Guest Blog: Vermont Privacy Breach Regulations

Editor's Notes:
Guest blog Interview by Mark Greisiger, President NetDiligence®
This blog post has been republished with permission from Junto – NetDiligence Blog

A Q&A with Ryan Kriger
Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes for data breach investigation, I talked to Ryan Kriger, Assistant Attorney General.

What should a small business know about complying with the Vermont law?
We have guidance available on our website, which should be helpful. In the case of a breach, they should first contact law enforcement, their insurer, their lawyer, any IT people involved and, if there’s credit card information at stake, their processor. Their primary duty is to figure out what happened and get the situation under control. They have to notify us within 14 days of finding out about the breach. That preliminary notice is kept confidential. We want businesses to give notice to consumers relatively quickly, and the 14-day notice to us allows us to stay on top of things and make sure they are doing that. We did create a waiver last year—if your company has policies in place and you’re confident that you will comply with the law, you can be certified ahead of time as long as you sign the document and get it on file with us before a breach incident. If you have a certification on file, you don’t need to notify us within 14 days. Another subsection says that if the data collector is sure that the data never got into the wrong hands—say, a password-protected laptop was lost for five hours, then returned—they can call and ask us if they still need to give notice, and we probably won’t require it.

If it’s a really big breach and we think it could be problematic, we may follow up with questions. If we perceive the company’s actions to be unreasonable, unfair or deceptive, such as in the case with TJX, then we will begin an inquiry. Often, this wouldn’t just be Vermont, but multiple states getting together and asking questions.

How might you approach a data breach incident?
The first step is that we want to make sure the business has covered all of the necessary notification. Notice to consumers should go out “in the most expedient time possible and without unreasonable delay.” Vermont has a 45-day deadline, but we think in many cases notice should go out sooner. We encourage companies to send us their notification letter before it goes out to consumers, and we can help them make sure it’s in line with the statute. Also, the sample letter to consumers gets posted to our website, so consumers can confirm that the letter itself is legitimate. The second thing is to make sure the company fixes the problems that led to the breach. Sometimes smaller businesses think it’s a one-shot deal and don’t want to change their business practices, but we remind them that they are on notice, and that the fine outlined in the Consumer Protection Act is $10,000 per violation. Now, we’ve never had to levy that fine as most people seem to want to resolve the issues, but we want businesses to know that we are here to protect consumers and they need to take that seriously. In the TJX case, it appears that the company may have been collecting credit card information at point of sale and transmitting it, unencrypted, over unprotected wi-fi networks. This sort of blatant violation of standard security practices, and the length of time that it was allowed to continue, clearly justified bringing an enforcement action. We’re not trying to trick people, and in most cases we can resolve things in a cooperative fashion, but when a company drags their feet, we will go after them.

What are some of the key weak spots that lead to a privacy/data breach incident?
It can be all over the map—certainly, not encrypting data where encryption is appropriate is one issue. Over-collecting data you don’t need, such as using SSNs as an identifier, could be another. Other problems we see: collecting credit card data through a homemade system that’s not PCI-compliant when you could be using a secure third-party system. Not changing passwords or updating software. In smaller businesses, it might be negligence about employees who could be stealing credit card information. In general, it’s a good practice to have the occasional forensic analysis or stress test. We have partnered with Norwich University to offer penetration testing to any small business in Vermont that wants it. The Verizon Report has shown us that small businesses are the prime focus of security breaches, so we are particularly sensitive to the needs of small businesses in Vermont.

What type of fines and penalties can a company face for noncompliance? Can the lack of certain actions or controls increase their culpability in your view?
I mentioned the $10,000 per violation fine, and we consider each day you go beyond the deadline a separate penalty. Our Consumer Protection Act doesn’t have an intent requirement, but we obviously take intent, negligence and lack of controls into account when we think about enforcement and penalties. A business suffering a breach calling us to ask what they can do, making it clear they want to do the right thing, is very different from a business that denies anything went wrong, after we’ve found out about the breach three months later. We are very cautious with our use of power and we’re not trying to bully anyone, but if we need to use a large fine to get a business into compliance, we will do so. If an enforcement action reaches a settlement agreement, called an assurance of discontinuance or consent judgment, we may seek penalties, but we will also seek injunctive relief, which is asking the business to change its behavior. For example, we may want the business to put security or compliance systems into place, offer restitution for consumers, or take other steps to make sure it doesn’t happen again. In general, we are eager to proactively work with businesses to protect consumers and create a productive, cooperative relationship in order to prevent breaches.

In summary…
I first met AAG Ryan Kriger at our NetDiligence® Cyber Risk & Privacy Liability Forum last year in Marina del Rey. I thought he might be guarded about the state’s approach to enforcement, but boy, was I wrong. He was actually very forthright in talking about how seriously Vermont takes the issue of consumer privacy, including violators of state regulation. He makes the point that his department is willing to work with organizations that suffer a data breach incident and will give them a roadmap to do the right thing by the victims (whose personal information is now in wrongful hands). What is clear is that organizations that demonstrate a lack of care (or even willful nondisclosure) will be penalized.

