Consistent with a growing trend among courts nationwide, the D.C. Circuit Court unanimously held that a group of plaintiffs had cleared a “low bar” to establish constitutional standing for their claims in a data breach case against health insurer CareFirst by alleging potential future harm as a result of the breach. The plaintiffs alleged that

The impact from the recent Petya/NotPetya ransomware attack — or what was reported as a ransomware attack but now appears to be something even more damaging — continues to spread around the globe, with several new companies coming forward as victims, including a prominent law firm.

This attack acts as an unfortunate reminder that

Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases. Here’s our analysis of the most recent appellate decision on that issue.

Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a

Last week a National Labor Relations Board (NLRB) administrative judge ruled that AT&T Mobility interfered with employees’ labor rights with an overly broad privacy rule. The rule prohibited employees from recording any conversation without approval from the company’s legal department.

The judge found that the rule was in violation of Section 8(a)(1) of the National

The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding

“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”

The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.

The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Report’s Objective and Recommendations

The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.

During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:

  • Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
  • Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.

In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.

Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:

  • Whether cybersecurity is a fiduciary responsibility; and
  • Whether state cyber laws are preempted by ERISA.

However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.

Observations:

Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.

Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.

Existing Cybersecurity Frameworks

The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans.

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had

Particularity and plausibility are recurring themes from Judge Reagan’s order last week in the most recent round of litigation stemming from a 2012-2013 data breach at Schnucks grocery. See Community Bank, et al. v. Schnuck Markets, Inc., No. 3:15-cv-01125-MJR-RJD (S.D. Ill. Sept. 28, 2016). Unlike previous litigation brought by the grocery store’s customers, this

Following the Seventh Circuit’s recent decision in Lewert v. P.F. Chang’s China Bistro Inc., 2016 U.S. App. LEXIS 6766 (7th Cir. Ill. Apr. 14, 2016), many commentators quickly pronounced the Seventh Circuit fertile territory for consumer data breach class actions. But, suggesting that such claims will thrive there is a lot like saying the Sasquatch thrives in the Pacific Northwest. Maybe, but the evidence is, at best, grainy and inconclusive.

The Significance and Insignificance of Lewert

Last month in Lewert, the Seventh Circuit reversed the trial court’s dismissal of a putative class action brought by alleged victims of a 2014 data breach. For those following data breach jurisprudence, the conclusion was hardly a surprise. Just last July, the Seventh Circuit became the first federal court of appeals to find standing among data breach victims absent a showing of identity theft or unreimbursed fraud. Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, the court held that Article III’s “concrete and particularized injury” requirement was met by “the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft,” “time and money the class members predictably spent resolving fraudulent charges,” and “time and money customers spent protecting against future identity theft.” P.F. Chang’s attempted to distinguish Remijas, arguing that the nature of its breach created less risk of identity theft than in Remijas. Unlike Neiman Marcus, P.F. Chang’s also disputed that the named Plaintiffs’ data had been compromised. The Seventh Circuit brushed aside these distinctions as immaterial at the pleading stage where plaintiffs’ allegations are presumed true.

As a threshold matter, Lewert did not really change anything within the Seventh Circuit. Indeed, the most notable aspect of Lewert may be how closely it hewed to last year’s Remijas decision. The Seventh Circuit still believes that allegations of a payment card data breach can constitute a “certainly impending future harm” sufficient to satisfy the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 185 L. Ed. 2d 264 (2013). And, it believes that certain victim activities following a payment card data breach — such as purchasing credit monitoring or expending time and resources to guard against identity theft — constitute “present injuries” for Article III purposes. However, the court remained “skeptical” of the plaintiffs’ more creative standing theories, like the plaintiffs’ claim that they would not have dined at P.F. Chang’s had they known of its poor data security or that the plaintiffs had a property right in their personally identifiable data.

So, is Lewert a positive development for future retail data breach plaintiffs? Sure, to a point — it reaffirmed the Seventh Circuit’s divergence from the majority of post-Clapper data breach decisions, which have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.