The news has been saturated lately by stories of data breaches. The IRS discovered recently that a breach of citizens’ tax return information covered more than 330,000 taxpayers, three times the number originally identified in May of this year. Target’s data breach in 2013 is back in the news because the company just settled claims against it by Visa for a whopping $67 million, and will likely pay the same to MasterCard. Most recently, many people are facing the personal and economic consequences of the Ashley Madison website data breach in July. A salient question for all entities maintaining customers’ personal information is: what is the standard for securing that data? In determining the answer to that question, entities must know the federal and state laws that potentially apply.
Federal Law: FTC Enforcement
There are certain laws that will apply to almost any U.S. entity gathering personal information. The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The Federal Trade Commission (“FTC”) has for over ten years now used its enforcement authority under the “unfairness” prong to bring actions against compromised entities for failure to use “readily available security measures.” The Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. recently rejected a challenge to the FTC’s power to regulate data security issues, a confirmation of authority that will likely only increase its efforts in the data security arena.
So, what does the federal rule require? The standard for unfairness has been criticized as frustratingly vague, and the Wyndham defendants unsuccessfully argued that the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow. In rejecting Wyndham’s argument, the Third Circuit suggested two primary sources for a company’s determination of the reasonableness of its security practices, both available on the FTC’s website:
- The FTC’s guidebook, Protecting Personal Information: A Guide for Business, which describes a “checklist” of practices that form a “sound data security plan.” While the checklist does not provide certainty that a company is following the law, as the Wyndham court said, “the FTC’s expert views about the characteristics of a ‘sound data security plan’ could certainly have helped Wyndham determine in advance that its conduct might not survive the cost-benefit analysis.” Opinion at 42.
- Previous FTC complaints and consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity. The court listed allegations from the FTC’s complaint against CardSystems Solutions Inc. in 2006. Other examples include the FTC’s complaint and 2008 settlement agreement with ValueClick, faulting the company for not using encryption and for storing information longer than necessary for the purposes for which it was gathered; and its complaint and 2008 settlement agreement with the owner of TJ Maxx, which was criticized post-breach for storing and transmitting personal information in clear text, failing to limit wireless access to its networks, failing to require the use of “strong” passwords by network administrators and others, and failing to use available patches and updated anti-virus software to secure data.
In addition to the general FTC unfairness provision, the FTC “Red Flags Rule” requires banks and financial services companies to establish an identity theft prevention program that is “appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.” It also requires action by covered entities that experience a “red flag,” which is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 16 CFR 681.1.
PCI Data Security Standards
More specific requirements govern entities involved in payment card processing, including merchants; processing, acquiring, and issuing banks; and service providers, as well as all other entities that store, process, or transmit cardholder or authentication data. Those entities are required by the Payment Card Industry Security Standards Council (“PCI SSC”) Data Security Standards (“PCI DSS”) to agree contractually to specific data security requirements.
State Common Law and Statutes
Besides facing liability based on FTC enforcement and contractual agreements with financial institutions, entities that experience a data breach are likely to face litigation brought by affected customers and by the financial institutions that provided credit or debit cards to those customers. Indeed, class actions now seem inevitable following news of a data breach, and recent opinions have reversed a trend of denying such claims by consumers for lack of standing. For such actions, data breach targets need to be prepared for negligence claims, breach of contract actions based on company privacy policies, and claims for breach of state consumer protection and data security or breach notification statutes. Importantly, companies need to be aware of all the states’ laws that may apply to their data security practices, and may need to tailor their data breach practices to the most stringent of those state laws, despite doing the majority of their business elsewhere.
The Target breach illustrates the breadth of applicable state laws when a data breach affects a large company. On December 19, 2013, Target announced that it had been the victim of a criminal attack on its computer network by third-party intruders who stole payment card data and other personal information from customers who shopped at Target from November 27 through December 18, 2013. The retailer now estimates that about 42 million people had their credit or debit information stolen, with the largest totals coming from California, Texas, and Florida.
