DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS

Size: px

Start display at page:

Download "DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS"

Magnus Pitts
6 years ago
Views:

1 DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS NAPAVALLEYVINTNERS AUGUST 27, 2015 CHRIS PASSARELLI SENIOR COUNSEL, I.P. DICKENSON, PEATMAN & FOGARTY T: LAW.COM

2 AGENDA Overview Legal Framework Notable Cases & Outcomes Regulatory Liability Lessons Conclusion These materials are made available to you for general informational purposes only. None of the information provided herein should be considered to constitute legal advice.

3 Dual Objectives: OVERVIEW 1. Educational: Convey an appreciation of the scope of the issue. 2. Practical: Convey useful information, awareness of and access to available resources.

4 RECENT BREACHES August 19 th Web.com August 17 th University of VA August 12 th Nationstar Mortgage LLC August 7 th Sterling BackCheck, Ubiquiti Networks, Inc., Sabre Corporation August 6 th WP Technology, Inc. dba Wattpad August 4 th Mama Mio US Source: breach

5 OVERVIEW Data Breach lawsuits arise from loss or disclosure of personal identification information. Consumer/Industry Class Action Suits Focus: Increased risk of identity theft following a breach Plaintiffs often seek to recover credit monitoring expenses, card cancellation fees, and repayment for unauthorized charges. 21 Rich. J.L. & Tech. 3

6 OVERVIEW Theories of Injury: Increased risk of identity theft after personal information has been compromised in a breach (most common) Expenses incurred to mitigate risk, e.g., credit monitoring & cancellation of credit cards Anxiety and distress upon learning about the loss of personal information (less common); and Breached an implied contract to keep information secure. 21 Rich. J.L. & Tech. 3, 21 Rich. J.L. & Tech. 3

7 COST OF BREACH U.S. Year Avg. Cost Per Breach Event Avg. Cost Per Record Compromised 2013 $5.85M $201 44% 2012 $5.4M $188 41% 2011 $5.5M $194 37% 2010 $7.2M $214 31% 2009 $6.8M $204 24% 2008 $6.7M $202 12% % Caused by Malicious attack 2007 $6.3M $197 Unknown 2006 $4.8M $182 Unknown

8 LEGAL FRAMEWORK 1. Statutes State and Federal 2. Notable Cases & Outcomes 3. Standards 4. Regulatory Enforcement

9 STATE LEGISLATION CALIFORNIA CIVIL CODE , et seq.

10 STATE LEGISLATION Personal Information (CA): First name/first initial & last name plus: SSN, or DL No./State-issued ID No., or Account, credit card or debit card no. plus access code/pin/password; or Username or address plus password or security question and answer

11 STATE LEGISLATION Personal Information (CA), cont. Does not apply to: information lawfully made publicly available from federal, state or local government records, or widely distributed media.

12 STATE LEGISLATION Breach Notification Cal. Civ. Code Applies to businesses that own, license or maintain personal information Required to disclose any breach of the security of the system following discovery or notification of the breach* in the most expedient time possible and without unreasonable delay.

13 STATE LEGISLATION AB 1710 Personal Information: Privacy On Sept. 30, 2014, CA Gov. Brown signed AB 1710, amending CA s existing personal information privacy laws. CIV. CODE now requires businesses that maintain (not just own or license) personal information about CA residents must: 1. Implement and maintain reasonable security measures to protect residents personal information; and 2. Offer to provide appropriate identity theft prevention and mitigation services for at least 12 mos.

14 STATE LEGISLATION Breach Notification Requirements Must be written in plain language and include: (1) the name and contact information of the person reporting a breach; (2) the date of the notice; (3) a list of the types of personal information likely impacted; and (4) if the breach exposed SSN, DLN or CA IDN, must provide toll-free phone no. and addresses for credit reporting agencies.

15 STATE LEGISLATION Breach Notification Requirements The following information must be included if available or can be determined prior to notification: (1) date range of breach; (2) whether notification was delayed as a result of a law enforcement investigation; and (3) a general description of the breach incident.

