Social Networking: Setting Boundaries in a Borderless Brave New World

The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.


Information Governance

When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?

These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance, and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals who deal with it – may be exposed to some nasty surprises.

Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC.  The conference will be in full swing tomorrow, and I will report on various panels and topics of interest.  In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:

  • How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy?  It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano.  Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing).  It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but it is unknown whether it will go ahead in light of the volcano debacle.
  • HIPAA/HITECH and Medical Identity Theft:  Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
  • "Reasonable Security":  What does Massachusetts think?  What does the FTC think?  What in the world is it, and how in the world can organizations comply?
  • On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent.  What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
  • Social media:  how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
  • The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
  • Breaches, breaches, and more breaches.  Of course.

A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.

Stay tuned; I will endeavor to post developments on a daily basis.

Security Breach Notices for Canadian Data

There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?

The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.

More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Privacy Act, will soon require organizations to notify the Alberta Privacy Commissioner of potentially harmful security breaches – and the Commissioner may then dictate the terms of notice to affected individuals.

Is Your Organization's Red Flags Rule Identity Theft Prevention Program Ready for Primetime?

As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008).  Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors."  Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1.  For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports – Risk & Compliance, reproduced here with the permission of Bloomberg.

Reminder: FTC Will Enforce Red Flags Rule Beginning November 1 (but Federal Judge Rules Lawyers Not Subject To Rule)

The Federal Trade Commission will begin enforcing its Red Flags Rule this Sunday, November 1.  Financial institutions and creditors that hold covered accounts, as defined under the Rule, must have written Red Flags identity theft prevention programs in place by November 1.   Earlier today the American Bar Association reported that a federal judge in Washington, D.C., ruled that the FTC exceeded its authority by applying the Red Flags Rule to practicing lawyers.  The FTC is expected to appeal today's ruling.

In 2007, the FTC, the federal bank regulatory agencies, and the National Credit Union Administration issued final rules requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act of 2003. The FTC (but not the federal bank regulatory agencies) extended the deadline for enforcement three times:  from November 1, 2008, to May 1, 2009, to August 1, 2009, and finally to November 1, 2009.

Who Must Comply with FACTA's Red Flags Identity Theft Rule?

According to the FTC, any company that "regularly defer(s) payment for goods or services". . .

On October 31, 2007, the FTC released the Red Flags Identity Theft Rule (the "Red Flags Rule" or the "Rule").  The Red Flags Rule requires "covered entities" to conduct a risk assessment to determine if they have "covered accounts," which are consumer-type accounts that pose a reasonable risk of identity theft.  If a covered entity does have covered accounts, the Red Flags Rule requires the entity to develop and implement a written Identity Theft Program to identify, detect and respond to possible risks of identity theft.  The deadline to comply with the Red Flags Rule was November 1, 2008.  The FTC, however, announced that it would suspend enforcement of the Rule until May 1, 2009 (note that the enforcement date suspension DID NOT impact the compliance deadline -- all covered entities should have been in compliance by November 1, 2008).

Recently, a controversy has arisen as to what constitutes a "covered entity" that must comply with the Rule.  The FTC has taken the position, based on various definitions in the Rule and other relevant statutes, that the Rule applies to any company that "regularly defers payment for goods or services."  This can include any company that does not require payment at the time goods or services are provided, including, for example, doctors, hospitals, lawyers, merchants and repairmen.  As such, the potential scope of the Rule is enormous, and all companies should investigate whether they are subject to it.


Stollenwerk v. Tri-West Health - Rise of the Phoenix?

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element for a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs' attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9th Cir. November 20, 2007)). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

Stollenwerk Background & District Court's Ruling

In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt - hereinafter "ID Theft Plaintiff") alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (i.e., identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica - hereinafter "Credit Monitoring Plaintiffs"), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.

In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize financial credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse effects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but that in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that plaintiffs were at significantly increased risk of suffering identity fraud.

The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

The Appellate Court's Decision

In November 2007, the Appellate Court reversed the District Court's decision concerning the ID Theft Plaintiff, but upheld the lower court's ruling on the Credit Monitoring Plaintiffs.

The Credit Monitoring Plaintiffs

With respect to the Credit Monitoring Plaintiffs, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:

"In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."

The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

The ID Theft Plaintiff

The Appellate Court's opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings - the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.

On the issue of causation, to survive a motion for summary judgment, the plaintiff needed to provide evidence from which a reasonable jury could conclude that the ID Theft Plaintiff's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

  1. Possession: the ID Theft Plaintiff provided Tri-West with his information;
  2. Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;
  3. Timing - Identity Theft Incidents: the six alleged identity theft incidents all occurred after the burglary, and the first began about six weeks after the burglary (the last happened about 3 - 4 months after the burglary);
  4. Timing - Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and
  5. Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.

Conclusion

The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

The Court's ruling was favorable for plaintiffs that actually suffer identity theft after a data breach. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs' bar.