Nearly two and a half years following the appeal of the Federal Communications Commission’s (FCC) July 2015 Order, the U.S. Court of Appeals for the District of Columbia Circuit issued its ruling on March 16, 2018.  On appeal, over a dozen entities sought review of the 2015 Order, in which the FCC interpreted various aspects of the Telephone Consumer Protection Act (TCPA).  The appeal addressed four issues: (1) which devices constitute an automatic telephone dialing system (ATDS or “autodialer”); (2) whether a call to a reassigned phone number violates the TCPA; (3) whether the FCC’s approach to revocation of consent was too broad; and (4) whether the FCC’s exemption for certain healthcare-related calls was proper.

In short, the court set aside the FCC’s definition of an ATDS and vacated the FCC’s approach to calls placed to reassigned numbers.  The court upheld, however, the FCC’s broad approach to a party’s revocation of consent and sustained the scope of the FCC’s exemption for time-sensitive healthcare calls.

  1. ATDS

The FCC’s 2015 Order held that the analysis of whether equipment constitutes an ATDS is not limited to its present capacities, but also includes its “potential functionalities”—an interpretation with the apparent effect of encompassing ordinary smartphones. On appeal, the D.C. Circuit concluded that the FCC’s approach could not be sustained in light of the “unchallenged assumption that a call made with a device having the capacity to function as an autodialer can violate the statute even if autodialer features are not used to make the call.”  The court reasoned that if a device’s capacity includes functions that could be added through app downloads and software additions, and if smartphone apps can introduce ATDS functionality into the device, then all smartphones would meet the statutory definition of an autodialer—and the TCPA’s restrictions on autodialer calls would “assume an eye-popping sweep.”  Accordingly, the court found the FCC’s interpretation, under which every smartphone qualifies as an autodialer, to be unreasonably and impermissibly expansive.

Regarding functionality, the FCC identified a basic function of an ATDS as the ability to “dial numbers without human intervention,” but declined to clarify this point, apparently suggesting that a device might still qualify as an autodialer even if it cannot dial numbers without human intervention.  The FCC further said that another basic function of an ATDS is to dial thousands of numbers in a short period of time, but the Order provides no additional guidance on whether that is a necessary, sufficient, or merely relevant condition, leaving affected parties “in a significant fog of uncertainty.”  In addressing these questions, the court found that the FCC’s guidance gave no clear answer and in many ways offered contradictory interpretations. The court was particularly concerned that the FCC’s ruling seemingly imposed liability even where a system was not used to randomly or sequentially generate a call list, as “[a]nytime phone numbers are dialed from a set list, the database of numbers must be called in some order—either in a random or some other sequence.”  The court set aside the FCC’s ruling on what type of functionality a device must employ to qualify as an autodialer, finding that the FCC could not promote competing interpretations in the same order.

  2. Reassigned numbers and consent

If a call is made to a consenting party’s number, but that number has been reassigned to a nonconsenting party, the FCC’s 2015 Order stated that this situation violates the TCPA—except in the instance of a one-call safe harbor, which enables a caller to avoid liability for the first call to a wireless number following reassignment.  The court found that the FCC’s limitation of the safe harbor to only the first call was arbitrary, questioning why a caller’s “reasonable reliance” on the previous subscriber’s consent necessarily stops being reasonable after there has been only one call, as the first call may give the caller no indication of a possible reassignment.  The court set aside the FCC’s treatment of reassigned numbers in its entirety, finding it could not, without consequence, excise the one-call safe harbor, but leave in place the FCC’s interpretation that the “called party” refers to the current subscriber, and not the intended recipient.  This, the court found, would mean a caller is strictly liable for all calls made to the reassigned number, even without knowledge of the reassignment.

  3. Revocation of consent

The FCC, in declining to unilaterally prescribe the exclusive means for consumers to revoke their consent, instead concluded that a called party may revoke consent at any time and through any reasonable means that clearly expresses a desire not to receive further messages.  In upholding the FCC’s approach to revocation, the court found that the FCC’s ruling absolves callers of any responsibility to adopt a system that would entail undue burdens, such as training every retail employee on the “finer points of revocation.”  And, under this approach, callers have every incentive to avoid TCPA liability by making available clearly defined and easy-to-use opt-out methods, which in turn makes a call recipient’s unconventional and idiosyncratic revocation requests unreasonable.  Finally, the court concluded that nothing in the 2015 Order “should be understood to speak to the parties’ ability to agree upon revocation procedures”—thereby leaving open the possibility of contractually specified revocation methods.

  4. Healthcare-related exemption

The final challenge concerns the scope of the FCC’s exemption of certain healthcare-related calls from the TCPA’s prior-consent requirement for calls to wireless numbers.  The exemption is limited to calls that have a healthcare treatment purpose, and excludes calls related to telemarketing, solicitation, or advertising.  The court rejected the argument that any partial exemption of healthcare-related communications is unlawful because HIPAA supersedes any TCPA prohibition, finding that the two statutes provide separate protections and, therefore, there is no obstacle to complying with both.  Moreover, the court found that the FCC did not act arbitrarily in affording a narrower exemption for healthcare-related calls made to wireless numbers, since the TCPA itself treats residential and wireless numbers differently.  Finally, the court rejected the argument that the FCC erred in failing to recognize that all healthcare-related calls satisfy the TCPA’s “emergency purposes” exception to the consent requirement, reasoning that it is implausible to conclude that calls related to telemarketing, solicitation, or advertising are made for emergency purposes.  Therefore, the court upheld the way in which the FCC narrowly fashioned the exemption for healthcare-related calls.

Without question, the long-awaited ruling will significantly impact TCPA compliance and litigation.  Stay tuned for additional analysis on the impact of the D.C. Circuit’s ruling.

The Supreme Court’s decision in Spokeo, Inc. v. Robins continues to have an impact on class actions involving data privacy statutes. Most recently, a federal district court dismissed yet another class action involving claims under the Fair and Accurate Credit Transactions Act (FACTA) in Kirchein v. Pet Supermarket, Inc. for lack of subject matter jurisdiction under Spokeo, on the grounds that Kirchein did not establish the injury-in-fact necessary to maintain the case in federal court.

In January 2016, Kirchein filed a putative class action in the U.S. District Court for the Southern District of Florida, alleging violations of FACTA, which prohibits printing more than the last five digits of the credit card number or expiration date on the receipt provided to the customer. FACTA provides a private right of action with statutory damages up to $1,000 for any violation. In August 2016, the court preliminarily approved a $580,000 class action settlement. In October 2017, however, the defendant moved to vacate the preliminary approval order and settlement and reopen the class on the grounds that the class was much larger than the parties anticipated. The Court denied the motion on those grounds, but gave the parties an opportunity to brief the issue of subject matter jurisdiction under Spokeo.

After considering the parties’ briefing, the Court dismissed the case on February 8, 2018 for lack of subject matter jurisdiction, finding that the mere “disclosure of the first six digits of a credit card account number” did not result in an imminent, real risk of harm under Spokeo. In doing so, the Court relied heavily on its own September 2017 decision in a case alleging similar violations of FACTA. In that case, the Court held that merely printing the digits of the credit card on a receipt was insufficient to establish standing when the plaintiff did not allege that any disclosure of his private information actually occurred. Similarly here, Kirchein failed to allege that anyone besides Kirchein himself actually saw the receipt. To the extent that Kirchein relied on store employees seeing the receipt, the Court was unconvinced, finding that to be the same type of disclosure that happened any time a consumer uses a credit card to pay for a transaction.
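FACTA’s receipt-truncation rule maps directly onto a small piece of point-of-sale code, and the Kirchein facts (first six digits printed) illustrate the usual way it is broken. The following Python is an added example written for this page; it is not code from any party or court discussed here. It masks a card number to at most the five digits the statute permits, builds a receipt that deliberately omits the expiration date, and scans existing receipt text for the two patterns at issue: more than five card digits visible (including the issuer’s first six) and a printed expiration date. The receipt strings are constructed sample data, and the expiration-date pattern is an assumption about how receipts are usually formatted, not a standard.

```python
import re
from typing import List

# FACTA (15 U.S.C. § 1681c(g)): an electronically printed receipt may show no more
# than the last five digits of the card number and must not show the expiration date.
MAX_VISIBLE_DIGITS = 5


def mask_pan(pan: str, visible: int = 4) -> str:
    """Replace all but the last `visible` digits of a card number with '*'.

    `visible` defaults to the common last-four convention; anything above
    five is refused because it would exceed the statutory limit.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA permits at most five visible digits")
    return "*" * (len(digits) - visible) + digits[-visible:]


def format_receipt(merchant: str, total: str, pan: str, expiry: str) -> str:
    """Build the customer copy. The POS knows the expiry but never prints it."""
    del expiry  # received with the transaction; intentionally not rendered
    return "\n".join([merchant, f"CARD {mask_pan(pan)}", f"TOTAL {total}"])


# Candidate card fields: runs of digits / mask characters 12-19 long, with optional
# spaces or dashes between groups (assumed receipt formatting).
_CARD_FIELD = re.compile(r"[\d*Xx](?:[ -]?[\d*Xx]){11,18}")
# Printed expiration dates such as "EXP 12/19" or "Exp. Date: 12/2019" (assumption).
_EXPIRY = re.compile(r"EXP(?:IRES|IRY)?\.?\s*(?:DATE)?\s*:?\s*\d{2}\s*/\s*\d{2,4}", re.I)


def facta_violations(receipt: str) -> List[str]:
    """Return a description of each FACTA problem found in receipt text."""
    problems: List[str] = []
    for line in receipt.splitlines():
        for match in _CARD_FIELD.finditer(line):
            field = re.sub(r"[ -]", "", match.group())
            shown = sum(ch.isdigit() for ch in field)
            if shown > MAX_VISIBLE_DIGITS:
                problems.append(f"{shown} card digits visible: {match.group()}")
            if field[:6].isdigit():
                # The Kirchein pattern: issuer BIN (first six) left in the clear.
                problems.append(f"first six digits printed: {match.group()}")
        if _EXPIRY.search(line):
            problems.append(f"expiration date printed: {line.strip()}")
    return problems


def is_facta_compliant(receipt: str) -> bool:
    return not facta_violations(receipt)


# Constructed sample receipts (not real transactions).
NONCOMPLIANT_RECEIPT = """ACME PET SUPPLY  STORE #12
03/16/2018 14:02
VISA 424242******4242
EXP 12/19
TOTAL $23.45"""

COMPLIANT_RECEIPT = """ACME PET SUPPLY  STORE #12
03/16/2018 14:02
VISA ***********4242
TOTAL $23.45"""


if __name__ == "__main__":
    for problem in facta_violations(NONCOMPLIANT_RECEIPT):
        print("VIOLATION:", problem)
    print("compliant sample ok:", is_facta_compliant(COMPLIANT_RECEIPT))
    print(format_receipt("ACME PET SUPPLY", "$23.45", "4242 4242 4242 4242", "12/19"))
```

The checker is useful as a regression test against receipt templates rather than as a runtime control: the masking should happen in the POS before anything reaches the printer, and the scan catches templates (or vendor firmware updates) that quietly reintroduce the BIN or the expiry.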

The Court also rejected Kirchein’s argument that the settlement was still enforceable, despite any lack of standing resulting from Spokeo. The Court noted that Spokeo was not a change in the law, but merely clarified well-established principles of standing, and emphasized that it must have subject matter jurisdiction at all stages of a case, including to approve a class action settlement agreement under Rule 23.

The decision joins those of the Seventh and Second Circuits, as well as several other district courts, which have dismissed FACTA claims for lack of standing under Spokeo. These cases continue to suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo. Instead, plaintiffs will need to show that a violation of the statute caused harm, likely through the actual disclosure to a third party.

In a recent decision, the 11th U.S. Circuit Court of Appeals reversed a grant of summary judgment in favor of a bank on Telephone Consumer Protection Act (TCPA) claims, by holding that a consumer can partially revoke her previously provided consent.

In Schweitzer v. Comenity Bank, the plaintiff sued the bank under the TCPA for calls placed to her cell phone after she allegedly revoked her consent. The revocation at issue purportedly occurred during a call the bank placed to the plaintiff, in which the plaintiff said, “And if you guys cannot call me, like, in the morning and during the workday, because I’m working, and I can’t really be talking about these things while I’m at work.”

The bank argued, and the district court had agreed, that this statement did not constitute a clear statement that the plaintiff did not want any further calls. The plaintiff appealed, arguing that the TCPA allows a consumer to partially revoke her consent to receive automated calls and that the plaintiff had revoked her consent to receive calls in the morning or during the workday.

In analyzing the issue of partial revocation, the 11th Circuit turned to its prior decision in Osorio v. State Farm Bank, F.S.B., which held that a consumer may orally revoke her consent under the TCPA in the absence of a contractual restriction, to hold that the common-law understanding of consent applies to the TCPA. Under the common law, the court explained, a person may limit her consent as she likes, permitting a consumer under the TCPA to provide limited consent. Therefore, the court concluded that “unlimited consent, once given, can also be partially revoked as to future automated calls under the TCPA.”

Turning to the effect of the plaintiff’s statements, the court held that a jury might find the plaintiff’s statement too equivocal to constitute a partial revocation, but the lack of specificity in her request did not preclude her from having a jury decide the question. This holding highlights that the question of whether a consumer adequately revoked her consent will, in many circumstances, require a trial.

Of note, the 11th Circuit did not reference the recent Reyes decision by the 2nd Circuit, which held that a consumer cannot unilaterally revoke contractually agreed-upon consent under the TCPA. The reference the court made to its prior decision in Osorio, however, did highlight the distinction the 2nd Circuit drew in its decision limiting revocation. Specifically, the court noted that only in the “absence of any contractual restriction to the contrary, [consumers] were free to orally revoke any consent previously given.”  In addition, given that the court relied upon the common-law principles for revocation, like the 2nd Circuit in Reyes, it appears the two decisions are consistent. Thus, a company may be able to avoid the issues faced in Schweitzer by utilizing contractual provisions addressing consent and revocation.

Consistent with a growing trend among courts nationwide, the D.C. Circuit unanimously held that a group of plaintiffs had cleared a “low bar” to establish constitutional standing for their claims in a data breach case against health insurer CareFirst by alleging potential future harm as a result of the breach. The plaintiffs alleged that there was a substantial risk that their personal information could be used for medical identity theft after a breach of CareFirst’s systems. Despite the fact that (i) no actual misuse of the information had yet occurred and (ii) the breach involved medical information, rather than the financial or other sensitive information typically involved in successful data breach claims, the D.C. Circuit held that the plaintiffs had established standing and their claims could move forward.

In 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege an actual or imminent injury, not hypothetical harm, to establish standing and proceed past the pleadings stage. The Supreme Court found that plaintiffs cannot rely on a bare statutory violation alone for standing and remanded the case for the lower court to identify a “concrete injury.” Even after the Supreme Court’s decision, appellate courts have split on how to interpret that standard in data breach cases and whether to find standing based on a risk of harm, though courts are increasingly sympathetic to data breach claims.

The D.C. Circuit joins several other circuit courts that have interpreted the pleading standard liberally and in favor of data breach victims. As a result, more claims in these jurisdictions will survive past the pleading stage based on a risk of injury to the individuals affected by a breach. These rulings rest largely on an assumption that the perpetrators of information theft intend to misuse the information, which suggests that defeating such claims at the pleading stage would effectively require showing that the breached information could not or would not be used for fraud or identity theft.

Significantly, the D.C. Circuit’s ruling focused on the risk of harm from breaches of information other than financial information and Social Security numbers, which typically form the basis for data breach claims. The D.C. Circuit noted that there was a substantial risk to the plaintiffs of medical identity theft based on a breach of information such as names, birthdates, email addresses, and health insurance policy numbers. In addition to an overall increase in data breach claims based on potential harm, this type of ruling could improve the prospects of claims based in negligence or other state law doctrines arising out of breaches of health information.

It is likely that the Supreme Court will eventually weigh in on whether plaintiffs have standing in claims arising out of data breaches based on the potential for harm. In the meantime, individuals and entities who maintain personal information, whether financial or medical, should be aware that individuals affected by data breaches are increasingly likely to get their day in court.

The impact of the recent Petya/NotPetya attack — initially reported as ransomware, but now understood to be something even more damaging, since it destroyed data with no practical path to recovery — continues to spread around the globe, with several new companies coming forward as victims, including a prominent law firm.

This attack acts as an unfortunate reminder that the Internet of Things, along with our dependence on technology, has created a host of new legal and ethical challenges for attorneys. Chief among them is the duty owed to clients to keep their information secure.

Put simply, cyberattacks against law firms are a rapidly growing problem that we must collectively work to manage. And we need to do a better job of it. The 2016 ABA TECHREPORT indicated that, overall:

  • 21 percent of law firms reported having no data security policy;
  • Under 20 percent reported having an incident response plan;
  • 37 percent of firms reported downtime or loss of billable hours after a breach;
  • Only 17 percent of attorneys reported they have cyber coverage; and
  • Only 18 percent of law firms reported they have had a full security assessment.

The Threat

Cyberattacks against law firms have only just begun. The cybercriminals executing these attacks understand that law firms are the white whale of cyber victims. Client information is highly confidential and highly lucrative to cybercriminals. The financial and personally identifiable information that an individual company keeps for business operations is nothing compared to the treasure trove of sensitive data law firms maintain on behalf of their hundreds, or even thousands, of clients. Further, law firms possess data that, if stolen, would provide cybercriminals the information necessary to engage in a variety of nefarious activities, such as insider trading, intellectual property theft and corporate espionage.

Law firms are vulnerable to attack in several ways — via mobile devices, home networks, spear phishing, business email compromise and unpatched systems, to name a few. Maintaining defenses against these vectors, and actually exercising them, must remain a priority.

In addition to securing the network, a host of legal and regulatory challenges continue to evolve and demand constant analysis. Aside from the more well-known regulations — the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, EU’s General Data Protection Regulation, and the Telephone Consumer Protection Act — federal and state agencies regularly promulgate and enforce new standards that must be met. This legal regime is further complicated by emerging American Bar Association and state ethical obligations.

Despite continued best efforts to safeguard client information, law firms remain at risk of attack by hackers and those who find opportunity in law firms’ cybersecurity failings. The industry recently found itself targeted by plaintiffs’ attorneys who exploit data breaches by claiming law firms failed to take reasonable steps to maintain data security. Thus, in addition to the cyberthreat itself, the looming threat of class action lawsuits must be considered as law firms develop and implement data security practices.

Our Response

As with every incident, the McGuireWoods data privacy and security team monitors the Petya/NotPetya attack as it develops and we stand ready to assist anyone affected. We provide solutions across industries — including solutions for law firms and colleagues in the legal profession.

In our experience, few businesses maintain an incident response plan that adequately addresses the decision points and considerations presented by distributed ransomware or other advanced threats, or have policies and procedures in place to ensure legal, regulatory and ethical compliance. We can help.

We have publicly offered some preventative measures that firms can take immediately. But we can also provide insight into our internal data privacy and security practices and how we use those practices to protect our clients’ most sensitive information (e.g., enforcing encryption for data at rest and in transit, performing regular security awareness training, using data loss protection functionality, conducting security audits, and aligning our information security plan with the firm’s strategic plan).

Our clients trust us with their most valuable information. They deserve the highest level of data security protection. No law firm is immune to the sophisticated threats today’s cybercriminals develop and propagate, but implementing cybersecurity programs and incident response plans now can significantly reduce the risk of breach, improve response protocols and mitigate financial and reputational loss.

Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases.  Here’s our analysis of the most recent appellate decision on that issue.

Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a putative class action filed against a merchant in connection with a data breach of customer information, holding that the cardholder failed to allege sufficient injury to establish standing.

The decision adds yet another data point for practitioners feeling out the boundaries for when the exposure of personal information creates a legal right to sue.

In Whalen v. Michaels Stores, Inc., the plaintiff alleged that shortly after she made in-store purchases with her credit card, her card information was used in Ecuador in attempted purchases of a gym membership and concert tickets.  She cancelled her card upon learning of those attempts, and did not allege those charges were ever approved.

In rejecting the plaintiff’s arguments in favor of standing, the Second Circuit emphasized that she failed to allege that she actually incurred or paid those charges, and also discounted her assertion that she faced risk of future identity fraud—noting that she had already cancelled her card, and failed to allege that her name, birth date, or social security number were among the information stolen.

Notably, the court considered her allegation that she suffered damages “based on the opportunity cost and value of time” that she spent monitoring her account also insufficient to establish injury.  In so holding, the court interpreted the “particularized” component of Article III’s “concrete and particularized injury” requirement to require the plaintiff to plead specifics about the time and effort expended.

The Second Circuit expressly distinguished prior decisions from the Seventh Circuit holding the victims of a data breach alleged sufficient injury to invoke Article III standing.  On a closer review, however, it is not always easy to draw a clean line between the injuries alleged in Whalen and some of those deemed sufficient by the Seventh Circuit.

For example, in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit held the plaintiffs had sufficiently alleged injury based on an increased risk of future fraudulent charges and identity theft, notwithstanding that the data breach in that case also only involved the theft of card information and not personal information such as social security numbers or birth dates.

Similarly, the court in Remijas deemed sufficient allegations that the plaintiffs lost time and money protecting themselves against future identity theft—allegations not dissimilar from those rejected in Whalen.

Although we are yet to arrive at a unified theory of standing in data breach cases, Whalen does provide a helpful piece of line-drawing, illustrating that a plaintiff who does not incur fraudulent charges—and cancels her card before any fraudulent charges are incurred—may have trouble convincing a court that she has suffered sufficient injury from a data breach to confer standing.

Last week a National Labor Relations Board (NLRB) administrative judge ruled that AT&T Mobility interfered with employees’ labor rights with an overly broad privacy rule. The rule prohibited employees from recording any conversation without approval from the company’s legal department.

The judge found that the rule was in violation of Section 8(a)(1) of the National Labor Relations Act (Act) which prohibits employers from interfering with Section 7 rights. Section 7 gives employees the right to organize and engage in other concerted activity for the purpose of collective bargaining.

The rule was challenged by sales associate Marcus Davis after he attended a termination notice meeting for another employee and recorded audio of the meeting without management’s prior knowledge.

After the meeting, local area sales manager Andrew Collings contacted the human resources department for guidance. Collings then instructed the local store manager to retrieve the company-owned phone, delete the 20-minute recording and coach Davis on the company policy. Davis challenged the rule and filed an unfair labor practice charge with the NLRB.

In defense of the rule, AT&T argued that the policy was in place to protect the privacy of customer information. The judge found that although AT&T has a pervasive and compelling interest in protecting customer information, when balanced against employees’ Section 7 rights, the rule is overbroad and in violation of Section 8(a)(1) of the Act. Specifically, the judge noted that recent NLRB decisions had suggested that “protected conduct may include a number of things including recording evidence to preserve it for later use in administrative or judicial forums in employment-related actions,” and that there were narrower ways for the employer to protect its legitimate interests without interfering with these employee rights. The judge also found that the employee was illegally threatened with disciplinary action, possibly termination, if he violated the privacy rule.

Accordingly, AT&T was ordered to rescind the rule and refrain from any action that would limit the exercise of employees’ Section 7 rights. It remains to be seen whether the company will comply now, or contest the decision before the NLRB itself. The order fits into the trend of NLRB decisions the last few years finding against work rules prohibiting photography and other forms of recording in the workplace. It does not entirely prohibit all rules limiting workplace recordings, but does reject broad rules containing a blanket ban on all workplace recordings.

The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding that the lower court did not conduct a rigorous analysis of the record under Rule 23 prior to certifying the settlement class.

The case stems from the 2013 data breach of consumers’ credit and debit card information, which affected approximately 110 million Target customers. Following the consolidation of the hundreds of consumer class action lawsuits that followed, the U.S. District Court for the District of Minnesota preliminarily certified a settlement class defined as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.”  Under the terms of the settlement, Target was to create a $10 million settlement fund, which would pay class members with documented losses first, with the remaining balance distributed to members with undocumented losses.  Class members who suffered no loss from the data breach would not receive any monetary compensation.  Target also agreed to permit an attorney fee award of up to $6.75 million in addition to the $10 million class fund and to take on certain improvements in its data security practices.

Prior to final approval, two class members, Leif Olson and Jim Sciaroni, objected to the settlement. Olson alleged that certification of the class was improper due to the intraclass conflict between the named representatives and class members who, like Olson, had not suffered any loss and therefore would not receive any compensation, but would release Target from any claims should the breach someday injure him in the future.  Olson contended that this “zero-recovery subclass” should be certified as a separate subclass with independent representation.

At the final approval stage, the district court did not analyze Olson’s objection. Indeed, the district court refused to reconsider whether certification was proper solely because it had already preliminarily certified the class, stating “[b]ut the Court certified a settlement class in the preliminary approval order, and will not revisit that determination here.”  This outright refusal to consider the propriety of class certification at the final approval stage was the death knell for the case before the Eighth Circuit.

The Eighth Circuit explained that not only do courts have the duty to conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met, but this duty continues throughout the litigation.  In reviewing the district court’s preliminary order, the Eighth Circuit found that it was lacking in legal analysis, concluding that the court’s remarks were “the product of summary conclusion rather than rigor.”  This lack of legal analysis constituted an abuse of discretion and prevented the appellate court from conducting a meaningful review.

The Eighth Circuit highlighted three issues for the district court to consider on remand. First, whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can. Second, if there is a conflict, whether it prevents the class representatives from fairly and adequately protecting the interests of all of the class members.  Third, if the class is conflicted, whether the conflict is fundamental and requires certification of one or more subclasses with independent representation.

Although these questions are important in any case involving intraclass conflicts, they underscore a problem arising frequently in data breach actions: how should the law treat the compromise of data without any evidence of misuse?  This issue is particularly at the forefront following the Supreme Court’s decision in Spokeo v. Robins. If class members that suffered no loss from the data breach lack standing under Spokeo, it is unclear whether such a subclass could exist, since neither the representative nor its members suffered a concrete injury.  It also poses the question of whether those members should be included in the class at all.  How the district court analyzes these issues on remand may set the stage for future data breach class actions.

“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”

The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.

The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Report’s Objective and Recommendations

The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.

During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:

  • Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
  • Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.

In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.

Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:

  • Whether cybersecurity is a fiduciary responsibility; and
  • Whether state cyber laws are preempted by ERISA.

However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.


Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.

Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.

Existing Cybersecurity Frameworks

The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans.

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had an impact on class actions involving data privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III Following Spokeo

Given that many data privacy statutes provide for statutory damages and attorneys’ fees, they have become prime targets for class action attorneys. The class action claims, however, typically stem from technical or procedural violations of these statutes without any actual harm suffered by the plaintiffs, subjecting these lawsuits to fresh attacks following Spokeo. The various Courts of Appeals that have faced such challenges in data privacy actions in the wake of Spokeo have consistently found standing lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in the context of the Fair and Accurate Credit Transactions Act (FACTA) in Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses from printing more than the last five digits of a customer’s credit card number or the expiration date on a receipt, providing a private right of action with statutory damages up to $1,000 for any violation. In Meyers, the plaintiff alleged that a restaurant violated FACTA by printing the expiration date of his credit card on his sales receipt. In analyzing whether the plaintiff suffered a concrete harm in accordance with Spokeo, the Court noted that the plaintiff discovered the violation immediately, nobody else saw the non-compliant receipt, and thus it was “hard to imagine” how the expiration date could have increased the risk that the plaintiff’s identity would be compromised. Accordingly, the Court held that the plaintiff failed to establish any concrete harm, nor any appreciable risk of harm, to satisfy the injury-in-fact requirement for Article III standing under Spokeo.

The D.C. Circuit similarly held that a data privacy class action could not even “get out of the starting gate” with respect to standing following Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged violations of D.C.’s Use of Consumer Identification Information Act, which prohibits retailers from asking for a customer’s address in connection with a credit card transaction. The Court held that the plaintiffs failed to allege that they suffered any cognizable injury as a result of defendants requesting their zip codes, noting that the plaintiffs did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.  Instead, the claim rested upon a bare violation of the statute—the very theory of standing that the Supreme Court rejected in Spokeo.

These cases suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo.  Instead, plaintiffs will need to show that a violation caused harm, likely through the actual disclosure to a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class actions. This is because, as the Supreme Court in Spokeo acknowledged, an alleged violation of a procedural statutory right can establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient “risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual Insurance Company, some hackers allegedly broke into an insurance company’s computer network and stole personal identifying information of the customers. The plaintiffs brought a class action alleging violations of the Fair Credit Reporting Act for the company’s alleged failure to adopt procedures to protect against the wrongful dissemination of its customers’ data.  In evaluating standing, the Court found that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes—creating a “risk of real harm” to support standing. The plaintiffs also alleged that they had to expend time and money to monitor their credit, check their bank statements, and modify their financial accounts because of the data breach. Thus, in addition to the substantial risk of harm, the plaintiffs had reasonably incurred mitigation costs sufficient to establish standing under Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact from the Supreme Court’s ruling in Spokeo.  Although the line drawn between standing and the absence of standing seems clear at the moment, plaintiffs’ attorneys are sure to create new theories of harm to attempt to satisfy Article III’s standing requirement.