September 10, 2014

Cybersecurity Litigation Monthly Newsletter September 2014

By Ronald A. Sarachan and Zoë K. Wilhelm

Significant Case Developments

LabMD Continues to Challenge FTC Authority in Eleventh Circuit Appeal and Administrative Proceedings While House Oversight Battles Continue: the Plot Thickens

LabMD, the embattled cancer detection laboratory, fully briefed its appeal to the Eleventh Circuit, congressional inquiry into the FTC’s data security enforcement actions continued, and LabMD sought sanctions against the FTC in the ongoing administrative proceedings.

As we discussed in July, Tiversa, a “cyber-intelligence” company, notified the FTC in 2009 that a file containing the personal information of about 9,300 LabMD patients was available on a peer-to-peer file sharing network. The FTC filed an administrative action against LabMD in August 2013, alleging that LabMD’s failure to adequately safeguard its patients’ personal information was an “unfair or deceptive” act or practice in violation of Section 5 of the FTC Act.

The Northern District of Georgia dismissed LabMD’s suit to enjoin the FTC action as nonjusticiable, and LabMD appealed to the Eleventh Circuit. As of August 11, that appeal is fully briefed. In its briefing, LabMD argued that the FTC lacked authority under Section 5 to regulate personal health information data security practices because, inter alia, (1) HIPAA and HITECH provide the sole regulatory scheme applicable to health care data privacy practices, and (2) the FTC’s enforcement action violated due process because of the absence of any administrative guidance regarding what could be considered “unfair” data security practices under Section 5. LabMD called the FTC’s enforcement action an ultra vires “power grab” beyond its congressional grant of authority. The FTC responded by asserting broad authority under Section 5, which it asserted is consistent with HIPAA or HITECH. In late August, the Eleventh Circuit scheduled oral argument.

In the meantime, the House Oversight and Government Reform Committee (Oversight Committee) held a hearing on July 24 titled, “The FTC and its Section 5 Authority: Prosecutor, Judge and Jury,” as it continues to investigate the FTC’s relationship with Tiversa. Tiversa’s cooperation with the FTC on the LabMD and other data security cases was allegedly part of a scheme to extort lucrative data security contracts from health care providers under the threat of FTC action if they were not hired. The Oversight Committee chairman, Darrell Issa (R.- Calif.), reportedly was criticized by Senator Jay Rockefeller (D. - W. Va.) for inappropriately assisting LabMD’s lawyer because the lawyer was a former member of Issa’s staff.

The trial in the FTC’s administrative action stalled after key witness and former Tiversa employee Rick Wallace invoked his Fifth Amendment right against self-incrimination and approached the Oversight Committee with allegations that Tiversa may have manipulated information it gave the FTC regarding LabMD’s security practices. The administrative law judge ruled on August 22 that no action from LabMD is required until the Oversight Committee either grants or denies immunity to Wallace for his testimony to the committee or in the administrative proceedings. On August 14, LabMD asked the administrative law judge for sanctions against the FTC, accusing Tiversa of stealing the LabMD client data at issue and the FTC of failing to authenticate the data it received during its “secretive relationship” with Tiversa. The judge has yet to rule on LabMD’s motion for sanctions.

Court Refuses to Dismiss Class Action Over Allegedly Fraudulent Credit Card Processing Fees Following Data Breach
Wines, Vines, & Corks, LLC v. First National of Nebraska, Inc., No. 8:14-cv-82 (D. Neb., Aug. 20, 2014).

In a putative class action, Wines, Vines & Corks alleged that it has a credit card processing agreement with the defendants and that, as a result of a data breach at the defendants, it was charged fees for multiple unauthorized credit card transactions processed through its account. The defendants moved to dismiss all claims for breach of contract, negligence, and violations of the Nebraska consumer protection and deceptive trade practices acts—arguing that the factual allegations of a data breach were conclusory and that the economic loss doctrine barred all but the contract claim. The court disagreed, finding that the factual allegations were sufficient to survive a motion to dismiss and that the economic loss doctrine “has no applicability to this case.” As the court explained, rather than seeking to recover in tort for the failure to perform a purely contractual duty, the plaintiff is claiming that the defendants violated duties independent of the contract. The court stated, “There are duties and standards imposed on banks and credit card processing companies that are supplemental to the duties imposed in the contract.”. 

Cybercrime in the News

JPMorgan and Other Banks Struck by Hackers, N.Y. Times (Aug. 27, 2014).

United Parcel Services Confirms Security Breach , N.Y. Times (Aug. 20, 2014).

Hospital Network Hacked, 4.5 Million Records Stolen, CNN Money (Aug. 18, 2014).

Russian Hackers Amass Over a Billion Internet Passwords, N.Y. Times (Aug. 5, 2014).

Government Enforcement

LavaFlow, Inc. Pays $5 Million to SEC to Settle Data Protection Case

On July 25, 2014, the Securities and Exchange Commission announced that it was settling an administrative proceeding against LavaFlow, Inc., an alternative trading system (ATS), for failing to protect the confidential information of its subscribers. According to the SEC, LavaFlow violated Rule 301(b)(10) of Regulation ATS by allowing an affiliate smart order router system to access the order information of its customers without obtaining customer consent. Rule 301(b)(10) requires an ATS to establish safeguards and procedures to protect subscribers’ confidential information.

The $5 million settlement included a $2.85 million penalty – the largest fine of an ATS to date, disgorgement of $1.8 million, and prejudgment interest of $350,000.

International

British and U.S. Citizens Convicted in China of Data Privacy Violations and Sentenced to Prison

On August 8, Peter Humphrey, a British citizen, and Yu Yingzeng, a U.S. citizen, were convicted in Shanghai of illegally collecting the personal information of Chinese citizens. Humphrey and Yu ran a business risk consulting firm, ChinaWhys Col., Ltd, which investigated businesses and individuals for corporate clients. According to the Chinese government, Humphrey and Yu would access or sell information about Chinese citizens, such as immigration history, real estate holdings, and addresses.

