InfoBytes Blog

Financial Services Law Insights and Observations

  • Insurers obligated to indemnify retailer’s payment card claims following data breach

    Privacy, Cyber Risk & Data Security

    On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Indemnification Insurance

  • District Court grants final approval in data breach case

    Courts

    On January 4, the U.S. District Court for the Eastern District of Texas granted final approval of a settlement in a class action resolving claims that a software company and its subsidiary (collectively, “defendants”) failed to properly safeguard customers’ personally identifiable information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs filed suit after a data breach of the defendants’ systems, alleging that the defendants violated numerous states’ privacy and other laws by failing to keep their PII confidential and securely maintained. According to the plaintiffs’ motion for preliminary approval, the settlement establishes a settlement class of approximately 4,341,523 members whose PII was potentially compromised by the breach. The settlement would provide $2,000 for each named plaintiff and reimbursement of up to $5,000 of out-of-pocket expenses per class member, including up to eight hours of lost time at $25 per hour and 12 months of financial fraud protection. Additionally, more funds will be given to the California subclass, comprised of 318,091 individuals, who will receive between $100 and $300 in relief each. The defendants are also required to pay attorneys’ fees and litigation costs and expenses.

    Courts Class Action Data Breach Privacy/Cyber Risk & Data Security Settlement

  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures

  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

  • Irish DPC fines global social media company €17 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent that the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.” 

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons Enforcement EU Data Breach GDPR

  • FTC settles action against e-commerce platform for data breach cover up

    Federal Issues

    On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners of an online customized merchandise platform (collectively, “respondents”), for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. According to the complaint, the respondents allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect the personal information (PI) of customers against unauthorized access and misrepresenting that appropriate steps to secure consumer account information were taken following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats and to adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Notably, one of the breaches involved a hacker gaining access to “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.” The complaint goes on to allege that the online customized merchandise platform failed to properly investigate the breach for several months despite additional warnings, and failed to promptly notify its customers of the breach. Under the terms of the proposed settlement, the respondents are: (i) ordered to pay $500,000 in redress to victims of the data breaches; (ii) prohibited from making misrepresentations about their privacy and security measures, among other things; and (iii) required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

    Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security Deceptive Unfair UDAP FTC Act Data Breach

  • Biden signs $1.5 trillion omnibus package

    Federal Issues

    On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12 fiscal year 2022 appropriations bills. Among other things, the Act includes the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which establishes requirements for reporting ransomware incidents on critical infrastructure to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Specifically, Division Y, Section 2242, establishes that companies must report incidents to CISA within 72 hours after the covered entity reasonably believes that a cyber incident has occurred, or within 24 hours if a ransomware payment has occurred. If a company fails to meet the reporting requirements, the Act permits the cyber security director to “obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” The Act also establishes that if CISA determines that the incident requires regulatory enforcement action or criminal prosecution, such information may be provided to the Attorney General or the appropriate regulator, who may utilize such information for a regulatory enforcement action or criminal prosecution. Within 24 months, CISA is directed to publish a notice of proposed rulemaking (NPRM) in the Federal Register to implement the Act, followed by the issuance of a final rule within 18 months of the NPRM. The final rule will outline the criteria of reporting and provide the effective dates for the reporting requirements. The Act also directs CISA to carry out an outreach and education campaign to inform covered entities about the rule’s requirements. Though the bill establishes that a court shall dismiss a cause of action against a person or entity for submitting a report, the liability protections “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the [Sector Risk Management] Agency.”

    The Act also includes the “Adjustable Interest Rate (LIBOR) Act,” which establishes “a clear and uniform process, on a nationwide basis, for replacing LIBOR in existing contracts the terms of which do not provide for the use of a clearly defined or practicable replacement benchmark rate, without affecting the ability of parties to use any appropriate benchmark rate in new contracts,” among other things. Additionally, the Act includes rental assistance programs and climate restoration grants, which, according to a statement by HUD Secretary Marcia L. Fudge, “provides funding to improve the energy efficiency of housing and increase resilience to climate impacts.”

    Federal Issues Federal Legislation Biden Privacy/Cyber Risk & Data Security Data Breach LIBOR HUD

  • SEC proposes amendments to cybersecurity risk management

    Securities

    On March 9, the SEC announced proposed amendments to standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose whether a member of the board has expertise in cybersecurity. According to the SEC, “[t]he proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Comments are due 60 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the amendments are applied and what is required. SEC Chair Gary Gensler issued a statement stating he was “pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” According to a dissenting statement issued by SEC Commissioner Hester M. Peirce, the proposed amendments “flirt[] with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” and argued that the “precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”

    Securities SEC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security Disclosures Data Breach

  • District Court preliminarily approves $4.75 million data breach settlement

    Courts

    On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally certified a nationwide settlement class and a California settlement subclass. According to the memorandum in support of the plaintiffs’ motion for preliminary approval of the settlement, plaintiffs claimed the company acted negligently by failing to implement reasonable safeguards for protecting customers’ personally identifiable information and preventing a 2021 data breach, which exposed their sensitive, protected health information. The plaintiffs also alleged that the company breached California privacy and consumer protection laws. If the settlement is granted final approval, the company will be required to create a $4.75 million settlement, and “develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality” of customers’ personal data. The company may also be responsible for a portion of attorneys’ fees, costs, and service awards.

    Courts Data Breach Privacy/Cyber Risk & Data Security Settlement State Issues California Texas

  • 9th Circuit affirms dismissal of investors’ data breach disclosures suit

    Courts

    On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K amounted to securities fraud. The plaintiffs asserted that certain statements, including statements that the company maintained “a comprehensive security program,” “were misleading because they created the impression that [the company] implemented the data security best practices described in those statements no later than 2016, when in fact, the company did not implement those practices until later.” The plaintiffs argued that based on these statements, “a reasonable investor could have concluded that any data security improvements [the company] described would have been put in place in response to the two public hacks [the company] had experienced in the past, one in 2013 and one in 2016.” The 9th Circuit determined that the plaintiffs had failed to show that the company had misled investors into believing that it had made data security improvements specifically in response to the 2013 and 2016 data breaches and had “plead no facts supporting a reasonable inference that either of those hacks was a prominent enough milestone in company history that the average investor would be led to believe every data security improvement directly followed them.”

    The plaintiffs further alleged that other statements in the 10-K were misleading because they “created the impression that it was unlikely [the company] had suffered an undetected data breach in the past, when in reality it was somewhat likely.” The appellate court rejected the plaintiffs’ argument and noted that “these statements would not give an ordinary investor reason to believe that [the company] was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.” The 9th Circuit further agreed with the district court that the plaintiffs had failed to specifically allege that the company acted with the intent to deceive, manipulate, or defraud, or engage in “deliberate recklessness.”

    Courts Appellate Ninth Circuit Privacy/Cyber Risk & Data Security Data Breach Securities Fraud