16 STATE LEGISLATION Breach Notification Requirements For breach of ONLY username or address plus password or security Q&A Notification can be electronic Must direct user to change password or Q&A plus other appropriate steps to protect account or other accounts with the same username/password combo If entity maintains but does not own the personal information, must immediately notify owner/licensee of breach.

Civil Liability STATE LEGISLATION Persons injured by a violation of 1798.

17 Civil Liability STATE LEGISLATION Persons injured by a violation of may recover damages in civil suit. Businesses may be enjoined by Court order.

18 STATE LEGISLATION Required Notice to CA Attorney General Must submit copy of notification letter if >500 affected. Safe Harbors 1. (CA) Only applies to unencrypted personal info; 2. EXC for disposing of records

STATE LEGISLATION CA Bus. & Professions Code 17200 BROAD: Prohibits unlawful, unfair or deceptive (fraudulent) trade practices.

19 STATE LEGISLATION CA Bus. & Professions Code BROAD: Prohibits unlawful, unfair or deceptive (fraudulent) trade practices. Unlawful - allows plaintiffs to borrow violations of other laws and treat them as independently actionable unfair competition. Plaintiff must personally suffer injury in fact and lost money or property as a result.

20 STATE LEGISLATION CA Bus. & Professions Code Economic injury may be shown by: Paying more or getting less in a transaction than he/she otherwise would; Present or Future property interest diminished; Deprived of money or property Required to enter into an otherwise unnecessary transaction, costing money or property

21 DO NOT TRACK LEGISLATION California Online Privacy Protection Act (CalOPPA) CA Bus. & Professions Code Applies to online operators that collection personal information (i.e. any website or app) Must explain how they respond to DNT signals in privacy policy to allow consumers to exercise choice. Must disclose whether 3 rd parties collect personal information on sites/apps. Must disclose whether parties may collect info over time and across different websites by using operator s sites. Can provide hyperlink in the operator s privacy policy to an online description of any program the operator follows that offers the consumer that choice. Enforced by CA Attorney General - up to $2500 per violation.

22 FEDERAL LEGISLATION Gramm-Leach-Bliley Act (GLBA) applies to financial institutions Health Insurance Portability and Accountability Act of 1996 (HIPAA) Data Security and Breach Notification Act of 2015 (Blackburn (R-TN) & Welch (D-VT)) Goal: comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.

23 LIABILITY TO WHOM Consumers Financial Institutions Credit Card Issuers Regulatory Investigation and Enforcement

24 Common Sources of Liability Improperly retained data Failure to secure & segregate (segmentation) Failure to heed warnings Delay in responding to threat*

25 NOTABLE CASES Issue: Standing to Sue U.S. Constitution Article III Requires: (1) Concrete Injury (2) Traceable to the challenged conduct (i.e., causation), (3) Redressable by favorable judicial decision.

26 SOURCES OF LAW CASES Issue: Standing to Sue Split: Increased Risk of ID Theft giving rise to standing: While initial federal decisions were hostile to the idea that an increased risk of identity theft could constitute injury-in-fact, a shift occurred after the Seventh Circuit endorsed such a theory in Pisciotta v. Old National Bancorp. Despite more success for plaintiffs after Pisciotta, other courts have continued to find that an increased risk of identity theft does not establish injury-in-fact, including the Third Circuit in Reilly v. Ceridian Corp.

27 NOTABLE CASES Clapper v. Amnesty Int l USA, 133 S. Ct 1138 (2013) Issue: Standing and Future Harm Passage of foreign surveillance law (FISA) Plaintiffs: Lawyers, journalists, activists Second Circuit found objectively reasonable likelihood of harm via surveillance. Wrong Standard. U.S. Supreme Court finds that there is no injury in fact and plaintiff had no standing to challenge a foreign surveillance law that may cause them possible future harm.

