We Gettin’ Money, Bank Roll, Supersized: Digesting the 7th Circuit’s Data Breach Ruling

July 28, 2015

by Brent Tuttle, CIPP/US, E*

Recently, the 7th Circuit handed down a ruling in a data breach case that has class action plaintiffs’ attorneys poppin’ bottles. The case is Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).

Background:

Between July 16, 2013 and October 13, 2013, malware found its way onto the Neiman Marcus computer systems. This potentially exposed 350,000 credit cards, 9,200 of which were known to have been used fraudulently. (The Court of Appeals noted that all 9,200 fraudulent charges were subsequently reimbursed.)

The company discovered this breach January 1, 2014 and publicly disclosed it nine days later. The company offered all customers who shopped at Neiman Marcus between January 2013 and January 2014 one year of free credit monitoring and identity theft protection.

This announcement prompted a number of class action suits spearheaded by four individual plaintiffs who represent 350,000 other customers whose credit card information may have been stolen; the disclosures indicated that social security numbers and other PII had not been exposed. The complaint relies on several theories: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

The company moved to dismiss the claim, arguing that the plaintiffs lacked Article III standing, a usually successful procedural tactic in data breach litigation. A litigant with standing to sue must have “suffered [a] concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). Plaintiffs alleged injuries relating to lost time, money, and aggravation in dealing with the breach, as well as “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Neiman Marcus at 6. The case was dismissed by the district court, based on the 2013 Supreme Court case Clapper v. Amnesty Int’l USA, which held that allegations of possible future injury are not sufficient.

Seventh Circuit’s Decision:

On July 20, 2015, in a unanimous decision by a three-judge panel, the Seventh Circuit reversed the district court’s decision.  The Seventh Circuit stated “Clapper does not…foreclose any use whatsoever of future injuries.” In Clapper, the Supreme Court decided that Amnesty International did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because it could not show that its communications were actually intercepted by the government, but only that such interceptions might have occurred. This was too speculative to establish standing.  However, Clapper left open what is known as the “substantial risk” standard, stating “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (2013). The Seventh Circuit ruled that the data breach plaintiffs alleged a sufficient substantial risk of harm.

The Seventh Circuit concluded that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Neiman Marcus at 9 (citing Clapper, 133 S. Ct. at 1147). Thus, the 350,000 Neiman Marcus customers whose information may have been stolen have standing to sue despite the fact that no real harm may ever come about. Or as Vietnam veteran Walter Sobchak might say, these plaintiffs may move forward based on “…what appears…to be a series of victimless crimes.”

Neiman Marcus represents a significant change in the tide for data breach litigation, and as this is the first Court of Appeals to lower the bar for plaintiffs to gain standing, it may very well open up the floodgates elsewhere. This decision has the potential to send not just waves, but tsunamis, through the judicial system (at least within the Seventh Circuit). The “substantial risk” theory adopted in Neiman Marcus is distinct from the theories of injury previous courts relied on in dismissing data breach plaintiffs for lack of Article III standing. Past cases (some within the Seventh Circuit) had rejected the “clearly impending” theory of injury. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (holding “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”); see also Strautins v. Trustwave Holdings, Inc., No. 12-C-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); see also Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 468 (D.N.J. 2013).

However, beyond the 7th Circuit, at least two cases in the Ninth Circuit have also afforded data breach plaintiffs standing through the substantial risk standard, one of which was cited in the Seventh Circuit’s opinion.  See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014); see also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-md-2258, 2014 WL 223677, at *9 (S.D. Cal. Jan. 21, 2014).

The justification on which the Seventh Circuit rested the above reasoning is questionable. The court states “…it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” That is quite a presumption, is it not? How can anyone truly know the purpose behind a hack or data breach? There may be other purposes, such as causing fear itself, seeking to increase the costs of Neiman Marcus, or simply exploiting a security weakness because it is there.  On remand, would this be a rebuttable presumption relegated to the damages phase of a trial?

