Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case
In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches in general), the U.S. Court of Appeals for the 1st Circuit (the “Court of Appeals”) held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and implied breach of contract claims. For some time, the InfoLawGroup has been carefully tracking data breach lawsuits that, for the most part, have been dismissed due to the plaintiffs' inability to allege a cognizable harm/damages. In fact, we have been tracking the legal twists and turns of the Hannaford case with great interest (see e.g. here, here, here, here, here and here). The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.
Background
In terms of background, this matter involves a payment card data security breach perpetrated by hackers that resulted in the theft of 4.2 million credit and debit card numbers, expiration dates and security codes from the Hannaford Brothers grocery store chain. After being alerted of the breach by the credit card companies, Hannaford announced the breach and informed the public that 1,800 cases of fraud arose out of the theft of the cardholder data.
Twenty-six separate lawsuits were filed against Hannaford, and all were eventually consolidated in the Federal District Court of Maine (the “District Court”). After winding through various legal proceedings, including the Maine Supreme Judicial Court, the District Court eventually dismissed most of the plaintiffs’ claims, except for those of the single plaintiff who was actually held responsible for $50 of fraudulent charges (the maximum for credit card fraud under U.S. law).
Plaintiffs alleged several causes of action, but this post will focus on the issue of whether damages were properly alleged for purposes of the plaintiffs’ negligence and implied contract claims as to certain categories of alleged damages.
The Holding
As is to be expected when twenty-six lawsuits are filed in a relatively novel area of law, the plaintiffs alleged several different damage elements resulting from the data breach, including:
1. unreimbursed fraud charges;
2. overdraft fees;
3. loss of accumulated reward points;
4. loss of opportunities to earn reward points;
5. the time and effort consumers spent to protect against losses;
6. the fees charged by issuing banks to customers who requested that their credit card be replaced; and
7. the cost for identity theft insurance/credit monitoring.
The Court of Appeals agreed with the District Court and affirmed the dismissal of plaintiffs' negligence and implied contract claims alleging the damage elements set forth in 1. through 5. above. The Court, however, reversed the District Court’s dismissal of the damage elements set forth in 6. and 7. above (“Mitigation Costs”).
The Court of Appeals looked at Maine negligence law in rendering its decision, which requires damages to be both reasonably foreseeable and not barred for policy reasons. In addition, for nonphysical harm, Maine courts take policy considerations into account such as “societal expectations regarding behavior and individual responsibility in allocating risks and costs.” The Court of Appeals also indicated that Maine courts had previously allowed plaintiffs to recover for costs and harms incurred during a reasonable effort to mitigate harm. It specifically cited the Restatement (Second) of Torts section 919(1), which provides in relevant part:
[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened
The Court of Appeals noted that to recover mitigation damages, plaintiffs need to show that their mitigation efforts were reasonable and that those efforts constitute a legal injury, such as actual money loss (rather than time or effort expended). In order to judge whether a mitigation decision was reasonable, Maine courts consider reasonableness at the time the decision was made (not using 20/20 hindsight). According to the Court’s interpretation of Maine law, mitigation damages are available even when it is not certain at the time that the costs are needed, when mitigation costs are sought but other damages are unavailable, and when mitigation costs exceed the amount of actual damages. In support of its decision, the Court of Appeals cited and summarized several cases from multiple jurisdictions, many of which involved structural damages or defective construction.
The Court of Appeals considered whether the Mitigation Costs alleged by the Hannaford plaintiffs were reasonable. It first noted that the Hannaford breach involved a large scale and sophisticated criminal operation. Moreover, there was actual widespread misuse of credit cards and fraud committed using the cards (as announced by Hannaford itself). In the Court of Appeals’ view, the plaintiffs were “not merely exposed to a hypothetical risk, but to a real risk of misuse.” Moreover, the Court noted that there was no way for plaintiffs to predict whose accounts would be used for fraudulent purposes. As such, in the Court’s view it reasonably appeared that all Hannaford customers who used credit cards during the relevant time frame of the breach were at risk of unauthorized charges.
Looking at plaintiffs who had to pay fees to have their cards reissued (apparently not all banks reissued cards), the Court indicated that the immediate reissuance of cards by many banks was evidence of reasonable mitigation. As such, plaintiffs who were required to pay such fees properly alleged damages.
The Court also indicated that it was reasonable mitigation for a plaintiff to purchase identity theft insurance after she experienced unauthorized charges to her account. The Court of Appeals contrasted decisions in other jurisdictions that rejected credit monitoring costs as a cognizable damage element. In those cases, unlike Hannaford, the plaintiffs failed to allege that any of the similarly situated plaintiffs had been the victim of identity theft or other harm. In this case, the plaintiff who purchased identity theft insurance actually had unauthorized charges on her card, and there were at least 1,800 instances of fraud reported by Hannaford when it announced the breach. Therefore, the plaintiffs alleging this damage element satisfied their pleading requirements.