28 NOTABLE CASES (CA) In re Adobe Sys. Privacy Litigation, 66 F. Supp. 3d 1197 (CA Northern District) 38 million customers Names, login IDs, passwords, credit and debit card number, expiration dates, mailing and ing addresses, as well as source code for Adobe products Theories: Viol. CA Customer Records Act (CC & ) Failure to maintain reasonable security measures and failure to promptly disclose the breach.

29 NOTABLE CASES In re Adobe Sys. Privacy Litigation, cont. Plaintiffs alleged: Increased risk of future harm (fraud) Cost to mitigate risk of future harm (credit monitoring) Loss of value of Adobe products Held: Customers have standing to sue based on actual breach plus risk of future misuse of data and costs to mitigate future harm, as well as unfair business practices under CA law. Confidential settlement agreement filed with Court under seal on August 13, 2015.

CASES In re: Target Corp. Customer Data Security Breach Litigation (Case No. MD-02522-PAM) filed August 1, 2014 Theft of unprotected vendor s credentials provides access to Target systems.

30 CASES In re: Target Corp. Customer Data Security Breach Litigation (Case No. MD PAM) filed August 1, 2014 Theft of unprotected vendor s credentials provides access to Target systems. Plaintiff financial institutions: banks, S&L. 110 million customers affected. Customer names, credit or debit card numbers, expiration dates and CVVs. Theories: Negligence, negligent omission, Minnesota state data breach law Outcome: $67 million settlement reached on August 18, 2015 other plaintiffs still disputing settlement.

31 Legal Standards Minnesota s Plastic Card Security Act, Minn. Stat. 325E.64 Imposes liability upon merchants who retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. Intended to create an incentive [for retailers] to do the right thing and create consequences to prevent breaches from happening in the first place.

32 BASES FOR LIABILITY In re: Target Corp. Customer Data Security Breach Litigation, cont. Failure to adequately secure payment information on its systems. Complaint alleges breach was easily preventable. Failure to take adequate, reasonable measures to ensure data systems are protected. Ignored clear warnings of intruder breach and failed to take actions to thwart breach. Treatment of sensitive personal and financial information entrusted to it by its customers fell woefully short of legal duties and obligations.

33 FAILURES In re: Target Corp. Customer Data Security Breach Litigation allegations, cont. Visa warnings allegedly instructed Target to: Review its firewall configuration and ensure only allowed ports, services and IP addresses are communicating with your network ; segregate the payment processing network from other non-payment processing networks ; implement hardware-based point-to-point encryption ; perform periodic scans on systems to identify storage of cardholder data and securely delete the data ; and assign strong passwords to your security solution to prevent application modification. Target did not implement these measures. Customer payments and personal data network not properly segmented from vendor billing, etc. Target s security software provider spotted the hackers while they were uploading the malware and alerted Target s security team, which could have completely foiled the breach, but Target took no action.

NOTABLE CASES Remijas v. Nieman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487 (7 th Cir.

34 NOTABLE CASES Remijas v. Nieman Marcus Group, LLC, 2015 U.S. App. LEXIS (7 th Cir.) (decided July 20, 2015) 350,000 customers affected Payment card account information Theories of liability: negligence, breach of implied contract, unjust enrichment, unfair & deceptive business practices, invasion of privacy, multiple state data breach laws Outcome: Consistent with Adobe, 7 th Cir. allowed case to move forward on theory of standing based on imminent future harm certainly impending. Opening the floodgates

35 NOTABLE CASES Remijas v. Nieman Marcus Group, LLC, 2015 U.S. App. LEXIS (N.D. Ill. Sept. 16, 2014) Alleged Injury: Lost time and money to resolve fraudulent charges; Lost time and money to protect against future ID theft; Financial loss of buying items at NM which plaintiffs would not otherwise have purchased, had they known; Lost control over the value of personal information Holding: injuries associated with resolving fraudulent charges and protecting oneself against future identity theft are sufficient for standing

36 On the Horizon Missing Link/eCellar 70 wineries 250,000 customers affected Names, credit and debit card numbers, billing addresses and dates of birth Social Security numbers, the CVV and pin numbers were not compromised. Ashley Madison 40 million user records exposed Company's user databases, financial records along with other confidential information. The company has not stated the exact personal information compromised. On August 18, 2015, hackers posted sensitive data online : A data dump, 9.7 gigabytes in size, appear to include account details and log-ins for some 32 million users, seven years worth of credit card and other payment transaction details are also part of the dump, going back to Data includes names, street address, address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge."