Ryan is also speaking at the upcoming NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia this June 6-7.


What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare. This discussion will focus on what suggestions we have for HIPAA business associates (BAs) and their subcontractors (subBAs). Although the core recommendations are for the most part the same as we identified in Part I for CEs, the justification for adopting these suggestions is slightly different and the priorities are reorganized for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements.  Privacy counsel will be valuable to assist and document whether a breach has occurred, as well as to help BAs and SubBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade.  Now, BAs must enter into the fold.  While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable.  Insurance is not a substitute for compliance.  More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA.  Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties.  BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI.  Additionally, the organization must have policies and procedures in place to implement these safeguards.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules.  After a breach is reported to HHS, OCR requests a copy of the organization’s policies and procedures in place to safeguard PHI.  The request is often broader than the cause of the reported breach and extends to all policies and procedures in place, in order for OCR to determine whether the responding organization is compliant with HIPAA.  Examples of policies that BAs should have in place include:  (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide an organization’s incident response team’s (IRT) breach response activities.  As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third parties that the information was destroyed).  An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups:  (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy.  External members of the team can include:  (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule, and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level, because of the volume of contracts that will need to be amended, and from a compliance standpoint, because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA.

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and for failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if it is performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30-day extension after written notice of the delay and of when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period, depending on circumstances.
  • Breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, not the year in which they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches affecting more than 500 individuals.

We also notice some things remain:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to subBAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAs and subBAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law of HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

China Adopts Privacy Legislation Strengthening Online Personal Data Protection

Authorship Credit:  Tina Amin


China’s top legislature, the Standing Committee of the National People’s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information.  The “Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data” (“Decision”), which took effect upon its December 28, 2012 passage, has the same legal effect as law and was enacted “to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order ....”  Though the Decision’s primary purpose is to protect the personal online information of Chinese citizens, it includes an identity management policy requiring Internet users to use their real names to identify themselves to service providers, including internet or telecommunications operators.

The Decision reflects China’s recent push to address the issue of online personal data protection, and follows a Chinese Ministry of Industry and Information regulation, which took effect in March 2012, requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data.  Specific regulations regarding the protection of online data include the following:

  • Internet service providers (ISPs), public service units (PSUs), and other organizations that collect or use an individual’s electronic information during business activities must clearly indicate the objectives, methods, and scope of collection and use of information and obtain consent for collection from the data subject.
  • ISPs must strictly safeguard the privacy and strengthen the management of personal digital information. 
  • Chinese citizens have the right to compel an ISP to delete personally identifying or private information about them or to take measures to terminate certain “harassing” activities.  
  • ISPs are required to instantly stop the transmission of illegal information once it is spotted and take relevant measures, including removing the information and saving records, before reporting to supervisory authorities.
  • Organizations and individuals are banned from obtaining personal digital information via theft or other illegal means, and prohibited from selling or illegally providing the information to others.
  • “Supervising Departments” are empowered to take measures to prevent, stop, or punish those who infringe on online privacy, obtain personal digital information through illegal means, or sell or illegally provide information to others, and ISPs are required to give support during investigations.

Violators of the Decision rules are subject to liability including warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from future engagement in the network service business, and other civil, administrative and even criminal punishments.  Violations may also be recorded in the “social credibility files” and be made public.

Still, questions remain about the implementation of the Decision.  Because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity essential for accurate understanding and compliance.  For example, there is no guidance regarding which governmental department or agency will supervise or enforce the rules.  Time will tell whether or not more implementing rules will clarify some of these ambiguities.

Privacy Class Actions: Year-in-Review

During 2012, privacy class actions continued to trend toward two major categories: 1) actions that arose out of a data breach event and 2) actions brought to prosecute an alleged consumer privacy right. 

Article III Standing in Data Breach Class Actions

A key issue in data breach class actions is the question of what types of injuries are necessary to confer standing to sue.  In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done so on Article III standing grounds.  As a general proposition, it remains true that plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information, and where the complaint only alleged hypothetical or future injury. However, there are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing.

In Resnick v. Avmed, Inc., the 11th Circuit reversed the dismissal of all but two claims in a class action that arose from a data breach.  In Resnick, two unencrypted Avmed laptops containing personal health information (“PHI”) and personally identifiable information (“PII”) for approximately 1.2 million Avmed customers were stolen, and the plaintiffs alleged that they were the victims of identity fraud approximately 10 to 14 months after the theft.  The Southern District of Florida dismissed plaintiffs’ claims, in part because the complaint failed to allege cognizable injury. 

