Header graphic for print

Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Seventh Circuit: victims of data breaches have Article III standing to litigate class action lawsuits

Posted in Security Breaches, US Federal Law, US State Law

By Amanda Fitzsimmons, Jim Halpert and Chelsea Mutual

To date, an overwhelming majority of courts have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact, an essential element for standing under Article III of the US Constitution. In Remijas v. Neiman Marcus Group, a decision issued Monday, a Seventh Circuit panel disagreed with the analysis of those courts, concluding that customers who have been the victims of data breaches have standing to sue not only after fraudulent charges appear on their cards, but also for an increased risk of future harm and harm-mitigation expenses. Such expenses include lost time and money incurred in resolving fraudulent charges and in protecting against future identity theft, including money spent to purchase credit monitoring.

The consumer class action before the court arose out of a 2013 hack of Neiman Marcus’s computer systems, which resulted in the unauthorized acquisition of credit card numbers. The three-judge panel, led by Chief Judge Diane Wood, held that an increased risk of future harm resulting from a data breach satisfies the injury-in-fact requirement.

In reaching its decision, the court distinguished the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013) on the basis that the risk at issue in that case − risk that communications between detainees and their lawyers were being monitored − was speculative, whereas the fact of the data breach in this case was real. The court concluded that at the pleading stage of the litigation, it was “plausible to infer that plaintiffs had made a showing of a substantial risk of harm,” thereby meeting the requisite threshold for injury-in-fact set forth in Clapper, because there was “an objectively reasonable likelihood that [identity theft or fraud] will occur.” The court explained, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

The court further noted that while harm-mitigation measures do not always qualify as an injury for purposes of standing, the purchase of credit monitoring in the context of a data breach “easily qualifies as a concrete injury” because the threatened harm of a data breach is “imminent.” Interestingly, the court concluded that the harm was imminent based on the fact that Neiman Marcus had offered one year of free credit monitoring in response to the breach. The court did not seem to consider the fact that credit monitoring does nothing to prevent fraudulent charges appearing on one’s credit card − the only type of fraud that could have occurred with the type of information that was stolen in this case. Thus, there remains a serious question whether this mitigation activity would in fact be “reasonable” in a consumer payment card breach case.

Although the court declined to decide whether the over-payment for Neiman Marcus products or the right to one’s personally identifiable information − a right that plaintiffs argued was granted to them by state data breach notice statutes − are “injuries” sufficient to establish Article III standing, the Court indicated that it was “dubious” whether those allegations, standing alone, would be sufficient.

Takeaway

Since the Supreme Court issued its 2013 decision in Clapper, defendants of data breach class action lawsuits have often cited it for the proposition that data breach victims lack Article III standing because their injuries are too speculative. This decision marks the first time that a circuit court has addressed the issue following the Supreme Court’s Clapper decision. The decision’s precedential impact, however, is limited to courts within the Seventh Circuit, and it is unclear whether other circuits will follow suit. Indeed, in Reilly v. Ceridian Corp., a decision that pre-dated the Clapper decision, the Third Circuit held that data breach victims whose data has not been misused lack standing under Article III.

It is by no means certain that the Third Circuit or other circuits will follow the Seventh Circuit’s approach, particularly when it appears that the Seventh Circuit’s decision was more policy driven than rule based. While the future remains uncertain, it is clear that the Seventh Circuit poses the most favorable venue for plaintiffs’ lawyers to file data breach class actions in the future, and that the data breach docket of district courts in the Seventh Circuit is likely to grow.

For more informtion, contact Amanda Fitzsimmons or Jim Halpert.

Hacking Team case – is your cyber risk strategy enough?

Posted in Cybersecurity, EU Data Protection, Internet of Things, Privacy and Data Security, Security Breaches

The cyber-attack suffered by Hacking Team revealed unexpected vulnerabilities of systems with considerable consequences for businesses whose cyber risk strategy shall be reassessed. Continue Reading

NETHERLANDS – Legislation on mandatory data breach notification adopted by the Dutch Senate

Posted in EU Data Protection, International Privacy, New Privacy Laws, Privacy and Data Security

On May 26, the Dutch Senate adopted the legislative bill on Data Breach Notifications, thereby amending the Dutch Data Protection Act and the Telecommunications Act (Wetsvoorstel meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp).

