Significant Case Developments
Data Security Auditor May be Drawn Into Data Breach Class Action for Failing to Identify Vulnerabilities
Storm v. Paytime, Inc., No. 14-cv-01138-JEJ (M.D. Pa.).
In August, Paytime, Inc., a payroll services company, moved to dismiss a putative class action filed in the wake of a data breach in which the personal and financial information of more than 230,000 people was compromised. Paytime argued that the plaintiffs lack standing, have failed to plead actual harm, and were not a party to or intended beneficiary of any contract with Paytime.
On September 30, while the motion to dismiss was pending, Paytime ran up against the court’s deadline for joining additional parties and filed a motion for leave to file a third party complaint against its data security auditor. Six months prior to the data breach, SotirIS, a provider of integrated business solutions and cloud hosting, performed a “comprehensive breach assessment” for Paytime. According to Paytime, “SotirIS failed to identify vulnerabilities in Paytime’s computer systems and, therefore, contributed to the occurrence of the data security event.” Therefore, Paytime argues, if Paytime were found liable “for such a vulnerability, then SotirIS is liable to [Paytime] for contribution and indemnification.”
The plaintiffs have not yet opposed Paytime’s motion for leave to file a third party complaint. As of October 7, the motion to dismiss was fully briefed.
Wyndham and its Directors Duck Shareholder Derivative Suit About Data Breach
Palkon v. Holmes, No. 2:14-cv-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).
As Wyndham Worldwide Corp. escalates its fight over the FTC’s power to regulate data security practices to the Third Circuit (see our July issue), its directors, at least, can breathe a sigh of relief. On October 20, the U.S. District Court for the District of New Jersey dismissed a shareholder derivative suit against the directors and Wyndham. As we and our colleagues previously reported, Wyndham allegedly experienced three data breaches between 2008 and 2010, compromising the credit card information of more than 619,000 consumers and allegedly leading to fraud on those accounts of more than $10.6 million.
The shareholder derivative suit charged that the directors failed to ensure adequate data security measures were in place, failed to timely report the breach, and had wrongly refused a shareholder demand that the board bring a lawsuit based on the breach. Applying Delaware law, the court found that the board’s decision to refuse the shareholder demand fell under the business judgment rule and that the plaintiff had failed to plead facts that the board had acted either in bad faith or based on an unreasonable investigation. The court therefore dismissed the suit with prejudice.
Cybercrime in the News
Leader of “Most Sophisticated Cybercrime Ring” Sentenced to 11 Years, Ars Technica (Oct. 27, 2014).
FCC Delves Into Data Security Regulation, Fining Companies for $10 Million
The Federal Communications Commission announced on October 24 its intention to fine two telecom companies $10 million for storing the personally identifiable information of more than 300,000 customers online without firewalls, encryption, or any protection. While the Federal Trade Commission routinely fines companies for data security failures, this is the Federal Communication Commission’s first data security enforcement action and, according to the press release, “the largest privacy action in the Commission’s history.”
The FCC alleges in a Notice of Apparent Liability for Forfeiture that the failure of the two wireless carriers, TerraCom, Inc. and Yourtel America, Inc., to protect the Social Security numbers and other personal information of their customers amounted to a violation of Sections 222(a) and 201(b) of the Communications Act. Section 222(a) requires telecommunications companies to maintain the confidentiality of customers’ “proprietary information.” Section 201(b) provides that “[a]ll charges, practices, classifications, and regulations for and in connection with [interstate and foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.” The companies’ alleged false statements about their security practices in their privacy policies and their failure to notify customers about the breach also violated Section 201(b) of the Communications Act, according to the FCC.
In calculating the $10 million Section 222(a) fine, the FCC noted that each of the more than 300,000 customer records amounted to a single violation of the Communications Act (assuming that each customer only had one record). And while it calculated a $1.5 million fine for the 201(b) violations, the FCC acknowledged that it had never before used that section to regulate carrier’s data security or data breach notification practices and stopped short of proposing such a fine. However, the FCC declared, “[C]arriers are now on notice that in the future we fully intend to assess forfeitures for such [201(b)] violations.”
FDA Issues Guidance on Cybersecurity for Medical Devices
On October 2, the FDA issued guidance on cybersecurity for medical devices containing software in order “to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”
Adopting the NIST Cybersecurity Framework’s basic tenets (identify, protect, detect, respond, and recover), the FDA recommends that manufacturers identify potential risks; develop security functions to protect devices; take steps to detect security compromises; provide information about steps to take to respond to a breach; and ensure that users are able to recover the functionality of the device after a breach. In particular, medical devices should be configured to limit access to trusted users only and to ensure trusted content. At the same time, “security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.”
The FDA provides manufacturers with several specific examples of documentation they should provide in premarket submissions (e.g., a traceable matrix linking actual cybersecurity controls to risks considered). The guidance also lists a number of consensus standards relating to information technology and medical device security.
In late October, following the release of the guidance, the FDA also hosted a workshop and a webinar addressing cybersecurity in medical devices.
TD Bank Settles Multistate AG Data Breach Enforcement Action
On October 16, Connecticut Attorney General George Jepsen announced that TD Bank, N.A. agreed to pay $850,000 to resolve claims involving a 2012 data breach in which nine unencrypted backup tapes containing the personal information of more than 260,000 customers were missing. Nine state attorneys general – from Connecticut, Florida, Maine, Maryland, New Jersey, New York, North Carolina, Pennsylvania and Vermont – signed on to the settlement following a year-and-a-half-long investigation of TD Bank’s security policies and procedures. The bank properly notified the affected customers and offered free credit monitoring services.
In addition to paying $850,000, TD Bank agreed:
- To comply with state’s data breach notification laws in the future;
- To maintain “reasonable security policies and procedures;”
- To encrypt any backup tapes being transported off the bank’s premises;
- To periodically review its policies with respect to the collection, storage, and transfer of personal information; and
- To train employees on data privacy and security procedures.
Ireland’s Data Protection Agency Prosecutes Company Directors
On October 6, the Irish Office of the Data Protection Commissioner announced that M.C.K. Rentals Limited and its two directors pleaded guilty to violations of Sections 22 and 29 of Ireland’s Data Protection Acts. According to the Data Protection Commissioner, M.C.K. obtained personal data from the Department of Social Protection and Primary Care Reimbursement Services and provided the data to credit unions without permission.
This is the first time that the Data Protection Commissioner has prosecuted company directors. Section 29 of the Data Protection Acts expressly permits actions against company directors or officers who consent to or negligently allow a violation. Although the two directors were charged with 23 counts of breaches of Section 29, they pleaded guilty to one charge each and were fined € 1,500 each. (M.C.K. pleaded guilty to 5 of 22 counts and was fined € 7,500.)