
InfoBytes Blog

Financial Services Law Insights and Observations


  • Utah creates certain affirmative defenses for data breaches

    State Issues

    On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets specific safeguard requirements to protect personal information and is in place at the time of the data breach has an affirmative defense to claims brought under Utah law or in the courts of the state that allege the person failed to implement reasonable information security controls that resulted in the data breach. A person also has an affirmative defense to claims regarding the failure to appropriately respond to a data breach or provide notice to affected individuals as long as the written cybersecurity program contained specific protocols at the time of the breach that “reasonably complied with the requirements for a written cybersecurity program” for responding to a data breach or for providing notice. HB 80 also outlines the components that a written cybersecurity program must include to be eligible for an affirmative defense, and is effective 60 days following adjournment of the legislature.

    State Issues State Legislation Data Breach Privacy/Cyber Risk & Data Security

  • States reach data breach settlement with debt collector

    State Issues

    On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million individuals, including Social Security numbers, payment card information, and in certain instances, medical test names and diagnostic codes. According to the proposed consent order, an unauthorized user gained access to the company’s internal system and accessed consumers’ personal information. The AGs claimed that “[d]espite numerous warnings from banks that processed its payments about a potential breach, [the company] failed to detect the intrusion.” Under the terms of the settlement, the company has agreed to implement data security practices to strengthen its information security program and safeguard consumers’ personal information. These measures include: (i) creating and implementing an information security program that includes an incident response plan; (ii) employing a chief information security officer to oversee data safety practices; and (iii) hiring a third-party assessor to conduct an information security assessment. Additionally, should the company fail to honor the injunctive terms of the settlement, it may be liable for as much as $21 million.

    State Issues State Attorney General Data Breach Privacy/Cyber Risk & Data Security Settlement

  • NYDFS, mortgage lender reach $1.5 million cyber breach settlement

    State Issues

    On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including Social Security and bank account numbers. NYDFS also alleged that the lender failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and had implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.

    State Issues State Regulators NYDFS Enforcement Privacy/Cyber Risk & Data Security Settlement Mortgages Data Breach 23 NYCRR Part 500 Bank Regulatory

  • Convenience store chain agrees to pay $12 million to resolve data security incident

    Courts

    On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose credit and debit card information was compromised in a 2019 data security incident affecting a nationwide convenience store chain—alleged that “despite the foreseeability of a data breach” the convenience store chain, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” The claims also alleged that certain class members continued to experience fraudulent transactions on their payment cards, and that many class members spent time responding to the data security incident, spent money on protective measures, and may experience a heightened risk of future misuse of their payment card information.

    Following mediation, the parties agreed to the preliminary settlement terms, which will provide monetary relief to class members through a three-tier system totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The convenience store chain is also required to take additional measures for a period of two years to prevent future unauthorized intrusions, including (i) retaining a qualified security assessor; (ii) conducting annual tests of its cybersecurity protocols; (iii) operating payment systems that encrypt payment card information and comply with credit card issuers’ security procedures, including systems at point-of-sale fuel pump terminals; and (iv) maintaining information security programs, policies, and procedures.

    Courts Class Action Privacy/Cyber Risk & Data Security Data Breach Settlement

  • NYDFS announces cybersecurity fraud alert

    State Issues

    On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes, such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDFS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Bank Regulatory

  • Insurance company not obligated to indemnify retailer’s payment card claims following data breach

    Courts

    On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling and reissuing customers’ compromised credit and debit cards after a 2013 data breach. After the data breach, the banks sued the plaintiff for the costs associated with cancelling and reissuing the cards (payment card claims). The plaintiff notified the defendant of its potential liability for payment card costs associated with the data breach, claiming that the payment card claims were covered under the defendant’s commercial general liability policies. The defendant denied coverage under the policies, and the plaintiff filed a breach-of-contract action seeking both declaratory judgment that its liability for the payment-card claims was covered under the policies, as well as judgment against the defendant for the settlement payments related to the payment card claims. In granting the defendant’s motion for summary judgment, the court determined, among other things, that the plaintiff failed to “establish[] a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers.” As such, “the connection between the damages claimed and the loss of use of the payment cards is insufficiently direct and, therefore, the damages claimed are not loss-of-use damages covered under the policies,” the court stated, noting that the defendant’s policies only allowed for indemnification when the plaintiff had a legal obligation to pay damages because of a “loss of use” of “tangible property that is not physically injured.”

    Courts Insurance Indemnification Data Breach Privacy/Cyber Risk & Data Security

  • 11th Circuit: Future identity theft risk does not confer standing

    Courts

    On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the opinion, a restaurant chain suffered a data breach when hackers gained access to customers’ credit and debit card information through an outside vendor’s remote connection tool. The restaurant chain provided notice to customers that their information “‘may’ have been accessed.” A consumer, who made two purchases during the data breach period, cancelled the credit cards he used and filed a class action two weeks after the announcement of the breach, alleging the company was negligent in failing to safeguard the credit card data, and violated the Florida Unfair and Deceptive Trade Practices Act (FUDTPA), among others. The district court dismissed the action for lack of standing, concluding that the consumer failed to identify a “single specific, concrete injury in fact that he or anyone else [] suffered as a result of any misuse of customer credit card information.”

