InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court’s opinion, decided… Continue Reading
Over the past couple of years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated a situation with 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.
InfoLawGroup recently discovered a new data breach case, one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court actually rendered a decision holding that no such duty exists under Illinois law. In this blogpost we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.
As we reported in January, a handful of issuing banks had filed suit against two merchant banks (Heartland Bank and KeyBank) for alleged losses (e.g. reissuance and fraud costs) they suffered due to the 2009 Heartland Payment Systems breach. The general thrust of the class action complaint is that the merchant banks should be liable… Continue Reading
A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original complaint found here). The basis of the dismissal was the plaintiff’s lack of standing due to the failure to allege an "injury in fact" (the dismissal… Continue Reading
While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court, or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a… Continue Reading
This week the federal court in the Hannaford class action asked the highest court in Maine to clarify whether cardholders’ “loss of time and effort” are sufficient injuries to ground a negligence claim following a payment card security breach.
“Exactly what data do we have to encrypt, and how?” That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.
As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Cardholder Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed… Continue Reading
Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into its personal information security law. Minnesota is the other State that has incorporated part of PCI DSS into its law.
(NOTE: cross-posted at Branden Williams’ Security Convergence Blog) As an attorney focusing on information security and privacy issues, I often get called in to assist companies to understand their legal liability risk around the PCI (self) regulatory system. One of the key areas I get involved in is service provider relationships, and in particular section… Continue Reading
The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system. The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank (the merchant bank is a third party relative to the Savvis-CardSystems relationship). The… Continue Reading
The last two plaintiff-banks still breathing after 1st Circuit Appeal
Little known (or at least little discussed) fact: despite announcing settlements with Visa and MasterCard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via… Continue Reading
In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.” Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment. Well, the Court made its… Continue Reading
A question being asked in various circles in the wake of the Heartland breach. An interesting post by Michael Dahn over at the Aegenis Group. I started to respond and kept going and going and going. Read his post first; my (somewhat rambling/unpolished) response is below.
As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to “damages” for purposes of a negligence claim. Some chinks, however, have… Continue Reading
A recent opinion came out of the U.S. District Court for the District of Columbia that denies the defendant’s motion to dismiss a case against the Transportation Security Administration arising out of the loss of a hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.). The plaintiffs alleged… Continue Reading
I prefer the “Chain of Blame” because of the better rhyme scheme… all kidding aside, Andrew Conry-Murray has done some good reporting on this story. One money quote: While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it’s both too specific and too vague. For instance, the standard requires… Continue Reading
Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case
One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the “damages” element of a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they… Continue Reading
I came across this ruling in the TJX matter that dismisses some of the banks’ claims against TJX. Consistent with past decisions (B.J. Wholesalers), it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. It also appears that the economic loss doctrine is still… Continue Reading