The Eleventh Circuit reversed on all but two counts.  The court held that the plaintiffs properly alleged an injury in fact that was fairly traceable to the Avmed theft by alleging that they were careful with their own PII, that they were the victims of identity theft, and that their identities were stolen only after the Avmed incident. And, because the plaintiffs alleged they suffered monetary damages, the court held that their alleged injuries were cognizable and redressable.  Based on similar reasoning, the court also found that under the Twombly standard of federal pleading, the plaintiffs had properly alleged causation for purposes of their common law claims.  The court further found that the plaintiffs stated an unjust enrichment claim because they paid Avmed premiums, part of which allegedly went to Avmed’s data security expenses.

Likewise, in In re: Sony Gaming Networks and Customer Data Security Breach Litigation, the court found that the plaintiffs had alleged sufficient injury to establish Article III standing.  Citing to Krottner v. Starbucks, which held that future injury could be cognizable if it were “real and immediate” rather than “conjectural” or “hypothetical,” the court found that under the circumstances, by “alleg[ing] that their sensitive Personal Information was wrongfully disseminated, thereby increasing the risk of future harm,” the plaintiffs had stated “a cognizable loss sufficient to satisfy Article III’s injury-in-fact requirement.”  The court largely dismissed the plaintiffs’ claims for failure to state a claim, however, because those alleged injuries, while sufficient for standing purposes, were not sufficient for purposes of stating a claim under the law. 

One key difference between Avmed and Sony is the inability of the plaintiffs in the Sony case to allege any identity theft or out-of-pocket expenses resulting from the breach.  Thus, the probability of a dismissal for lack of injury or standing in a data breach class action appears to be higher where there is no evidence of identity theft or other use of any compromised information. 

Claims for Statutory Damages

Plaintiffs have had some success in avoiding the standing or lack of injury defense by bringing claims for statutory damages.  With respect to state claims, over the last several years, plaintiffs have frequently brought claims under state consumer protection statutes and state data breach statutes. 

The second key category of privacy cases is those brought under a federal or state consumer privacy statute.  Federal consumer privacy statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.); the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227); the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25); the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22); and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).

Several high profile cases were litigated or settled this year under the VPPA, which provides for damages of $2,500.00 per violation for improper retention or disclosure of a consumer’s video viewing history, including cases against Netflix, Blockbuster, Redbox, and Hulu.  Perhaps the most significant development in the law as it relates to the VPPA this year was the ruling in In re Hulu Privacy Litigation that rejected Hulu’s argument that the VPPA does not apply to online video providers. 

Also trending this year were claims under the TCPA, which provides for statutory damages of $500 or $1,500 per violation (for willful violations), alleging liability premised on unsolicited text messages.  A significant decision this year in the TCPA area was handed down by the U.S. Supreme Court in Mims v. Arrow Financial Services, LLC, in which the Court held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction.  Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction.

As in the data breach cases, a common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages.  In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages; however, in some cases, such as this year’s decision in Sterk v. Best Buy Stores, L.P., defendants have been successful in arguing for dismissal on the grounds that the plaintiff had alleged no plausible actual injury.  

The problem for all parties in these cases seeking statutory damages is that the damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant.  Accordingly, constitutionally excessive damages is a defense that defendants frequently raise in these cases, though no reported decision appears to have decided the viability of the defense. 

Class Certification and Settlement

To date, class certification battles have been rare in cases arising out of data breach, which is likely explained by the fact that so many defendants have been successful in disposing of cases prior to certification. With respect to consumer privacy cases, particularly those that arise out of a defendant’s privacy policies, the statutory privacy claims are often litigated on the merits, with little argument around the issue of whether a class can be properly certified, though that certainly is not always the case.  For example, in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., the New Jersey appellate court decided this year, after reviewing cases on both sides of the issue, that TCPA claims were not suitable for class certification: class treatment is not a superior method for handling such claims, because the statutory damages regime incentivizes individual actions. Further, the court found, common issues did not predominate because of individualized issues over whether calls and faxes were authorized by the consumer.

Frequently, privacy class actions are certified for settlement purposes, and given the immense exposure under statutory damages provisions, settlement at even close to the maximum aggregate value of the claims is a practical impossibility, which creates challenges for both the parties and the courts.  Cases are commonly settled for coupons or services, injunctive relief or compliance monitoring (i.e., changes in privacy policies), cy pres awards, or monetary relief to class members in the cases where statutory damages are sought.  And while most privacy class action settlements have been approved, in some cases, the courts have been skeptical. 