Observations
As mentioned above, this case could significantly impact the liability risk associated with data breach lawsuits. Some observations below:
- Early Stages. Readers must be reminded that even if the negligence and implied contract claims are allowed to proceed, we are only at the pleading stage. It may be possible for Hannaford to win on a motion for summary judgment, on the issue of class certification, and at trial.
- Class Certification Difficulties. Even if certain individual plaintiffs are able to allege negligence and implied contract claims, they may not be able to certify a class action if there is not sufficient commonality between the class members. Class certification is the wild card at this point. It is one thing to have a handful of plaintiffs individually suing for relatively small amounts, and quite another to have a large class doing the same.
- Misapplied Theory of Mitigation Damages? The mitigation damages theory seems weak in one key area: most of the cases cited by the Court of Appeals involved situations where some physical harm or a harmful property defect had already occurred, and the mitigation efforts related to cutting off the harm arising from such harm or defect. In contrast, in data breach situations we do not have physical harm or harmful property defects; many would argue that the mitigation is an attempt to cut off future harm (and that is what other courts have held), and should not be construed as cognizable harm.
- U.S. Supreme Court. While there may be differences between the various decisions that may preclude a true conflict, it now appears that we have a split between U.S. Courts of Appeals. On one side we have the 7th and 9th Circuits throwing data breach lawsuits out due to lack of cognizable harm. On the other we have the 1st Circuit going the opposite direction for some damage elements. Will the U.S. Supreme Court have to weigh in to resolve the split?
- Create Your Own Class. If purchasing identity theft insurance or credit monitoring equals cognizable harm, will plaintiff lawyers direct their clients to purchase such services (in part so that they can recover from the breached organizations)?
- Offering Credit Monitoring Services and Identity Theft Insurance. It is not unusual for breached organizations to offer credit monitoring and/or identity theft insurance to individuals impacted by a breach (often for customer relations purposes). However, as we have predicted in the past, will offering such services effectively cut off lawsuits? Plaintiffs may not be in a position to allege out-of-pocket costs if those services were offered for free by the breached organization. Considering that the redemption rate for such services is relatively low (in our experience typically less than 20%), offering the services might save a breached entity on the litigation end of the equation. Even so, plaintiffs' lawyers might simply move the goalposts, and even if one year of such services is offered, they may allege that two years is required/reasonable.
- Other Mitigation Damages? What other costs might constitute recoverable mitigation damages? The threshold is reasonableness, and it does not necessarily appear that the plaintiff needs to be aware of actual harm or misuse of personal information (although it helps the reasonableness argument if they are). We have had regulators ask our clients to offer to pay for fraud alerts after a data breach – might the cost of a fraud alert also equal a recoverable mitigation damage element? There are probably other similar costs that creative plaintiff lawyers will come up with.
We will have to wait to see what the ultimate impact of this decision is. However, with cases like this and other favorable decisions for plaintiffs concerning the issue of damages arising out of a data breach, we could be witnessing the beginning of a shift in the legal liability environment. At this point, since it may be the case that these data breach lawsuits have more litigation legs, organizations concerned about liability should consider focusing more on whether their security is reasonable and legally defensible.
"Damages" Last Stand - Maine Supreme Court Puts an End to the Hannaford Bros. Breach Suit
We have been following the twists and turns of the Hannaford Bros. security breach litigation from the beginning (see here, here, here, here and here). As of yesterday, it looks like the consumer plaintiffs’ case has suffered the “true death” (my friends and colleagues who watch HBO’s “True Blood” will know what I am talking about). The Maine Supreme Court has rendered its opinion on the “damages” issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that “time and effort” alone spent to avoid or remediate reasonably foreseeable harm do not constitute “a cognizable injury for which damages may be recovered.” In this blog post we take a closer look at the Court’s rationale.
Background
This lawsuit arose out of a data security breach that occurred between December 2007 and March 2008 and exposed up to 4.2 million payment cards of Hannaford customers. As you may recall, this case was brought before the Maine Supreme Court after the U.S. District Court of Maine certified two questions of state law to the Maine Supreme Court. At the end of the day, however, the Supreme Court only considered the following question:
“In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?”
Ultimately the court answered this question in the negative.
The Court’s Rationale
The Supreme Court focused its decision on two particular classes of Hannaford plaintiffs: those that had never experienced a fraudulent charge on their payment card, and those that experienced a fraudulent charge that was reversed by their bank (and they were not responsible for any of the charge). The Court’s focus was the time and effort allegedly expended by these plaintiffs to protect themselves against fraud and identity theft.
In its holding the Supreme Court characterized time and effort in this context as “typical annoyances or inconveniences that are a part of everyday life.” It also proclaimed that an individual’s time alone is not protected by tort law, and that loss of time is a cognizable harm only if it is related to loss of earning capacity or wages. In addition, loss of time might also be a cognizable harm if it could be assigned a value reflecting loss of earning opportunities resulting from personal injury or property damage.