Further, one wonders if the facts of the Neiman Marcus case will be extrapolated:  Is there such a presumption for the Sony breach? (Coincidentally, a suit involving that breach has been allowed to move forward. See Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015)). What about the Office of Personnel Management breach? Is it plausible to presume any intent or motive with that incident? The enemies of the U.S. government may have different motives from the enemies of Neiman Marcus.

How about the Ashley Madison hack that was in the headlines earlier last week? Adult Friend Finder earlier this summer? These breaches certainly don’t seem to fit within the Seventh Circuit’s reasoning above. Those may have been primarily targeting the businesses, not the customers.

Another consideration is that hackers might take haystacks of data in order to identify the desirable needles.  Can a court presume that a breach isn’t really targeting a needle as opposed to the entire haystack? And what sort of public policy does this promote by allowing the entire haystack a bite at the apple if it’s unknown whether they were ever actually harmed or the target thereof? The Seventh Circuit’s language in Neiman Marcus may just be a presumption, but it’s going to be an expensive presumption for data breach defendants to bear.

It is further problematic that the Seventh Circuit partially grounded its decision on the basis that “[i]t is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Neiman Marcus at 11. It may be true that Neiman Marcus’s actions are unlikely to be the result of ephemeral risk. However, the Seventh Circuit ignored the fact that at least one state data breach law requires Neiman Marcus to pay for such services if offered (See Cal. Civ. Code § 1798.82(G)). Furthermore, many laws require that data breach notices provide the victim with information as to where they can obtain free credit reports (See Va. Code Ann. § 18.2-186.6; see also Wash. Rev. Code § 42.56.590; see also W. Va. Code § 46A-2A-102). It is a logical fallacy to conclude that Neiman Marcus’s actions, then, were related to an assessment of risk rather than statutory obligations.

There are other legitimate reasons, beyond risk, why Neiman Marcus would offer such services.  First, it makes for good public relations, to give the appearance their response is proactive.  Second, it typically renders moot the standard plaintiff’s claim that the breach forced them to purchase their own credit monitoring.  However, the Seventh Circuit has challenged that tactic as well.  On remand, the court not so subtly advises the district court to investigate how long stolen data puts consumers at risk (a question they will not find an answer to). It seems this will be used to assert whether the 350,000 potentially harmed customers will need credit monitoring services beyond the twelve months that Neiman Marcus has offered to pay for, something the Seventh Circuit says “easily qualifies as a concrete injury.”

It is troubling that the Seventh Circuit has utilized evidence that Neiman Marcus is taking measures to mitigate any further harm from the breach against them. Customarily, evidence of remedial measures is inadmissible to prove a breach of duty.  Although it may be admissible as proof of harm (or standing), the prejudice may outweigh the probative value.

In sum, there is a “substantial risk” that we’ll see a lot more class action data breach suits getting filed under this new theory. This should make for some interesting developments in the field of data breach litigation, as most plaintiffs have not previously been able to get around the Article III standing issue. However, it’s hard to say whether the ruling will have a positive net impact on privacy for consumers, or merely benefit plaintiffs’ attorneys looking for a payday. Legislative changes are also likely to impact the data breach class action landscape.  Two things are almost certain to come out of the Neiman Marcus ruling: OPM is probably getting sued in the Seventh Circuit, and it might be a good time to invest in Orville Redenbacher.

__________

*Brent Tuttle is a Summer Associate at Randazza Legal Group


Updates in Railroad Employee Liability Law

July 17, 2015

by Jay Marshall Wolman

In addition to my usual lawyerly activities, I am also a Vice Chair of the Workers’ Compensation and Employers’ Liability Law Committee of the American Bar Association’s Tort Trial and Insurance Practice Section.  Probably the longest line on my resume.

The Committee’s Spring 2015 Newsletter is out.  I contributed an article on updates on the Federal Employers Liability Act (FELA), 45 U.S.C. sec. 51, et seq.  In short, before general workers’ compensation laws existed, the U.S. Congress established a liability and compensation framework for railroad employees.  That framework continues to govern on-the-job injuries to railroad employees.