For instance, the district court in Fraley v. Facebook declined to grant preliminary approval to a proposed settlement in November.  In Fraley, the plaintiffs charged that Facebook violated its own privacy policies as it related to the use of Facebook subscribers’ information in connection with the “sponsored stories” advertising service.  The proposed settlement called for a $20 million settlement fund, half of which was earmarked for class counsel, and the other half of which would be distributed as cy pres awards.  Judge Richard Seeborg specifically questioned the adequacy of compensation to the class in light of the $750 per violation that would be recoverable under the statute at issue.  Judge Seeborg ultimately granted preliminary approval, however, of a revised settlement that allowed for payments of up to $10 per class member.

It's Raining PII in New York

On November 25, 2012, the front page of the New York Post blasted the headline, “Drop Secret. Shred Alert! Covert cop files used as parade confetti.” The Post reported that shredded files appearing to contain material from Long Island’s Nassau County Police Department were dropped during this year’s Thanksgiving Day parade. The confetti reportedly contains the names and social security numbers of detectives as well as other confidential information. An anonymous law enforcement source indicated that the documents were to have been shredded and then burned. The Police Department is investigating and has vowed to conduct a review of its procedures “for the disposing of sensitive documents.” Although most data breaches don’t result in PII being strewn throughout the streets of New York, they can and often do become front page news and can have serious legal, regulatory, financial and reputational consequences. Notably, the most common cause of data breaches is not sophisticated professional cyber-attacks, but simple human error.

Regardless of how the confetti investigation plays out, this incident should serve as a reminder to all organizations to consider their own risk management plans, including the following factors:

  • Review your internal policies and procedures and make sure they’re up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. Federal statutes such as HITECH, HIPAA and Gramm-Leach-Bliley must be considered, and the 46 state laws seem to change constantly with respect to notification and security requirements. If your organization conducts business outside of the US, requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
  • Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
  • Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments, and it is good practice in any event, as organizational risks change with changing practices.
  • Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
  • Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least one-third of all data security incidents.
  • Do not forget to compare your data collection and sharing practices to what your privacy policy says. Regulators, such as the Federal Trade Commission, are watching closely.
  • Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Indeed, the SEC wants companies to consider insuring these risks. Insurance should be considered an important piece of your risk management plan.

Call Centers Increasingly Targeted in Class Action Lawsuits for Statutory Penalties Under Decades-Old California Law

Authored by: Paul Karlsgodt

Editor’s Note – This article is a joint submission to BakerHostetler's Class Action Lawsuit Defense blog.

Companies that provide call center services to consumers are increasingly being targeted in class action lawsuits under an arcane section of the California penal code that provides a civil right of action and statutory damages for monitoring or recording of confidential telephone conversations without the other party’s knowledge or consent. Sections 630 et seq. of the California Penal Code were enacted in the 1960s to prevent illegal surveillance of confidential telephone calls. In the past several years, plaintiffs have attempted to use the statute to seek damages against the operator of a customer service call center that fails to include a notice at the beginning of each customer service call that the call “may be monitored or recorded” for training or quality assurance purposes. Since this type of notice is ubiquitous among call centers, the failure to provide the notice can often be the result of a system error or a design flaw in the call system. Plaintiffs’ lawyers have been taking advantage of these errors by filing class actions for statutory damages for each call that was made from California during any time period during which the warning was not provided.

The exposure in these cases can be enormous because the statute provides for $5,000 in statutory damages, an amount that the lawsuits allege is owed for each call. For example, a call center that receives 1,000 calls during a time in which the warning was not provided may find itself defending a $5 million lawsuit, and 10,000 calls means a $50 million lawsuit. The high exposure amounts, coupled with the seemingly low standard that has been adopted by the California state courts to determine what constitutes a “confidential” telephone conversation, has caused many defendants to rush to early settlements rather than face the risks of litigation.

SETTLEMENT MAY NOT BE THE ANSWER!

A defendant should not assume that there is no defense to a case filed under the Privacy Act. Defenses on the merits that have been raised in Privacy Act cases include that the call centers were intended to be exempt from the statute altogether, that the aggregation of statutory penalties violates due process and that customer service calls are not confidential in nature. Individual defenses to the named plaintiff’s claims may also exist. For example, the claims of individual plaintiffs may be susceptible to arguments that 1) the plaintiff signed an arbitration agreement; 2) the circumstances surrounding the plaintiff’s call show that there was no expectation of confidentiality; or 3) the plaintiff knew the call was being recorded despite the lack of express notice.

There are also defenses to class certification based on factual variations, despite the uniform nature of the statutory remedy. Plaintiffs will argue that the fixed nature of the available remedy and the objective standards for determining the expectation of confidentiality and the disclosure of sensitive information simplify the cause of action and alleviate the need for certain individualized questions. However, in cases involving recorded telephone conversations, there can be significant factual differences from caller to caller on facts ranging from the location of the caller at the time of the call, to the nature of the conversation alleged to be confidential, to the facts bearing on the caller’s knowledge or understanding that the call may be recorded. The California Privacy Act is just one of the various statutes that are increasingly being targeted for class action lawsuits because of the availability of a statutory penalty.