Content bill

The bill introduces the mandatory obligation for all types of data controllers to notify data breaches to the Dutch Data Protection Authority (“DPA”) and under circumstances also the obligation to notify the individuals affected by the data breach. Also, the DPA will have the authority to impose increased fines for noncompliance with this obligation.

The obligation to immediately notify the DPA arises in case of a security breach that has or is likely to have serious adverse effects on the protection of personal data. The severity of the potential consequences of the data breach is key when assessing the impact of the data breach. The government’s explanatory memorandum specifically states some factors that have to be taken into account in this assessment, namely: (i) the nature and scope of the data breach; (ii) the nature of the breached personal data; (iii) the extent to which technical measures have been put in place; and (iv) the consequences to the privacy of the individuals affected.

Additionally, data controllers will have the obligation to notify individuals affected by the data breach, but only in case the breach is likely to have adverse effects on the data subject’s privacy. In any case, data controllers will be required to maintain an internal register recording all data breaches that have or could possibly have serious adverse consequences on the protection of personal data.

It should also be noted that the obligation to notify should be separated from the obligation to implement adequate technical security measures , since both serve a different purpose. The DPA is expected to issue guidelines specifying the requirements for the obligation to notify in further detail.

In addition, the bill introduces increased regulatory and investigative powers for the Dutch DPA, thereby becoming the regulatory authority responsible for the oversight based on the Data Protection Act as well as the Telecommunications Act. Under the new bill, in case of a failure to notify or other violations of specific articles of the Data Protection Act the Dutch DPA will be authorized to impose increased fines up to EUR 810,000 or 10% of the company’s annual net turnover per violation, which could also be calculated based on global revenues. Fines will only be imposed following a binding instruction from the DPA, except in case of deliberate violations or violations as a result of serious culpable negligence. The intended purpose of the binding instruction is to offer the alleged offender a chance to restore the suspected data breach and to avoid a serious fine.

At this moment it is unknown when the adopted legislation will enter into force. It is expected that the bill will enter into force on 1 January 2016.

Companies are advised to review whether they comply with the newly imposed notification requirements for data controllers, especially in relation to current data processors’ agreements.

DLA Piper’s global privacy team has helped clients through more than 450 breaches. For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) and Róbin de Wit (robin.dewit@dlapiper.com)

EU: European Commission declares Audiovisual Media Services Directive rules open for debate

Posted in EU Data Protection, Technology and Commercial

Written by Patrick van Eecke and Atoon Dierick

On 6 July 2015, the European Commission launched a public consultation on the current Audiovisual Media Services Directive 2010/13/EU (“AVMSD”), entitled “A media framework for the 21st century”.

The aim of this public consultation, launched as a result of the rapidly shifting media landscape, is to invite all stakeholders, ranging from market players to individual users of audiovisual media services, to share their views on an array of issues related to the AVMSD in order to review the existing rules and offer a regulatory environment for audiovisual media services fit for the digital era.

Through the public consultation, the respondents can express their views specifically on several detailed questions which are structured by the Commission around six key topics, such as creating a level playing field, enhancing consumer protection, promoting European audiovisual content, etc. Questions include whether respondents are of the opinion that the geographical and material scope of the rules of the AVMSD are still relevant, effective and fair, whether the rules on commercial communications need to be amended, whether the distinction between broadcasting and on-demand services in relation to the protection of minors is still justifiable, etc.

The review of the AVMSD is one of sixteen key action points, presented by the Juncker Commission on 6 May 2015, in its Strategy to complete the Digital Single Market.

On the basis of the outcome of the public consultation, the Commission may propose a review of the AVMSD. The public consultation will run until 30 September 2015.

Should you have any questions about this consultation, please contact Patrick Van Eecke (Patrick.vanEecke@dlapiper.com ) or Antoon Dierick (Antoon.dierick@dlapiper.com)

Most Favoured Customer Provisions

Posted in Strategic Sourcing

Written by Kit Burden

Obviously, every customer (in whatever walk of life!) wants to feel “special”. This doesn’t change just because one is looking at the IT and outsourcing services market.

What “special” means, though, is up for debate. It could mean a particularly keen price point. Or fantastic service levels. Or a great customer experience overall.

