December 17, 2009

Convertino v. DOJ: Federal Court Upholds Attorney-Client Privilege for Employee's Private Communications to which Employer Had Access

Digital media law update: On December 10, 2009, a federal judge in the District of Columbia upheld the attorney-client privilege for an employee's emails to his attorney, even though his employer had access to them. The attorney-client privilege generally exists only for private communications between a client and his lawyer, not for communications to which uninvolved third parties have access. Here, the judge concluded that the privilege applied largely because the client was not aware that his employer had access to the emails.

The case is Convertino v. U.S. Dept. of Justice, D.D.C., No. 1:04-cv-00236. The plaintiff, Convertino, claims that the DOJ improperly disclosed information about him to the Detroit Free Press, in contravention of the Privacy Act. To prove his case, Convertino served a discovery request on the DOJ seeking production of some 736 documents.

36 of these documents were emails from DOJ employee Jonathan Tukel to his personal attorney. Tukel had originally been a named defendant in the case and had retained an outside attorney to defend him. Tukel sent the emails to his attorney from his work computer at the DOJ, and the DOJ later obtained them from its email server.

The Court noted that under federal rules, a client can be found to have waived his right to the attorney-client privilege if he made an otherwise confidential communication in the presence of a third party, or if he disclosed it to a third party. See FRE 502(b). However, there is no waiver if the disclosure was inadvertent, the holder of the privilege took reasonable steps to prevent disclosure, and the holder promptly took reasonable steps to rectify the error.

When dealing with communications made using equipment controlled by third parties, such as an employer-provided email system, the question of privilege "comes down to whether the intent to communicate in confidence was objectively reasonable." To make this determination, courts look at factors such as "(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?" [citing In re Asia Global Crossing, Ltd., 322 B.R. 247, 258 (S.D.N.Y. 2005)].

Here, the Court found that Tukel's expectation of privacy was reasonable: The DOJ does not ban personal use of its e-mail system. Although the DOJ has access to personal email sent by its employees, Tukel was unaware that the DOJ would regularly access and save emails from his account. Tukel also worked to keep his emails private by deleting them as they came into his account, unaware that they were still on the DOJ servers.

While the result turned out well for Tukel here, employees everywhere should be wary about communicating with counsel via their employer's email system. Deleting a message in the mail client rarely removes it from the organization: server-side mailboxes, backups and journaling or archiving systems routinely retain copies that the employer can retrieve. If Tukel had been informed that the DOJ regularly accessed employee emails, and/or had the technical sophistication to realize that deleted emails were still on the company servers, the Court might have found that his privilege had been waived.

Of course, the obvious way that an employee can avoid trouble like Tukel's is simply to use a personal email account from a home computer, rather than an employer-managed device or network, to send confidential communications to counsel.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.

December 14, 2009

Amburgy v. Express Scripts: Why a Missouri Court Held that an Increased Risk of Identity Theft Is Insufficient to Confer Standing in a Data Breach Case

Digital media law update: In a twist on an old story, a judge in the Eastern District of Missouri has dismissed a data breach class action because the named plaintiff was unable to plead that he had suffered any injury other than an increased risk of identity theft. This case is unusual, because the Court dismissed the case on standing grounds, even though it found that the lead plaintiff had pled sufficient facts for a breach of contract action. This result is at odds with many recent cases, which tend to find that an increased risk of identity theft is sufficient to confer standing.

Express Scripts provides prescription management services for employee benefit plans. In October 2008, Express Scripts received an anonymous letter demanding money. The letter writer claimed to have obtained critical personal identifying information for millions of Express Scripts members and threatened to reveal this information if Express Scripts didn't pay up. The letter included details on 75 Express Scripts members, including names, dates of birth, Social Security numbers and prescription data.

In 2009, lead plaintiff John Amburgy filed a consumer class action against Express Scripts. Amburgy alleged that Express Scripts had failed to maintain adequate security measures and that this had led to the data breach. Amburgy claimed that as a result of Express Scripts' breach of duty, Amburgy and other plan members had been exposed to "increased risk of becoming victims of identity theft crimes, fraud, abuse and extortion." Amburgy did not allege that he and other class members had actually suffered identity theft losses, but merely that they had incurred costs for credit monitoring to prevent such losses. The complaint sought damages from Express Scripts under negligence, breach of contract, and state consumer statute theories.

The Court rejected these claims on "standing" grounds. According to U.S. Supreme Court precedent, to have standing to bring a case before a federal court, a plaintiff must show that he has suffered "injury-in-fact." Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). This can be either an injury he has already sustained or is in immediate danger of sustaining.


December 9, 2009

JM Test Systems v. Capital One: The Legal Decision-Tree for Determining the Party Liable for an Unauthorized Funds Transfer

As reported by Brian Krebs of the Washington Post, electronic calibration systems firm JM Test Systems, which is based in Baton Rouge, Louisiana, has just filed a complaint against its bank, Capital One, to recover two unauthorized wire transfers amounting to some $97,000. See JM Test Systems, Inc. v. Capital One Bank, N.A., 19th Judicial Dist., Parish of East Baton Rouge No. 585172D. As reported by Krebs and stated in the complaint, the unauthorized transfers appear to have been initiated by hackers. The funds were ultimately transferred to "Alpha-Bank Moscow." Eastern Europe is a frequent destination for funds from hacked bank accounts.

This complaint involves just one of dozens of cases that Krebs has unearthed in the past year in which a small business has lost a significant sum of money through wire transfer fraud. While some businesses have filed lawsuits against their banks in an attempt to recover the stolen funds, according to Krebs, many small businesses have been leery of going after their banks.

So can a business expect its bank to cover its losses from hacker wire transfer fraud? The answer is "sometimes." The result in an individual case is largely determined by rules found in an obscure section of the Uniform Commercial Code -- Article 4A. Here is a synopsis of the key rules:

Rule 1 -- Insider fraud: If the person who initiated the transfer was authorized under agency law to initiate the transfer, then the customer is generally liable for the unauthorized transfers. UCC § 4A-202. In other words, if an unauthorized transfer results from an act of embezzlement by a person otherwise authorized to act on behalf of the company, the customer, not the bank, will generally be liable.

Rules 2-4 -- Outsider fraud: If the person who initiated the transfer was not an agent of the corporation, then the following rules apply:

Rule 2: The bank is not liable for a fraudulent transfer if the four following conditions exist: (i) the bank and its customer have agreed to verify the authenticity of transfers by security procedures, (ii) the bank instituted a commercially reasonable method of providing security against unauthorized transfers, (iii) the bank complied with these security procedures for the transfers in question; and (iv) none of the exceptions to this rule apply. UCC § 4A-202(b).

What constitutes commercially reasonable security procedures will depend on the customer account involved. According to the UCC, "A customer that transmits very large numbers of payment orders in very large amounts may desire and reasonably expect to be provided with state of the art procedures that provide maximum security." While smaller customer accounts may not need this level of security, according to the UCC, "a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable." For further information on what constitutes commercially reasonable security procedures, see our post on the Shames-Yeakel case and the FFIEC's 2006 guidance, Authentication in an Internet Banking Environment.


November 10, 2009

In re. Ameritrade Accountholder Litigation: Court Rejects Class Settlement He Viewed as Providing Members of Plaintiff Class with No Real Benefits

On October 23, 2009, Judge Vaughn Walker did something that doesn't happen very often. He rejected final approval of a class action settlement that was opposed by less than .001% of the members of the plaintiffs' class. The reason: he had come to believe that while the settlement would cost Ameritrade millions, and pay $1.87 million to the plaintiffs' counsel, it ultimately provided the plaintiffs themselves with no real benefits.

The case is the In re TD Ameritrade Accountholder Litigation, N.D. Cal. C-07-2852, a class action that was originally filed in 2007 regarding an allegedly long-term data security breach at Ameritrade. Ameritrade is a well-known brick and mortar and on-line stock broker, whose commercials star Sam Waterston of Law and Order fame.

In October 2006, Ameritrade customer Matthew Elvey, who graduated from Yale with a B.S. in computer science and mechanical engineering and works as a website infrastructure consultant (as he describes his business in his bio at http://www.elvey.com/), decided to test Ameritrade's data security system. So he provided Ameritrade with a unique email address that he had never provided to any other person. In November 2007, Elvey allegedly began to receive stock spam directed to this secret address. The spam allegedly touted low-priced, speculative stock of smaller companies that are traded over-the-counter, and was part of stock "pump and dump" schemes.
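Elvey's test is a standard leak-detection technique: hand each vendor an address that no one else has, and any mail arriving at that address identifies which vendor lost or sold it. The following is an added example (not Elvey's code, nor anything from the case record) showing how to issue such canary addresses and attribute inbound spam to the leaking vendor. It goes one step beyond Elvey's single address by deriving one per vendor with an HMAC, so that a spammer who sees one address can neither tell which vendor it was issued to nor forge the addresses issued to other vendors. The secret, domain, vendor names and sample messages are all constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Hypothetical values: a secret known only to the tester, and a domain the tester controls.
CANARY_SECRET = b"replace-with-a-long-random-secret"
CANARY_DOMAIN = "example.com"


def canary_address(vendor: str, secret: bytes = CANARY_SECRET,
                   domain: str = CANARY_DOMAIN) -> str:
    """Derive the unique address to give to exactly one vendor.

    The local part is a truncated HMAC of the vendor name. Unlike plus-addressing
    (me+vendor@...), it does not reveal the vendor and cannot be stripped back to
    a shared base address by a spammer who understands the scheme.
    """
    tag = hmac.new(secret, vendor.strip().lower().encode(), hashlib.sha256)
    return f"c-{tag.hexdigest()[:16]}@{domain}"


def attribute_leak(recipient: str, vendors: Iterable[str],
                   secret: bytes = CANARY_SECRET,
                   domain: str = CANARY_DOMAIN) -> Optional[str]:
    """Return the vendor whose canary address received this mail, or None."""
    recipient = recipient.strip().lower()
    for vendor in vendors:
        expected = canary_address(vendor, secret, domain)
        if hmac.compare_digest(expected.encode(), recipient.encode()):
            return vendor
    return None


# Matches "To:" and "Delivered-To:" header lines, with or without angle brackets.
_RCPT_RE = re.compile(r"^(?:To|Delivered-To):\s*<?([^<>\s]+@[^<>\s]+)>?", re.I | re.M)


def leaks_from_headers(raw_messages: Iterable[str], vendors: Iterable[str]) -> dict:
    """Count, per vendor, how many messages arrived at that vendor's canary address."""
    vendors = list(vendors)
    counts: dict = {}
    for raw in raw_messages:
        for rcpt in _RCPT_RE.findall(raw):
            vendor = attribute_leak(rcpt, vendors)
            if vendor is not None:
                counts[vendor] = counts.get(vendor, 0) + 1
                break  # attribute each message once, even if it carries several recipient headers
    return counts


# Constructed sample: three messages, two of which hit the canary issued to "broker-a".
VENDORS = ["broker-a", "broker-b", "newsletter-c"]
SAMPLE_MESSAGES = [
    f"From: promo@pump.example\nTo: <{canary_address('broker-a')}>\nSubject: HOT PENNY STOCK\n",
    f"From: promo@pump.example\nDelivered-To: {canary_address('broker-a')}\nSubject: BUY NOW\n",
    "From: friend@example.net\nTo: me@example.com\nSubject: lunch?\n",
]

if __name__ == "__main__":
    print(leaks_from_headers(SAMPLE_MESSAGES, VENDORS))
```

The attribution step rebuilds each expected canary from the secret rather than storing a lookup table, so the mapping from address to vendor never has to exist on disk; the constant-time comparison is cheap insurance against timing side channels if the check is ever exposed as a service. A single hit is evidence of a leak somewhere in that vendor's handling of the address, not proof of which party along the chain disclosed it.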

Elvey filed a class action against Ameritrade in 2007. The complaint focused on Ameritrade's Privacy Statement which allegedly told customers that "Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason . . . " According to Elvey's complaint, the "spam received by Plaintiffs was not consistent" with these representations.

The Elvey suit was later consolidated with a class suit filed by lead plaintiff Brad Zigler. The combined class action sued Ameritrade on breach of fiduciary duty, CFAA, and Nebraska and California unfair trade practices grounds. The plaintiffs claimed that Ameritrade had breached its duties to them by knowingly failing to correct defects in its security system and by failing to disclose the security breach that had led to the spam attacks on its customers. The plaintiffs claimed that they were damaged by "losing the benefit of the bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement . . . ."

While TD Ameritrade filed a motion to dismiss the original Elvey complaint -- a motion that was never heard -- it did not file a similar motion for the consolidated complaint. Instead, it began settlement negotiations with the Plaintiffs. This resulted, in October 2008, in a proposed settlement which released Ameritrade from any damage claim, "of any kind," based on "any legal theory whatsoever," that "is, has been, or could have been asserted by" a member of the settlement class for: (i) an unauthorized disclosure of their information by Ameritrade, (ii) their receipt of spam e-mail and (iii) misrepresentations in Ameritrade's privacy statement. The settlement applied to any person who had provided Ameritrade with a physical or email address on or before September 14, 2007. It did carve out a right for individuals to file identity theft claims on their own behalf -- but not as part of a class action.


October 28, 2009

Patco Construction v. Ocean Bank: Who Pays when a Hacker Steals Money from a Business Bank Account?

It was recently reported by Brian Krebs of the Washington Post, and others, that a Maine construction company sued its bank for failing to prevent hackers from transferring some $588,000 in company funds to co-conspirators throughout the U.S. This case bears watching because it may well test the conclusion of the court in Shames-Yeakel v. Citizens Financial Bank that a bank's failure to use multi-factor authentication procedures for wire transfers may not constitute a reasonable business practice. It should also test the effect of a clause in the bank's contract with the construction company, requiring the company to monitor and immediately report questionable transfers to the bank.

The case is Patco Construction Co. v. Ocean Bank, York County Superior Court, 2009. According to the complaint, on May 7, 2009, hackers stole Patco's login credentials and initiated a series of transfers throughout the week that totaled over $588,000. Patco discovered the fraud on May 13, when one of its co-owners found a notice from Ocean Bank in his mailbox, stating that several recent transfers had been rejected. Patco notified the bank on the morning of May 14. While the bank attempted to rescind the transfers, Patco was ultimately out at least $345,000 in stolen funds.

The bank claimed that Patco was responsible for the loss, citing a clause in its ebanking and bill payment agreement, which states that customers who use automated clearinghouse (ACH) transactions on their commercial accounts "assume all liability and responsibility to monitor those accounts on a daily basis" and "[i]n the event you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs." Patco allegedly didn't discover or report the losses until days after most had occurred.

Patco claims that Ocean Bank is responsible for the loss, arguing that the bank breached its duty to provide a commercially reasonable security system because it only provided a single-factor authentication system for wire transfers.

So, which side is right?

Fraud losses for business deposit accounts, such as those suffered by Patco here, are governed by Article 4A of the Uniform Commercial Code. Article 4A is written from the standpoint of the bank and gives a bank a "safe harbor" from losses associated with wire fraud, if it meets three conditions: (i) the bank and its customer agree to use a particular procedure for verifying the authenticity of wire transfer orders, (ii) the bank has provided a "commercially reasonable method of providing security against unauthorized payment orders" to the customer, and (iii) the bank followed the procedures.

Article 4A generally permits parties to modify its provisions as they see fit -- except where modification is not permitted by Article 4A. See §4A-501. One area where waiver of Article 4A's provisions is restricted is in contracts dealing with commercially reasonable security procedures. Under Section 4A-202, a security procedure can be "deemed commercially reasonable if (i) the security procedure was chosen by a customer after the bank offered, and the customer refused, a security procedure that was reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer." According to the official comment to this section, the bank has to first offer a commercially reasonable security procedure to the customer, the customer has to "be made aware of the risk" of rejecting the procedure, and the customer must assent in writing to assume that risk.


October 16, 2009

Heartland Data Breach: Handicapping the Financial Institutions' Suit In Light of Recent Class Actions

Financial institutions face an uncertain legal environment when they attempt to obtain reimbursement for losses associated with a data breach at a credit card processor. When a data breach at a credit card processor or large merchant occurs, financial institutions are often out millions of dollars associated with cancelling and reissuing customer credit cards and covering losses from unauthorized use of cards. No federal law directly addresses this situation, so financial institutions are left to the vagaries of state law. However, state laws create major obstacles to recovery.

Many of these obstacles are caused by the fact that the financial institution has no direct contractual relationship with the credit card processor. Credit card transactions involve four players: (1) a bank, which enters into an agreement with a corporation that operates a credit card payment system, such as Visa, that permits the bank to issue Visa credit cards to its customers, (2) the consumer, who uses the credit card, (3) a credit card processor, which enters into agreements with merchants to process their Visa credit card transactions, and (4) the merchant.

In a typical purchase transaction, the merchant's card reader reads the cardholder information contained on the magnetic stripe on the credit card, as it is swiped through a terminal at checkout. The merchant sends this information through the Visa network to the bank. The bank reviews the card, and assuming it is valid and has sufficient credit, authorizes the transaction. The merchant completes the transaction and notifies the processor, which pays the merchant. The processor then notifies the bank, which pays the processor and charges the consumer. See, generally, Sovereign Bank v. BJ's Wholesale Club, Inc., 3rd Cir., No. 06-3405 (July 16, 2008).

While the processor and the bank interact, they generally have no written contractual agreement between them. The lack of a contractual relationship is the source of one of several problems when a bank seeks recovery from a processor data breach.

For example, a class action was recently filed on behalf of banks who incurred losses from the data breach at credit card processor Heartland Payment Systems, Inc. In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, S.D. Tex., No. 4:09-md-02046. The complaint attempts to recover on breach of contract, breach of implied contract, negligence, negligence per se, negligent and intentional misrepresentation, and a number of state unfair business practice statutes. However, a number of these theories have faced rough sledding in previous data breach class actions by financial institutions:

Breach of contract under a third-party beneficiary theory

A person that is not a party to a contract can still sue for breach of the contract if it can show that it was the "intended beneficiary" of the contract. Some banks have attempted to recover losses under the theory that they are the third-party beneficiaries of the contracts between the processor and the credit card company. For example, in Sovereign Bank v. BJ's Wholesale Club, the plaintiff banks claimed that they were the intended third-party beneficiaries of the contract between the processor and Visa, because a memorandum accompanying the relevant security provisions in the contract stated that their purpose was "to protect the Visa system and [the Banks] from potential fraud exposure . . . ." The 3rd Circuit held that this memo and other evidence was sufficient for a jury to find that the banks were intended beneficiaries of the processor's contract with Visa.

However, this theory did not work in a subsequent data breach case brought by financial institutions -- In re TJX. By the time that suit was brought, Visa had changed its processor agreement to expressly exclude third-party beneficiaries. As a result, the banks were not able to recover under this theory. In re TJX Companies Security Breach Litigation, 524 F.Supp.2d 83 (D. Mass. 2007).


September 28, 2009

Rocky Mountain Bank v. Google: Was Judge Ware's Order that Google Deactivate the Gmail of a Customer Inadvertently Sent Confidential Information Appropriate?

Digital media law: On September 23, 2009, Judge Ware of the Northern District of California issued a temporary restraining order in a case in which a bank inadvertently sent a file containing confidential customer information to an unidentified Gmail account. The Judge ordered Google and the unidentified Gmail account holder not to access, use or distribute the confidential customer information and required Google to disclose whether the Gmail account was active or dormant, and if active, to disclose the identity of the Gmail account holder. The judge also ordered Google to "immediately deactivate the Gmail account."

While Judge Ware's move to cut off the subscriber's Gmail account has been viewed by some as a draconian trespass on the email account holder's rights, it was not without at least some legal basis.

The facts of the case are simple. On August 12, 2009 a customer requested that the Bank send some loan statements to a third party representative of the customer. Later that evening, the customer informed the Bank that his representative had not received the information. The next day, August 13, the Bank investigated the matter and discovered that it had sent the customer's information to the wrong email address -- a Gmail address -- and that it had also attached a file containing "names, addresses, tax identification numbers and loan information for . . . 1,325 customer accounts" -- oops!

Upon discovering its double error, the Bank immediately sent another email to the Gmail account holder asking the recipient to immediately delete the file without opening it or reviewing it. Receiving no response from the Gmail account holder, the Bank contacted Google to determine whether the Gmail account was active or dormant, and if active to get information about the account holder. It also asked Google to deactivate the Gmail account. Google refused to do any of these things without a court order.

The Bank then filed a complaint against Google, seeking an injunction restraining Google and its account holder from accessing or using the confidential customer information, requiring Google to deactivate the Gmail account, requiring Google to delete the email and the confidential customer information from its system, and requiring Google to disclose information about the Gmail account holder. See Complaint, Rocky Mountain Bank v. Google, Inc., N.D. Cal., Case No. 5:09-cv-04385.

On September 23, 2009, Judge Ware issued a temporary restraining order (TRO) granting most of the relief the Bank had requested. The TRO was to be effective only for a short time -- until September 28, when the Court would conduct a hearing on whether or not to issue a preliminary injunction, which would then be in effect until the case was fully adjudicated.

A Court only has authority to make an order in favor of a plaintiff if the plaintiff establishes that it has some legal right that the order would protect. What is striking is that nowhere in its motion papers did the Bank cite any legal basis, such as a statute or case, that would empower the Court to order Google to disable the Gmail account or to prevent Google and the customer from accessing and using the confidential information. Rather, the Bank based its requests for relief on the mere assertion that "Google and its email account holder have no rights in or to the inadvertently disclosed information, while the Bank and its customers have every right to prevent further disclosure and use of such information."


September 18, 2009

McLoughlin v. People's United Bank: No Claim for Future Identity Theft Losses where Plaintiffs Were Unable to Claim that Data Lost in a Breach Was Misused

Data security law: There is no question that it is a trend. In the latest in the never-ending series of data breach cases, a Connecticut District Court held that a plaintiff may not maintain a claim for damages after a data breach merely based on a fear of future identity theft losses.

The case is McLoughlin v. People's United Bank, Inc., District of Connecticut, No. 3:08-cv-00944. People's United Bank had a contract with co-defendant BNY Mellon to handle People's customer information, including its customers' names, addresses, Social Security numbers and bank account information. In February 2008, a metal box containing six to ten unencrypted backup tapes of People's customer data was lost or stolen from a courier truck. The truck had a broken lock and was left unattended during the transport.

About two months after the breach, People's and BNY Mellon began informing customers of the loss of the unencrypted back-up tapes. BNY Mellon ultimately offered affected customers two years of free credit monitoring, $25,000 in identity theft insurance and free credit freezes. The plaintiffs eventually brought the present case -- a class action against People's and BNY Mellon.

After removal to Federal court, the defendants moved to dismiss for lack of standing, arguing that the plaintiffs had pleaded no actual damages.

Citing U.S. Supreme Court precedent in Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180 (2000), the District Court stated that "to satisfy Article III's standing requirements, a plaintiff must show (1) it has suffered 'injury in fact' that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."

To be cognizable, actual damages may flow directly from the defendants' act, or may flow indirectly, in the form of costs spent to remedy the harm. For example, in a case brought against a bank for giving faulty tax advice, actual harm was held to include the "costly and time-consuming step" the plaintiffs had taken "to rectify errors in their past or future tax filings" and the fees they paid for advice. Denny v. Deutsche Bank AG, 443 F.3d 253, 264 (2nd Cir. 2006). Under Second Circuit precedent, "injury in fact" may also be based on the fear of future harm. Id.

Here, the plaintiffs' claims for damages were not based on direct losses or indirect payments of fees or expenses, but solely on their fear of future losses from identity theft. However, while fear of identity theft has been held sufficient to confer standing, it has also been held to be insufficient to satisfy the "actual damages" element of state tort claims. For example, in Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y. 2008), the court found that an employee had sufficiently alleged injury-in-fact for standing purposes when a laptop holding his data was stolen from his employer, but could not sustain a claim for negligence or breach of fiduciary duty. See also Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2009) (standing but no quantifiable damages where a thief broke into a data processor's office, stealing laptops containing unencrypted personal data).

Following these precedents, the Court in McLoughlin found that the plaintiffs had pled an injury-in-fact sufficient to comply with Federal standing requirements. However, also following these precedents, the Court found that the plaintiffs had not alleged damages sufficient to state a claim under Connecticut law, which controlled here.


September 2, 2009

Shames-Yeakel v. Citizens Financial Bank: Failure to Expeditiously Implement State-of the Art Security Measures Can Create Liability for Negligence in Data Breach Cases

Keeping up with the constant changes in security measures necessary to handle the latest threats to data can make a business feel like it is running out of breath. When a business already has a quality data security system in place, implementing the latest security protocol may feel like a distraction and a waste of money. However, state and federal legislatures and regulators, as well as courts around the country, are increasingly unwilling to let businesses slack off from the cyber-security arms race. As seen in a recent decision from the Northern District of Illinois, failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care and expose a business to liability for data breaches.

The case is Shames-Yeakel v. Citizens Financial Bank, U.S.D.C., Northern District of Illinois, Case No. 07-c-5387. The plaintiffs operated a bookkeeping and accounting service from their home, presciently named "Best Practices." The plaintiffs had personal checking accounts with the defendant, Citizens Financial Bank, as well as a business account under the Best Practices name. The plaintiffs also obtained a home equity line of credit from Citizens, which they drew on to make a down payment on a loft in Chicago, pay off their auto loans, make roof repairs to their residence and purchase a car for their daughter. The plaintiffs linked the line of credit to their Best Practices business checking and made payments on the line through that account.

In 2007, an unknown person gained access to the plaintiffs' online accounts by using Ms. Shames-Yeakel's username and password. This person ordered a $26,500 advance on the home equity line of credit, which was eventually transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

Citizens Bank notified the plaintiffs that it intended to hold them liable for the loss. The online banking agreement between Citizens and the plaintiffs stated "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." Citizens then began to bill the plaintiffs for the $26,500. When they failed to pay the balance on time, Citizens reported the account as delinquent to national credit bureaus. Citizens also threatened to foreclose on their home if the plaintiffs continued to refuse to make payments.

The plaintiffs complained to the Office of Thrift Supervision ("OTS"). However, the OTS informed them that it had no objection to Citizens holding them liable. In support of its conclusion, the OTS noted that Regulation E, which implements the Electronic Funds Transfer Act, only protects demand deposit and consumer asset accounts, not credit accounts like a home equity line of credit. It also noted that Regulation Z, which implements the Truth in Lending Act, only covers lines of credit when the credit is used for personal purposes. Here, because the plaintiffs had linked the line of credit to a business checking account, the OTS concluded that it was a business line of credit.

Continue reading "Shames-Yeakel v. Citizens Financial Bank: Failure to Expeditiously Implement State-of-the-Art Security Measures Can Create Liability for Negligence in Data Breach Cases" »

June 17, 2009

Frustration for Consumers Seeking to Recover from a Retailer in a Maine Data Theft Case

Consumer suits against retailers for losses from data thefts face many hurdles to recovery. A recent illustration is the court's dismissal of virtually all claims brought by customers of Hannaford, a supermarket chain based in Maine. In re Hannaford Bros. Co. Customer Data Security Breach Litigation, U.S. District Court, District of Maine, MDL Docket No. 2:08-MD-1954.

From December 2007 through March 2008, "wrongdoers" (apparently a less malevolent class of miscreant than the "evildoers" faced by President Bush) gained access to Hannaford's information technology systems. The thieves stole some 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers and other customer information. They were able to use this information to rack up an undisclosed amount of charges on customer accounts. Hannaford apparently discovered the security breach, but delayed before warning its customers, who continued to use their credit and debit cards for some time before the breach was closed.

The customers sued in the U.S. District Court in Maine and sought certification as a class action. They brought claims for breach of implied contract, breach of implied warranty, breach of fiduciary duty, breach of a Maine statute requiring disclosure to customers of a data security breach, strict liability, negligence, and unfair trade practices.

District Court Judge Hornby first analyzed the plaintiffs' ability to recover under each of these causes of action, rejecting all but the breach of implied contract, negligence and unfair trade practice theories. The Court found that under Maine law, a contract includes "all such implied provisions as are indispensable to effectuate the intention of the parties." When a customer gives a merchant his debit or credit card information, the parties assume that "the merchant will not use the card data for other people's purchases, will not sell or give data to others, and will take reasonable measures to protect the information." This duty supported both the breach of implied contract and negligence claims against the merchant.

The court also found that Hannaford could be subject to suit under Maine's unfair competition law. The Maine statute appears to be rather broad (broader than the California UCL) because it permits a consumer who purchases goods or services and "suffers any loss of money or property" as a result of an unfair or deceptive act to sue for "actual damages, restitution" and equitable relief. Here, the plaintiffs claimed that Hannaford failed to disclose the data breach for several months, which caused customers who continued to use plastic at the store to suffer data losses. The court concluded that Hannaford's inaction justified a UCL claim.

Continue reading "Frustration for Consumers Seeking to Recover from a Retailer in a Maine Data Theft Case" »

June 17, 2009

Tort Liability from Data Thefts: The Race is to the Swift

A thief breaks into the corporate headquarters of your digital media company and steals a laptop. He uses the laptop to gain access to your customers' files, and gleans sensitive information, including their driver's license data, social security numbers and bank account data. Can you be liable to customers for this theft? The answer, at present, is theoretically "yes", but in many cases, "no" -- if you take the right steps.

Many states have statutes protecting personal information of consumers. For example, the California Civil Code requires businesses to: (i) destroy personal information when it is no longer to be retained by the business; (ii) "implement and maintain reasonable security procedures" to protect personal information from unauthorized access; (iii) disclose any breach of security which has caused disclosure of personal information, and (iv) disclose any personal information provided to third parties on the consumer's request. (Fn 1) The Civil Code provides that a customer may sue to recover damages, as well as injunctive relief, for any violation of these rules. (Fn 2)

So if a thief steals your customer data, and your failure to meet these standards causes your customers to suffer losses -- yes -- you can be found liable.

But, while these laws have been on the books for about five years, they do not seem to have resulted in a lot of large judgments. There are no reported appellate cases directly dealing with any of them and few unreported court orders mention them.

One reason for this may be the sheer economics of consumer rights litigation. Most consumer rights cases involve small dollars. Because the plaintiff generally must bear his own attorneys' fees, few cases hold the promise of a sufficiently large recovery to warrant paying the fees to win the case. This is why the real action in consumer rights cases is in consumer class actions. Combining thousands or millions of cases together can yield sufficient damages to justify the attorney time expended. In addition, bringing a case as a class action may give plaintiffs an argument that they are also entitled to an attorney fee award under state statutes awarding fees for actions taken in the public interest or in defense of civil rights. (Fn 3)

However, even data theft cases brought as class actions have faced significant hurdles. This is mainly because the lead plaintiffs have often been unable to allege actual injuries resulting from the cyber security breach.

Continue reading "Tort Liability from Data Thefts: The Race is to the Swift" »