therefore be subject to EU privacy and data protection laws, whether or not the stakeholders are themselves present in the European Union. Stakeholders include device manufacturers, third-party application developers, and social platforms that interact with device data. After discussing the legal requirements that apply to data controllers and the rights of data subjects, the Working Party made numerous specific, practical recommendations. A small selection of these recommendations are:

  • Implement privacy by design or by default;
  • Perform privacy impact assessments;
  • Give data subjects the maximum control over their data;
  • Inform data subjects about what data is collected and frequently remind them that sensors are collecting data;
  • Provide tools that allow data subjects to read and edit the data before it is processed;
  • Notify users when security vulnerabilities are detected; and
  • Delete raw data when it is no longer needed.

New Filings

Company Spoofed in a Spear Phishing Scheme Hit with a Data Breach Class Action
Rogers v. SP Plus Corp., No. 2014-CH-15575 (Ill. Cir. Ct., filed Sept. 25, 2014).

After applying for a job at SP Plus Corporation, a parking, transportation, maintenance, security and event logistics services provider, plaintiff Travis Rogers allegedly received an email appearing to be from SP Plus’ recruiting department that requested him to provide certain personal information in a docusign file. Mr. Rogers later received an email from SP Plus revealing that the docusign email was not legitimate and was in fact a “Spear Fishing attack.” On September 25, Mr. Rogers filed a putative class action on behalf of all Illinois residents “who applied for employment with [SP Plus] and who was subject to a Spear Fishing [sic] attack” alleging that SP Plus’s failure to prevent the spear phishing attack constituted negligence, breach of implied contract, and a violation of the Illinois consumer fraud statute. According to the complaint, Mr. Rogers and the putative class members suffered “damages including, but not limited to loss of money and costs incurred as a result of increased risk of identity theft.”

Community Health Systems Hit with Four More Health Care Data Breach Class Actions
Roman v. Community Health Systems, Inc., No. 3:14-cv-01705 (M.D. Pa., filed Aug. 29, 2014).
Lawson v. Community Health Systems, Inc., No. 3:14-cv-00712 (S.D. Miss., filed Sept. 11, 2014).
Glah v. Community Health Systems, Inc., No. 2:14-25783 (S.D. W. Va., filed Sept. 15, 2014).
Brito v. Alta Vista Regional Hospital, No. 412-CV-201400316 (N.M. Dist. Ct., filed Sept. 19, 2014).

Last month, we reported that patients had filed a putative class action in the Northern District of Alabama against hospital operator Community Health Systems following a data breach affecting 4.5 million patients. Community Health now faces four additional putative class actions in New Mexico state court and federal courts in Pennsylvania, Mississippi, and West Virginia. The Brito, Glah, and Lawson complaints were all modeled on the first-filed Alverson case with many paragraphs copied word for word. With some variation between cases, the claims alleged include breach of express and implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment, money had and received, negligence, negligence per se, wantonness, invasion of privacy, and violations of the Fair Credit Reporting Act. The Brito complaint also includes a claim for violation of the New Mexico consumer fraud statute. As in Alverson, the plaintiffs claim that they suffered damages because a portion of their payments to the hospitals was “intended to pay for the administrative costs of data security” and the data security was allegedly inadequate and because they will be forced to incur the cost of credit monitoring.

The Pennsylvania Roman complaint focuses on an alleged discrepancy between Community Health’s level of data protection and the “express promises” in its privacy policy, code of conduct, and statement of patient rights. According to the complaint, this discrepancy gives rise to claims for violation of the Pennsylvania consumer fraud statute, breach of express or implied contract, and unjust enrichment. Ms. Roman alleges that she and the putative class members would have paid less for services had they known of Community Health’s “substandard” data security.

Former Military Serviceman Files Putative Class Action Against Government Health Care Contractor Following Data Breach
Fernandez v. Leidos, Inc., No. 2:14-at-01208 (E.D. Cal., filed Sept. 26, 2014).

On September 26, Martin Fernandez filed suit in the Eastern District of California against Leidos, Inc. and Science Applications International, Inc. (SAIC) on behalf of a putative California class of current and former military servicepersons and their family members who participated in TRICARE, the military health benefits system of the Department of Defense. The defendants were government contractors that provided the Department of Defense with health care information management services for TRICARE. According to the complaint, backup tapes containing sensitive personal and medical information were stolen when a low-level employee left them unattended for eight hours in his vehicle in downtown San Antonio. Mr. Fernandez claims that as a result of the data breach, he has experienced several instances of identity theft and medical fraud. He also claims he was denied employment because of the impact of the identity theft on his credit report. The complaint alleges that the defendants’ failure to safeguard the data violated, inter alia, the California Confidentiality of Medical Information Act and the California Unfair Competition Law, and seeks compensatory and punitive damages.

Supervalu Faces Third Data Breach Class Action With New Damages Allegations
St. Pierre v. Supervalu Inc., No. 1:14-cv-13536 (D. Mass., filed Aug 29, 2014).

We reported last month that following an announcement of a point-of-sale data breach at 200 Supervalu stores, consumers filed two putative class actions in the Southern District of Illinois and District of Minnesota. Supervalu now faces a third putative class action, filed August 29 in the District of Massachusetts. In addition to negligence, breach of implied contract, and violations of state consumer fraud statutes – all claims alleged in the earlier filed suits, Mr. St. Pierre brings claims for negligent misrepresentation, unjust enrichment, strict liability and breach of fiduciary duty. The two previous plaintiffs allege damages in the form of unspecified unauthorized charges, the time and cost spent replacing cards and monitoring credit, and the increased risk of identity theft. One of the prior cases additionally alleges emotional distress and diminution in value of personal information. In his allegations of harm, Mr. St. Pierre claims that had he and the putative class members known the security risks, they would have paid less to shop at Supervalu stores or not shopped there at all. He also claims that participation in credit protection services impairs his and the putative class members’ ability to obtain credit.