The battle against data thieves heats up, January 20, 2015

The battle against data thieves heats up

Suppose a company you've done business with is hacked, and the hackers get your name, user ID, password, credit-card number, and other personal info.

1) Does the company have to notify you to tell you that your information has been stolen?

2) If it happens that the company's lax security controls contributed to the theft, do you have a cause of action against the company even if you haven't lost any money or suffered other direct, quantifiable damages?

The answer to the first question is maybe, depending on the state in which you reside. However, just last week President Obama proposed a federal data-breach law that would create a single nationwide standard specifying when and how consumers would need to be notified when their personal data is stolen due to a data breach by an organization they have interacted with. At present, nearly all states have their own statutory data-breach notification requirements. The bad news is that the federal law might actually be less stringent in some areas than the state statutes.

Many of the questions pertaining to the President's proposal are answered by Robert E. Cattanach and Bradley Hammer in a January 19, 2015, post on the JD Supra Business Advisor. For example, the federal law applies only to organizations that collect personal information from at least 10,000 people in a 12-month period. Most state data-breach statutes apply to all organizations that collect such information. This indicates the state laws will not be completely preempted by the federal rule.

The Obama proposal broadens the definition of "personal information" to include home address and phone number; mother's maiden name; full birth date; any government-issued identification number (including driver's license number); any financial account information (including bank routing numbers); user names and email addresses in combination with passwords or security questions; and any combination of your first name-last name-middle initial, identifying number, and security code, password, or source code used to generate a password.

The definition of a "data breach" is similar in the federal proposal to existing state laws. Likewise, requirements for notifying individuals of a breach of their personal information are much the same. However, the federal statute would require notification of a federal agency, and subsequently the U.S. Postal Service, the FBI, and the Federal Trade Commission in the event of massive data breaches and breaches involving national security or law enforcement.

In a January 15, 2015, post on the Krebs on Security site, Brian Krebs explains that it's uncertain whether the federal law would serve as a baseline, and state laws could impose more stringent requirements on organizations who have lost individuals' sensitive information. Apart from the unresolved federal-preemption questions, critics point out that the law leaves open whether the companies would be required to disclose how the breach occurred. Another open question is whether organizations would have to notify people when their encrypted data has been lost. Currently, the encryption exemption excludes such data, but what happens when the company also loses the data's encryption key?

Easing the burden on plaintiffs to prove damages resulting from a breach

The answer to the second question -- whether individuals may sue for the increased risk of damages and other indirect costs resulting from the breach -- is probably not, although this may be changing slowly.

To date, few courts have recognized a right to damages for plaintiffs whose personal information -- including Social Security numbers, bank account numbers, credit-card numbers, and other data -- has been stolen as the result of a data breach suffered by a third party with whom they've transacted business. The only exception is when the plaintiffs can prove they've incurred quantifiable, direct damages, such as theft of funds from a compromised bank account. In nearly all cases, the risk of future damage alone, and the costs of heightened monitoring of accounts and other preventive actions, have been ruled insufficient to prove standing to sue for damages.

Similarly, defendants' motions to dismiss class action suits following large-scale data breaches are nearly always granted for two reasons. First, Federal Rule of Civil Procedure 23(b)(3) requires that the members of the class have suffered the same damage, that "questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Second, when the members of the class seek damages at a level specified by a state statute (generally $500), the courts have still required that each member prove individualized damages.

The uphill climb class-action plaintiffs face in such situations are explained by Nicholas Ranjan and James P. Angelo in a December 15, 2014, post on the K&L Gates site.

The burden is not much easier on individual plaintiffs in suits alleging damages due to loss of their personal information in a data breach. How do you prove that the breach increased the risk of fraud, and that the increased risk isn't the result of some other unrelated factors? The victim of the breach may be a member of what MIT Professor Arnold Barnett calls an "at-risk population" whose fraud risk is higher independent of any specific data breach. Barnett describes the difficulty of calculating damages resulting from a data breach in an article from August 2012 on the Analysis Group Forum.

