November 19, 2014 Articles

Class Action Suits in the Data Breach Context

Data privacy laws across the country merit increased attention.

By Katherine Ritchey, Jay Johnson, and Nandini Iyer

The number of reported data security breaches has significantly increased of late, as has the number of lawsuits that focus on the alleged access to or misuse of personal information resulting from such breaches. These lawsuits are often brought as class actions in order to capitalize on the high number of individuals about whom misappropriated data pertain and the increasing public sensitivity to privacy and security issues in general. Historically, establishing standing and damages in such suits has proved difficult. Indeed, the vast majority of suits, class action or otherwise, premised on common-law theories (1) fail to survive the pleadings stage because courts generally deem proof of an increased risk of future identity theft insufficient to confer standing, and (2) are difficult to prove in the absence of clear standards of conduct against which companies can be judged.

Enter privacy laws—particularly those directed to payment card and health care information breaches—that provide for statutory damages, minimum security standards, and other things that merit increased attention and purport to allow privacy and security plaintiffs to avoid historical pitfalls in bringing suit.

State Statutory Frameworks Regarding Payment Card Breaches
The 2007 Minnesota Plastic Card Statute, Minn. Stat. § 325E.64 (2007), was the first state privacy law to incorporate portions of the Payment Card Industry Data Security Standard, v. 1.1 (the PCI Standard). The Minnesota statute prohibits a Minnesota company from retaining card security code data, PIN verification codes, or the full contents of magnetic stripe data for more than 48 hours after authorization of a transaction. The statute also provides financial institutions the means to obtain reimbursement for certain costs of a breach resulting from a company’s failure to comply with those requirements, thus providing a statutory vehicle arguably aimed at addressing traditional hurdles to privacy and security suits.

Other states have done the same. For example, in July 2010, Washington adopted a law that gives financial institutions a cause of action against entities that fail to “take reasonable care to guard against unauthorized access” to payment card information when such failure is the proximate cause of a data security breach. Wash. Rev. Code § 19.255.020. The Washington law applies to (1) businesses that process more than six million payment cards annually and that provide, offer, or sell goods or services to residents of Washington; (2) processors or companies that transmit account information; and (3) vendors that manufacture and sell software or equipment designed to process, transmit, or store account information that the vendors do not own. A company is exempt if its compliance with the PCI Standard was validated by an annual security assessment that took place no more than one year prior to any security breach or if compromised account information was encrypted at the time of the breach.

Likewise, Nevada’s Security of Personal Information law was amended in January 2010 to require companies that do business in Nevada to comply with the PCI Standard in its entirety. Nev. Rev. Stat. § 603A.215. The Nevada law exempts an entity from liability for damages resulting from a breach if the entity is compliant with the statute and if the breach was not caused by the entity’s gross negligence or intentional misconduct. The Nevada statute does not provide clear remedies or identify who can bring suit for noncompliance, but its inclusion of the PCI Standard may be used by plaintiffs to establish the applicable standard of care in a common-law negligence action.
           
The data privacy regulations adopted by the Massachusetts Office of Consumer Affairs and Business Regulation that went into effect in 2010, 201 Mass. Code Regs. 17.00 (2010), do not directly incorporate the PCI Standard, but they contemplate similar protections and may be relied on by plaintiffs in payment card breach litigation. For example, under the Massachusetts law, companies must encrypt “all transmitted records and files containing personal information that will travel across public networks, and . . . all data containing personal information to be transmitted wirelessly,” as well as “all personal information stored on laptops or other portable devices.”
           
These laws and regulations provide nontraditional litigation tools that increasingly may be used in class actions involving payment card breaches.

State Statutory Frameworks Regarding Health Care Information Breaches
Like payment card breaches, data breaches involving health care information also are on the rise. Although the Health Insurance Portability and Accountability Act does not provide a path for class action litigation, state laws may fill the gap.

In California, for example, the Confidentiality of Medical Information Act (CMIA) allows a person to recover $1,000 in “nominal” damages against a health care provider who has negligently “released” the person’s medical information. The CMIA does not require proof of actual damages to the individual whose information has been disclosed. Cal. Civ. Code § 56 et seq. Recent California Court of Appeal decisions hold, however, that plaintiffs seeking nominal damages still must plead and prove something beyond the potential release of confidential health information to unauthorized persons, suggesting that this statute may in fact present standing issues similar to those presented by common-law causes of action.

In Regents of University of California v. Superior Court, 220 Cal. App. 4th 549 (2013), the plaintiffs filed a class action lawsuit seeking nominal damages under the CMIA from the Regents of the University of California, alleging that the regents failed to maintain reasonable systems and controls to prevent the unlawful disclosure of information and thus negligently lost possession of an encrypted external hard drive containing the plaintiffs’ health care information. The court, finding for the Regents, held that the plaintiffs cannot collect statutory damages unless they can plead and prove that their medical information had been “released,” meaning that it was “viewed by an unauthorized individual.” Id. at 570.

Another California appellate court has held similarly. In Sutter Health v. Superior Court, 227 Cal. App. 4th 1546 (2014), the plaintiffs unsuccessfully sought to recover nominal damages under the CMIA for 4 million affected patients. A unanimous panel held that “[t]he mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.” Id. at 1553; see also Falkenberg et al. v. Alere Home Monitoring, 2014 WL 5020431, at *3 (N.D. Cal. Oct. 7, 2014) (noting “that, in a stolen computer case, there can be no liability for negligent release of CMI under sections 56.101 and 56.36 absent allegations, and subsequently proof, that the CMI on a stolen computer has been actually viewed by a third party”).

Recent decisions thus show that while the CMIA and other state laws may present opportunities for class action recovery in the context of a breach involving health care information, hurdles still exist.

To Look Ahead
Payment card and health care information laws that provide for statutory damages or minimum security requirements, including those discussed above, merit increased attention. Although it is too early to predict whether litigation premised on such statutory tools will fare better than litigation premised on their common-law counterparts, plaintiffs will continue to utilize the former. And because privacy and security are important and timely topics, we can expect that class action litigation in response to significant data breaches will continue as well.

Companies that collect, process, store, or handle consumer information—be it payment card information, health care information, or other types—should remain proactive in evaluating and addressing their litigation liability risks and should be wary of nontraditional litigation tools that previously were paid little attention.

Keywords: litigation, class actions, derivative suits, data security breach, Minnesota Plastic Card Statute, Nevada Security of Personal Information, California Confidentiality of Medical Information Act


Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).