Some – albeit by no means all – of this may be provided for in the specific provisions of a contract as at the day that it is signed. Some larger customer organisations, however, can try to go a step further, particularly when looking to sign up to especially large or noteworthy contracts. What sometimes then appears in the contract is a variant of what is referred to as a “Most Favoured Customer” clause. Although the actual wording can vary, the effect is usually to oblige the service provider – on an ongoing basis – to treat the customer at least as well as (if not better   than) all of its other clients.

So what does this actually mean? In the harsh glare of reality, this comes down to a matter of price. In other words, the customer is seeking the assurance that it will be charged the same kind of “beneficial pricing” that the service provider may in future extend to any other large client that it takes on

Is this actually fair? Well, the service provider will obviously argue that it is not. After all, the pricing will likely have been set as a result of a comprehensive negotiation process, and often after market testing in the form of a competitive tender process. There will quite likely be further price-related protections in the contract, such as restrictions on indexation related price adjustments, or the incorporation of detailed benchmarking provisions (potentially with automatic price adjustments as a consequence of an “adverse” benchmark report). The customer, on the other hand, may simply say that it  wants the contract to reflect the language used with it during the bid process vis a vis how important this project would be for the service provider not just as at the point of signature, but throughout its term….!

Leaving aside the potential merits of each side’s arguments, if there IS to be such a clause, then both parties will have issues to address.

From a service provider perspective, one would want to ensure that the assessment is a holistic one. For example, it would be unfair to judge the treatment of a customer on price alone, and to omit consideration of the rigour of service levels and contract terms, or the degree of financial engineering/amortisation of costs which may have taken place at the outset. Equally, the clause would need to ensure apples were compared with apples in terms of not just the overall size of the deal in terms of potential fees, but also the type of services and geographies involved, for example.

From the lens of  the customer, the key issue is usually one of visibility. With each new deal potentially being confidential (or least vis a vis the finer details of the charging and contract provisions), how can it actually be certain that any MFC commitment is actually being honoured? Having contractual rights of audit feels a bit like having a sledgehammer to crack a nut and may be imperfect in any event, but an alternative may be to require a form of written certification from a sufficiently senior executive from within the service provider organisation.

The devil is inevitably in the detail, and with ways and means of either firming up or undermining the level of effectiveness of such provisions. But that’s the story of another blog post…..

FTC Announces “Start with Security” Business Education Initiative; Issues Security Guidelines to Businesses

Posted in Cybersecurity, E-Commerce and Social Media, Privacy and Data Security, Security Breaches

The Federal Trade Commission (“FTC”) has launched a new initiative, dubbed “Start with Security,” which is focused on assisting businesses in developing greater security to protect consumers’ personal information. To kick off the initiative, the FTC issued Protecting Personal Information:  A Guide for Business, which is based on the lessons learned from the approximately fifty (50) data security cases that the FTC has brought against companies throughout the years. In the Guidance, the FTC sets forth the following ten steps that it believes are key to protecting consumer information and provides guidance regarding each:

1. Start with security

2. Control access to data sensibly.

3. Require secure passwords and authentication.

4. Store sensitive personal information securely and protect it during transmission.

5. Segment your network and monitor who’s trying to get in and get out.

6. Secure remote access to your network.

7. Apply sound security practices when developing new products.

8. Make sure your service providers implement reasonable security measures.

9. Put procedures in place to keep your security current and address vulnerabilities that may arise.

10. Secure paper, physical media, and devices.

The FTC focuses on building security into every aspect of the decision-making process within the company, whether collecting information from employees or customers. The FTC further urges companies to evaluate whether they need the information that they intend to collect, and reminds companies that persons cannot steal information that a company does not hold.  In each step, the FTC provides a reference to a complaint that it issued against a particular company and explains how it believes certain situations could have been avoided.

In addition to the written guidance, beginning in September, the FTC will convene a series of conferences across the country, with the first event to be held in San Francisco on September 9, to address these issues. The September event is aimed at start-ups and developers, and will bring together experts to discuss security by design, common security vulnerabilities, and vulnerability response, among other topics.

Net Neutrality, the EU “open internet” right and the new rule on internet access speeds

Posted in Internet of Things, Mobile Privacy, Technology and Commercial, Telecoms

I have expressed some strong views on the (lack of) merits of a specific net neutrality rule in the EU before (here and here).

It was with interest then that I read the language of the “final compromise test” of the proposed new regulation on the Connected Continent from the EC. This cover two things principally – (1) it tries to abolish roaming in the EC; and (2) it contains a net-neutrality-like “open internet” obligation. This blog post will discuss only the latter.