Class action lawsuits were brought on behalf of customers across the country, alleging violations of consumer protection statutes of 49 states and the District of Columbia, and data breach notification statutes of 38 states. Judge Magnuson of the District of Minnesota denied Target’s motion to dismiss claims brought under the consumer protection laws of 37 states (dismissing those where the states did not allow private rights of action and/or class actions); and denied the motion to dismiss claims based on data breach notification statutes of 26 states (where the states allow private rights of action). While many consumer protection statutes have general “unfair practices” language similar to federal law, some of the states’ laws are surprisingly specific. Target’s home jurisdiction of Minnesota has a particularly specific rule, the Plastic Card Security Act (PCSA), which imposes liability upon merchants who retain credit card information “subsequent to the authorization of the transaction,” or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. Minn. Stat. § 325E.64.
The class action brought by financial institutions against Target focused entirely on Minnesota law, alleging negligence, violation of the PCSA, and negligence per se because of the PCSA violation. Target tried to limit the application of the Minnesota law to the business it did in Minnesota (only a small part of the transactions at issue), but the court rejected its argument:
The Act does not apply only to business transactions that take place in Minnesota. By its terms, it applies to the data retention practices of any person or entity “conducting business in Minnesota.” Minn. Stat. § 325E.64, subd. 2. Target is a Minnesota company that conducts business in Minnesota, and thus its data retention practices are governed by the Act. And contrary to Target’s assertions, the application of the PCSA to out-of-state transactions does not implicate the dormant Commerce Clause. (citations omitted)
Another example is the Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2011 WL 6012598 (S.D. Texas). In the case brought by financial institutions, the company’s argument was the opposite of Target’s. Instead of limiting the application of its home state statute, Heartland argued that the law of its home state, New Jersey, should be the ONLY law applicable (particularly since the court agreed that New Jersey’s Consumer Fraud Act did not protect financial institutions in this circumstance). The court disagreed:
Courts have applied multiple states’ laws in consumer protection cases when choice-of-law rules require doing so. See In re Pharm. Indus. Average Wholesale Price Litig., 252 F.R.D. 83, 93-96 (D. Mass. 2008) (considering the appropriate approach to certifying a consumer class action involving multiple states’ laws). Even if only one state’s law could apply, Rule 8 allows a plaintiff to “set out 2 or more statements of a claim . . . alternatively[.]” Fed. R. Civ. P. 8(d)(2). The rule applies equally to contentions regarding the applicable law. . .
In Heartland, the court dismissed claims based on 22 other states’ consumer-protection laws, finding the plaintiffs lacked standing to bring claims under the laws of states where neither they nor Heartland were located. But the court upheld or allowed repleading of claims under CA, CO, FL, IL, and TX law.
Finally, a US class action has also been filed in the Ashley Madison website breach, where the Toronto-based company’s breach implicates pointed privacy interests in addition to the economic woes typically associated with data breaches. In what is sure to be the first of many suits, a California class action was filed on behalf of a plaintiff who wishes to remain anonymous, seeking damages based on negligence, negligent infliction of emotional distress, violation of California’s Unfair Competition Law, and violation of California’s Customer Records Act.
If Ashley Madison plaintiffs can overcome the arbitration and choice of law clauses in the website’s terms of use, they will certainly face claims under the laws of other states in addition to California. It is yet to be seen whether “reasonable security procedures” are the same under California law as they are under other states’ statutes. See Cal. Civ. Code § 1798.81(b): “A business that owns or licenses personal information about a California resident [must] implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Faced with vague “fairness” requirements under federal and state law, as well as some specific state security and breach notification laws, the best a data-collecting company can do to protect itself is to pinpoint all the jurisdictions whose laws may be implicated in a breach. Compliance with the FTC checklist, timely review of FTC complaints and settlement agreements in similar cases, and compliance with specific state laws should at least give a company comfort that it is applying best practices, and serve as evidence that the entity acted reasonably under the circumstances.
Allyson Haynes Stuart @ http://charlestonlaw.edu/facultymember/47
(original publication in https://www.linkedin.com...)