On Sept. 15, 2015, the Securities Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published its second cybersecurity risk alert (the “2015 Risk Alert”). The 2015 Risk Alert is a follow-up to the OCIE’s April 2014 cybersecurity initiative risk alert (the “2014 Risk Alert”) announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. The 2015 Risk Alert puts broker-dealers (BDs) and investment advisors (IAs) on notice that OCIE will seek additional information and expand its area of focus in this second round of cybersecurity examinations.

Retail data breaches are multi-victim crimes, with the retailer, consumers and affected third parties all having legitimate claims to “victimhood” – and each left squabbling as the hacker vanishes into the digital ether. Moreover, the most powerless victims – individual consumers – may be foreclosed from class litigation because retailers, banks and credit card companies typically race to ensure customers are quickly made whole. However, a recent ruling in In re: Target Corp. Customer Data Security Breach Litigation suggests that, for class-action litigators, the real action is in the scrum among the retailer and affected third parties, including credit card companies, banks and credit unions.

On September 15, 2015, the U.S. District Court for the District of Minnesota certified a class of several hundred banks and credit unions against Target Corp. The recently minted class stems from the data breach Target suffered in 2013 that may have impacted up to 40 million debit and credit cards. A statement released by the League of Southern Credit Unions and Affiliates noted that Judge Magnuson’s ruling is “almost unprecedented” and their attorney called it “the beginning of a sea change to make merchants responsible for their misconduct, particularly when the misconduct impacts the credit union community.”

In opposing class certification, Target focused on Rule 23’s related commonality and predominance requirements. Specifically, Target argued common issues did not predominate because (1) the banks’ claims would require analysis and application of 50 states’ choice-of-law rules and substantive negligence laws, and (2) damages were not susceptible to class adjudication under the Supreme Court’s Comcast decision. Judge Magnuson summarily rejected these arguments, finding that a 50-state choice-of-law analysis was unnecessary because Minnesota’s contacts with the action were “legion” and the banks’ expert had established it is “possible to prove classwide common injury and to reliably compute classwide damages” as required by Comcast. Finally, the court distinguished between the claims of individual consumers – which the court categorized as presenting a “possibility” of future harm – and the banks’ claims – which the court found flowed from the actual cost of reissuing millions of cards affected by the breach.

Pursuant to the unique interlocutory appeal provision in Rule 23(f), Target has 14 days from the certification order to petition the Eighth Circuit for permission to lodge an appeal. That deadline can be extended if Target files a motion for reconsideration.

The court’s certification undoubtedly complicates – or at least makes more expensive – Target’s ongoing efforts to settle claims and put the 2013 data breach behind it. For other merchants, the ruling should serve as a warning that the threat of class-action litigation flowing from a data breach is not confined to affected consumers – affected businesses may also be aligning against you. Moreover, though one data point is not a trend, this decision suggests that those businesses may have an easier time meeting Rule 23’s certification requirements than a traditional putative consumer class would.

The EU and U.S. reached an agreement on Tuesday (9 September) which will enable the two sides to exchange personal data during criminal and terrorism investigations.

The so-called “Umbrella Agreement” comes after four years of negotiations between the EU and U.S. and will protect personal data exchanged between police and judicial authorities in the course of investigations.

Concerns in the EU were raised following revelations in 2013 that the U.S. National Security Agency (NSA) conducted mass surveillance on EU citizens, was involved in industrial espionage, and spied on heads of state and ministers. The European Commission said this deal will help restore lost trust.

The Umbrella Agreement will allow the transfer of personal data between the EU and the U.S. “for the purpose of prevention, detection, investigation and prosecution of criminal offences,” providing it is not “processed beyond compatible purposes.” It also will put limits on the ability of the U.S., or an EU country, to pass the shared data to a third country.

Importantly, EU citizens will have the same rights as U.S. citizens to enforce their data protection rights before U.S. courts in cases where U.S. authorities deny access or rectification, or unlawfully disclose their personal data. U.S. citizens currently have data protection rights in the EU, so this is seen as a quid pro quo.

EU Justice Commissioner Vera Jourová said the agreement will guarantee a “high level of protection” for personal data exchanged between U.S. and EU investigators. “The finalization of the Umbrella Agreement negotiations is therefore an important step to strengthen the fundamental right to privacy effectively and to rebuild trust in EU-U.S. data flows,” she said in a statement.

Next steps

In the U.S., the Judicial Redress Bill, granting judicial redress rights to EU citizens, will have to be adopted before the Umbrella Agreement can be signed and formally concluded. Senator Chris Murphy, who is sponsoring the bill which was introduced by Representative Frank James Sensenbrenner Jr., has said that he is angling to attach the language to the Cybersecurity Information Sharing Act that is currently pending, or pass it as a standalone bill.

In the EU, the European Council, on the basis of a proposal by the European Commission, shall adopt a decision authorising the signing of the agreement. The decision concluding the agreement will be adopted by the European Council after consent of the European Parliament.

The Future of Safe Harbor?

The negotiations over the separate EU-U.S. Safe Harbor agreement, which covers corporate data transfers, have hit a road block. The concurrence on the judicial redress issue covered by the Umbrella Agreement should allow the parties to make progress on that point as part of the Safe Harbor negotiations.

Last year, the European Parliament voted to suspend the Safe Harbor agreement, which legitimizes the transfer of personal data outside the EU to the U.S. More than 5,000 U.S. companies have signed on to the Safe Harbor self-certification scheme, but a study in 2013 found that hundreds of companies had lied about belonging to the Safe Harbor arrangement.

Almost two years ago, the European Commission issued 13 recommendations to the U.S. to improve the scheme but, as yet, little has been done to improve it. The U.S. Department of Commerce is refusing to move on the agreement’s national security exceptions. The agreement is currently under review and on 9 September 2015, Ms. Jourová said that she is confident the work on Safe Harbor “will soon conclude.”

On August 28, 2015, the National Futures Association (NFA) submitted a proposed interpretative notice (Notice) to the Commodity Futures Trading Commission (CFTC) to require information systems security programs (ISSPs). If the CFTC adopts the NFA’s proposals, NFA member firms – including swap dealers, major swap participants, futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers (collectively, Members) – would have to establish, maintain and follow written ISSPs.

The UK’s data protection authority, the Information Commissioner’s Office (ICO), may be prompted to investigate a serious breach of privacy involving a London health clinic last week.

The 56 Dean Street Clinic, which is operated by the Chelsea and Westminster NHS Trust and specializes in HIV and other sexual health services, has apologized for the error which revealed (to all 780 recipients) the full names and email addresses of fellow clinic users who had signed up to an email service, which allows them to receive test results and book appointments by email, and to receive the clinic’s newsletter. An internal investigation is underway, but it appears that human error is to blame; instead of “blind” copying recipients to the email bulletin, the sender incorrectly used the “cc” function. Such slip-ups are usually embarrassing for any organisation, but this one is particularly serious because of the highly sensitive nature of the information and the breach of patient privacy.

Patients of the clinic have understandably expressed their concerns:

  • Their full names and email addresses have been circulated.
  • It is possible to identify other people they know from the list and to learn their HIV status.
  • They may not have shared their HIV-positive status with friends and family, but now anyone could find out.
  • Although the email was recalled, there is no way of controlling the further dissemination of the information.
  • The information could be published online at any time.
  • The information could be used against patients (for example, in an employment context).
  • Any legal action taken by the patients, or others, acting on their behalf, could further compromise privacy.

This breach could lead to enforcement action by the ICO and other industry regulators, such as the Care Quality Commission in the health sector. UK Health Secretary Jeremy Hunt has ordered an inquiry into the incident, which he described as “completely unacceptable.” It also draws unwelcome attention to his plans to put NHS patients’ GP records online within 12 months, with hospital records to follow by 2018. It has already been noted that security for patient data must be a key priority for these plans, as the public needs to trust the NHS to properly safeguard health and treatment records online. Security measures to prevent cyber-attacks are necessary, but so is training for staff to learn how to reduce the risks of accidentally disclosing personal data.
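The incident above came down to one wrong header: subscribers placed in “cc” rather than “bcc”. Staff training is one control; a technical guard in the bulk-mailing path is another. The following is an added example, not code from the clinic, the NHS Trust or the original post: a small pre-send check that refuses to send any bulletin whose To/Cc headers would disclose more than one address, beside a builder that puts every subscriber in Bcc. Function names and the sample addresses are assumed and constructed for illustration.

```python
"""Pre-send guard for bulk e-mail: refuse to send a bulletin whose visible
recipient headers (To/Cc) would reveal subscribers to one another.
Added example; names and sample addresses are constructed, not from the post."""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientDisclosureError(Exception):
    """Raised when a bulk message would expose recipients to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address that all recipients would see: the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Gate for the bulk-mail path: at most `max_visible` addresses may be
    visible (the sender's own mailbox in To). Returns them if the message
    passes; raises RecipientDisclosureError otherwise."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientDisclosureError(
            f"{len(visible)} addresses would be visible in To/Cc; "
            "put bulk recipients in Bcc or send individually")
    return visible


def build_bulletin(sender: str, subscribers: list[str],
                   subject: str, body: str) -> EmailMessage:
    """Safe form: the sender's own address in To, every subscriber in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulletin_cc(sender: str, subscribers: list[str],
                      subject: str, body: str) -> EmailMessage:
    """The error described in the post: subscribers placed in Cc, so the
    whole list travels with every copy. Kept here only to show the guard catch it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample list; no real subscribers.
    subs = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]
    good = build_bulletin("bulletin@clinic.example", subs, "Newsletter", "Hello")
    print("bcc bulletin passes, visible:", check_bulk_message(good))
    bad = build_bulletin_cc("bulletin@clinic.example", subs, "Newsletter", "Hello")
    try:
        check_bulk_message(bad)
    except RecipientDisclosureError as err:
        print("cc bulletin blocked:", err)
```

When the passing message is handed to `smtplib.SMTP.send_message`, the Bcc header is used for the envelope recipients and stripped from the transmitted copy, so recipients never see each other; the guard belongs immediately before that call, where a wrong header can still be caught.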

Under the Data Protection Act 1998 (DPA), the clinic could face a penalty fine of up to £500,000 for the breach and may be liable to compensate individuals for any damage and distress suffered. The Data Protection Act 1998 does not define this clearly, but according to ICO guidance, “damage” is understood to mean “financial loss or physical harm,” and “distress” can be described as “a level of upset or emotional or mental pain, that goes beyond annoyance or irritation, showing dislike, or a feeling that the processing is morally abhorrent.”

The data subjects involved in this incident will undoubtedly be able to claim that they have suffered, or are likely to suffer, distress. That said, the clinic did take steps to contain the incident and its repercussions. These are noteworthy and, depending on the circumstances and appropriate legal advice, potentially suitable actions to be taken by any organization involved in similar events:

  • Recall/delete the email as soon as possible.
  • Contact recipients to explain the problem.
  • Ask them to delete the original email immediately.
  • Recognize that the error was unacceptable and apologise.
  • Explain that there is an investigation into the incident and that they will be informed of the outcome.
  • Set up a helpline.
  • Provide contact details.

Illicit affairs have always imposed risks – from marital discord and divorce to boiling bunnies and Maury appearances. However, when old-school adultery met new-school technology on the Ashley Madison infidelity website, those risks expanded to include data breach, identity theft, and having private sexual predilections and fantasies revealed to the world. Those risks became reality earlier this year when a hacker collective calling itself “The Impact Team” released over 30 gigabytes of stolen data, including personal and financial information of Ashley Madison’s more than 39 million users, as well as internal company e-mails and information. The breach has already created considerable fallout – including last week’s announcement of the CEO’s resignation.

Now, in a series of class action lawsuits, plaintiffs’ lawyers are jockeying for the opportunity to represent classes of potential victims. The various suits – filed in California, Missouri, Texas, and Alabama – are all, predictably, brought by “John Doe” or “Jane Doe” plaintiffs against Ashley Madison parent company, Avid Life Media, Inc. The thrust of each suit is similar. For example, each alleges that Ashley Madison promised robust protection of its members’ personal and financial information but, in fact, employed anemic security measures. Perhaps more troublesome for the company – because it could open the doors to fraud or other claims supporting punitive damages – the suits allege that Ashley Madison charged members $19 to permanently delete – as opposed to merely deactivate or hide – their profiles and data, but even members who purchased this “paid delete” option had their data compromised. Some of the suits focus almost exclusively on the loss of standard personal and financial information similar to claims seen in other data breach class actions. However, others spice things up by arguing that the disclosure of plaintiffs’ “intimate desires” and similar information gives rise to compensable emotional distress damages.

The UK’s Information Commissioner’s Office (ICO) has made what appears to be its first “right to be forgotten” enforcement action against Google Inc. The ICO issued the notice on 18 August 2015, ordering Google to remove nine links to news stories about an individual’s criminal offence committed almost a decade ago.

How we got here

In May last year, the European Court ruled in favour of the right to be forgotten, giving anyone permission to request that specific links no longer be returned in searches for their names if they involve information that is out of date, excessive, or irrelevant.

The search engine previously deleted links referencing the criminal history of an individual after that person made such a request. However, the removal of those links then made news and those news stories referenced the individual again by name, including details of the original criminal offence. Google refused to remove links to the subsequent news stories, arguing that they were “an essential part of a recent news story relating to a matter of significant public importance.”

This enforcement notice comes just two months after the French data protection authority (CNIL) ordered Google to remove links for a right-to-be-forgotten request from its entire search engine, as reported in our blog post in June.

Does a data breach of a retailer’s payment-card information automatically confer Article III standing on affected customers?  Is the mere possibility that some criminal element may use pilfered information to commit future fraud or identity theft sufficient to confer customers standing to assert a class action?  Are a retailer’s customer service efforts following a data breach – arguably subsequent remedial measures – proper evidence of the customers’ injury?

These are some of the bedrock questions luxury retailer Neiman Marcus has asked the Seventh Circuit Court of Appeals to consider en banc following a three-judge panel’s bombshell opinion in Remijas v. Neiman Marcus Group.  Before Remijas, the answer to each of these questions – based on opinions from the Third Circuit and numerous federal district courts finding a lack of standing in data breach cases – was unequivocally “No.”  Remijas, however, is a potential game changer on several key fronts because it is the first Circuit Court opinion to find:

  1. Customers need not wait until hackers commit identity theft or credit-card fraud to acquire standing because there is an “objectively reasonable likelihood” injury will occur;
  2. Plaintiffs who have not suffered actual fraud or identity theft are nonetheless injured because they must spend time and money replacing cards, monitoring their credit score and otherwise “sorting things out”;
  3. A retailer’s offer of credit monitoring and identity-theft protection to customers following a data breach was “telling” evidence that the risk of harm was not “ephemeral.”

For any company regularly compiling or retaining customer data, the potential ramifications of Remijas are harrowing.  As Neiman Marcus pointed out in its petition for en banc review, in Clapper v. Amnesty Int’l USA, the U.S. Supreme Court held that Article III standing for possible future injuries only exists where the threatened injury is “certainly impending.”  Remijas’ use of an “objectively reasonable likelihood” standard potentially lowers the crucial standing bar announced in Clapper.  Moreover, Neiman Marcus argues, Remijas creates a circuit split with the Third Circuit, which declined to find standing in Reilly v. Ceridian Corp. – a similar data breach class action.

Neiman Marcus also took issue with the Court’s finding that the cost of “sorting things out” following a data breach – including the cost of credit-monitoring services – could constitute a compensable injury where there was no allegation that any class representative or member had actually suffered identity theft or unreimbursed fraud.  On this last point, Neiman Marcus was particularly troubled by the Court’s use of the retailer’s offer of credit‑monitoring services and identity-theft insurance – offers made as a “customer service measure” – as evidence that its customers suffered injury.  As Neiman Marcus points out, it made those offers to a much larger subset of customers than were actually impacted by the breach.  Moreover, allowing the store’s post-data breach purchase of credit monitoring and identity-theft insurance for potentially affected customers to serve as evidence of its customers’ compensable injuries perversely disincentivizes companies from taking similar steps in the future.

Although petitions for en banc rehearing are not routinely granted, the panel’s apparent deviation from recent Supreme Court standing jurisprudence, and the potential conflict with the Third Circuit, may prove compelling reasons for the Seventh Circuit to grant the petition.  Pursuant to federal appellate court rules, Plaintiffs are not permitted to respond to a petition for en banc review unless requested by the Court.  However, the Court typically allows a response before granting such a petition.  Thus, if the Court sees potential merit in the petition, the most likely next step would be to invite a response from Plaintiffs.  On the other hand, if the Court is wholly unswayed, it could deny the petition outright.

While allowing Remijas to stand would not be a death blow to Neiman Marcus’s case – it still has strong defenses to class certification only hinted at in the briefing thus far – it would significantly increase the likelihood of future data breach plaintiffs surviving a motion to dismiss and, consequently, spike the frequency and expense of data breach class-action litigation for defendants.  McGuireWoods LLP data privacy and class action attorneys will continue to closely monitor this important case.

Last winter, following a well-publicized data breach, a group of financial institutions sued Target, arguing that Target should be held responsible for the damages that they had experienced as a result of the data breach despite the fact that such damage only occurred indirectly through their individual cardholders. As discussed in this previous post, the financial institutions were able to survive a motion to dismiss from Target using this novel argument. In a new development, another victory was handed to the banks on Tuesday – Target and Visa have announced that they have agreed to settle the claims of Visa’s major card issuers for up to $67 million.

This deal is significant in a number of ways, not the least of which is its size – $67 million represents a significant settlement amount for a single data security suit. When combined with the novelty of the claims made by the financial institutions, it’s likely that this deal will set a precedent for future data security litigation and may spark more claims from financial institutions who suffer losses as a result of similar data breaches in the future.

This should be a cautionary tale for retailers. Between the success of the banks in obtaining recovery for these losses by taking an expansive view of the scope of foreseeable harm and the new liability-shifting rules being introduced in conjunction with the new EMV chip technology, retailers who accept credit cards are facing a future in which they are expected to bear an increasing portion of the burden of any losses occurring from data breaches – especially if such retailers are not taking active and aggressive steps to keep, implement, and maintain available processes and tools to prevent such losses.

On October 1, 2015, a substantial portion of the liability associated with in-store fraudulent credit card purchases will shift from credit card issuers, such as banks or credit unions, to retail merchants.  Credit card companies instituted the shift in a push to force retailers to adopt new EMV (EuroPay, MasterCard, and Visa) chip technology over the traditional magnetic strip readers prevalent in the United States.

EMV chip technology is considered a more secure payment system than traditional credit card magnetic strips.  Magnetic strips contain a single set of unchanging data that can be replicated and used repeatedly for fraudulent purchases until the card is cancelled.  In contrast, a card with an EMV chip generates a one-time transaction code that cannot be used for any other in-store transaction, limiting the utility of the stolen data.  According to the credit card industry, the adoption of EMV chip technology will also limit fallout from significant company-wide data breaches as the breach would yield less profitable information for hackers.
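The paragraph above states the property that matters for breach fallout: stripe data is static and replays indefinitely, while a chip emits a code good for one transaction. The following toy model, added here and not the EMV specification or any issuer’s real cryptogram scheme, makes that difference concrete. It stands in for the chip’s cryptogram with an HMAC over a per-card transaction counter and the amount, and lets an issuer host authorize a first purchase and then a replay of the same captured data for each card type. The key, PAN and track contents are constructed placeholders, and the class and function names are assumptions of this example.

```python
"""Toy model of the security difference between a magnetic stripe and an
EMV-style chip: copied stripe data replays indefinitely, a captured
per-transaction code does not. Added example; the HMAC-over-counter
construction, key, PAN and track data are constructed stand-ins only."""
import hashlib
import hmac


def transaction_code(card_key: bytes, counter: int, amount_cents: int) -> str:
    """Stand-in for the chip's one-time transaction cryptogram: a MAC over the
    transaction counter and amount under a key that never leaves the chip."""
    message = f"{counter}:{amount_cents}".encode()
    return hmac.new(card_key, message, hashlib.sha256).hexdigest()


class Issuer:
    """Authorization host for both card types."""

    def __init__(self) -> None:
        self.track_on_file: dict[str, str] = {}   # PAN -> static stripe data
        self.chip_keys: dict[str, bytes] = {}     # PAN -> per-card chip key
        self.last_counter: dict[str, int] = {}    # PAN -> highest counter accepted

    def enroll_stripe(self, pan: str, track_data: str) -> None:
        self.track_on_file[pan] = track_data

    def enroll_chip(self, pan: str, card_key: bytes) -> None:
        self.chip_keys[pan] = card_key
        self.last_counter[pan] = 0

    def authorize_stripe(self, pan: str, track_data: str) -> bool:
        # The stripe carries the same bytes every time, so the issuer cannot
        # tell the genuine card from a copy of its data: replays pass too.
        return self.track_on_file.get(pan) == track_data

    def authorize_chip(self, pan: str, counter: int, amount_cents: int, code: str) -> bool:
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        expected = transaction_code(key, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False      # code does not match this counter and amount
        if counter <= self.last_counter[pan]:
            return False      # counter already consumed: a replayed code
        self.last_counter[pan] = counter
        return True


class ChipCard:
    """Card side: bumps its counter and emits a fresh code for each purchase."""

    def __init__(self, pan: str, card_key: bytes) -> None:
        self.pan, self.card_key, self.counter = pan, card_key, 0

    def pay(self, amount_cents: int) -> tuple[str, int, int, str]:
        self.counter += 1
        code = transaction_code(self.card_key, self.counter, amount_cents)
        return self.pan, self.counter, amount_cents, code


def run_demo() -> dict[str, bool]:
    """One purchase and one replay with each card type; returns the outcomes."""
    issuer = Issuer()
    pan = "4000000000000000"             # constructed PAN, not a real card number
    track = "constructed-static-track"   # constructed stand-in for stripe contents
    issuer.enroll_stripe(pan, track)
    card_key = b"constructed-chip-key"   # constructed; issuers provision real keys
    issuer.enroll_chip(pan, card_key)
    card = ChipCard(pan, card_key)

    results = {}
    # Magnetic stripe: the captured data is as good as the card, every time.
    results["stripe_first"] = issuer.authorize_stripe(pan, track)
    results["stripe_replay"] = issuer.authorize_stripe(pan, track)
    # Chip: a captured authorization message is useless a second time.
    captured = card.pay(1999)
    results["chip_first"] = issuer.authorize_chip(*captured)
    results["chip_replay"] = issuer.authorize_chip(*captured)
    # The captured code cannot be re-pointed at a new counter or amount either.
    pan_, ctr, _, code = captured
    results["chip_forged_amount"] = issuer.authorize_chip(pan_, ctr + 1, 50000, code)
    # The genuine card's next purchase still goes through.
    results["chip_next"] = issuer.authorize_chip(*card.pay(500))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:20s} {'authorized' if ok else 'declined'}")
```

The point for a breach-cost estimate is the second line of each pair: a dump of stripe tracks from a compromised terminal stays usable until every card is reissued, whereas a dump of chip authorization messages is already spent, which is why the post expects EMV to leave less profitable data behind after a merchant-side breach.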

Credit card companies hope to expedite the new technology rollout through the pending change in liability rules. Under current rules, the card issuer assumes all the liability for counterfeit or stolen credit card transactions.  Under the new rules, retailers who choose to accept payments via a credit card’s magnetic strip will be able to do so but may be liable for fraudulent purchases resulting from the use of the magnetic strip on EMV chip enabled cards.  Generally speaking, if the card does not contain an EMV chip, the card issuer can be held liable.  If the card contains an EMV chip but the merchant has not adopted EMV chip technology, the merchant can be held liable.  As between the two parties, the party with the least EMV-compliant transaction network will be responsible for the fraudulent transaction.

The new rules will likely generate some confusion over who is liable for specific transactions, as each instance of fraud requires the following factual determinations, among others:

  1. what type of card was used in the fraudulent transaction (counterfeit magnetic strip card with data copied from another magnetic strip card, or counterfeit magnetic strip card with data copied from a chip card);
  2. whether the card was EMV chip-enabled;
  3. whether the point-of-sale (POS) terminal was EMV chip compliant; and
  4. if the POS terminal and the card were both EMV chip enabled, whether the transaction was a “fallback” transaction in which the magnetic strip was used despite the EMV chip capability of both the card and POS system.

Depending on the answers to each inquiry, either the retail merchant or the issuer will be liable for the fraudulent transaction.  The liability analysis becomes even more complex if chip and pin technology is part of the transaction.

In order to be deemed EMV-compliant, retailers need to upgrade their POS terminals and review their software to ensure both can process the new technology.  Cost estimates for converting the entire U.S. network range from $8.5 billion to more than $30 billion.  Advocacy groups for the retail industry have asked for an extension of the October deadline because some retailers are experiencing delays in procuring the new technology ahead of the looming deadline.  Additionally, the new liability standard calls for the installation of chip and signature technology as opposed to the more secure chip and pin technology.  Chip and signature cards require the customer to sign for each credit card transaction.  Chip and pin cards require the customer to memorize a numerical pin to authorize the transaction and offer an additional layer of security.  Many retailers are concerned that the failure to convert to chip and pin technology as part of the EMV transition will place an undue share of fraud liability on the retail merchant handling the in-store transaction.  Credit card companies have responded that the conversion to chip and pin will be phased in over a period of years to give the U.S. consumer time to adjust.

After October 1, 2015, retailers may continue to use the old magnetic strip technology but will be subject to the new liability-shifting rules.  Although the cost of switching to the new technology may be high, the potential liability of failing to make the switch is significant under the new rules.  Card issuers are well on their way to full EMV chip compliance and estimate that two-thirds of U.S. credit cards will contain an EMV chip by the end of 2015, placing the burden of compliance squarely on the shoulders of retail merchants.  Retailers contemplating converting their networks will need to weigh the cost of adopting the new technology against their potential liability exposure once the new rules go into effect.