
InfoBytes Blog

Financial Services Law Insights and Observations


  • Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts

    Courts

    On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.

    The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.

    With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that there was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors did not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” it found that the allegations “do not meet the high bar required to state a Caremark claim.” According to the court, the plaintiff had not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”

    Courts Privacy/Cyber Risk & Data Security Derivatives Data Breach

  • Massachusetts investigating data breach

    State Issues

    On September 14, the Massachusetts attorney general announced the launch of an investigation to determine whether an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised the personally identifying information of more than 50 million people. According to the carrier’s announcement, in July the carrier experienced a breach in which personally identifying information, such as names, driver’s license information, Social Security numbers, and addresses, among other things, of approximately 13.1 million current customers and 40 million former and prospective customers was compromised. According to the AG, the office is also investigating the circumstances of the breach and the steps the company is taking to address it and notify consumers. The AG urged affected consumers to take precautions “to ensure their information is safe, and to prevent identity theft and fraud” as the carrier continues to contact individuals. She also encouraged customers to use the free theft protection services being offered by the carrier, such as scam and account take-over protection for their cell phones, and to take precautionary steps, such as placing a credit freeze on their credit reports.

    State Issues Massachusetts State Attorney General Data Breach Privacy/Cyber Risk & Data Security

  • FTC says health apps must comply with Health Breach Notification Rule

    Privacy, Cyber Risk & Data Security

    On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

    Privacy/Cyber Risk & Data Security FTC Data Breach Compliance Consumer Protection Agency Rule-Making & Guidance

  • SEC settles with company over data breach

    Securities

    On August 16, the SEC announced charges against a London-based educational publishing company for allegedly misleading investors about a cyber intrusion involving millions of student records and for having inadequate disclosure controls and procedures in place. According to the SEC’s order, the company made material misstatements and omissions about a 2018 cyber intrusion that affected millions of rows of data across 13,000 school, district, and university customer accounts in the U.S. In a 2019 report furnished to the Commission, the company’s risk factor disclosure implied that the company faced only the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach,” without disclosing that a data breach involving the company had already taken place. In response to an inquiry by a media outlet, the company sent a breach notification to its affected customers and issued a previously prepared statement that included misstatements regarding the breach and the data involved. The order found that the company failed “to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.” The SEC charged the company with violating, among other things, Exchange Act Rule 13a-15(a), which requires every issuer to maintain disclosure controls and procedures, and Section 13(a) of the Exchange Act, which requires “every foreign issuer of a security registered pursuant to Section 12 of the Exchange Act to furnish the Commission with periodic reports containing information that is accurate and not misleading.” The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $1 million and requires the company to cease and desist from committing or causing any future violations of the Securities Act and the Exchange Act.

    Securities Enforcement SEC Investigations Privacy/Cyber Risk & Data Security Data Breach Securities Act Securities Exchange Act

  • District Court: Cloud computing company must face class action CCPA claims in data breach suit

    Courts

    On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.

    The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.

    The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.

    Courts CCPA Privacy/Cyber Risk & Data Security Data Breach Class Action State Issues

  • District Court grants preliminary approval of class action settlement against national convenience store chain

    Courts

    On July 30, the U.S. District Court for the Eastern District of Pennsylvania granted preliminary approval of a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. As previously covered by InfoBytes, class members—comprised of a nationwide group of consumers whose information was allegedly compromised in the data security incident—claimed that “despite the foreseeability of a data breach” the defendant, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” In May, the court ruled that the defendant must face certain claims filed by a group of financial institutions (covered by InfoBytes here). Under the terms of the preliminarily approved settlement, the defendant must provide monetary relief to class members totaling approximately $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards, in addition to requiring the defendant to take additional measures for a period of two years to prevent future unauthorized intrusions. The settlement includes three tiers of customers, who will receive gift cards for either $5 or $15, or $500 in cash, depending on the level of their injury caused by the data breach.