Class action suit against Target survives motion to dismiss

An organization's liability resulting from a data breach may widening, if two recent decisions by a federal district court in Minnesota are indicators of a trend. Kristin Ann Shepard and Marty Solomon explain in a January 14, 2015, post on JD Supra Business Advisor that the court dismissed Target's motion to dismiss a consumer class-action suit resulting from the company's massive data breach in 2013. The court rejected Target's claim that the 114 plaintiffs lacked standing under Article III of the U.S. Constitution because they failed to allege any "concrete, certainly impending injury" caused by the breach.

Target did manage to get some claims dismissed under notification statutes in several states, as well as the plaintiff's bailment charges. The court let stand the plaintiff's unjust enrichment claims under the theory that they "would not have shopped" at Target if they had been timely notified of the breach. Finally, the plaintiff's breach of implied warranty claims survived Target's motion to dismiss, but their breach of express contract claims were dismissed.

The class of putative financial institutions was allowed to proceed with its claims against Target for negligence, negligence per se, and violation of Minnesota's credit-card security statute, which the court ruled applies outside of the state as well. (A January 13, 2015, article on JD Supra Business Advisor by Melody McAnally provides more information on the bank's initial court victory against Target.)

While Target is far from bereft of defenses against the class-action claims of consumers and financial institutions, other potential plaintiffs may be encouraged by the courts' rulings to pursue their claims against the company, and against other organizations that lost their personal information due to a data breach. Most importantly, if companies know they may be hit hard in the pocketbook following their loss of customers' personal information in a breach, they're much more likely to increase their data-security efforts.

It's about damn time!

-----------------------------------------------------------------------

Live longer by dancing through those commercial breaks

Everybody knows you shouldn't make a big change in lifestyle simply because you read about the results of some study. Still, after I heard about the dangers of prolonged sitting, as reported by Tech Times' Rhodi Lee in a January 20, 2015, article, I made a mental note to stand up and move around for a few minutes every hour. All because of research published in the Annals of Internal Medicine on January 19, 2015, which compiled and analyzed the results 47 other studies on the effects of sitting for long periods of time.

The upshot? A sedentary lifestyle increases your risks of heart disease, cancer, diabetes, and premature death -- by 15 to 20 percent in some cases, and by up to 90 percent for diabetes. More bad news: exercising regular doesn't mitigate the increased risk. "Prolonged sitting" is defined as between eight and 12 hours a day. To avoid the perils of a good, long sit, the researchers recommend that we stand up or move around for a few minutes each half hour we're sitting at a desk. And while we're watching TV, we should get up and dance to the commercials -- or maybe skip the commercials and do a few brisk laps around the living room.

Your dog will love it.

-------------------------------------------------------------------------------

Can you have your pizza and longevity, too?

Some studies you might benefit from overreacting to -- even if they eventually turn out to be not so telling as they first appeared. In a January 7, 2015, article in the New York Times, Gretchen Reynolds reports on the findings of researchers at King's College of London and the University of Birmingham in England who studied the health of very active older folks. They concluded that regular vigorous physical activity can keep your body young.

The subjects were men and women between the ages of 55 and 79 who bicycle regularly and are able to cover 62 miles in six-and-a-half hours for the men, and 37 miles in five-and-a-half hours for the women. They were not competitive athletes but rather "serious recreational riders." When they were given various physical ability tests, the riders were found to perform much closer to young adults than to other people their own age in terms of balance, reflexes, metabolic health, and memory.

Unfortunately, a high exercise level didn't prevent age-related declines in muscle power and mass, and aerobic capacity. Still, the cyclists rated much higher than others in their age group in these categories as well. As usual, the researchers warn against coming to conclusions based on the results of a single study, but they point out that staying active has benefits beyond possibly delaying the physical effects of aging. It makes you feel good, too, and you don't need a study to tell you that.

Excuse me, but it's time for me to hop on the old two-wheeler and ride -- all the way to the taqueria across town.