The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.”  Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack.  Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.

The Report

The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87-page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.

The increased focus on cybersecurity comes in the wake of the recent rise in the number and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy.  As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks are likely to increase.

The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:

  • Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
  • Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
  • Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
  • Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

The Report also identified several recommended steps for industry members, including creating a cybersecurity leadership role to drive more robust cybersecurity policies, processes, and functions, with clear engagement from executives.

The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.

OCR Checklist

In the wake of the Report and an unprecedented year of cyber-attacks against health care entities (including the recent WannaCry and Petya attacks), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic summarizing those steps.

Several cybersecurity firms and news outlets are reporting a new major cyberattack spreading across the globe. The attack, which is still developing and appears to have hit the UK first, is being described as a “global ransomware incident.” Some of the affected companies reportedly include British advertising firm WPP, Russian petroleum company Rosneft, and the National Bank of Ukraine. There have also been reports that multiple U.S. companies have been disrupted by the attack.

Initial reviews suggest the malware is another ransomware campaign, coming shortly after the global WannaCry attack. This new intrusion may be exploiting vulnerabilities in Microsoft Windows to encrypt victims’ files. Once files are encrypted, the ransom note demands a payment of $300 in bitcoin.  A preliminary review of the malware indicates it is PetrWrap, a strain of the Petya ransomware family, which can render a machine’s entire disk inaccessible by overwriting the hard drive’s master boot record rather than encrypting individual files one by one.

To help avoid becoming a victim, some preventative measures that can be taken immediately include:

  • Ensure your network has updated security patches and is otherwise protected against PetrWrap, WannaCry and known system vulnerabilities.
  • Frequently back up your data onto an isolated and segmented network, and confirm the backups can actually be restored.
  • Remind your employees to practice caution before opening attachments or links in unexpected emails and documents.
  • Review your incident response plan and identify those decisions and considerations that are most relevant to ransomware events.
  • Identify outside resources – legal counsel and forensics and public relations firms – that may be needed in the event that you are impacted by ransomware.
  • Review applicable insurance policies and understand relevant terms.

The McGuireWoods Data Privacy and Security team will continue to monitor the attack as it develops and we stand ready to assist anyone affected by it. For more information, an in-depth ransomware response plan can be found here.

“Big data” in the education context refers to the massive amount of information collected by K-12 schools and higher education institutions on student socio-economics, race and sex, test performance, academic performance, graduation rates, behavior and a myriad of other data points and how they all interact with one another. Collecting and analyzing student data is critical to policy makers and curriculum and instruction developers as institutions try to adopt and support learning delivery in the most effective and economical manner.  The National Academy of Education recently released a workshop exploring the challenges for researchers, educators and legislators.

Not surprisingly, the collection of personal data from a captive student audience has led to significant privacy concerns.  Congress originally passed the Family Educational Rights and Privacy Act (FERPA) to give students and their families greater control over, and protection of, their education records.  But the 1974 law was passed decades before the internet and cloud data storage became ubiquitous, and efforts are underway in Congress and the U.S. Department of Education to update FERPA’s requirements.

One such legislative solution is a bipartisan Senate bill called The College Transparency Act of 2017.  The College Transparency Act is focused on tapping big data to ensure that student outcome results are accurate when schools report on enrollment, retention, completion, and post-collegiate outcomes.  The bill also addresses student privacy protections and security.

The College Transparency Act walks a tightrope: it opens up data so that consumers can make informed decisions about educational options, while at the same time protecting the individual student information that makes up the data system.  It also aims to reduce the reporting burden on institutions of higher education.  The National Center for Education Statistics would house the data system created by the CTA, on the theory that a single central repository can best maintain and protect this sensitive and personal information.  These are big aspirations, but needed in a world where data is valuable but also subject to abuse and misuse.

Healthcare service provider CoPilot Support Services (“CoPilot”) recently agreed to pay a $130,000 settlement after it waited over a year to notify patients of a data breach, in violation of New York’s breach notification law. The settlement highlights the need for covered entities to ensure compliance with state breach notification laws, which may impose stricter notice requirements than federal law, in addition to ensuring compliance with HIPAA. Likewise, as the New York Attorney General indicated in its press release about this matter, covered entities should not delay notifying consumers of a breach “unless explicitly directed in writing by an authorized law enforcement official” in cases where such notice would impede an ongoing investigation.

CoPilot provides physicians with insurance coverage information for certain medications through a web portal. In October 2015, an unauthorized individual gained access to protected patient reimbursement data via the company’s website administration interface. The breach involved records for 221,178 patients, including 25,561 New York residents. The Federal Bureau of Investigation opened an investigation at CoPilot’s request in mid-February 2016, focusing on a former employee suspected of stealing the data. On January 18, 2017, CoPilot began to provide notification to affected individuals in New York.

The New York Attorney General faulted CoPilot’s decision to wait more than one year to notify patients. CoPilot argued that it delayed notification because of the FBI’s ongoing investigation. However, the Attorney General found the delay unwarranted because the FBI never determined that notifying individuals would compromise the investigation and never instructed CoPilot to delay notification. According to the NY Attorney General: “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.” By comparison, HIPAA requires covered entities to notify individuals without unreasonable delay and no later than 60 days following the discovery of a breach.  Although many states also have an “as soon as practicable” standard for breach notification, several states require notification to be sent earlier than 60 days, and HIPAA does not preempt those stricter state requirements, so a covered entity must meet the shorter deadline.

In addition to the $130,000 penalty, CoPilot agreed to ensure and monitor compliance with New York’s data security laws, to update its data security policies and procedures, and to provide data security training as part of its legal compliance program.

McGuireWoods’ Data Privacy and Security Team has broad experience in responding to data breaches and stands ready to assist at any time. Furthermore, we routinely assist clients with an array of breach prevention and mitigation strategies. Fernando Tevez is a McGuireWoods summer associate.

On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user.  With similar attacks expected, and as we have previously discussed, businesses would be well served to proactively take steps to protect themselves from WannaCry and other malicious cyberattacks.

On the heels of yet another high profile cyberattack, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert to broker-dealers, investment advisers, and investment companies warning them of WannaCry and reminding them of the importance of addressing cybersecurity issues to protect investors and clients.  Regulated entities are required by Regulation S-P, 17 C.F.R. § 248.30(a), to adopt written policies and procedures (administrative as well as technical) to safeguard the personally identifiable information of their investors, clients, and customers.  The regulation requires that these procedures be reasonably designed to protect against anticipated cyber threats and unauthorized access to or use of customer records or information.

In 2015, OCIE launched its cybersecurity examination initiative, and the SEC’s Division of Investment Management and FINRA simultaneously offered guidance to regulated entities on cybersecurity.  The OCIE alert serves as a reminder to regulated entities of their obligation to safeguard client data.  In conducting a recent examination of 75 SEC registered broker-dealers, investment advisers, and investment companies, OCIE found that 26% of investment advisers and investment companies surveyed did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical systems.  Broker-dealers fared better, with only a 5% deficiency rate in both categories.

Both the SEC and FINRA have made enforcement of cybersecurity issues a focus, and recent SEC enforcement actions demonstrate its willingness to pursue firms that have suffered from cyberattacks and that lacked policies and procedures that the SEC deemed to be “reasonably designed” to safeguard customer information.  For example, R.T. Jones Capital Equities Management recently settled a cease-and-desist proceeding after an unauthorized, unknown intruder gained access to the personally identifiable information of over 100,000 individuals.  This breach cost R.T. Jones a $75,000 civil monetary penalty.

The WannaCry attacks and OCIE’s alert should serve as a reminder that regulators are watching how broker-dealers and other regulated entities safeguard customer data.  For a regulated entity, crafting effective cybersecurity policies and procedures is essential not only to preventing harmful and embarrassing attacks, but also to avoiding a potentially costly regulatory action.  As a regulatory compliance matter, these policies and procedures are more than an IT policy and require scrutiny from well-advised in-house counsel.

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1,500 UK businesses. According to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate, and for many larger companies the cost is much higher, and not only in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or because they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation under data protection legislation, and potential action from regulators such as the ICO or, for businesses in the financial sector, the FCA.

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of the importance that the Commission puts on complying with all aspects of the EU merger rules.  The information at issue concerned how Facebook would be able to use its and WhatsApp’s data.  Although the case did not directly concern the processing or use of data as such, its factual background raises data protection issues and it is notable that similarly high fines will soon be possible under the EU’s General Data Protection Regulation (GDPR) for data protection infringements.

During the acquisition notification procedure in 2014, the Commission had some concerns about Facebook’s ability to establish automated matching between users’ accounts in the two services. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeting of advertisements. From a competition perspective, this could strengthen Facebook’s position in the online advertising market and hamper competition in such market. From the data protection side, data subjects and data protection authorities should be informed of any such data sharing between Facebook and WhatsApp, as well as possible new processing resulting from that matching.

Facebook informed the Commission that it would be technically impossible to achieve reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.  However, WhatsApp updated its Terms of Service and Privacy Policy in August 2016, and that update included the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities.  The Commission investigated and found that the technical possibility of this automatic matching of identities existed in 2014, that Facebook staff were aware of this, and that Facebook was aware of the relevance of the issue to the Commission’s investigation. Facebook’s answers in 2014 had therefore been incorrect or misleading, and a fine was justified.

Separately, in a letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent to this change under data protection rules.  This is because, at the time they signed up, users were not informed that their data was to be shared among the “Facebook family of companies” for marketing and advertising purposes.  The WP29 announced an investigation, urged WhatsApp to communicate all available information on this new data processing and required the company not to proceed with the sharing of users’ data until appropriate legal protections could be assured.

This investigation by the Article 29 Working Party demonstrates once again, against the background of the increased sanctions soon to be introduced under the GDPR, the importance of compliance with data protection law in the EU.  For example, companies engaged in a merger or acquisition should integrate data protection compliance programs (in addition to those covering, at least, general corporate, competition and bribery/corruption matters). Such programs should include at least the following measures:

  • Map and assess the privacy risk involved in the new processing carried out in the context of the corporate transaction itself (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried out after the transaction closes.
  • To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about that new processing and its purposes, taking into account confidentiality issues.
  • Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.

Last week, President Trump signed an executive order (EO) designed to strengthen national cybersecurity and critical infrastructure. The EO focuses on the modernization of the federal information technology (IT) network and national cybersecurity risk management. While the order does not specifically address private-sector business procedures, companies will likely be forced to adjust operations in response to cybersecurity risks.

Modernization of Federal IT

To promote IT modernization, the EO specifically directs agencies to “show preference” for shared IT services including email and cloud services, requests strategies to reduce threats from botnets, and seeks a plan to help secure critical infrastructure. As a part of the modernization process, the order states that agency heads will be held accountable for promulgating cybersecurity initiatives and adequately protecting and managing cybersecurity risks. The tone of accountability woven throughout the order is particularly noteworthy, as the order suggests that President Trump may be much more interested in holding senior officials personally accountable for cybersecurity failings than were past presidents.

Although most of these modernization efforts will take time, one immediate effect of the order is that each agency is now explicitly required to follow the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST). Notably, the EO does not include the words “at a minimum” before that requirement.  By omitting that language, the order potentially disincentivizes, or at least fails to incentivize, agencies from exploring security policies and procedures beyond what the NIST Framework describes.

In order to implement such an extensive modernization effort, there are legitimate budgetary concerns. To help address this issue, the Secretary of Commerce, along with other officials, is charged with reporting on the budgetary considerations involved in the federal transition to secure, shared IT services. However, it is unclear how the new budgetary requests will be managed by Congress and whether budget cycles and associated processes will impede the expedited reforms that the President is seeking.

Risk Management

The order seeks to determine to what extent the country is prepared for, and could respond to, a prolonged cyber incident. As part of the information-gathering process, the EO requires several different agencies to prepare reports due within 45 to 240 days; most of the reports are due within the next 90 days. These reports cover:

  • the country’s strategic options for deterring adversaries and protecting against cyber threats;
  • the assessment of cybersecurity-related education, training, and apprenticeship programs;
  • the sufficiency of existing policies to promote market transparency of cybersecurity risk management practices by critical infrastructure entities;
  • the potential scope and duration of a prolonged power outage associated with a significant cyber incident; and
  • the cybersecurity risks facing the defense industrial base and recommendations for mitigating those risks.

While the relatively short 90-day reporting deadline illustrates a sense of urgency on this matter, it does raise the concern that agencies may be forced to rely on existing perspectives and information or to generate relatively cursory analysis rather than engage in comprehensive studies of the matters outlined in the order.

The EO does not fundamentally change U.S. cybersecurity policy, but it does lay the groundwork for changes to future policy initiatives. The seriousness of implementing new cybersecurity policy, especially the EO’s request for options to deter adversaries, was unfortunately reinforced by the unprecedented global ransomware attack as well as the Federal Communications Commission falling victim to a distributed denial-of-service attack. Given the increasing regularity of cyber disruptions, the administration is likely to continue focusing on this issue throughout the year.

With the commencement of the workweek, experts predict the WannaCry cyberattack will spread further through systems that rely on older or unpatched versions of Microsoft Windows. The following alert explains the WannaCry ransomware and its impact on businesses and organizations as well as the preventative measures they need to take immediately.

What: Like other forms of ransomware, WannaCry — aka WanaCrypt0r and WCry — encrypts the files on an infected computer and locks users out of them until a ransom is paid. This results in the loss of system functionality for as long as the computer remains infected and, where no decryption key is ever obtained, the effective destruction of the encrypted data.

Those in control of WannaCry seek ransom payments in the form of bitcoin. Ransom demands started at $300 and escalated to $600, with the ransom note threatening to delete the encrypted files if payment was not made. WannaCry is indiscriminate in its effects (i.e., it is not focused on a discrete target set or industry, and it has the potential to continue to propagate through systems that have not taken appropriate defensive measures). Notably, it spreads from machine to machine across a network without users taking any action.

The WannaCry messages that users encounter are presented in the following safe images.

[Images: Cyberattack-WannaCry1, Cyberattack-WannaCry2]

Who: While the originators of WannaCry are unknown, as of May 14, it had victimized at least 200,000 users in more than 100,000 organizations. Victims include the UK’s National Health Service (multiple hospitals and facilities); Federal Express in the United States; Chinese universities; Russia’s Interior Ministry; Telefonica, Gas Natural and Iberdrola (electrical) in Spain; and Renault in France.

Where: As of May 14, WannaCry had infected computers in over 150 countries (noting that the ransomware’s ability to operate in at least 27 languages has increased its transnational potency).

When: The new variant of WannaCry began creating significant effects on May 12, with infections and ransom demands expected to continue. Another strain of WannaCry began infecting computers over the weekend.

Why: WannaCry takes advantage of a known vulnerability in the SMBv1 file-sharing service of Microsoft Windows (addressed by Microsoft security bulletin MS17-010 and exploited by the leaked ETERNALBLUE tool), and some experts believe it may have the ability to exploit other vulnerabilities. Microsoft had released a patch for the vulnerability in March 2017, approximately two months before the attack. However, many organizations had not installed the patch.

The Way Ahead: It is possible that the variant of WannaCry discussed above (and its successors) will continue to wreak havoc on computer systems for the near future. Effects would be felt across industries globally.

Organizations should take preventative measures immediately:

  • Ensure that all systems and software are protected against WannaCry. Windows users should confirm they have the latest Windows security updates installed (in particular, MS17-010), and organizations should run only supported versions of software. As always, organizations should systematically monitor patch availability and promptly download and install available patches.
  • Organizations that rely on internal cybersecurity defensive tools, software or services, or that use outside vendors or other external defensive options, should confirm they have layered defenses that account for, and are capable of addressing, the latest variant of WannaCry and its successors.
  • Back up data, make certain that backup files are as current as possible, and implement measures to ensure resilience and business continuity in the event of infection by WannaCry. Backups should be isolated and segmented and interconnectivity should be avoided whenever it is not essential. Limit internal (workstation-to-workstation, server-to-server) communication and user permissions to help prevent the spread of WannaCry.
  • Review incident response plans and update them as necessary to address distributed ransomware attacks. Conduct training exercises tailored to distributed ransomware scenarios.
  • Deliberate now as to whether or under what circumstances the organization would pay the ransom — decisions driven by considerations specific to particular businesses. Considerations may include, but are not limited, to:
    • harm to the business or those it serves if the system remains inoperable and/or files are destroyed;
    • the cost of payment and whether that cost is incurred for a single computer or for multiple computers;
    • whether there is a sufficient basis to believe that payment will result in the system and/or files being released to the user (noting that some of the recent ransomware attacks resulted in computers being left inoperable even after meeting ransomware demands); and
    • the potential that payment in this instance will perpetuate ransomware attacks against the business and others in the future.
  • Review insurance policies and consider whether they cover a WannaCry infection; whether additional coverage is needed; and whether they permit the use of outside cybersecurity vendors and qualified legal counsel, under what circumstances and when in the process (e.g., not until after notification to the insurer if the insurer will be responsible for paying for cybersecurity and legal services).
  • Train and test — on a continuing basis — employees and other persons with access to company computer systems on identifying and avoiding phishing and spear phishing.
  • Ensure comprehensive, functional and effective cybersecurity strategies and/or written information security programs are in place. These strategies and programs should address vulnerabilities created by the existence of disparate systems, networks and cybersecurity responsibilities that may exist across lines of businesses or business infrastructure and involve regular testing for vulnerabilities and strategy/program compliance.
  • Review second-tier plans, policies, procedures and cyber hygiene practices to ensure they address vulnerabilities in other devices (e.g., tablets, mobile phones, personal laptops) that may connect to business systems and networks.
  • Ensure that crisis response team members have been identified. Consider who, specifically, they will call for assistance (e.g., cybersecurity firm, outside counsel, public relations, government agency) in the event of an infection.
  • Understand legal obligations with respect to a ransomware incident (e.g., must the organization report the incident to customers, employees, regulators, attorneys general, etc.?).
  • Consider whether to join an Information Sharing and Analysis Center, if one exists for the specific industry, to share threat information and learn best practices for combatting cyber incidents.
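Both the Petya/PetrWrap list earlier on this page and the WannaCry list above begin with the same instruction: confirm that Windows hosts carry the MS17-010 update. The PowerShell below is an added example (not code from the original alerts or from McGuireWoods) that checks one host for that update and for whether the SMBv1 service the exploit targets is still enabled. The KB numbers are the security-update identifiers Microsoft listed under MS17-010 for Windows 7/8.1, Server 2008 R2/2012/2012 R2 and Windows 10 builds 1507/1511/1607; treat that list as an assumption to be checked against the bulletin for your own builds. It assumes an elevated (administrator) session.

```powershell
# Added example: per-host check for the MS17-010 update and SMBv1 exposure.
# Not part of the original alert. KB list and registry path are assumptions
# to verify against the MS17-010 bulletin for the builds you run.

# Assumed: the KB identifiers Microsoft published under MS17-010.
# Caveat: on Windows 10 / Server 2016 later cumulative updates supersede
# KB4013429 etc., so a missing KB there is a prompt to check Windows Update
# history, not proof that the host is unpatched.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

function Test-Ms17010 {
    param([string[]]$Kbs = $Ms17010Kbs)
    # Get-HotFix lists installed updates by HotFixID (e.g. "KB4012212").
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched   = ($matched.Count -gt 0)
        MatchedKb = ($matched -join ', ')
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Older hosts: the LanmanServer SMB1 registry value. When the value is
    # absent, SMBv1 is enabled by default, so treat "absent" as enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Get-Ms17010Exposure {
    $patch = Test-Ms17010
    $smb1  = Test-Smb1Enabled
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ms17010Found = $patch.Patched
        MatchedKb    = $patch.MatchedKb
        Smb1Enabled  = $smb1
        # Exposed if the update is not visible AND SMBv1 is still reachable;
        # a patched host with SMBv1 on is still worth hardening.
        Exposed      = (-not $patch.Patched) -and $smb1
    }
}

$result = Get-Ms17010Exposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning "Host appears exposed to MS17-010 exploitation: install the update and disable SMBv1."
} elseif ($result.Smb1Enabled) {
    Write-Warning "MS17-010 present, but SMBv1 is still enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
```

Run it on a representative host from each Windows build in the estate, or wrap `Get-Ms17010Exposure` in `Invoke-Command -ComputerName` to sweep a list. Treat `Smb1Enabled = True` as a finding even on patched machines: disabling SMBv1 removes the protocol WannaCry and the Petya family rely on to move laterally, regardless of which future vulnerability is found in it.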


Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases.  Here’s our analysis of the most recent appellate decision on that issue.

Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a putative class action filed against a merchant in connection with a data breach of customer information, holding that the cardholder failed to allege sufficient injury to establish standing.

The decision adds yet another data point for practitioners feeling out the boundaries for when the exposure of personal information creates a legal right to sue.

In Whalen v. Michaels Stores, Inc., the plaintiff alleged that shortly after she made in-store purchases with her credit card, her card information was used in Ecuador in attempted purchases of a gym membership and concert tickets.  She cancelled her card upon learning of those attempts, and did not allege those charges were ever approved.

In rejecting the plaintiff’s arguments in favor of standing, the Second Circuit emphasized that she failed to allege that she actually incurred or paid those charges, and also discounted her assertion that she faced risk of future identity fraud—noting that she had already cancelled her card, and failed to allege that her name, birth date, or social security number were among the information stolen.

Notably, the court considered her allegation that she suffered damages “based on the opportunity cost and value of time” that she spent monitoring her account also insufficient to establish injury.  In so holding, the court interpreted the “particularized” component of Article III’s “concrete and particularized injury” requirement to require the plaintiff to plead specifics about the time and effort expended.

The Second Circuit expressly distinguished prior decisions from the Seventh Circuit holding the victims of a data breach alleged sufficient injury to invoke Article III standing.  On a closer review, however, it is not always easy to draw a clean line between the injuries alleged in Whalen and some of those deemed sufficient by the Seventh Circuit.

For example, in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit held the plaintiffs had sufficiently alleged injury based on an increased risk of future fraudulent charges and identity theft, notwithstanding that the data breach in that case also only involved the theft of card information and not personal information such as social security numbers or birth dates.

Similarly, the court in Remijas deemed sufficient allegations that the plaintiffs lost time and money protecting themselves against future identity theft—allegations not dissimilar from those rejected in Whalen.

Although we have yet to arrive at a unified theory of standing in data breach cases, Whalen does provide a helpful piece of line-drawing, illustrating that a plaintiff who does not incur fraudulent charges—and cancels her card before any fraudulent charges are incurred—may have trouble convincing a court that she has suffered sufficient injury from a data breach to confer standing.