A Novel Data Security Law Proposed in Colorado

There has been a lot of buzz around various privacy and security bills presented on the Federal level, including the reintroduction of the BEST PRACTICES ACT and a new privacy bill put out by Congresswoman Speier that brings "do-not-track" into the fray (not to mention the previously introduced Boucher Bill, which is now missing its named sponsor). Yet, for the most part, these types of bills have languished on the Federal level, while interesting new approaches race ahead from State legislatures (see, for example, SB1386, Minnesota’s Plastic Card Protection Act, Massachusetts’ 201 CMR 17:00, et seq., Nevada’s Security of Personal Information Law, and Washington state’s PCI Law). Over the past couple of years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation with 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.

UPDATE -- 022810: Apparently there has been a committee vote on the Colorado bill that was split 5-5 along party lines. As such, this bill will not move forward in this session.

Colorado HB 11-1225 – An Information Security Carrot

Regulation is achieved via the “carrot” or the “stick” (and sometimes both). This is true in the information security context as well. For example, to incentivize encryption of personal information, breach notice laws use a stick: those that fail to encrypt may have to provide notice to affected individuals in the event of a security breach. In the credit card breach context, a Washington state law provides banks with a stick (e.g. the right to seek fraud and reissuance expenses from breached merchants), but also provides those merchants with a shield to block that stick (e.g. validation of PCI compliance blocks a bank’s ability to recover). In HB 11-1225, Colorado state legislator Dan Pabon apparently wants to give the carrot a chance. In the process, I am told that part of the goal is to make Colorado the “Delaware” of data storage. Here is how it works.

Immunity from Liability. Under HB 11-1225, if certain conditions are met (discussed below), a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes “personal information” shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith, and not grossly negligent or willful and wanton. So essentially, this would provide immunity from negligence claims. In order to receive this protection, two conditions must be satisfied: (1) the breach must have been caused by an unauthorized third party, or by an employee or agent acting outside the scope of his employment; and (2) the person or entity must have been certified by a “qualified information technology auditor or assessor” as having used “best practices of data security and meeting information technology standards” established by an authorized state entity.

Rebuttable Presumption of Non-Negligence. Even if a breached organization has not been certified as compliant with best practices/information technology standards, it can achieve certain protections under the bill. In court, an organization can establish a rebuttable presumption that it was not negligent if it can produce evidence that the organization implemented best practices and was compliant with technology security standards established pursuant to the bill.

Consumers’ Right to Petition Court for Subpoena. The bill allows persons whose personal information was compromised, or who are victims of a computer crime, to petition a court to compel the breached organization or any third party to produce “any” information concerning the unauthorized access to personal information or the computer crime. This information may be obtained in order to facilitate the detection, apprehension and prosecution of the computer crime or breach.

Key Definitions. “Personal information” as defined under the bill is broader than definitions in most breach notice laws. One defined category of personal information is information that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value, or to make a financial payment, including personal identification number, credit card number, banking card number, checking account number, etc. Personal information is also defined as information that can be used, alone or in conjunction with other information, to identify a specific individual, including name, date of birth, social security number, government ID, passport number, etc.

In order to be a “qualified information technology auditor or assessor” one must be certified by a nationally recognized organization or association as having expertise in data security, and cannot have any convictions involving moral turpitude offenses. The bill indicates that the CIO of the State of Colorado is required to establish an entity to maintain a list of the nationally recognized IT associations that may certify a person’s qualifications in data security systems for purposes of the bill.

Establishing Best Practices and Information Technology Security Standards. One of the key challenges for implementing HB 11-1225 (should it become law in its current form) is going to be the establishment of best practices and IT security standards. On this issue the bill requires the CIO of the State of Colorado to create an “entity” to establish these best practices and standards for commercial entities and persons that own, license or maintain computerized data that includes personal information. The bill does not provide additional guidance as to how those best practices shall be determined, or whether there will be one set of best practices that will apply to all entities (regardless of size, complexity or resources).

Analysis and Observations

Novel approaches to information security and privacy legislation are, of course, welcomed. The questions remain, however. Will it work? Will it pass? Unclear at this point. Below are a few observations pertaining to these questions.

  • Does a duty exist to safeguard personal information under common law negligence principles? Surprisingly, at this point we have very little case law directly on point that delves into this issue. However, an Illinois appellate court recently ruled that a common law duty to safeguard personal information did not exist. In contrast, we are aware of cases that did find a duty to secure personal information, but both were in the banking context and were arguably based mainly on the expectations that arise in that context (e.g. banking customers are specifically providing their money to banks for safeguarding, among other reasons). If, indeed, no case law establishing such a duty exists in Colorado, the question becomes whether the existence of a law providing immunity for negligence implies that the duty exists. Worse (from the company point of view), it is possible that the best practices established under the bill could end up establishing a standard of care in and of themselves (where one may arguably not exist).
  • Even if such a duty does exist, do the “good faith” and “gross negligence” exceptions effectively eat the immunity? In the wake of a data breach where a plaintiff’s attorney has filed a lawsuit, you can bet that any and all potential theories of liability will be alleged. That of course may include allegations of gross negligence and “bad faith.” One of the benefits of HB 11-1225, assuming only a negligence claim is alleged, would be the ability of defendants to have lawsuits dismissed early, perhaps at the motion to dismiss or motion for summary judgment phase. However, if gross negligence, bad faith or other non-negligence claims are alleged, the plaintiff may have a better chance to get past early motions to dismiss. If that is the case, plaintiffs will still have litigation leverage (regardless of whether they have a truly winning case). In fact, we are aware of one case in Federal court in Michigan that allowed a case to go to trial based on the issue of "good faith" behavior in the context of security. These “exceptions,” therefore, could undermine the effectiveness of the immunity granted in HB 11-1225. Of course, much more research is necessary to look into these issues.
  • Is the jurisdictional scope of the immunity too narrow? At this stage in the game a large percentage of companies, big and small, conduct business with residents of more than one state (and in many cases all 50 states), and even with people residing outside of the United States. While HB 11-1225 may provide immunity from negligence claims for cases contained in Colorado, it may not help with lawsuits, for example, filed in other jurisdictions or in Federal court where Colorado law is not the choice of law. So, if the goal of the law is to become the "Delaware of data storage", it may not be effective to shield companies that deal with personal information from non-Colorado states. That all said, there may be jurisdictional arguments that would preclude plaintiffs residing in other states from pursuing a company storing data in Colorado (although making and prevailing in such arguments in court can be an expensive process in and of itself). In addition, a choice of law provision in contracts with out-of-state counterparties might also do the trick to keep the immunity intact.
  • Can the “entity” established by the State actually establish best practices that can work universally and result in good security? Legislating security controls is not an easy task. Two general approaches are typically used. One approach does not require specific controls, but rather mandates “reasonable,” “adequate,” “comprehensive” or “appropriate” security. The other method is more prescriptive in its approach, and seeks to require specific controls that certain entities must implement (e.g. Massachusetts’ and Nevada’s personal information security laws). The risk of a prescriptive approach is the “check list” mentality whereby organizations simply address the specific requirements and don’t actually worry about truly securing themselves (this is a criticism of PCI, the ultimate prescriptive standard). However, even those taking a prescriptive approach may reference various risk factors that relate to the sensitivity of the data and the size, complexity and resources of the company trying to comply. The challenge for the entity developing these best practices is to provide enough clarity/certainty so companies have confidence that they are truly in the safe harbor, and yet to provide enough flexibility to allow companies of all shapes and sizes to get into the safe harbor in a relatively cost-efficient and realistic fashion. The failure to solve this problem could undermine the efficacy of the legislation if it is perceived to be unfair or discriminatory to small and medium-sized businesses who may have neither the expertise nor the resources to implement a highly prescriptive set of controls.
  • A Shift of Liability to the Auditors? On the one hand, this bill may serve as a business bonanza for IT security auditors who are called in to validate compliance with the best practices laid out by the act. On the other hand, a mistake in validating the compliance of a company that suffers a breach could potentially lead to a lawsuit against not only the breached company, but the auditor as well. While a third-party affected individual may have difficulty holding an IT security auditor liable without a contract, precedent may exist by analogy to accountants. Moreover, there is at least one known case (Merrick Bank v. Savvis) where an IT assessor (in this case a payment card security assessor) was sued by a party that allegedly relied on its compliance findings. So, from a “passability” point of view, does the IT security assessment community get on board, or do they demand some of their own immunity in exchange for supporting this bill?

Conclusion

Overall, Representative Pabon’s bill represents a very interesting approach to data security regulation, and we applaud his efforts and creativity. There may be some hurdles to overcome to see this passed, and a vigorous debate on its mechanics is necessary. We will keep you up to date on its progress.
 

IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

In one of InfoLawGroup’s first blog posts to kick off 2011 we surveyed a handful of privacy lawsuits that are in the process of potentially altering the privacy and security legal risk landscape. ILG recently discovered another case (through an excellent service we use called Nymity), one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court upheld a lower court’s dismissal of a lawsuit involving the unauthorized disclosure of sensitive personal information, including names, addresses, social security numbers, marital status, dates of birth, medical and dental insurers and health insurance plan information. While we have seen plenty of courts dismissing data breach cases on motion to dismiss, most of those have focused on the lack of alleged damages. In Cooney, however, the court actually rendered a decision on whether any common law duty exists to safeguard personal information for purposes of a negligence claim. The Cooney court's ultimate answer was that no such duty exists. In this blog post we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.

Background

In Cooney, the main defendants were the Chicago Public Schools and its Board (“CPS”), and a printing and mailing company known as All Printing & Graphics, Inc. (“All Printing”). All Printing was retained by CPS to print, package and mail a COBRA Open Enrollment List to approximately 1,750 former CPS employees. Unfortunately, each of the 1,750 employees was sent a list containing the personal information of all the other 1,749 former employees, including names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. CPS notified the employees of the breach and offered one year of free credit protection insurance. Several of the employees filed individual and class action lawsuits, which were consolidated at the trial court level. The complaints alleged several causes of action (including common law negligence), all of which were dismissed by the lower court. The appellate court set out to determine whether the dismissal was in error, and ultimately held that it was proper. One of the appellate judges, however, dissented. The following is a summary of the court’s opinion for the main causes of action alleged.

Common Law Negligence

In addressing the plaintiffs’ common law negligence claim, the court laid out the traditional elements necessary to allege negligence, and first set out to determine whether CPS was under a duty to safeguard the plaintiffs’ personal information.

First, under Illinois law, a violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence (i.e. it can be used to allege a “duty” for purposes of negligence, and a violation of that duty). In this case, the plaintiffs argued that HIPAA and Illinois' breach notice law (815 ILCS 530) created a duty for negligence purposes. The court, however, rejected both arguments.

On HIPAA, the court indicated that 45 CFR § 160.103 excluded “employment records held by a covered entity in its role as employer” from HIPAA coverage. According to the reasoning of the majority, since CPS "held" the plaintiffs’ health insurance elections in its role as employer, the disclosure of such records was not a HIPAA violation. Notably, however, the dissenting judge disagreed with this assessment. He indicated that the exception only applied to employment records actually “held” by the covered entity, as opposed to those disclosed (and therefore no longer held by CPS) to unauthorized third parties. In the dissent's view, then, the plaintiffs did properly plead a negligence claim based on allegations that HIPAA had been violated. If this is appealed to the Illinois Supreme Court, this will likely be a key issue in the case. One important item to note here is that it appears that both the majority and the dissent agreed that a data security statute can be used to establish a duty for negligence purposes even if the underlying statute does not itself provide a private right of action.

The plaintiffs also claimed that Illinois' breach notice law was violated because a “breach of the security of the system data” had occurred as defined in that law. The court rejected this argument as well, noting that Illinois' breach notice law already provided a specific and exclusive remedy for a breach of security of the system data: notice to the data subjects (which was properly provided in this case).

Second, the court considered whether a "new" duty to safeguard personal information existed in general for negligence purposes (i.e. without having to rely on a specific statute). On this issue, the court rejected the plaintiffs’ argument that the sensitivity of personal information such as birth dates and social security numbers justified the recognition of a duty. Notably, the court did not consider any “foreseeability” arguments or analyze whether a duty should have existed based on something like Judge Learned Hand's risk formula. Based on the foregoing, the court found that the lack of an alleged duty justified dismissal of the common law negligence claim against both CPS and All Printing.

IL Consumer Fraud and Deceptive Business Practices Act

Section 2QQ of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1, et seq.) prohibits a “person” from publicly posting or displaying an individual’s social security number. In this case the court held the CPS Board was a “body politic” and therefore not a “person” under the Act. In addition, while All Printing does qualify as a “person” covered under the Act, the plaintiffs failed to allege actual damages as required under the Act. Relying on the large body of case law on the damages issue, the court specifically rejected the plaintiffs’ contention that increased risk of identity theft, and costs to pay for credit monitoring, constitute actual damages.

Traditional Privacy Torts

The plaintiffs also alleged “intrusion upon seclusion” and “public disclosure of private facts.” In considering these theories the court indicated that both torts require disclosure of “private” matters or facts. The court held that the privacy element was not satisfied because no law existed in Illinois defining social security numbers as private information. In addition, names and dates of birth did not qualify as private facts because they are matters of public record. Finally, while Illinois law had defined social security numbers as “personal information,” the court held that personal information does not equate to “private” information. Private information, in the court’s view, means private facts that are facially embarrassing and highly offensive if disclosed. As such, the court ruled that these claims were properly dismissed by the trial court.

Other Miscellaneous Causes of Action

The appellate court, sometimes in a very cursory fashion, affirmed the dismissal of other causes of action the plaintiffs attempted to allege, including:

  • Negligent infliction of emotional distress (dismissed because traditional negligence elements had not been alleged, as required)
  • Breach of fiduciary duty (dismissed because no authority found to indicate that a fiduciary duty exists based on the plaintiffs providing their personal information “in confidence” to the CPS)
  • HIPAA violations (dismissed because the plaintiffs did not allege that they had been deprived of a constitutionally protected right caused by a “municipal policy”; and because HIPAA does not provide a private right of action against non-state actors like All Printing)
  • 4th Amendment privacy violation (dismissed because the plaintiffs failed to properly raise the issue before the trial court)

Conclusion

This case is very interesting because it is one of the first (if not the first) to squarely rule on whether a common law duty exists to safeguard personal data. It will be very interesting to see if this case is appealed to the Illinois Supreme Court. Based on the strong dissent, it appears as if the majority opinion may be at risk of being overturned. What is somewhat disappointing, however, is the lack of deep analysis by the appellate court (especially on the issue of whether a common law negligence duty existed). It may be that key issues were not raised or briefed by the plaintiffs, but it would have been nice to see a full-throated analysis of "law school 101" issues like foreseeability, reasonableness and risk reduction. InfoLawGroup will try to get hold of the appellate briefs and other underlying documents to see if they provide additional insight as to how the court reached its decisions (and we will post them here once we have them). We look forward to your thoughts, comments and questions on this case.
 

Heartland Bank and Keybank's Motion to Dismiss

As we reported in January, a handful of issuing banks had filed suit against two merchant banks (Heartland Bank and Keybank) for alleged losses (e.g. reissuance and fraud costs) they suffered due to the 2009 Heartland Payment Systems breach.

The general thrust of the class action complaint is that the merchant banks should be liable for the acts and errors of the payment processor they contracted with to process payments on their behalf. The complaint set forth a series of complex legal theories (third party beneficiary theory, negligence), some of which had been attempted in other litigation, and some new theories of liability such as breach of fiduciary duty and vicarious liability.

Each merchant bank has now filed a motion to dismiss the issuing banks' complaint. We have obtained copies of the motions and corresponding briefs.

 

The following motions and briefs were filed in this matter:

As you can see (if you click on the links above), the motions and briefs are quite voluminous and complex. We will pass on trying to summarize all these arguments and instead will keep you posted on the Court's ruling when it comes out. All the briefs appear to be filed (the last one was filed on June 7th), so it is probable that an oral argument will be scheduled (if it has not been already) and we should get an opinion shortly after that argument. Stay tuned.

Quickhits: Federal Judge Dismisses Aetna Data Breach Case Due to Lack of "Injury-in-fact"

A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original complaint found here). The basis of the dismissal was the plaintiff's lack of standing due to his failure to allege an "injury in fact" (the dismissal was under Rule 12(b)(1) of the Federal Rules of Civil Procedure). In particular, the court held that the plaintiff's alleged injury in the form of an increased risk of identity theft is far too speculative based on the factual allegations.

The following quote, cited by the court from another case, is indicative of the court's reasoning:

[f]or plaintiff to suffer the injury and harm he alleges, many ‘if’s’ would have to come to pass. Assuming plaintiff’s allegation of security breach to be true, plaintiff alleges that he would be injured ‘if’ his personal information was compromised, and ‘if’ such information was obtained by an unauthorized third party, and ‘if’ his identity was stolen as a result, and ‘if’ the use of his stolen identity caused him harm. These multiple ‘if’s’ squarely place plaintiff’s claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court’s standing doctrine would be meaningless.

Note that the basis of this dismissal was not a "failure to state a claim" under Rule 12(b)(6). Rather, this decision basically held that the plaintiff could not even get a hearing in court on a 12(b)(6) motion because the court lacked subject matter jurisdiction to hear the case at all. Also note that other courts have found standing in data breach cases, including the Seventh Circuit in Pisciotta. However, those that have proceeded past the 12(b)(1) motion have often been dismissed under 12(b)(6). In all, no matter how it happened, it appears that plaintiffs still have significant challenges moving consumer data breach cases further toward trial.

More commentary can be found here.

Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court, or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J.’s Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ’s Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.

Relevant Facts

The Supreme Court Decision arises out of a payment card breach of BJ’s Wholesale Club, Inc. (“BJ’s”) involving approximately 9.2 million payment cards and millions of dollars in fraud. The plaintiffs in this case are credit unions and their insurer who incurred costs to reissue the payment cards that were impacted by the breach (as well as costs for fraudulent charges that arose out of the breach). The plaintiffs allege that thieves were able to compromise BJ’s systems because BJ’s and its acquiring bank (Fifth Third Bank) breached two sets of contractual obligations. With respect to BJ’s, the plaintiffs alleged that BJ’s breached its contract with Fifth Third Bank, which prohibited the storage of magnetic stripe data after authorization of card transactions. In turn, the plaintiffs alleged that Fifth Third breached its Membership Agreement with Visa and Mastercard, which required Fifth Third to ensure that merchants like BJ’s did not store magnetic stripe data post-authorization.

Alleged Claims and the Supreme Court’s Decision

The plaintiffs alleged several causes of action against BJ’s and Fifth Third, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). The lower court had granted the defendants’ motion to dismiss all of the plaintiffs’ causes of action, and the Supreme Court was asked to review the lower court’s decision. Ultimately, as described below, the Supreme Court agreed with the lower court’s decision and upheld it.

Breach of Contract – 3rd Party Beneficiary Theory

The plaintiffs alleged that they were the intended third party beneficiaries of two separate contracts. First, the Merchant Agreement between BJ’s and Fifth Third prohibited the storage of magnetic stripe data, and the plaintiffs alleged they were the beneficiaries of, and should be able to enforce, that agreement against BJ’s. Second, the plaintiffs also alleged that they were the intended third party beneficiaries of the Membership Agreement between Fifth Third and Visa/Mastercard. Pursuant to the Membership Agreement, Fifth Third agreed to ensure that its merchants did not store magnetic stripe data.

Unfortunately for the plaintiffs, the Merchant Agreement contained the following language:

This Agreement is for the benefit of, and may be enforced only by [Fifth Third] and [BJ’s] and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party.

Despite this language, the plaintiffs maintained that the prohibition against storing magnetic stripe data was intended to benefit them. Citing a lower court judge who had indicated that any benefits to the plaintiffs in the Merchant Agreement were incidental, and relying on the specific intent expressed in the disclaimer, the Supreme Court upheld the dismissal of the breach of contract claim based on BJ’s Merchant Agreement.

With respect to the Membership Agreements between Fifth Third and the card brands, the Supreme Court held that the plaintiffs’ third party beneficiary allegations were conclusory in nature and not supported by any facts establishing Visa’s or Mastercard’s intent to have them as beneficiaries able to enforce the Membership Agreement. While Visa’s and Mastercard’s operating regulations did not have a specific third party beneficiary disclaimer, both Visa and Mastercard reserved the right to interpret and enforce such regulations. The Supreme Court viewed this as indicating an intent to prohibit enforcement of the Membership Agreement by others like the plaintiffs (the Supreme Court viewed that as consistent with the TJX decision). Interestingly, this case involved the same facts as another BJ’s Wholesale Club case in federal court that allowed the plaintiff-banks to proceed with a third party beneficiary claim. In the Federal case, Visa and Mastercard representatives actually testified at deposition that operating regulations around magnetic stripe data were intended to protect the participants in the system, including issuers. However, the Supreme Court found that the plaintiffs failed to submit that deposition testimony into the court record, so that testimony apparently was not considered by the Supreme Court.

Negligence – Economic Loss Doctrine

The Supreme Court did not address whether BJ’s or Fifth Third, for purposes of a negligence theory, had a duty to employ reasonable security with respect to cardholder data. Rather, the Supreme Court relied on the economic loss doctrine to dismiss the plaintiffs’ negligence claim. Under the economic loss doctrine, plaintiffs cannot recover using a theory of negligence unless physical harm or harm to property exists (as opposed to pure “economic loss”). The plaintiffs argued that tangible harm did exist because the physical credit cards had to be reissued after the BJ’s breach. On this issue, the Supreme Court again followed the BJ’s Wholesale decision rendered in Federal district court (see the 3rd Circuit appellate decision upholding that rationale), which held that reissuance costs are economic in nature even if related to a physical card. In this case the cards themselves were not harmed, since consumers could still use them after the breach. Rather, the Supreme Court found that the plaintiffs chose to cancel the cards for the purpose of avoiding future economic loss.

Fraud and Negligent Misrepresentation

The Supreme Court also rejected the plaintiffs’ fraud and negligent misrepresentation claims. The basis for these claims was again tied to the defendants’ contractual promises to comply with the card brands’ operating regulations. In disposing of the fraud claim, the Supreme Court noted that the plaintiffs admitted neither BJs nor Fifth Third made any direct representations to the plaintiffs indicating that they were storing magnetic stripe data. Moreover, despite alleging that they would have changed their behavior had they known about the risk of magnetic stripe exposure, the reality was that the plaintiffs continued to participate in the Visa and Mastercard system. There was no evidence that the plaintiffs would have acted any differently had they been aware that BJs was storing magnetic stripe data.

With respect to the negligent misrepresentation claim, the Supreme Court cited case law indicating that failure to perform a contract does not equate to a negligent misrepresentation claim. Moreover, false statements of opinion or of conditions to exist in the future cannot support a negligent misrepresentation claim. In this case, dismissal was warranted because there was no evidence that BJs never intended to comply with its Merchant Agreement at the time it entered into it.

In addition, the Supreme Court held that even if entering into an agreement constituted a representation of compliance with the magnetic stripe disposal requirements, there was no evidence that the plaintiffs’ alleged reliance on that representation was justifiable. The Supreme Court essentially held that no reasonable person would rely on the regulations prohibiting the storage of magnetic stripe data. The court pointed to evidence indicating that the participants in the payment card system expected that the operating regulations would be breached because Visa and Mastercard instituted a system of fines and penalties for non-compliance. In addition, the plaintiffs’ purchase of insurance to cover credit card fraud was listed as evidence that the plaintiffs anticipated this type of fraudulent activity. Finally, the plaintiffs had received numerous alerts from Visa and Mastercard concerning payment card breaches and fraud involving compromised magnetic stripe data (I find this reasoning very convoluted, at best. The existence of rules to deter certain behavior seems to create some certainty that such behavior should not be happening).

M.G.L. Chapter 93A, section 11

Since the plaintiffs’ M.G.L. Chapter 93A, section 11, equitable indemnification and subrogation claims were all based on the dismissed fraud and negligent misrepresentation claims, they were also dismissed. Interestingly, unlike the First Circuit Appellate court’s decision in the TJX matter, the Supreme Court did not consider whether the plaintiffs had a viable cause of action based on the “unfairness” prong of the Massachusetts law (e.g. whether BJs’ information security was so poor that it constituted an “unfair practice”).

Conclusion

This case is yet another in the increasingly long series of cases that allow retailer defendants to escape liability arising out of data breach litigation at the motion to dismiss phase. What lessons does it hold for the various payment card stakeholders?

On the merchant side, for any agreement where the merchant is making promises about data security or PCI compliance, make sure there is a strong disclaimer of third party beneficiaries. This will cut issuing banks off on that theory fairly early. Also on the merchant side, be careful of what you say about security and compliance with card brand rules and operating regulations. To the extent a merchant makes representations concerning security (especially direct representations), they may be opening themselves up to misrepresentation claims. The consequences could be serious since negligent misrepresentation and fraud claims are not barred by the economic loss doctrine (and at least one court has provided those theories some legs). 

From the issuing banks’ point of view, the question becomes whether litigation is worth it in this context. This is especially true now that both VISA and Mastercard (*I believe, their regulations are not all public) have explicit recovery mechanisms within their systems that can allow an issuing bank to recover without going to court. VISA and Mastercard have both tightened up their contracts and operating regulations to disclaim third party beneficiary theories (although if an issuing bank is to pursue such a theory, make sure to get the deposition testimony from the Visa and Mastercard officials referenced in the 3rd Circuit’s BJ’s Wholesale case). One area for issuing banks to take a harder look at is State unfair/deceptive trade practice acts. As mentioned above, at least one high court has indicated that inherently poor security may amount to an unfair practice. This line of thinking also happens to be consistent with several high profile FTC actions, including of course one involving BJ’s Wholesale Club.

Merchant Liability for "Time and Effort" Following Security Breach?

The Hannaford saga continues, with possible civil liability implications for retailers.

Earlier this year, a federal judge in Maine dismissed almost all claims in the consolidated class action lawsuit against Hannaford Brothers Co. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL No. 2:08-MD-1954, USDC Maine). Hannaford had millions of payment card records hacked in 2007 and 2008. Judge Hornby ruled that the common law in Maine allows consumers to seek restitution only for unreimbursed fraudulent charges on their credit or debit cards. Since the card issuers reversed the fraudulent charges under their “zero-liability” policies, the cardholders suffered only “collateral consequences” such as the time and effort involved in changing cards and accounts, monitoring for fraud, and dealing with banks, merchants, and others following notice of the breach. Judge Hornby did not believe such collateral harms were cognizable injuries under state law. 

This week the judge reversed that decision and certified to the Maine Law Court (the highest court in the state) the following question: 

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That question might well be raised in many states that, like Maine, require some form of “economic loss” to sustain an action for negligence. The answer from the Maine Law Court could be an important precedent. So far, plaintiffs in the United States have generally been unsuccessful in pursuing claims against merchants based on fear of identity theft and incidental expenses to protect against it, following a security breach incident. “Lost time and effort” may not be worth a great deal in damages to any single cardholder, but if Maine allows such claims to proceed, a class action with millions of class members could make “time and effort” claims daunting, as well as allowing plaintiffs to sustain an action in which emotional distress can also be asserted as grounds for damages. 

This development should serve as an additional spur for retailers to take precautions against the kinds of attacks that resulted in Hannaford’s data losses. Adherence to applicable security guidelines, prominently the Payment Card Industry Data Security Standard (PCI DSS), will go far to avoid such incidents and protect a company from fines and civil liability as well. The Hannaford hackers, one of whom is now in jail, used SQL injection to plant malware in the merchant’s servers. This is hardly a new technique, and it is one that retailers may be held accountable for neglecting.

In 2008 Hannaford, which operates more than 150 grocery stores in New York and New England, announced that its payment card processing servers had been hacked for several months, exposing millions of payment card records and resulting in thousands of fraud investigations in the Northeast. In August this year, a federal grand jury in Newark, New Jersey indicted a 28-year-old Florida hacker named Albert Gonzalez (formerly an informant for the US Secret Service) and two unnamed persons living “in or near Russia” as conspirators who allegedly carried out the Hannaford hack and several others, including massive attacks on Heartland Payment Systems and the 7-11 retail chain. Gonzalez is already awaiting trial on charges in connection with the TJX hack in 2007. Altogether, the ring is accused of stealing data on more than 130 million credit cards and debit cards. According to the TJX and Hannaford/Heartland indictments, the hackers used several methods, but primarily SQL injection, to gain access to the target networks and install sniffer malware that intercepted card details and transmitted them to computers controlled by the hackers. 

The Federal Trade Commission has publicly taken the position that SQL attacks are “commonly known or reasonably foreseeable” (see, for example, the FTC Complaint against Guess?, Inc., and the FTC’s press release concerning Life is good, Inc.). Thus, the FTC has fined retailers following such attacks and in some cases entered consent orders imposing additional sanctions and requirements. This makes it relatively easy to assert negligence in a civil action on behalf of a class of cardholders following a successful SQL attack.

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

“Exactly what data do we have to encrypt, and how?”

That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.

But changes in technology and law are making enterprises rethink that decision. Processing is faster and encryption software is cheaper and more reliable. There are now several efficient options for encrypting data in communications and on laptops and mobile storage devices, where historically data is most vulnerable. And at the same time, new compliance obligations and heightened litigation risks are pushing companies, government agencies, and nonprofits to explore these options and adopt a defensible policy toward data encryption.

From “Reasonable” to Specific

Legal and IT personnel are generally familiar with a traditional pattern in privacy laws: Security is always mandated, but the statutory language is usually limited to generalities, stating that a company must develop and implement “reasonable” or “appropriate” security measures proportional to the risk of harm if the information at issue is lost, altered, or obtained by unauthorized persons. This sort of language is found, for example, in HIPAA and GLBA, FTC guidance on fair trade practices, SEC internal control rules under Sarbanes-Oxley (SOX), the EU Data Protection Directive, and the personal information security laws of Canada, Japan, Australia, and other jurisdictions. Some laws (or regulations issued under those laws) emphasize that these safeguards must include technical, organizational, and physical security measures, but they typically do not specify what those measures must be.

This is because lawmakers are well aware that technology and criminal tactics are both constantly changing. There is an understandable reluctance to define appropriate security measures based on current technology and practices that may be outmoded within a year or two.
Nevertheless, the spate of personal information security breaches, some of them on a breathtaking scale, and the rise of identity theft as the fastest-growing criminal activity tracked by the FBI and several foreign law enforcement agencies, have pushed legislators and regulators to become increasingly specific in mandating security measures for especially sensitive or risky categories of personal data. That trend is reflected in the new generation of privacy and information security laws and regulations outlined below, with significant consequences for compliance practices.

Lawyers will appreciate that these increasingly specific security requirements have an impact not only in the compliance context but in civil litigation based on common-law doctrines of negligence, invasion of privacy, and breach of contract or on “unfair or deceptive trade practices” under FTC Act sec. 5 and parallel state laws. Many large-scale security breaches involving credit or debit card details or Social Security Numbers have resulted in civil litigation, much of it in the form of class actions, lawsuits filed by the attorneys general in several states, or “private attorney general” actions in California.

Companies increasingly deploy security measures such as encryption, strong passwords, and access logs to protect sensitive personal data in a wider range of IT applications, partly in response to litigation risks and new compliance obligations. But as they do so, public and judicial perceptions of “industry standard” safeguards and “reasonable” security practices change; the bar is set higher. It becomes harder to defend against an “unfair practices” or negligence complaint following a security breach by asserting that the plaintiff had no reasonable expectation of privacy or that the defendant acted as a “reasonable man” in storing and transmitting sensitive personal data without encryption, for example, or with unchanged, four-digit passwords.

Very few lawsuits involving consumer or employee privacy have proceeded to trial. They are usually settled – publicly, in the case of class actions and lawsuits brought by the FTC or a state attorney general. Settlements and FTC consent decrees have often included specific security undertakings, including encryption and password controls, to avoid future privacy violations.

The key, then, is not to focus solely on compliance within the scope of specific statutory requirements, but to look at the trends in these requirements as a guide to effective risk management in the litigation context as well.

There is clearly a trend toward requiring encryption of sensitive personal data (particularly the identifiers used commonly in ID theft, as well as medical information), especially when that information is transmitted over public networks or wirelessly, or when that information is stored on laptops, USB drives, smart phones, PDAs, and other portable devices. These are precisely the circumstances in which most large-scale personal data security breaches have occurred.
So far, companies have not normally been required to routinely encrypt all such data on secure servers or in data centers and storage media located on their premises (or those of their contractors), behind firewalls and internal network or VPN controls. Some companies have chosen to do so, however, to further reduce their risks of noncompliance or litigation exposure.

Sources of Legal Requirements

In the next installment, I’ll review recent US state and federal laws or regulations that push organizations to reconsider encryption, especially for data in transit and on portable devices. Then, we’ll look at the international scene, and finally at standards that are often incorporated in legal and regulatory decisions as well as in contracts.

Merrick Bank v. Savvis Update: Savvis Files Motion to Dismiss

As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Card Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed a motion to dismiss this case. This post summarizes and explores that motion.

Choice of Law

The threshold issue addressed by Savvis is which State’s law applies to this case (the choices appear to be Utah, Missouri or Arizona). This question is extremely important with respect to Savvis’ statute of limitations argument. Under Arizona law, the time limit for filing negligence and negligent misrepresentation claims is two years. It may be longer for other States, such as Utah and Missouri, which will be Merrick’s counter-argument (note, Savvis contends that Merrick Bank’s filing of this lawsuit originally in Missouri was a blatant attempt to avoid Arizona’s two year statute of limitations). While this post will not go into the intricacies of the choice of law analysis, it will point out one fact that could hurt Merrick Bank. Both Merrick Bank and Savvis were sued previously by Cumis Insurance Society because of the CardSystems breach (Cumis represents credit unions acting as issuing banks that allegedly incurred expenses because of the breach -- the Cumis case is still pending and the subject of a future post). In the Cumis case Merrick Bank previously took the position that Arizona law applied to the CardSystems breach, and a Federal court in California agreed with Merrick. While this circumstance is not the ultimate determining factor on this issue, it will make it more difficult for Merrick Bank to avoid the imposition of Arizona law. It will be interesting to see what Merrick Bank comes back with in its reply brief.

Statute of Limitations

Savvis' first argument for dismissal is procedural in nature.  It argues that Merrick Bank failed to file its lawsuit within Arizona's two year statute of limitations ("SOL").   The SOL analysis involves determining when the causes of action "accrued" and calculating how much time elapsed since the accrual date.  In Arizona, the SOL begins to run when the plaintiff knew or by reasonable diligence should have known of the defendant's alleged tortious conduct.   In this case, Savvis has on its face what appears to be a very favorable timeline: Savvis argues that Merrick Bank's claims accrued no later than July 2005, and its filing of suit on May 12, 2008 was more than three years after that date.

Savvis’ contention is based on Merrick’s allegation that it knew that CardSystems was not CISP compliant “immediately” after CardSystems’ May 2005 breach. In addition, the post-incident forensic report allegedly indicated that CardSystems was not CISP compliant at the time Savvis issued its June 2004 Report on Compliance. Savvis also points to Merrick Bank’s January 20, 2006 lawsuit against CardSystems as evidence that it should have known by reasonable diligence that it had a potential claim against Savvis. In other words, if Merrick Bank knew it had a claim against CardSystems in January 2006, why didn’t it reasonably know of Savvis’ alleged tortious conduct at that time? Note that even if the January 2006 date is the accrual date, Merrick Bank still would not make the two year SOL.

In addition to its SOL argument, in the alternative, Savvis claims that Merrick's complaint failed to adequately allege negligence and negligent misrepresentation.

Dismissal of Negligence and Negligent Misrepresentation

Savvis argues that even if its position on the SOL is wrong, Merrick Bank’s negligence and negligent misrepresentation allegations are flawed and should be dismissed. Savvis first addressed the negligent misrepresentation claim, citing Restatement section 552(2), which limits negligent misrepresentation liability to loss suffered:

(a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and

(b) through reliance upon it in a transaction that he intends the information to influence or knows the recipient so intends or in a substantially similar transaction.

Based on the comments associated with section 552(2) and Arizona caselaw, Savvis maintains that it can only be liable where the maker of the representation intends to reach a particular person or group known to Savvis, and distinct from the larger class who might reasonably be expected to have access to, and take action in reliance upon, such information. Savvis maintains that Merrick was not part of a defined group for whose benefit Savvis provided its representation of CardSystems’ CISP compliance. Savvis argues that Merrick’s claim should be dismissed because Savvis did not make any representation directly to Merrick intending to influence its behavior “distinct from the much larger class” of acquiring banks involved with the Visa and Mastercard systems. Rather, Savvis made its representation directly to CardSystems and the card brands. Savvis also pointed to the Court’s prior decision in the lawsuit filed by Cumis against Savvis. In that case the same Court dismissed a negligent misrepresentation claim because no representations were made to Cumis or its insureds (issuing banks) distinct from the larger class of participants in the Visa and Mastercard systems (as stated above, this blog will have more on that decision soon). Finally, from a public policy perspective, Savvis indicated that interpreting section 552 more broadly would expose it to limitless potential exposure.

In addition, Savvis made quick work of Merrick’s negligence claim. According to Savvis, under Arizona law “providers of professional information” such as Savvis may be sued only for negligent misrepresentation. Savvis contends that plaintiffs are not permitted to avoid the limitations set forth in section 552 simply by alleging a general negligence claim. Significantly, Savvis did not directly attack the merit of the negligence claim on the basis of whether it owed any duty to Merrick Bank. (UPDATE -- 062409: as one reader points out, by claiming that the negligence claim is subsumed into the negligent misrepresentation claim, one could say that Savvis is indicating that they owe no duty under a pure negligence theory. I have not read the citations within the case so I don’t know if that is the case).

Conclusion

The procedural aspects of this case, including the previous transfer of this matter from a Missouri court, as well as the choice of law, will have a significant impact on the case moving forward. Considering Merrick Bank’s prior indication that Arizona law applies, it appears that Savvis has a solid statute of limitations argument that could kick the case out before any hearing on the merits occurs (which will keep the rest of the world in the dark on the substantive merits of this case). On this issue it will basically come down to when Merrick Bank knew, or reasonably should have known, it had a case against Savvis. Obviously Savvis is going to argue for the earliest date possible. Expect Merrick to come back with its own analysis on how it took longer for it to “discover” a valid claim against Savvis (e.g. perhaps the “necessary” facts of Savvis’ alleged culpability only came out after depositions or other discovery in the Cumis case). To the extent there are any factual issues wrapped into this analysis, the Court might pass on a motion to dismiss and allow the litigants to engage in some discovery (at least limited to this issue).

On the merits, as previously predicted, the main issue is whether Merrick Bank is a “person” or “one of a limited group” for whose benefit Savvis supplied the CISP certification information. This is going to be a close question. Unlike issuing banks or their insurers (as referred to by Savvis in relation to the Cumis lawsuit), processors like CardSystems have a direct contractual relationship with acquiring banks. That relationship requires processors, before acquiring banks can retain them, to certify compliance with payment card standards such as CISP. It is difficult to argue that security assessors in this space do not know this. In addition, it can be argued that these assessments are intended for the direct benefit of acquirers. Not only does an assessment give acquiring banks an indication that the risk of credit card fraud is decreased, it also allows them to avoid contractually mandated fines, penalties and recovery costs in the event of a security breach or otherwise.

It will be interesting to see Merrick’s response on this matter. Note that even if this lawsuit does survive the motion to dismiss, there are other fact-based arguments that may allow this case to be dismissed on a different motion (e.g. a motion for summary judgment). Not only will the issue of the intended class of persons be attacked by Savvis, but also the matter of whether Merrick Bank relied on Savvis’ assessment (and not some other factor) will be tested. More to come in the next few weeks. Stay tuned.

Nevada Law Incorporates PCI and Provides a Liability Safe Harbor

Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law. 

In contrast to the Minnesota law (which only partially incorporated one subsection of PCI), the Nevada amendment requires "data collectors" doing business in Nevada to comply with the entire PCI standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Unfortunately there is a built-in ambiguity in the law, since neither the PCI standard itself nor the PCI Security Standards Council sets the PCI compliance date. Rather, that is done by each card brand. Ignoring that glitch, obviously, by incorporating PCI into its law, Nevada has explicitly given PCI “the force of law.” This could have significant legal implications: see more HERE and HERE.

The Nevada amendment also appears to create a partial "safe harbor" for compliance with the law (and by extension PCI):

3. A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

While it is apparent that this language precludes liability for damages under the Nevada statute itself, it may also have wider application.  In other words, would this language bar a "regular" negligence lawsuit arising out of a security breach as long as the data collector was PCI compliant?  "Damages" in a breach of contract lawsuit? The broad language used ("shall not be liable for damages") suggests a solid argument exists for a "safe harbor" (even if compliance with the PCI standard itself was not "reasonable security") against any cause of action not involving "gross negligence" or "intentional misconduct."  More research, and potentially case law, will be necessary before the scope of this safe harbor is clarified.

PCI Service Provider Contracting

(NOTE: cross-posted at Branden Williams’ Security Convergence Blog)

As an attorney focusing on information security and privacy issues, I often get called in to assist companies to understand their legal liability risk around the PCI (self) regulatory system.  One of the key areas I get involved in is service provider relationships, and in particular section 12.8 of PCI and service provider contracts.  There are many aspects of 12.8 (and its subsections) that are potentially ambiguous and open to interpretation, but this particular article is not going to focus on those.  This post concerns the "written agreement" referenced in 12.8.2, which provides in full:

12.8.2.  Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

We could debate whether a “written agreement” is the same as a “contract” as referenced in PCI v1.1 (under the law there is not much difference between a “contract” and an “agreement”). However, rather than concentrating on mere PCI technical compliance, this blog post will discuss the contract terms merchants should consider in their service provider agreements to actually manage their security risk. Of course service provider agreements should address the PCI requirements, but for merchants concerned about truly mitigating their risk, much more is involved. Coincidentally, I am in the middle of writing a book on payment card contracting that will be released through the American Bar Association; this post summarizes some of the ideas/concepts that will be in that book.

Pre-Contracting Activities

In general, as most understand, organizations cannot "outsource" compliance with PCI.  That is to say, while merchants work with service providers that do some or all of the merchant's storing, processing or transmission of cardholder data, interested parties will still attempt to hold the merchant responsible for the service provider's non-compliance with PCI, and the impact of a service provider's payment card security breaches.  The service provider contract is one of the key places where this risk can and must be dealt with (the other mechanism for managing service provider risk is insurance, but that is another topic for another day). 

The first step in the process is understanding what the merchant has legally obligated itself to. This requires an analysis of the merchant’s “upstream” contracts: the various “merchant agreements” it has in place with payment processors and/or merchant banks. If a merchant deals with more than one card brand there could be multiple contracts. In essence, the goal here is to identify the merchant’s upstream obligations and transfer those obligations down to any service providers utilized by the merchant. For example, if the merchant agreement requires the merchant to indemnify the payment processor for fines and penalties imposed by card brands, the service provider agreement should require the service provider to do the same. One thing to note: most modern merchant agreements require merchants to adhere to the relevant payment card brands’ operating regulations. As such, merchants should understand those obligations (e.g. Visa’s Account Data Compromise Recovery process) as well in order to transfer risk to their service providers.

The second step is attempting to understand the risk posed by the particular service provider the merchant is dealing with.  What is the transaction volume the service provider is handling?  What controls does the service provider have in place or not have in place?  Has the service provider's security been independently assessed (e.g. by a QSA)?  What would happen to the merchant's business if the service provider went down (e.g. not all the risk is liability risk)?  If the service provider suffers a breach, does it have an incident response plan to mitigate harm and provide notice to the merchant?  In addition to general security requirements, depending on the nature of the transaction, this risk assessment may result in specific service provider contractual obligations.

Security Contract Terms

So what security-related terms should be in service provider contracts?  The answer to this question will vary depending on many factors (e.g. the type/purpose of the transaction, the data at issue, the laws that apply, the upstream contractual obligations of the merchant, etc.), but the following should be considered:

(1)    Definitions.  The payment card world relies on particular definitions and terminology.  To avoid confusion, where warranted, some definitions should be incorporated into the contract (e.g. PAN, cardholder data, sensitive authentication data, etc.).  This can be achieved in part for some key terms by referencing the PCI standard and/or the PCI glossary.

(2)   "Preventative" Contract Terms -- Compliance and Controls.  The overall purpose of these terms is to contractually obligate the service provider to certain controls and practices with the hope of preventing non-compliance and/or a security breach (or at least to decrease the risk of those events).  In these sections the service provider should be required to comply with the requirements of the PCI regulatory system.  This includes, but goes beyond, the PCI standard itself.  Other elements of the PCI regulatory system include card brand security programs, FAQs, Guidance papers and other documents issued by the PCI Council, and the card brand operating regulations themselves. 

In addition, if there are any specific controls or security measures that the merchant wants the service provider to implement and maintain, those should be indicated.  Merchants can also draft other standards into the contract, such as ISO 27001, if desired.  Last, regardless of the specifics, the service provider should have an obligation to maintain "reasonable security" to protect the sensitive data that is the subject of the agreement.  By broadening the duty to "reasonable security" the hope is to avoid cases where technical compliance with PCI was achieved, but the service provider's systems were not actually secure.  The reference to "reasonable" establishes an "objective" standard under the law that allows for scrutiny in a litigation context.  Note that all duties in this section should be made ongoing and continuous (PCI compliance does not only matter on the day the contract is signed), and the service provider should be required to comply with changes to the PCI standard as they are issued.

(3)   Monitoring and Reporting.  These contract terms should provide the merchant with the right to monitor and enforce compliance with the service provider agreement, the PCI standard, payment card company security programs, etc.  There are many ways this can be achieved, including imposing reporting requirements on the service provider, providing the merchant with security assessment rights or actually requiring a periodic third party audit.  With respect to PCI, the agreement should require the service provider to allow the merchant (or third parties selected by the merchant) to conduct the quarterly external vulnerability scans the standard calls for (e.g. by an Approved Scanning Vendor), as well as QSA assessments, and to share the resulting reports. 

What are the consequences of non-compliance with the agreement or PCI?  Monitoring is good, but if non-compliance is found the merchant must also have enforcement rights.  Without enforcement mechanisms the service provider's promises may be hollow.  Contractual penalties may be put into the contract, and indemnification rights (discussed below), termination rights and other remedies may be considered.  The key here is to have some leverage to get the service provider to actually comply instead of having to abandon the relationship and find a new service provider.

(4)   Security Incident Response.  Service providers and outsourcers act as an extension of the merchant's operations.  However, if their incident response procedures are out of sync it could be problematic.  Merchants need to understand their service provider's internal incident response procedure and then build contractual obligations that allow the merchant's incident response procedure to seamlessly meld with the service provider's.  This section may require the service provider to identify a response coordinator to act as a liaison and to cooperate fully with the merchant.  In addition, it may require an investigation, remedial action, notice and reporting to the merchant and the payment card networks (within a defined time frame), collection and preservation of evidence, documentation of the incident response, and access for the merchant to service provider systems, logs and data. 

One of the key considerations here is identifying the party responsible for complying with breach notice laws.  Arguably, based on the statutes themselves, the primary duty would rest with the merchant, and the merchant would have to pass it on contractually to the service provider (note the primary duty would still reside with the merchant, so if the service provider refused, the statutes still require the merchant to comply).

(5)   Rights, Remedies & Indemnification.  These terms transfer the risk of loss between the merchant and service provider and provide other rights for breach of the service agreement or in the event the service provider suffers a security breach.  These terms are amongst the most important in the agreement, are usually the most contentious to negotiate, and truly establish the baseline for the merchant's liability in the event the service provider makes a mistake.  The following should be considered.  Indemnification rights should require the service provider to pay for/reimburse the merchant for claims, attorney fees, lawsuits, fines, penalties and other costs associated with the service provider's non-compliance with the agreement and other requirements of the PCI regulatory system, as well as security breaches (whether the provider was compliant or not).  If there is a limitation of liability clause, exceptions should be considered for security breaches, fines and penalties due to non-compliance and other issues.  The same holds true for any consequential damages limitation clause that finds its way into the contract.  Additionally, termination rights should be built into the contract based on service provider non-compliance or security breaches.

(6)   Insurance Clause.  An insurance clause requiring the service provider to purchase insurance covering security breach notice law compliance, liability arising out of security breaches and other professional errors or omissions should be considered (especially when utilizing smaller vendors).  If possible, the merchant should be named as an additional insured on the policy so that it can tap directly into the policy proceeds.  This clause should specify required limits and should require the insurance to be primary.  In addition, the contract should note that insurance proceeds are not intended to limit the amount of the service provider's liability.

To implement these terms, what I often do is create a security schedule or exhibit that contains all/most of the security-related obligations of the contract.  Oftentimes a merchant will be forced to work with the service provider's contract.  If the security terms are in a pre-established exhibit, that exhibit can be incorporated into the contract (with some careful drafting of course).  On a final note, please understand that while this post has focused on PCI, a framework similar to that described above could be used for other statutory or security requirements, including GLB, HIPAA, EU Data Protection Directive and others.  In fact, for organizations with multiple security standards or laws to comply with, a security exhibit or schedule can be an efficient way for addressing all of the requirements at one time and in one place.

Conclusion

At a time when reliance on service providers and outsourcers to handle payment card information is high, and the legal liability risk associated with payment card security breaches is growing significantly, the security terms in a service provider contract take on increasing importance. 

In fact, I counsel my clients to raise some of the terms they want (especially indemnification) at the RFP phase instead of waiting until later.  The key here is to create competition between potential service providers not only on price and scope of services, but also on acceptance of risk and contract terms (those willing to accept more risk being potentially better candidates than those not so willing).  Organizations that wait to request protective contract terms until after they have selected a vendor may find those terms watered down during negotiations, and may be stuck holding all the risk of a service provider mistake (and you know that for most service providers the default is contract terms that completely insulate them from risk - don't settle for that!).  As it currently stands, the focus of security risk mitigation is on technical controls and other security measures, and the importance of the contract as a risk mitigating tool is overlooked.  As litigation increases in this area, for risk-conscious organizations, the protections (or lack of protections) in the service provider contracts are going to become very important.

Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint

The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system.  The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank (the merchant bank is a third party relative to the Savvis-CardSystems relationship).  The Merrick Bank complaint alleges that it relied on Savvis' certification of CardSystems as Visa CISP compliant (this matter pre-dated the PCI standard), and that the certification was false.  After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which were ultimately transferred to issuing banks that suffered losses arising out of the CardSystems breach).

If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme.  This post discusses the two theories of liability alleged by Merrick:  (1)  negligence; and (2) negligent misrepresentation.

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction.  The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time.  If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com

One further note: the basic rules and general information in this post were derived from various legal research sources.  However, one book in particular provided excellent information on the liability of service providers to third parties.  Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).

UPDATE:  Other bloggers/mags are putting together some nice analysis of this case as well:  here, here

Relevant Allegations

In order to understand the theories of liability alleged by Merrick, it is important to spot the specific allegations that will ultimately support those theories.  The key allegations, which are repeated throughout the complaint, include:

  • Merrick would not allow CardSystems to process Card Transactions until it was certified as CISP compliant

  • Savvis was specifically retained to certify CardSystems as CISP compliant, and did so pursuant to a Report on Compliance issued to VISA

  • Upon learning of the results of Savvis's Report on Compliance (after CardSystems was listed by Visa as CISP compliant) Merrick allowed CardSystems to serve as its processor

  • According to a post-incident forensic analysis, at the time Savvis issued the ROC, CardSystems had been improperly and continuously storing unencrypted cardholder data

  • Savvis provided the ROC to VISA for the express purpose and with knowledge that Visa would publish the ROC, and that merchant banks would rely on it to determine whether CardSystems met the CISP standard

  • It was reasonably foreseeable to Savvis that merchant banks would rely on its report

  • Savvis knew or should have reasonably known that its certification of CardSystems was directly for the benefit and guidance of merchant banks

Analysis

The key threshold issue in this case is whether Savvis owed any duty of care to Merrick with respect to the security assessment it provided to CardSystems, and if so, the extent of those duties.  Note that the typical method for establishing a duty in a professional services context is via a contract (and when two parties are bound contractually they are said to be in "contractual privity").  In this case, Savvis likely had a contract with CardSystems to perform an assessment, but did not have a direct contractual relationship with Merrick.  The lack of contractual privity is the main legal obstacle faced by Merrick.  Are there other non-contractual theories of liability that apply to Savvis in this context?  Merrick Bank has alleged negligence and negligent misrepresentation against Savvis.

Negligence

In the professional service provider/client relationship, negligence is typically a valid theory of liability.  For example, it is the basis for many malpractice claims against lawyers, doctors, accountants and architects.  The validity of a negligence claim is trickier when a third party alleges it.  The key analysis is whether the service provider owed any duty to a third party to perform its services in a reasonable and competent manner.  Unfortunately, this is not an easy question to answer under the law.  There are several different tests courts consider to make this determination, and different jurisdictions may apply different tests or apply the same test in a divergent manner.  In addition, whether a duty exists will also rest heavily on the particular facts of the case at hand.  That said, in general, some courts are wary of circumstances that will result in unlimited liability down the line for service providers.  The following is a brief description of two of the main tests:

  • Foreseeability. In the most basic approach to determining whether a duty exists, the Court asks whether the defendant's actions create a foreseeable risk of harm to the third party plaintiff.  Typically both the plaintiff and the risk of harm must be foreseeable.  This approach is criticized by some on the basis that the concept of "foreseeability" is unbounded and can extend extremely far.

  • Balance of Factors Test. This test considers foreseeability of harm to the plaintiff as only one of several factors to determine whether a duty exists.  Other potential factors include:  the extent to which the transaction was intended to affect the plaintiff; the degree of certainty that the plaintiff suffered injury; the closeness of the connection between the defendant's conduct and the injury suffered; the moral blame attached to the defendant's conduct; and the policy of preventing future harm.  After argument by the parties, all of these factors are weighed by the Court, which then determines whether a duty exists.

Other jurisdictions employ variations of these tests.  In Wisconsin state courts, for example, if it is foreseeable that the service provider's actions could harm a third party, then a duty will not exist only if there are overriding public policy considerations.  Some courts employing the balance of factor test focus on the relationship between the parties, and specifically if there was any indication that a third party was the intended beneficiary of the professional services rendered.

One more important factor with respect to negligence: even if a duty is found to exist as to a third party, the "economic loss doctrine" may bar recovery of any "economic loss" (loss that is not a personal injury or property damage).  This doctrine is also complex and applied differently depending on the jurisdiction.  In some jurisdictions it does not apply when services are at issue (as opposed to products).  In other jurisdictions, "professional services" such as those provided by lawyers or accountants are not protected by the rule.  However, if the rule does apply, it can wholly eliminate the type of damages being claimed by banks like Merrick (and in fact it has been used to dismiss negligence claims by issuing banks for security breaches in the TJX and BJ's Wholesale Club cases).

Negligent Misrepresentation

Similar to the accountancy field, the payment card security assessment field involves an act of attestation.  That is, an opinion/representation as to the status of a company's financial statements (for accountants) or its security status against a particular standard (for security assessors).  If these "representations" are purposely false, or simply incorrect because of mistakes, plaintiffs may have an action for fraud or "negligent misrepresentation."  Merrick alleged in this case that Savvis's certification of CardSystems was a negligent misrepresentation because in reality CardSystems was not CISP compliant.  Similar to negligence claims (which often overlap with negligent misrepresentation claims because both require proof of a failure to meet the standard of due care), the approaches employed with respect to this theory vary by jurisdiction.

The original position adopted by most courts concerning negligent misrepresentation was that third parties not in privity of contract (or "near privity") could not utilize this theory of liability (see Ultramares v. Touche, 1931).  The reign of the Ultramares case began to erode in the 1960s based on new case law and the eventual adoption of Section 552 of the Restatement (Second) of Torts, which represents the modern approach to service provider negligent misrepresentations to third parties.  Section 552 states in relevant part:

(1) One who, in the course of his business, profession, or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.

(2) * * * liability in Subsection (1) is limited to loss suffered (a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and (b) through reliance upon it in a transaction that he intends the information to influence or knows the recipient so intends or in a substantially similar transaction.

Interestingly, if you read the Merrick complaint (or the relevant facts laid out above) you will see that many of the words used in section 552 are copied verbatim.

Many of the elements in subsection (1) are satisfied in a typical attestation situation.  In this case it is not a stretch to say that security assessors supply information that is relied upon by third parties.  However, plaintiffs may have to establish that their reliance was justified - the more direct the reliance, the better their chances.  So if there were other factors that impacted Merrick's decision to hire CardSystems and CISP certification was secondary, the issue of reliance may be more difficult to establish.

In addition, in some cases it may be difficult to establish that the information was "false" (especially when there are gray interpretative areas involved).  Likewise, in some cases it may be a challenge to establish that the security assessor violated his or her duty of care. If a security assessor's opinion was reasonable the plaintiff may not be able to establish this element.  Of course, if there are obvious ("black and white") mistakes, such as the failure to encrypt cardholder data or the storage of track data, this element will be less difficult to establish.

The elements in subsection (2) of section 552 require both that the service provider have knowledge of the person or group of persons that will be receiving benefit or guidance from the opinion, and that the service provider (or the recipient of the information, e.g. CardSystems or VISA) intends the information to influence the plaintiff with respect to a transaction.  These knowledge and intent issues often ultimately determine the failure or success of the plaintiff's case.

The application of these knowledge and intent requirements may vary by jurisdiction.  Some may take a narrow view and require that the service provider specifically intended to induce the plaintiff's reliance for a particular transaction (e.g. the service provider would have had to have known of the transaction, and known that its opinion was the key information inducing the plaintiff to go through with the transaction).  In other jurisdictions, the service provider may only need to know of the potential users of the information and the potential use of the information.  In addition, some courts may require actual knowledge of the potential users of the information, while others may allow this element to be satisfied if the service provider has reason to know of potential users/uses of the information.

One item to note again with respect to the economic loss doctrine.  While it often blocks plaintiffs from recovering under negligence theories, in some jurisdictions the doctrine is inapplicable to fraud and negligent misrepresentation claims.  So if plaintiff can establish a negligent misrepresentation claim, it may have a good route to recovery.

Lastly, it must be noted that the negligent misrepresentation claim, in general, has been utilized by issuing banks against merchants already in the TJX case.  Although the context is different (TJX involves a merchant's misrepresentation as opposed to a security assessor's  misrepresentation), an appellate court refused to dismiss a negligent misrepresentation claim based on indirect representations of CISP compliance.  Thus, it may be that the negligent misrepresentation claim against Savvis could have some legs.

Conclusion - Observations of the Merrick Case

The Merrick case represents a potential watershed moment for the payment card security assessor industry (and security auditors in general).  If liability is found in this case, and especially if case law is created that goes against Savvis, security assessors will be entering the world of lawyers, doctors, accountants and architects.  This world will involve a much higher potential for liability, more need to purchase professional liability insurance, increased costs for merchants employing assessors, more rigorous ethical obligations and potentially a higher level of skill and scrutiny applied to security assessment engagements.  Over time, this world could start to look more like the world of accountants.

Unfortunately for security assessors, since there is no ability to gain contractual protection (limitations of liability or consequential damages disclaimers) against third parties with whom they have no contract, it may be difficult to deflect liability.  Significantly, as one can ascertain above, whether a plaintiff's claims are valid in this context may involve a fairly fact intensive inquiry.  In many instances, legal matters that are highly fact intensive are allowed to proceed past a motion to dismiss or motion for summary judgment -- factual disputes are typically for juries to decide.  What this means is litigation leverage for the plaintiffs - with good fact patterns the pressure to settle these cases may be great, since victory may come down to who has the better facts and who can argue those facts the best.  Moreover, regardless of the facts, arguing in front of a jury always poses a risk.

Based on the foregoing it is very difficult to make any predictions concerning the Merrick Bank case.  However, the fact pattern in this case appears favorable to Merrick based on alleged severe violations of CISP and the magnitude of the breach.  Merrick has gone out of its way to tailor its allegations to match the legal elements discussed above.  Whether those allegations are substantially true remains to be seen.  For instance, was the CISP compliance truly the make or break factor that Merrick relied on to enter into a transaction with CardSystems?  The complaint mentions MasterCard's security program.  Was it justifiable and reasonable for Merrick to rely on CardSystems CISP certification as a proxy for compliance with Mastercard's security rules?  Will the court require that Savvis have actual knowledge and intent to induce the particular transaction at issue?

Please note that a potential analogue for security assessors is lawsuits by investors against accountants.  Both engage in attestation services that are known to some degree to be relied upon by third parties.  There are numerous cases going both ways (some finding liability, some not) with respect to accountant liability to investors who relied on inaccurate financial statements.

Finally, one thing to be aware of with respect to negligent misrepresentation: the more clearly a security assessor is made aware that its assessment will be relied upon by a particular third party as the key factor in that party's decision to engage in a transaction, the more likely a negligent misrepresentation claim will be valid.  QSAs brought into an engagement for this purpose should pause and consider the implications of making a mistake.

Regardless of the outcome, this case will be very interesting to watch and it will surely wake the QSA community up.  Once we have more information we will put it up on the blog.  In the meantime, feel free to contact me with any questions on this matter.

The TJX Case: It Lives! With a New Theory of Liability: "Unfairness"

The last two plaintiff-banks still breathing after 1st Circuit Appeal
Little known (or at least little discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via the VISA and Mastercard dispute resolution processes.

However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter "Issuing Banks" or plaintiffs) have pressed forward with an appeal of various dismissals and class certification rulings to the U.S. Court of Appeals for the First Circuit (the "Appellate Court"). The 1st Circuit's opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX's inadequate security amounted to an unfair business practice under Massachusetts's unfair and deceptive business practices law.

The main issue on appeal was the ruling on a motion to dismiss by the U.S. District Court for the District of Massachusetts (the "District Court"). TJX and Fifth Third Bank (TJX's merchant bank; collectively referred to as "defendants") had asked the District Court to dismiss all of the counts alleged in the Issuing Banks' complaint, including: (1) negligence; (2) breach of contract; (3) negligent misrepresentation; and (4) unfair or deceptive business practices under chapter 93A (Massachusetts's consumer fraud statute). The District Court dismissed the negligence and breach of contract claims, but allowed the negligent misrepresentation claim and the 93A claim (which was based on negligent misrepresentation) to proceed.

Negligent Misrepresentation

The Appellate Court ultimately refused to dismiss the plaintiffs' negligent misrepresentation claim. However, the Court took a different path than the District Court. First, the Court noted that the plaintiffs were not alleging any actual (express) misrepresentation; rather, the plaintiffs' "negligent misrepresentation" was based purely on the defendants' conduct in performing credit card transactions (in fact, the Appellate Court also referenced the defendants' conduct in the form of entering contracts requiring certain credit card security measures). While conduct can be part of a misrepresentation, the link between the conduct and the implied representation must be "tight." This link may be established by a combination of words and conduct concerning the alleged misrepresentation.

The Court then pointed to another Massachusetts state credit card breach lawsuit (Cumis Ins. Soc. Inc. v. BJ's Wholesale Club, Inc., 23 Mass. L. Rep. 550 [Mass. Super. 2005]) that granted a defendant's motion for summary judgment on the issue of negligent misrepresentation. In that case, the motion was granted because the implied misrepresentation was based purely on conduct.

Based on this, the Appellate Court refused to dismiss the negligent misrepresentation count on a motion to dismiss. In its view, the claim was properly pleaded in the complaint, and the proper method for dismissal of the claim would be a motion for summary judgment (assuming the plaintiffs could not provide evidence to support their allegations). In its parting words, the Appellate Court indicated that the claim was "on life support" (i.e. likely to be dismissed on a motion for summary judgment).

The Appellate Court also considered the District Court's denial of class certification with respect to the negligent misrepresentation claim, and ultimately upheld the District Court's denial. As such, even if the plaintiffs can establish negligent misrepresentation it appears they will have to do so for each individual plaintiff (rather than a class of plaintiffs).

Chapter 93A "Unfair" or "Deceptive" Trade Practices

The Appellate Court's ruling on the Issuing Banks' 93A claim was actually a bit surprising. The non-surprising aspect was the court's decision to uphold the plaintiff's 93A claim based on negligent misrepresentation. Since the base negligent misrepresentation claim was allowed to stand, the 93A claim based on the misrepresentation also stood, albeit with the same defects according to the Court.

The surprise was the Appellate Court's reversal of the dismissal of the plaintiffs' other 93A claim. 93A provides a claim for "unfair" or "deceptive" trade practices as between businesses, and "unfairness" can be established by reference to other appropriate sources of law. The plaintiffs had alleged that the defendants' lack of security measures, measured against various consent decrees issued by the FTC, amounted to a violation of the Federal Trade Commission Act, and therefore an "unfair" practice under 93A. The District Court disagreed and held that consent decrees are not appropriate sources of law for purposes of 93A.

In reversing the dismissal, the Appellate Court recognized that the plaintiffs' allegations went beyond consent decrees and relied on an actual FTC complaint against TJX for the very breach at issue, as well as two other security breach complaints alleging that the lack of appropriate security measures amounted to an unfair act or practice. The Court noted that use of FTC precedent is directly referenced in 93A itself, and that at least one other Massachusetts court had allowed FTC complaints to serve as the basis of 93A actions. The Court also noted that "adjudicated" FTC cases were even more potent (although it did not clarify whether a "consent decree" amounts to an adjudicated FTC case).

Moreover, the Appellate Court rejected TJX's argument that it did not have a close enough business relationship to the Issuing Banks. The Court also refused to limit 93A actions to "egregious conduct" or "deliberate wrongdoing" at this stage. Rather, this issue was one that would have to be resolved after discovery in the District Court.

Negligence

The District Court dismissed the plaintiffs' negligence claim based on the "economic loss doctrine", which holds that "purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage." On this claim the plaintiffs argued that they had suffered property damage because they had a property interest in the payment card information which the breach rendered worthless. The Appellate Court disagreed. It recognized that electronic data can have value and that value can be lost, but the loss must be as a result of the physical destruction of property. That was not the case for this security breach, and the District Court's dismissal was upheld.

Breach of Contract - Third Party Beneficiary Theory

The Appellate Court upheld the District Court's dismissal of the plaintiffs' breach of contract claim. Under this theory, the Issuing Banks argued that they were the intended beneficiaries of the contract between Fifth Third and TJX. That contract, however, contained the following express provision disclaiming third party beneficiaries:

This Agreement is for the benefit of, and may be enforced only by, Bank [Fifth Third] and Merchant [TJX] . . . and is not for the benefit of, and may not be enforced by any third party.

The plaintiffs argued that this provision was superseded by the Visa and Mastercard Operating Regulations. The court acknowledged that those regulations do indicate that they prevail in any conflict with the provisions of a merchant agreement, but held that in this case those provisions did not conflict with the third party beneficiary disclaimer in the TJX merchant agreement. The Appellate Court construed the following language in the Mastercard Operating Regulations as disclaiming third party beneficiary rights: [Mastercard] "shall have the sole right to interpret and enforce" [its operating regulations]. The Visa Operating Regulations were more explicit, indicating that those regulations "do not constitute a third-party beneficiary contract as to any entity or person . . . or confer any rights, privileges, or claims of any kind as to any third parties." Note that it does not appear that this type of disclaimer existed in earlier versions of the Visa Operating Regulations (see the use of the third party beneficiary theory in the B.J. Wholesaler's case).

Class Certification

One of the biggest risks for defendants, even where weak theories of liability exist that are likely to yield small recoveries, is the prospect of certification of large plaintiff classes. The District Court held that class certification was not appropriate for the surviving negligent misrepresentation claim and 93A claim (based on negligent misrepresentation). The District Court reasoned that class certification was inappropriate because negligent misrepresentation requires proof that each individual plaintiff relied on the misrepresentation.

The Appellate Court, however, questioned whether the newly revived 93A "unfairness" cause of action would require an individual finding with respect to each plaintiff. The Appellate Court noted that the unfairness theory appears to turn on what the defendants did (or failed to do) rather than on the Issuing Banks' reliance on any misrepresentation. Ultimately, the Appellate Court did not issue an opinion on the certification of the 93A unfairness claim, and instead remanded the question to the District Court.

Conclusion

For the most part the Appellate Court's decision represents a victory for TJX, but it does open the door to some uncertainty. While the negligent misrepresentation claims (common law and the 93A claim) are viable, class certification has been denied. The plaintiffs have indicated that they will attempt to better define the classes to remedy this defect, but at this point it appears they would have a very difficult road.

The "unfairness" theory under 93A, however, presents a wild card. The "unfairness" doctrine has been used by the FTC to allege that a company's security itself was inherently unreasonable and therefore "unfair." Those FTC cases resulted in consent decrees, and therefore the unfairness theory has never been truly tested (one commentator believes it was improperly employed by the FTC). Yet it provides a potential hook, especially in this case where TJX was found to have been in non-compliance with 9 of the 12 PCI requirements. Even so, the question remains whether the Issuing Banks will be able to establish damages under 93A. Notably, considering that most States have similar deceptive practices laws on the books (although not all of them with private causes of action), this "unfairness" theory could have wider application in the security breach context.


Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of "damages."  Despite the partial "victory," the Court had also suggested that the damages issue might not survive a motion for summary judgment.  Well, the Court made its own prediction come true in a recent ruling.

On April 4, 2009, the court issued a decision indicating that an increased risk of identity theft did not rise to the level of harm necessary to maintain a negligence claim.  This was true despite expert evidence indicating an increased risk that the plaintiff's personal information was exposed.  Without evidence of actual significant exposure of the plaintiff's personal information, the Court indicated that analogies to "medical monitoring" damages were not supported.

This case is another in a line of cases establishing that, absent actual identity theft, it is uncertain whether a consumer plaintiff in a data breach case can win in court.

Is Something Wrong With PCI?

A question being asked in various circles in the wake of the Heartland breach.  An interesting post by Michael Dahn over at the Aegenis Group.  I started to respond and kept going and going and going.   Read his post first; my (somewhat rambling/unpolished) response is below.

A couple points.

(1)  Faulty Logic. You claim that it is faulty logic to conclude, after one company gets hacked, that the entire PCI program is ineffective.  On the flip side, it is also faulty logic to conclude that the mere existence of a standard means better security.  It really depends on what the standard says, its scope/rigor and how it is applied.  Even for seatbelts, some studies have suggested that the existence of seatbelts may increase the likelihood of reckless driving. It is possible to implement a standard simply to give the impression that something is being done...

(2)  It's the Risk, Stupid.  As you cite in your post, many individuals considering PCI compliance are only interested in doing "the minimum" to allow them to validate compliance for the year.  The problem is that there is no requirement under PCI that the level of risk posed by a given merchant's or processor's operation dictate the depth of compliance.  How can the requirements of PCI be the same for a merchant that does 1,000 cards a month and a payment processor that does 100 million cards per month?  They only can if the depth/rigor of compliance is higher for the 100 million processor.   You are right, there is a difference between having a firewall (check box!), having a properly configured firewall, and having a program in place to ensure/check that firewalls are properly configured.  Yet, some view the PCI Standard as not making a distinction between these situations - all are "compliant."  And I contend that that is a problem with the Standard - the concept of risk-proportionate rigor should be explicitly stated in and made part of PCI.  Not that GLB itself is a great standard, but at least it captures the idea of risk:

(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
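To make the "check box" versus "properly configured" versus "program to check" distinction from (2) concrete, here is an added example (not code from the original post, Dahn's post, or the PCI Council): a small audit that parses an iptables-save style ruleset and flags ACCEPT rules that reach the cardholder data environment from any source or without a port restriction. The ruleset, the assumed CDE address range and the finding labels are all constructed for illustration; a real program would run this against exported rules from every in-scope firewall on a schedule, which is the part the checkbox never captures.

```python
"""Added example: audit a firewall ruleset for overly permissive ACCEPT rules.

Constructed for illustration; not from the original post or from PCI DSS.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ruleset, modeled on iptables-save output (not a real ruleset).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 10.10.0.0/16 -d 10.20.1.5/32 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 10.20.1.5/32 -p tcp --dport 3306 -j ACCEPT
-A INPUT -d 10.20.1.5/32 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -d 10.20.1.5/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.20.1.0/24 -j ACCEPT
COMMIT
"""

# Assumed cardholder data environment (CDE) range for this example.
CDE_NETWORKS = ["10.20.1.0/24"]

ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    chain: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]
    dport: Optional[str]
    target: Optional[str]
    raw: str


def parse_rules(text: str) -> List[Rule]:
    """Parse '-A CHAIN ...' lines; table, policy and COMMIT lines are skipped.

    A missing -s or -d defaults to 0.0.0.0/0, which is what iptables assumes.
    """
    rules: List[Rule] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        opts: Dict[str, str] = {}
        i = 2
        while i + 1 < len(tokens):
            if tokens[i] in ("-s", "-d", "-p", "--dport", "-j"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        rules.append(
            Rule(
                chain=tokens[1],
                src=ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
                dst=ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False),
                proto=opts.get("-p"),
                dport=opts.get("--dport"),
                target=opts.get("-j"),
                raw=line,
            )
        )
    return rules


def audit(text: str, cde_networks: List[str] = CDE_NETWORKS) -> List[Tuple[str, str]]:
    """Return (rule, finding) pairs for ACCEPT rules that reach the CDE too broadly."""
    cde = [ipaddress.ip_network(n) for n in cde_networks]
    findings: List[Tuple[str, str]] = []
    for rule in parse_rules(text):
        if rule.target != "ACCEPT":
            continue
        # Only rules whose destination can reach a CDE address matter here.
        if not any(rule.dst.overlaps(net) for net in cde):
            continue
        if rule.src == ANY_SOURCE:
            findings.append((rule.raw, "any-source ACCEPT into CDE"))
        elif rule.dport is None:
            findings.append((rule.raw, "ACCEPT into CDE without a port restriction"))
    return findings


if __name__ == "__main__":
    for raw, finding in audit(SAMPLE_RULESET):
        print(f"{finding}: {raw}")
```

Run against the sample, the audit flags the MySQL rule open to the world, the rule with no source at all, and the internal rule that allows every port into the CDE subnet; the two narrowly scoped rules pass. The same check with a different CDE range returns nothing, which is the reminder that "properly configured" only has meaning relative to a scoped definition of what the firewall is protecting.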

(3)  The Incentives Are All Wrong. Let me partially take back some of what I said about not taking risk into account.  Merchants and service providers are taking risk into account: the risk that they will lose their ability to process credit cards if they are not PCI compliant.  That is the motivating factor in the PCI game, with no other real carrots or sticks implemented within the system.  Thus the name of the game is getting an ROC as cheaply as possible.

As long as you can find a QSA to validate, or one of your own IT employees for SAQs, you can continue doing business.  And of course, since there are hundreds of QSAs, meaning tons of competition, companies can leverage that competition to get an easy pass.  QSAs that want to do the right thing get marginalized.  In fact, since the QSAs get critiqued by their customers, those that play ball end up rising to the top of the ladder (another flaw in the system).  But isn't the QSA assuming the risk if they rubber stamp, you ask?  Go read your contract with the QSA and see how much risk they are actually taking (look at the limitation of liability clause, disclaimer of consequential damages clause and indemnification clauses).  Meanwhile the ROC that is submitted is accepted without question.  We won't even get into the incentives around an in-house security or IT professional (with perhaps no security training) who is completing a merchant's or service provider's SAQ.

So what could change the incentives/motivating factors:  carrots and sticks.  There is no enforcement unless you are not validated.  Nobody checks if you REALLY ARE PCI compliant or whether you ACTUALLY have reduced any risk.  There is no penalty if you are validated unless you suffer a security breach (discussed more below).

What about carrots?  The benefit of validating PCI compliance is the ability to accept payment cards.  That benefit accrues to any company that has validated, whether or not they actually have reduced risk to a reasonable level.  What about "Safe Harbor"?  I don't think it exists.  Many companies I have spoken to are under the impression that if they are PCI compliant they will be immune from fines/penalties and liability.  I challenge anybody to identify a LEGAL RIGHT to immunity or a LEGAL OBLIGATION on anybody to provide a Safe Harbor.   In fact, Safe Harbor is no longer even identified on Visa's website:  VISA Merchant Page. You have to use the Internet Way Back machine to find information on what they used to call "safe harbor":  Old Safe Harbor Reference.

Note that even under the old description of safe harbor, it only excused PCI-compliant merchants from fines.  It did not prevent an Issuing Bank from suing a merchant for the cost to replace cards.    So clearly, for merchants that engage in rigorous PCI compliance there is no carrot that comes their way if they happen to suffer a breach.

Frankly, the lack of proper incentives and motivation around PCI compliance make me wonder about my last sentence in (1) above.

(4)  The Ultimate Stick - Getting Your Pants Sued Off. Yes, high profile breaches and lawsuits can deter bad behavior in the PCI realm.  However, there are a couple issues here as well.  As set forth above, it appears that some companies believe that if they validate PCI compliance they are in a Safe Harbor that protects them.  Therefore they (wrongly) may not fear lawsuits.  Secondly, for those that use QSAs, there is a belief that if they are validated PCI compliant and they really aren't, it will be on the QSA.  Again, read your contract with your QSA to see how much liability they are actually taking.  Perhaps more high profile incidents like Hannaford and Heartland will act as a deterrent, but I question how much they do now.  This is especially true because lawyers are often not involved in the PCI compliance process, and those security pros that are do not have the experience or expertise to gauge actual legal risk (unless they have law degrees and have practiced - which is a whole other post).  Therefore, it may not be fully taken into account.

Thoughts?

Another "Victory" on the Issue of "Damages" in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to "damages" for purposes of a negligence claim. Some chinks, however, have begun to develop in the "damages" armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.

In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap's vendors (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance.

The Ruiz court analyzed the plaintiffs' complaint to determine whether the plaintiff properly alleged an "injury in fact" for purposes of standing and the issue of damages with respect to the plaintiffs' negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at "an increased risk of identity theft" and did not allege that their identity had been stolen.

The court noted that the plaintiffs' allegations seemed "conjectural or hypothetical, rather than actual or imminent," and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs' case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim.

Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged "increased risk of identity theft" constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the damages security breach defense rationale.

"Damages" in a security breach case... er.. maybe kinda...

A recent opinion came out of the U.S. District Court for the District of Columbia that denies the defendant's motion to dismiss a case against the Transportation Security Administration (TSA) arising out of the loss of a hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.).

The plaintiffs alleged a violation of section 552a(e)(10) of the Privacy Act, which provides:

Each agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

In various contexts, the defendants argued that the plaintiffs had not alleged actual damages, that damages should be construed as encompassing only "out-of-pocket" pecuniary loss, and that the plaintiffs' concerns about harm were speculative and dependent on future events (e.g. criminal misuse of the plaintiffs' personal information by third parties).

The court analyzed the following injury allegations by plaintiffs:

"embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports."

In rejecting the defendant's motion to dismiss on the issue of injury/harm/damages, the Court focused on the "embarrassment... mental distress.... and concern" allegations. It held that those emotional distress allegations were not speculative nor dependent on future events.

The court also noted that the plaintiffs conceded that they were not alleging "current, actual, financial loss" or seeking out-of-pocket expenses. The court cited a case interpreting the Privacy Act that held that actual damages were not limited to "pecuniary losses" and that actions under the Privacy Act could survive the motion to dismiss phase based on pain and suffering and other non-pecuniary losses. In this case the allegation of emotional distress was sufficient to survive the motion to dismiss.

There are several issues to address in this case:

(1) First off, since the plaintiffs did not appear to allege "out-of-pocket" expenses related to the security breach, it does not appear that the logic of this case would apply to situations where a plaintiff incurs costs (e.g. credit monitoring) to head off potential future harm that could arise out of identity theft (e.g. bad credit, cleaning up credit reports, credit monitoring, etc.). Rather, this case focused on whether "emotional distress" or "concern" was itself actual damages or an adverse impact under the Privacy Act. So I am not sure it helps support the theory that out-of-pocket expenses post breach, pre-Identity Theft are actionable.

(2) This case arose in the context of the Privacy Act, and in particular an alleged violation of a section intended to prevent "substantial harm, embarrassment, inconvenience." Since the intended harm includes "intangibles" such as embarrassment and inconvenience it seems that emotional distress can easily fall into that type of "injury."

(3) Another contextual matter: the reason the plaintiffs have to establish actual damages is to satisfy a U.S. Supreme Court case that ruled that "actual damages" are necessary for a plaintiff to recover the $1,000 statutory minimum available under the Privacy Act. More research needs to be done to determine whether "damages" in a negligence context is the same as "actual damages" in the Privacy Act context.

(4) It seems to me the logic employed here was a little loose. Most of the "emotional distress" and "concern" clearly ties to what might happen with the plaintiffs' personal information (e.g. concern for identity theft, concern for damage to credit report, concern for damage to employment suitability, etc.). I suppose it's possible that somebody could suffer emotional distress simply knowing their information was breached. However, it's how that information might be used in the future after the breach that is actually of concern. It seems to me that without some alleged facts (e.g. evidence of visits to a psychiatrist, starting anti-anxiety medication, evidence of depression) this is fairly weak tea. I suppose courts are more lenient at the motion to dismiss phase (all you need to do is state a claim) and are likely to be more demanding on the evidentiary front if/when a motion for summary judgment is filed.

(5) In my view, since the ruling was fairly conclusory and did not dive deep into the details concerning how to define "damages," I am not sure how persuasive this reasoning will be in other contexts.

The "Circle of Blame"

I prefer the "Chain of Blame" because of the better rhyme scheme... all kidding aside, Andrew Conry-Murray has done some good reporting on this story.

One money quote:

While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it's both too specific and too vague. For instance, the standard requires use of stateful packet inspection firewalls. "What if I choose to use another technology that I believe is equivalent?" says Michael Barrett, chief information security officer of PayPal, a Level 1 merchant. "You have a whole big fight with your auditors or you hold your nose and do it."

Level 1 merchants also clash with QSAs over issues such as "compensating controls"--technologies or processes used in place of specific requirements on the PCI checklist. "We believe our controls are adequate, but they are different from how the standard is written," Barrett says. "So you argue with auditors. Those kinds of things make you want to tear your hair out."

There's also a level of subjectivity in PCI that many find disturbing. The training for QSAs provides few guidelines for resolving this subjectivity. One PCI expert, who requested anonymity, says of the training: "When you ask if X or Y would be acceptable, or how to apply X in situation Y, they always answer 'Use your best judgment.'" He says that when others in the class pointed out how wildly their opinions could differ in a given situation, the instructor "had no answer other than to say 'do your best.'"

"It's a question of interpretation of the auditor, and the sophistication and skill set of the auditor," says Jay White, global information protection architect at Chevron, also a Level 1 merchant. "PCI was more painful than it had to be, but we've learned we have to help the auditors understand how we meet their objectives, even if they don't at first see it."

This lack of guidance can lead to significantly different approaches to compliance, even among auditors at the same Qualified Security Assessor. In one case, a company brought in a PCI expert to monitor a QSA's recommendations. The expert says the QSA had insisted the company deploy a million-dollar technical control when a simple change in operational procedure would have addressed the issue. "The assessment company then sent out someone completely different," the expert says, "and he disagreed with the recommendations of the prior QSA from his own company!"

This inconsistency can have significant repercussions for Level 1 merchants. If a merchant exposes card data, Visa dispatches a team of forensics security consultants to determine if the merchant was compliant with PCI at the time of the breach. "If a 'compliant' merchant gets compromised, I can guarantee you I can find at least one thing in the compliance report I could argue about," says the PCI expert. "This provides just enough wiggle room for the brands to point at the merchant or QSA and argue the standard was interpreted wrong."

Being judged noncompliant can result in substantial fines for the merchant and its acquiring bank, including higher per-transaction card processing fees. A judgment of noncompliance would also be useful to law firms contemplating action against the merchant.

More interesting points:

One major clothing retailer we spoke with said auditors examined four out of 1,000 stores, a sample size of just 0.4%. The retailer says all its stores share the same configuration and are centrally managed, but it's all too easy for security problems to go undiscovered with such small samples. "I could hide a multitude of sins from a QSA," says the PCI expert.

And while some retailers complain that auditors are too strict, the current system lets retailers seek out QSAs who may apply the standard less rigorously than others. "I've read several compliance reports that have been provided to us after the fact, and I wouldn't consider them appropriate," says the PCI expert. "They passed, but I don't know how." When asked if merchants are shopping for QSAs that provide an easy assessment, he says: "I can guarantee you that. Why wouldn't they?" Even the PCI Security Standards Council, which trains and certifies QSAs, admits that quality levels may not be consistent among the more than 100 active QSAs.

"It's a competitive game," says Bob Russo, general manager of the council. "One QSA might do an on-site assessment for X number of dollars, and another QSA will do the exact same assessment for less. A merchant thinks, 'If this guy is charging me $50K and this guy charges me $10K, there's a question there.'"

In response, the council is introducing a quality assurance program, due later this quarter, to ensure that all QSAs are performing assessments with the same rigor. "The goal is to make sure it's a level playing field so we don't have accusations from QSAs or merchants that some people are rubber-stamping," Russo says.

The question of rubber-stamping ties to the issue of liability. If a compliant merchant is breached, does the QSA bear any responsibility? It's a question that makes QSAs uncomfortable.

"Who's to say a retailer doesn't take what we say and toss it into the garbage?" says Barbara Mitchell, manager of security product marketing at Verizon. Along with Internet Security Systems and TrustWave, Verizon wins much of the assessment business for Level 1 merchants. "We should have some skin in the game, but if a retailer decides to not listen to our recommendations, it's a murky area," Mitchell says. "If we assume liability, we want to review all the stores, all the servers. That shoots the cost up to a prohibitive degree."

Retailers we spoke with were unclear about the liability question. "I think it would depend on whether our controls were deficient and on the audit process," says the network architect at the major clothing retailer. "I think there would be some level of liability, but we've not dug into that. There may be language in the contract I'm unaware of, but my focus has been on controls to prevent a breach rather than where we will point a finger." Unfortunately, finger-pointing is inevitable if credit card data gets stolen. "When a breach happens, if they see something out of whack, they will go back to the auditor, like Enron and Arthur Andersen," says Teri Quinn-Andry, product marketing manager for Cisco Security Solutions.

Then there's the problem of depending on what is, essentially, an honor system for Level 2, 3, and 4 merchants. There is no outside validation of a company's responses to the self-assessment questionnaire. "The reality is, you don't have to be compliant, if your business wants to take that risk," says the IT director of a Level 2 cruise ship operator.

"A lot with PCI is left to your interpretation," agrees Alan Stukalsky, CIO of Church's Chicken restaurant chain, also a Level 2 merchant.

So what does it all mean? I think it means a very volatile system with a lot of liability risk and uncertainty. I think it means that taking shortcuts could get both merchants that self-assess and QSAs into hot water (including hot water of the "going out of business" type for smaller merchants and QSAs). I think it probably means more comprehensive and expensive assessments once QSAs start getting hit with lawsuits.

So what can be done to smooth out the risk? More on that later from me... any thoughts from others?

Stollenwerk v. Tri-West Health - Rise of the Phoenix?

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element of a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs' attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9th Cir. November 20, 2007)). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

Stollenwerk Background & District Court's Ruling

In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court for the District of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt - hereinafter "ID Theft Plaintiff") alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (i.e. identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica - hereinafter "Credit Monitoring Plaintiffs"), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to guard against potential future identity theft.

In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health before any adverse effects manifested). The District Court indicated that an enhanced risk of future injury is generally insufficient to establish a negligence claim, but that in toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that they were at significantly increased risk of suffering identity fraud.

The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

The Appellate Court's Decision

In November 2007, the Appellate Court reversed the District Court's decision concerning the ID Theft Plaintiff, but upheld the lower court's ruling on the Credit Monitoring Plaintiffs.

The Credit Monitoring Plaintiffs

With respect to the Credit Monitoring Plaintiffs, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:

"In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."

The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

The ID Theft Plaintiff

The Appellate Court's opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings - the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.

On the issue of causation, to survive a motion for summary judgment, the plaintiff needed to provide evidence from which a reasonable jury could conclude that the ID Theft Plaintiff's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

  1. Possession: the ID Theft Plaintiff provided Tri-West with his information;
  2. Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;
  3. Timing -- Identity Theft Incidents: the six alleged identity theft incidents all occurred after the burglary, and the first began about six weeks after the burglary (the last happened about 3 - 4 months after the burglary);
  4. Timing - Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and
  5. Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.

Conclusion

The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

The Court's ruling was favorable for plaintiffs that actually suffer identity theft after a data breach situation. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs' bar.

TJX Motion to Dismiss Bank's Claims

I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

Consistent with past decisions (B.J. Wholesalers), it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. It also appears that the economic loss doctrine is still an effective block to general negligence actions.

However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that it would take the security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition, the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitute "damages" for purposes of negligent misrepresentation.