A year ago, Humphrey and Yu were arrested and charged with violating Article 253 of China’s Criminal Law, which prohibits government personnel and certain business sectors from selling or sharing the personal information of Chinese citizens. Their convictions followed a one-day trial during which they argued that they had purchased a service and not data; the data they sold and/or accessed was publicly available; that they had created reports and not provided specific information; and that the violation was not serious enough to warrant the criminal case.

Humphrey was sentenced to two and a half years in prison and will be deported following his imprisonment, and Yu was sentenced to two years in prison. They collectively were fined more than $50,000. Article 253 has been used several times to prosecute Chinese citizens since it was enacted in 2009, but this marks the first time that foreigners were prosecuted under the law.

UK’s Ministry of Justice is Fined for Data Protection Failures

On August 20, the United Kingdom’s Information Commissioner’s Office (ICO) announced that it was fining the government’s own Ministry of Justice £180,000 after two separate occasions when unencrypted portable hard drives containing the personal information of prisoners went missing, affecting nearly 19,000 prisoners. Although the drives had encryption software installed, the Ministry of Justice division responsible for prison services did not realize that the software had to be manually activated. While only two drives were lost, 75 prisons were storing prisoners’ confidential information on unencrypted devices for at least a year. In issuing a monetary penalty notice, the ICO noted that the Ministry of Justice had failed to take proper remedial action after the first hard drive was lost and that, as a part of the government, the ministry should “be expected to be a model of best practice and exemplary in respect of data protection compliance.”

The ICO regulates data controllers under Data Protection Act and Privacy and Electronic Communications Regulations. It routinely fines both public and private entities for failing to safeguard data. These entities may either pay the fine (at a discount if they pay early) or appeal to a tribunal. This was not the first time the ICO took action against the Ministry of Justice, which apparently is a repeat offender. In October 2013, it was fined £140,000 after spreadsheets containing prisoners’ personal information were inadvertently emailed to members of the public.

New Filings

P.F. Chang’s Hit With Third Data Breach Class Action
Lovell v. P.F. Chang’s China Bistro, Inc., No. 2:14-cv-01152 (W.D. Wash., filed July 30, 2014).

As detailed in our July issue, following a point-of-sale data breach, P.F. Chang’s was hit with two putative class actions in Illinois. Both complaints alleged that the restaurant chain’s failure to safeguard customer data resulted in a breach of an implied contract and a violation of state consumer protection acts. On July 30, Daniel Lovell filed a third putative class action complaint alleging that P.F. Chang’s failure to prevent the security breach gave rise to claims for negligence, breach of implied contract, breach of fiduciary duty, strict liability, negligent misrepresentation, and a violation of the Arizona Deceptive Trade Practices Act. Mr. Lovell alleges that his injury results from the overpayment for food based on the mistaken belief that his personal information would be secure.

Neither the Seattle P.F. Chang’s allegedly patronized by Mr. Lovell, nor the Northbrook, Illinois, restaurant allegedly frequented by Mr. Lewert was one of the 33 locations from which credit and debit card data was reportedly compromised. Mr. Kosner did not specify which location in Cook County, Illinois, he visited, but only one P.F. Chang’s location in Cook County was compromised.

Data Breach Class Actions Filed Against Supervalu; Requested Relief Includes Damages for Emotional Distress and Diminution in Value of Compromised Personal Information Based on PI’s Value in the Black Market
McPeak v. Supervalu Inc., No. 3:14-cv-00899 (S.D. Ill., filed Aug 18, 2014)
Hanff v. Supervalu Inc., No. 14-cv-3252 (D. Minn., filed Aug. 25, 2014)

Supervalu, an operator of grocery and liquor stores, announced on August 14 that hackers had installed malware on its point-of-sale network, compromising the credit and debit card data of shoppers between June 22 and July 17 at more than 200 of its stores. Within two weeks of the announcement, consumers filed two putative class actions. Both lawsuits allege that Supervalu’s failure to secure consumers’ data gives rise to claims for negligence, breach of implied contract, and violations of state consumer protection acts. The McPeak suit also alleges violation of the Stored Communications Act and various state data protection statutes, while the Hanff suit includes a claim for invasion of privacy. In alleging damages, the McPeak plaintiffs focus on unspecified unauthorized charges, the time and cost spent replacing cards and monitoring credit, and the increased risk of identity theft. The Hanff plaintiffs additionally allege that they suffered emotional distress and the diminution in value of their personal information. This allegation about the value of the plaintiffs’ personal information amounts to an argument that the data breach deprived consumers of the value they could receive by selling their own credit card information on the black market.

Patients File Class Action Against Community Health Systems Following Massive Data Breach
Alverson v. Community Health Systems, Inc., No. 2:14-cv-1620 (N.D. Ala., filed Aug. 20, 2014)

On August 18, Community Health Systems, an operator of 206 hospitals in 29 states, announced in a public filing that it had experienced a data breach affecting 4.5 million patients. Hackers (suspected to be from China) stole patient names, birth dates, telephone numbers, and Social Security numbers. Two days later, five patients filed a putative class action, alleging that Community Health’s failure to safeguard their data gave rise to claims for breach of express and implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment, money had and received, negligence, negligence per se, wantonness, invasion of privacy, and violations of the Fair Credit Reporting Act. The plaintiffs allege that they suffered damages because a portion of their payments to the hospitals was “intended to pay for the administrative costs of data security” and the data security was allegedly inadequate and because they will be forced to incur the cost of credit monitoring. Community Health has offered free credit monitoring for all patients affected by the breach.