Whilst advocates of net neutrality have criticised the regulation for allowing too many get-outs (in respect of “specialised services” I am much more concerned about the potential downsides in terms of restricting competition and the launch of new services. As explained below however there is also one, little commented-upon, aspect of the new regulation which will, I think, be beneficial and should be much-welcomed by  consumer advocates.

Continue Reading

Europe: European Commission survey finds that data protection remains a major concern for EU citizens

Posted in EU Data Protection, Privacy and Data Security

By Patrick van Eecke and Mathieu Le Boudec

A recent survey commissioned by the European Commission reveals that data protection remains an important concern for EU citizens.

Key findings of the survey are that:

Control over personal data

  • More than eight out of ten respondents feel that they do not have complete control over their personal data they provide online.
  • Two-thirds of these respondents are concerned about not having complete control over their personal data.
  • Respondents are most concerned about the recording of their activities via payment cards and via mobile phones.

Disclosure of personal data

  • Seven out of ten respondents say that providing personal information is an increasing part of modern life and accept that there is no other alternative than to provide it if they want to obtain products or services.
  • Over half of respondents disagree that providing personal information is not a big issue for them.
  • A majority of people are uncomfortable about Internet companies using information about their online activity to tailor advertisements.
  • Two-thirds of respondents think it is important to be able to transfer personal information from an old service provider to a new one.

Management of personal data by other parties and perceived risks

  • Nearly seven out of ten respondents say that their explicit approval should be required in all cases before their data is collected and processed.
  • Roughly seven out of ten people are concerned about their information being used for a different purpose from the one it was collected for.
  • Almost all respondents say they would want to be informed should their data be lost or stolen.
  • Two-thirds of people think the public authority or private company handling the data should be the ones to inform them if it has been lost or stolen.

Privacy policies

  • Only a fifth of respondents fully read privacy statements.
  • Most respondents do not read these statements because they find them too long to read or unclear or too difficult to understand.

According to the European Commission these results confirm the need to finalise the on-going data protection reform.

The complete report can be consulted here, a 25-pages summary here and a short fact sheet here.

For further information, please contact Patrick.VanEecke@dlapiper.com or Mathieu.LeBoudec@dlapiper.com.

China Adopts the New National Security Law – A Top Legislative Effort To Control Cyber Security

Posted in Asia Privacy, Cybersecurity, International Privacy, Privacy and Data Security

On 1 July, 2015, the Standing Committee of the National People’s Congress, China’s top legislature, approved the new National Security Law of the People’s Republic of China (中华人民共和国国家安全法, the “New Law”) which became effective on the same day. This New Law is very high-level in its nature covering a wide range of areas from the military, wider economy and natural resources to environment, religion, food security, cyber security and space exploration. The most significant aspect of this New Law in relation to cyber security is the fact that it was issued by China’s top legislature, indicating the importance being placed on cyber security at the highest level of China’s legislative system.

Highlights
The New Law provides for a general legislative framework to control cyber security which includes the following:

  • The state should develop its ability to protect against cyber and information security risks, and to ensure that the core cyber and information technology, key infrastructure, information system and data in important sectors are secure and controllable.
  • The state should set up a national security review and supervision system and should conduct national security reviews of any foreign investment, key technologies, internet and information technology products and services and other important matters and activities that impact or are likely to impact national security.
  • The state should actively develop independent controllable key technologies in important sectors and strengthen the application of intellectual property.

Our Observations
As this New Law is newly promulgated and is very general in its nature, there is considerable ambiguity which will may be clarified by subsequent guidance. In particular:-

  • The New Law does not provide specific requirements as to how to ensure that IT systems are secure and controllable. The term “secure and controllable” is also used in the CBRC Guidelines that DLA Piper reported on earlier this year. Although the CBRC Guidelines set out specific requirements to implement “secure and controllable” information technology products in the banking sector, we understand that the implementation of such rules are still pending.
  • Although the New Law requires a national security review system, it does not provide any details of the practical implementation of such rules. For example, which authority will conduct such a review, what are the specific criteria to determine whether a technology product will impact or is likely to impact national security, and what the review process will be etc.

Due to the above ambiguity, we believe that more specific implantation rules, and a possible update of the CBRC Guidelines will be issued in the near future.

Back to Top of Page