Contractual Liability to Financial Institutions Card Operating Regulations Contractual: Enforceable upon merchant under contract with acquiring bank.

37 Contractual Liability to Financial Institutions Card Operating Regulations Contractual: Enforceable upon merchant under contract with acquiring bank. Prohibit merchants from disclosing cardholder account numbers, personal information, magnetic stripe information, or transaction information to 3 rd parties other than the merchant s agent, the acquiring bank, or the acquiring bank s agents. Required to protect cardholder information from unauthorized disclosure. Payment Card Industry Data Security Standards ( PCI DSS ) 12 information security requirements promulgated by the Payment Card Industry Security Standards Council. Apply to all organizations and environments where cardholder data is stored, processed, or transmitted Require merchants to protect cardholder data, ensure the maintenance of vulnerability management programs, implement strong access control measures, regularly monitor and test networks, and ensure the maintenance of information security policies. Prohibits merchant from retaining certain customer data.

38 Industry Standards PCI DSS 2.0 requires merchants to adhere to the following rules: Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security for all personnel

39 Contractual Liability to Financial Institutions EMV Chip Technology aka ChipandSignature Global standard for secure credit card payments. Already used in EU. Embedded chip protects cardholder info from fraud. Used in place of magnetic stripe. Creates unique transaction code with each use. In October, 2015 contractual liability for counterfeit card transactions will move from card issuers to merchants if an EMV card transaction turns out to be fraudulent. Affects card present transactions only at this time. ecommerce, online or phone orders are not yet included. Merchants are not required to switch to EMV yet. Cost to implement = $ or low monthly rental fee. Tokenization standard keep customer data stored in a secured payment vault with your processor, not on your system!

40 Research: Litigation Empirical Analysis of Data Breach Litigation, Sasha Romanosky, David Hoffman, Alessandro Acquisti* April 6, 2013 First comprehensive empirical analysis of data breach litigation Built database and analyze court dockets for over 230 federal data breach lawsuits from 2000 to Two questions: Q1: Which data breaches are being litigated?; and Q2: Which data breach lawsuits are settling? A1: odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. A2: Defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit.

41 Research: Litigation Q1: Which data breaches are being litigated? A1: odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. Q2: Which data breach lawsuits are settling? A2: Defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit. Empirical Analysis of Data Breach Litigation, Romanosky, Hoffman, Acquisti

penalties Imperative to engage counsel in

42 Regulatory Enforcement Who: FBI Secret Service Federal Trade Commission (FTC) CA Office of Privacy Protection CA Attorney General What: Potential fines and penalties Imperative to engage counsel in responding to a communication from regulatory authorities!

43 The Consumer Recent Pew Research Center survey: 91% of adults in the survey agree or strongly agree that consumers have lost control over how personal information is collected and used by companies.

44 Response Plan Jayme Soulati Soulati Media, Inc.

45 The Consumer Best Practice = Standard Practice What is reasonable? Constantly evolving moving target.

46 Countermeasures Before breach - Develop a written response plan Form a response team Review Insurance coverage Set Internal/External Communication strategies

47 Countermeasures During/After Breach - Investigate incidents without delay Consult with counsel to coordinate: Law enforcement Forensic consultant PR Firm Assess response

48 THANK YOU! QUESTIONS? CHRISTOPHER J. PASSARELLI SR. INTELLECTUAL PROPERTY ATTORNEY DICKENSON, PEATMAN & FOGARTY 1455 FIRST STREET, STE. 301 NAPA, CA TELEPHONE: LAW.COM LAW.COM

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Information,