Significantly, the Supreme Court did recognize that loss of time without a corresponding personal or property damage is compensable for certain torts, including nuisance, false imprisonment and abuse of process. The Court, unfortunately, did not explain why loss of time is a proper damage element for these torts, but not for a negligence or breach of contract claim.
It also recognized that under the doctrine of mitigation of damages, plaintiffs may recover for costs and harms incurred during a reasonable effort to mitigate harm. Nonetheless, if such mitigation only amounts to an inconvenience or annoyance, the Court held it did not amount to a legal injury.
In addition, the court analyzed cases put forth by the plaintiffs that appeared to allow recovery for loss of time (some of which date back to the 1800s). The court distinguished those cases because many of them involved at least one intentional tort. The court indicated that “because liability is often more extensive in cases of intentional torts than those in negligence, intentional tort cases recognizing recovery for time and effort have little bearing on our analysis.” It also discounted other cases finding loss of time to be a harm because those cases failed to demonstrate how those damages were being measured.
Analysis
The final decision of the Maine Supreme Court in this case was not surprising in light of the multitude of caselaw rejecting the existence of legally cognizable harm in the security breach context. However, the caselaw used by the plaintiffs and the court’s reasoning in rejecting those cases was interesting.
In essence the court used a contextual argument to reject loss of time as a harm element in the data breach context. For some types of torts loss of time is a recognized damage, but for reasons that the Court did not fully explain, such loss of time in the negligent security breach context only amounted to “typical annoyances or inconveniences that are a part of everyday life.” It is unclear, for example, why being falsely imprisoned for several hours in the back of a store (e.g. wrongly accused of shoplifting) constitutes damages, but taking several hours to engage in credit monitoring, call various banks and otherwise deal with a data security breach does not constitute damages. The same holds true for intentional torts where loss of time was recognized as damages. The question is how (or why) the nature of the tort changes the nature of the damages element (in this case loss of time). From a consistency standpoint, one could argue that harm is harm is harm regardless of how that harm was made to occur. It would have been nice to see the Court flesh this holding out more.
The Court also fumbled to some degree when it appeared to require some ability to measure the loss of time damages against earning capacity or wages. If loss of wages due to loss of time is a cognizable injury, this would seem to open the door to plaintiffs alleging that they were required to take time off of work or use a vacation day to deal with a payment card security breach. However, in cases where earning capacity is referenced, there is typically a corresponding personal injury that undermined that capacity. In other words, the cognizable harm is the personal injury, and the loss of earning capacity is a method for measuring that harm. Without the personal injury, there would not appear to be a cognizable harm. While the reasoning was ultimately correct, the court should have been more careful when it described loss of time as a cognizable harm in and of itself in the personal injury context.
Conclusion
Regardless of the potential flaws in this decision, we are talking about one of the highest courts in the land, and this decision adds another significant court to those that fail to recognize damages in a data breach lawsuit. At this point, it is unclear whether the plaintiffs’ bar will ever achieve a victory on this issue.
Heartland Bank and Keybank's Motion to Dismiss
As we reported in January, a handful of issuing banks had filed suit against two merchant banks (Heartland Bank and Keybank) for alleged losses (e.g. reissuance and fraud costs) they suffered due to the 2009 Heartland Payment Systems breach.
The general thrust of the class action complaint is that the merchant banks should be liable for the acts and errors of the payment processor they contracted with to process payments on their behalf. The complaint sets forth a series of complex legal theories (third-party beneficiary theory, negligence), some of which had been attempted in other litigation, and some new theories of liability such as breach of fiduciary duty and vicarious liability.
Each merchant bank has now filed a motion to dismiss the issuing banks' complaint. We have obtained copies of the motions and corresponding briefs.
The following motions and briefs were filed in this matter:
- Keybank's Reply Brief (in support of its motion)
- Heartland Bank's Reply Brief (in support of its motion).
As you can see (if you click on the links above) the motions and briefs are quite voluminous and complex. We will pass on trying to summarize all these arguments and instead will keep you posted on the Court's ruling when it comes out. All the briefs appear to be filed (the last one was filed on June 7th), so it is probable that an oral argument will be scheduled (if it has not been already) and we should get an opinion shortly after that argument. Stay tuned.
Quickhits: AMEX settles with Heartland Payment Systems for $3.6 Million
Read all about it: HERE.
Code or Clear? Encryption Requirements (Part 2)
In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.
State Security and Breach Notification Laws
Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.
All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:
“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”
Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.
Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.
Massachusetts
The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.
The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.
Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.
The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:
“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .
(5) Encryption of all personal information stored on laptops or other portable devices . . .”
The level and type of encryption are not specified.
Nevada
Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.
The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.
Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”
“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:
“‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:
(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”
Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.
HITECH
Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.
HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:
“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”
Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.
Red Flags
The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.
The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)
For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).
The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.