    On appeal, the 11th Circuit affirmed the district court’s holding. The appellate court rejected the consumer’s theories of standing, which were predicated on (i) a threatened “future injury” of identity theft, and (ii) the consumer’s alleged suffering of “mitigation injuries” (i.e., lost time, lost rewards points, and loss of access to accounts). The appellate court explained that in data breach cases like this, to have Article III standing the consumer must show a “substantial risk” of harm or that harm (e.g., identity theft) is “certainly impending.” The appellate court noted that despite the consumer still carrying “some risk of future harm involving identity theft,” that risk “is not substantial and is, at best, speculative” because the consumer “immediately cancelled his credit cards following disclosure [of the breach], effectively eliminating the risk of credit card fraud in the future.” Moreover, according to the appellate court, the consumer did not sufficiently allege an actual, present injury by “inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.” The appellate court reasoned that “[t]o hold otherwise would allow an enterprising plaintiff to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

    Courts Privacy/Cyber Risk & Data Security Data Breach Appellate Eleventh Circuit Standing State Issues

  • Court approves grocery store data breach settlement

    Courts

    On January 25, the U.S. District Court for the Central District of Illinois preliminarily approved a class action settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The preliminary settlement would allow class members to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) long distance and cell phone charges; and (iii) costs related to credit monitoring and identity theft protection. Additionally, class members may be awarded up to $5,000 for “extraordinary unreimbursed monetary losses” resulting from the compromise of personal information. Moreover, the grocery chain agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” Class members who do not agree to the settlement may keep their right to independently sue if they opt out by May 24.

    Courts Data Breach Privacy/Cyber Risk & Data Security Class Action Settlement

  • Law firm ordered to produce cyberattack report in malpractice action

    Courts

    On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected work product nor attorney-client privileged. According to the order, as part of a malpractice action in which the plaintiff, a Chinese entrepreneur, accused the law firm of failing to protect his personal information from hackers, the plaintiff moved to compel the production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [plaintiff]’s confidential information.” The law firm opposed the motion, arguing that it had already turned over all relevant internally generated materials and that any other documents were protected by attorney-client and work-product privileges. The law firm argued that the forensic report was only one half of a two-track investigation of the incident. On one track, the law firm’s usual cybersecurity vendor worked to investigate the attack to preserve business continuity, while on a separate track, a different consultant was retained by counsel for the sole purpose of assisting the law firm in gathering information necessary to render legal advice.

    The district court disagreed, concluding that the report is not covered by work-product privilege because the law firm failed to show that the report “‘would [not] have been created in the ordinary course of business irrespective of litigation.’” The court noted that the forensic report summarizes the findings of the investigation and that substantially the same document would have been prepared in any event as part of the ordinary course of the law firm’s business. While seeming to endorse the idea of a two-track investigation, the court noted that the law firm failed to provide any evidence that there were actually two tracks. Among other things, the court noted that the report summarizes findings into the data breach’s “cause, nature, and effect” and was used “for a range of non-litigation purposes,” including being shared with members of the law firm’s leadership and IT team and with the FBI. In addition, the court noted that there was no evidence that the law firm’s usual cybersecurity vendor produced any findings, let alone a comprehensive report about the incident. Instead, the court stated that the record suggested that two days after the cyberattack began, the law firm turned to the second consulting firm instead of, rather than in addition to, the first consulting firm. Moreover, the court rejected the application of attorney-client privilege, concluding that the law firm’s “true objective was gleaning [the security-consulting firm]’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’” The court noted that the report included remediation advice, indicating the security firm was “engaged for immediate ‘incident response.’” Lastly, the court noted that the law firm can safely respond to the plaintiff’s interrogatories calling for information regarding other clients impacted by the cyberattack with “appropriate redactions in responsive documents” and “tailored” answers.

    Courts Privacy/Cyber Risk & Data Security Data Breach Attorney-Client Privilege Work-Product Privilege

  • Court dismisses data breach claims citing lack of compromised sensitive information

    Privacy, Cyber Risk & Data Security

    On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia allegedly accessed personal information without authorization, including guests’ names, addresses, phone numbers, email addresses, genders, birth dates and loyalty account numbers. The plaintiff’s suit alleged, among other things, violations of the California Consumer Privacy Act and the state’s Unfair Competition Law. While the hotel disclosed the incident last March and admitted that class members’ personal information was compromised, the court determined that the plaintiff lacked standing to bring claims after the hotel’s investigation found that “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” The court determined that the plaintiff failed to plausibly plead that any of the class members’ more sensitive data had fallen into the wrong hands, and that “[w]ithout a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach CCPA State Issues