Cases continue to develop, both in state and federal courts.  The article highlights four recent developments:

  1. Expert medical opinions on differential etiology (diagnosing the cause of the injury) must meet Daubert requirements.  Shannon Brown v. Burlington Northern Santa Fe Railway Co., 765 F.3d 765 (7th Cir. 2014).
  2. Injured employees cannot recover prejudgment interest for the gap between the verdict and the issuance of the judgment.  Dennis Kinworthy v. Soo Line Railroad Co., 860 N.W. 2d 355 (Minn., Mar. 4, 2015).
  3. Questions of constructive knowledge of defects are Federal substantive questions, requiring that the defendant should have known at a time sufficiently before the incident to have taken preventative or ameliorative measures.  Andrew Spencer v. Norfolk Southern Railway Co., 450 S.W. 3d 507 (Tenn. 2014).
  4. Railways are permitted to introduce statistical evidence relative to when the injured worker might otherwise have retired.  John Giza v. BNSF Railway Co., 843 N.W. 2d 713 (Iowa 2014).

I highly recommend the other articles, including:

  • A Committee Notice on a proposal dealing with Medicare set-asides in workers’ compensation claims;
  • An article by Matthew Schiff and Kathryn Nadro on how different states (Ohio, Pennsylvania, Louisiana, Illinois, New Jersey & California) handle PTSD and other psychological injuries arising from the workplace.

If you have an interest in these or other workers’ compensation topics, check out the committee at http://www.ambar.org/tipsworkers.


Problems with Revenge Porn Laws

July 16, 2015

by Jay Marshall Wolman

Revenge porn is bad, and this blog has been active in fighting it.  As a moral matter, it is a pretty easy thing to address.  As a legal matter, it is not.

More and more states have been passing laws against revenge porn.  California, for example, in 2013, added Penal Code Section 647(j)(4).  The meat is in sub-subsection (A), which states:

Any person who intentionally distributes the image of the intimate body part or parts of another identifiable person, or an image of the person depicted engaged in an act of sexual intercourse, sodomy, oral copulation, sexual penetration, or an image of masturbation by the person depicted or in which the person depicted participates, under circumstances in which the persons agree or understand that the image shall remain private, the person distributing the image knows or should know that distribution of the image will cause serious emotional distress, and the person depicted suffers that distress.

There are three exemptions in sub-subsection (D):

  1. The distribution is made in the course of reporting an unlawful activity.
  2. The distribution is made in compliance with a subpoena or other court order for use in a legal proceeding.
  3. The distribution is made in the course of a lawful public proceeding.

California’s law is similar to the model law of the Cyber Civil Rights Initiative, spearheaded by Prof. Mary Anne Franks. A Federal bill is expected to be introduced soon, with Prof. Franks’s involvement.  Although of late I have had some concerns regarding Prof. Franks, we are likely on the same side of opposing revenge porn.

A similar Arizona law was recently put on hold for vagueness.  So, too, do the California and model laws suffer from practical problems, and it is probably the case that, if the Federal bill follows the model, it will be defective.  The problem is that there are many circumstances where it is entirely appropriate to share a picture or video of nudity or a sexual encounter, taken without consent, that does not fit among the exemptions, to wit:

  • A woman suspects her husband is cheating and rigs up a motion activated camera in the bedroom.  She records him in the act and shows her mother to get advice on what to do.  She decides to stay with him.  Two years later he files for divorce and the recording and the fact of sharing with the mother is revealed.  Since her distribution two years earlier was not “in the course” of a public proceeding, she has no defense.
  • A female employee has been harassed by a male supervisor.  On more than one occasion, he has exposed himself to her and started playing with himself.  She sets up a surreptitious recording on her cellphone and brings it to her union representative.  She doesn’t want to file a formal complaint, so the union representative helps her arrange for a transfer.  Notwithstanding the transfer, the harassment continues and she quits.  The supervisor hears through the grapevine that the recording and sharing with the representative was discussed at the unemployment hearing.  The distribution to the union representative was not a proper report of unlawful activity, so she has no defense.
  • An employer suspects employee theft and sets up hidden cameras.  Instead of theft, employee fraternization, violating company policy, is caught.  The supervisor shares the video with the human resources manager.  The employees are notified of the video during exit interviews.  Again, no exemptions apply.
  • A mother installs a nanny cam, suspicious of the new babysitter.  One day, it catches the babysitter with her girlfriend getting intimate while the child naps.  The mother shares it with the father, and the father mentions it while firing her.  No exemptions.
  • A couple decides to make an intimate video.  During the encounter, he gets too aggressive, beyond their normal activities.  She shares it with her therapist, who then mentions it in a later joint therapy session. No exemption applies.