    Courts Data Breach Privacy/Cyber Risk & Data Security Class Action

  • 5th Circuit overturns ruling that insurer must defend data breach

    Courts

    On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision granting summary judgment to a Houston-based insurer (defendant), finding that “publication” of material that violates a person’s right of privacy, as used in the insurer’s policy, can include making credit card information generally available. According to the opinion, a retail company (plaintiff) was sued by a branch of a national bank (bank) for alleged violations of an agreement, leading to a $20 million data breach dispute. The plaintiff then filed a separate suit in Texas court against the defendant for breaching the insurance policy. The district court granted the defendant’s motion and dismissed all the claims. In doing so, “the district court held that the bank’s complaint did not allege a ‘publication’ of material that violated a person’s right to privacy because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” The district court further found that the complaint did not allege a violation of a person’s right to privacy because the bank’s complaint involved the payment processor’s contract claims, not the cardholders’ privacy claims.

    On appeal, the 5th Circuit adopted a broad definition of “publication” because the term was undefined in the policy, and found that the contract dispute brought by the bank against the plaintiff “plainly alleges” publication of the plaintiff’s customers’ credit card information in several ways. First, the bank accused the plaintiff of publishing its customers’ credit card information to the hackers. Then, the hackers allegedly published the information by using it to make fraudulent purchases. The appellate court next examined whether the defendant “has a duty to defend [the plaintiff] in the [u]nderlying [bank] [l]itigation,” applying Texas’s “eight-corners rule,” which compares the “four corners of the [p]olicy to the four corners of the [bank’s] complaint.” In doing so, the appellate court found that the bank’s “alleged injuries arise from the violations of customers' rights to keep their credit card data private,” and that “[u]nder the eight-corners rule, [the defendant] must defend [the plaintiff] in the underlying [bank’s] litigation.”

    Courts Data Breach Appellate Fifth Circuit Privacy/Cyber Risk & Data Security

  • District Court grants final approval to grocery chain data breach settlement

    Courts

    On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.

    Courts Class Action Settlement Privacy/Cyber Risk & Data Security Data Breach

  • 9th Circuit partially reverses lower court’s ruling based on tech company's misleading statements

    Courts

    On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “defendants”), reversing a district court’s dismissal. In 2018, investors sued the defendants after the technology company discovered a security glitch that same year on its now-defunct social network site that exposed hundreds of thousands of users’ private data. The suits were consolidated, with the state of Rhode Island as lead plaintiff, alleging the defendants deceived investors and caused the company’s shares to be traded at artificially inflated prices between the discovery of the software glitch and its disclosure. According to the plaintiffs, the defendants omitted material facts on Form 10-Qs filed with the SEC in 2018 by including statements such as “[t]here have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.” The defendants moved to dismiss for failure to state a claim, which the district court granted, stating, among other things, that the plaintiffs failed to adequately allege “falsity, materiality, and scienter” in statements made by the defendants in their April 2018 and July 2018 10-Qs.

    On appeal, the 9th Circuit reviewed the challenged statements, concluded that two statements made by the parent company in its 10-Qs were materially misleading or omitted material facts regarding the software issues, and reversed the dismissal as to those statements, finding that falsity, materiality, and scienter had been adequately alleged. The appellate court also rejected the defendants’ argument that the software problem had already been patched by the time the challenged statements were made in their 10-Qs. “Given that [the company’s] business model is based on trust, the material implications of a bug that improperly exposed user data for three years were not eliminated merely by plugging the hole in [the social network site’s] security,” the appellate court wrote, further concluding that “[t]he market reaction, increased regulatory and governmental scrutiny, both in the United States and abroad, and media coverage alleged by the complaint to have occurred after disclosure all support the materiality of the misleading omission.” The 9th Circuit also referenced a so-called “Privacy Bug Memo” alleged to have been circulated among some of the defendants’ leadership team, which warned that disclosing these security issues “would likely trigger ‘immediate regulatory interest’ and result in the defendants ‘coming into the spotlight[.]’”

    Concerning the remaining 10-Q statements identified in the complaint, the 9th Circuit affirmed the district court’s dismissal of claims based on these statements after concluding that the plaintiffs did not plausibly allege that they were “misleading material misrepresentations.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach SEC

  • Connecticut amends data security breach provisions

    State Issues

    On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.

    The act also requires businesses to notify residents whose personal information was breached, or is reasonably believed to have been breached, within 60 days of discovering the breach instead of the previous 90 days. If a business identifies additional affected residents after the 60-day period, it must notify them as expediently as possible. Additionally, where a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) directing the individual to take appropriate measures to protect the affected online account and all other online accounts for which the individual uses the same credentials. Businesses that furnish email accounts must either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach is exempt from public disclosure, although the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach Consumer Protection