Other scenarios exist as well.  Even sharing photographs of unclothed infants could be deemed unlawful.  In each scenario, there would be the expectation that the encounter, and therefore images thereof, should remain private. And each of these scenarios might find the law unconstitutional, as it prohibits parties from sharing information, the essence of free speech. In an ideal world, there would be no revenge porn, so it wouldn’t matter how well the anti-revenge porn legislation was written.  These are all plausible scenarios based on how people act in reality.

None of these scenarios are the ones that revenge porn activists are addressing.  They are focusing on the run of the mill ex-lover who posts online nude photos or videos sent or taken (with knowledge or without) during the course of the relationship.  Unfortunately, sweeping legislation is frequently overbroad or ill-considered.


Professor Franks and the False Dichotomy

July 15, 2015

by Jay Marshall Wolman

Apparently, along with Eric Turkewitz, I have been blocked on Twitter by Mary Anne Franks.  A Rhodes Scholar and woman of letters, Dr. Franks has divined that I am not worthy of comment.  According to Dr. Franks, I am a “false rape truther”.  Presumably, she means to equate questions about false accusations of rape with those who question whether Al Qaeda was behind the attack of September 11, 2001, generally labelled “9/11 Truthers”.  Rather than engage in discussion, as one hopes a law school professor who takes to social media might expect, I have been banninated from her Twitter feed.  So much for academic discourse.

The primary thrust of this posting, however, is not to lament the inability of a law professor to engage in debate.  I agree that I am not “entitled” to her attention.  I do lament the lack of intellectual rigor in her discourse, and I am seeking to address that.

The initiating factor was her statement that the likelihood of a false rape accusation was “infinitesimal”.  Dr. Franks wrote this in the context of a discussion on reddit that seems to have resulted in the recommendation that men wear body cameras to avoid false rape accusations.  It is an interesting proposal, given that the presidential frontrunner endorses police wearing body cameras, in order to ensure good evidence of what actually happened during an encounter (and, perhaps, to act as a deterrent).  Dr. Franks is concerned that this will lead to secret recordings and revenge porn.  She may not be incorrect on that point.  But it is a poor argument to then be dismissive of the underlying concern, false accusations of rape, as “infinitesimal”.  There is no question that such false accusations happen.  If Dr. Franks believes otherwise, then she is a False Rape Accusation Denialist.  When asked by Attorney Turkewitz to back up her claim that it is infinitesimal, she cited a Washington Post article.  As a Twitter follower of Attorney Turkewitz, I took note of the discussion and read the article.  According to one study in the Washington Post article, 41% of rape allegations were fabricated.  In another study referenced, 2-10% were fabricated.  Even acknowledging that there may be many actual rapes that go unreported, I was banninated for asking how many false accusations are too many.  Here is where Dr. Franks committed an egregious failure of logic.  She and I both agree that rape is very bad.  What she cannot seem to comprehend is that false accusations are also very bad.  For her, to be anti-rape you must also pretend that false accusations are not a problem.  It is not an either/or situation.  One should be both anti-rape and anti-false accusation.  In fact, false accusations hurt rape victims, for the false accusers harm the credibility of all accusers.  To protect rape victims, Dr. Franks should be working hard to prevent false accusations.

Men (and women) falsely accused or standing the risk of being falsely accused of rape rightly need to take steps to protect themselves.  The body camera idea is just one idea.  But rather than merely address the problems with the proposal, that perhaps other steps are required to ensure consent and privacy relative to the recordings, Dr. Franks opted to pretend that the problem is insignificant.  It is not, which is why it is big news when the UVA, Duke Lacrosse, or Tawana Brawley incidents are exposed.

Dr. Franks further seems to take issue with those who oppose voter fraud, somehow tying it to opposing false criminal accusations.  She also has a problem with raising concerns about benefit fraud.  I admit: fraud is bad.  Fraud in business is bad.  Fraud on the courts is bad.  Fraudulent accusations of criminal wrongdoing are bad.  And voter and benefit frauds are bad, no matter how infinitesimal.  In the last two, the entire polity is the victim.  Twice more, Dr. Franks sets up false dichotomies.  Disenfranchisement is bad, but so is counting votes of ineligible voters.  Poverty is bad, but so is improperly taking others’ tax dollars.  Again, these are not either/or situations.  One can impose voter ID while working to ensure that every eligible voter gets that ID.  One can audit benefit recipients while ensuring that those who are entitled get what is allotted.  We got country *and* western.

If Dr. Franks is going to lock herself in an ivory tower rather than engage in actual legal practice, she should use her time and Oxford education wisely:  come up with workable solutions rather than ignore problems.  Discuss and debate outside an echo chamber.


A Cost-Imposing Law that may Indirectly Save Millions

July 6, 2015

by Jay Marshall Wolman, CIPP/US

This past June, the Connecticut General Assembly enacted Public Law No. 15-142, ostensibly to improve data security in the state.  It follows on the heels of the Anthem data breach earlier this year.  The first major provision governs state contractors in receipt of confidential information received from the state.  The second major provision, addressed to Anthem and other health insurers, creates specific obligations to secure data under a regulatory scheme.  The third major provision addresses all other businesses.

Previously, reasonable notice of a data breach (release of certain unencrypted personal information) was required to be given.  A specific 90 day notice is now required.  More important is the remedy provision: in the event of a data breach, businesses (including health insurers) must implement identity theft prevention and/or mitigation services.  This also includes incidents where there is no actual proof of a data breach, only reasonable suspicion.  Normally, regulatory burdens such as these impose greater costs on the marketplace.  This may not be the case here.

Following Clapper v. Amnesty International, USA, most federal courts addressing standing (i.e. whether you can claim a right to sue) have found that the increased risk of injury from identity theft is not a sufficient injury to confer standing.  Novel theories to avoid this result have included the costs of identity theft protection services incurred by breach victims.  This theory has been rejected at the trial court level.  See, e.g., In re Barnes & Noble Pin Pad Litigation.

Many companies experiencing a data breach automatically, for public relations reasons, offer identity theft protection services.  Thus, the formal obligation under law would not likely add significant cost.  And, assuming cases like the Barnes & Noble one were reversed on appeal, the claimants would no longer suffer the costs of such services, since the companies are now required (at least in Connecticut) to provide those identity theft services.  The practical effect will be that more consumer data theft class actions will likely be won on the defense of lack of subject matter jurisdiction (how a defense of lack of standing is brought).  With dismissal, there would be no settlement and no claim for millions of dollars in attorneys’ fees.  As a result, companies experiencing a breach (and their cyber insurers) would potentially save millions by doing what they already do, merely because the services are now required.

Of course, if increased regulation with a de jure cost burden has a de facto cost savings due to costs imposed by the court system, it may be time to take a closer look there as well.


If you ever wonder if being a lawyer is hard…. (City of Inglewood v. Teixeira)

June 3, 2015

Do you?

Are you a law student, worried that you might not pass the bar?

If you’re that worried, read this shit and remember that the idiot who filed this idiotic lawsuit is not only licensed, but has clients. See Inglewood, California Sues YouTube Critic For Copyright Infringement Over Use Of City Council Videos (here)

The City of Inglewood is suing the author of this youtube clip for copyright infringement. Come at me, bro. I’m re-publishing it. (wags dick at fucking idiot mayor of Inglewood)

Seriously, read this garbage. If you think you can’t make it as a lawyer, just remember that the author of that piece of shit has a bar license and managed to snag the City of Inglewood as a client.


Negotiation Theory in Action

May 30, 2015
