Archive for the 'Insurance Law' Category

Privacy Case of the Week Newsletter Issue #1-2012

Todd Ruback January 5th, 2012

Privacy Case of the Week Newsletter

Issue #1-2012

January 5, 2012

Todd B. Ruback, Esq., CIPP/US, CIPP/IT

This issue of the Privacy Case of the Week Newsletter features a precedential case in the Third Circuit, Reilly v. Ceridian Corporation, No. 11-1738 (3d Cir., December 12, 2011), a class action data breach case in which the 3rd Circuit Court of Appeals affirmed an order of the US District Court for the District of New Jersey granting the Defendant’s motion to dismiss for lack of standing and failure to state a claim. Following the growing trend among numerous Federal courts, the Court of Appeals held that the Appellants lacked standing and did not reach the merits of any substantive issue. (For examples of such cases, see Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-1053 (E.D. Mo. 2009); Key v. DSW, Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006).)

Ceridian is a payroll processing company based in Minnesota.  They collect personal information about employees of their customers in order to issue payroll checks and withhold taxes.  The Appellants were employees of a law firm, which was a customer of Ceridian.  In 2009 Ceridian suffered a security breach when an unknown computer hacker gained access to the Appellants’ personal information, as well as the personal information of approximately 27,000 other employees of Ceridian customers.  Ceridian performed an investigation of the security breach and as a result sent notification letters to the individuals whose personal information may have been accessed. In 2010 the Appellants filed a lawsuit against Ceridian in the US District Court for the District of New Jersey alleging that they had an increased risk of identity theft, had incurred costs to monitor their credit activity and had suffered emotional distress.   Ceridian soon after filed a motion to dismiss for lack of standing and failure to state a claim. The District Court granted the motion to dismiss, holding that the Appellants lacked Article III standing under the US Constitution, and further held that even if the Appellants had standing, they nonetheless failed to adequately allege the damages, injury and ascertainable loss elements to their claim.  Appellants appealed.

The Court of Appeals, in agreeing with the District Court, held that allegations of hypothetical, possible future injury did not establish standing (injury-in-fact) under Article III of the US Constitution. As part of its analysis the Court of Appeals stated that ‘Constitutional standing requires an “injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Danvers Motor Co. v. Ford Motor Co., 432 F.3d 286, 290-291 (3d Cir. 2005) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)).’ The Court of Appeals further stated that the “Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus no harm.”

Appellants, in trying to convince the court to go against the growing trend of dismissal for lack of standing in class action breach litigation, relied principally on Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) and Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), in which those courts conferred standing. Here, however, the Court of Appeals found those cases had little persuasive value.

In both Pisciotta and Krottner the threatened harms were significantly more imminent and certainly impending. In distinguishing those two cases from Ceridian the Court of Appeals stated: “In Pisciotta there was evidence that ‘the [hacker’s] intrusion was sophisticated, intentional and malicious.’ 499 F.3d at 632. In Krottner, someone attempted to open a bank account with a plaintiff’s information following the physical theft of the laptop. See 628 F.3d at 1142. Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse, and therefore, no injury. Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated. Appellants’ string of hypothetical injuries do not meet the requirement of an ‘actual or imminent’ injury.”

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in privacy matters. For additional information about the matters in this bulletin or in the firm’s Privacy and Technology Law Group, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT.

Todd B. Ruback, Esq., CIPP, CIPP/IT is chair of the Privacy and Technology Law Group at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He is also chairman of the Privacy Special Committee of the New Jersey State Bar Association.  He represents insurance carriers as a data breach attorney, providing incident response services and defense litigation. He also performs privacy audits to determine the gaps and maturity of a company’s privacy processes, as well as implements privacy best practices.  He can be reached at 908-757-7800 x196 or by email at truback@newjerseylaw.net.

The information contained in this blog is intended solely for informational purposes; it is an advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C. This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.

Entrepreneur Magazine: “What to Do If Your Business Gets Hacked”

Todd Ruback December 5th, 2011

Privacy attorney Todd B. Ruback was quoted in an article found in today’s Entrepreneur Magazine entitled “What to Do If Your Business Gets Hacked” by Riva Richmond.  The article can be found at http://www.entrepreneur.com/article/220807.


Privacy Case of the Week Newsletter - Issue #2

Todd Ruback November 7th, 2011

Privacy Case of the Week Newsletter

Issue 2

November 7, 2011

By Todd B. Ruback, Esq., CIPP, CIPP/IT

This issue is not about a privacy case, but rather is an update on the California and Texas data breach notification laws. 

California

The amended state data breach notification law, S.B. 24, goes into effect on January 1, 2012 and mandates that businesses and state agencies that are required to provide notice to state residents because of incurred data breaches must, in addition to their other obligations, also do the following:

  1. Notify the California Attorney General if notification for any one breach goes to more than 500 state residents.
  2. Notices must be specific and include:
     - Type of information breached
     - Time of the breach
     - Toll-free number of the major Credit Reporting Agencies
  3. If a breach affects more than 500,000 state residents or will cost more than $250,000 to send notices, then in addition to posting notice of the breach on their website and in major statewide media, such as newspapers, the business must notify the California Office of Privacy Protection (State agencies must notify the California Office of Information Security).

Additionally, Covered Entities under HIPAA are deemed to be compliant with S.B. 24 if they are in compliance with the data breach notification requirements under HIPAA.

Texas

Texas recently expanded the breadth and reach of its state data breach notification law through the passage of H.B. 300. Under the amended law, residents of states which do not presently have a state data breach notification law (Alabama, Kentucky, New Mexico and South Dakota) must be notified of a data breach incurred by a business that conducts business in Texas. Unfortunately the law does not define “conducts business in Texas”. The law provides for penalties to the company for non-compliance with its obligation to notify non-Texas residents who are not covered by another state’s data breach notification law. For non-Texas residents whose states do have a state data breach notification law, H.B. 300 provides that they too must receive notice. However, if a business complies with the respective state’s data breach notification law, then it is deemed to have complied with H.B. 300.

The amended law adds penalties for non-compliance.  Under the old law the state could impose fines of up to $50,000 for each violation of the state data breach notification statute. In addition to this potential penalty, H.B. 300 provides for statutory penalties of up to $100 per individual per day for failure to provide notice, not to exceed $250,000 for a single breach. Additionally, the state Attorney General may also recover its reasonable expenses for enforcement actions.  The maximum penalty for any one data breach in Texas under H.B. 300 is now $300,000 plus expenses.

Texas also modified its definition of sensitive personal information to include not only name plus social security number, government issued identification card number or financial account number, but also personally identifying information such as the physical or mental health condition of a person, the health care that was given to a person, or information about payment for such health care.

H.B. 300 also amends the state’s Health and Safety Code to impose privacy and security requirements that are stricter than HIPAA’s requirements. These more stringent privacy and security requirements on health care extend to entities that are neither “Covered Entities” nor “Business Associates” under the HIPAA definitions. Under H.B. 300 a “Covered Entity” is any entity that handles Protected Health Information (as defined by HIPAA). These entities must now implement training programs and provide notices to consumers about electronic disclosures that the Covered Entity makes. In essence, the amended law in Texas imposes new privacy compliance obligations on businesses that were previously not under the auspices of HIPAA at all.

Penalties for healthcare violations under H.B. 300 range from $5,000 per negligent violation, to $25,000 for knowing or intentional violations, to $250,000 per violation in which the covered entity knowingly or intentionally uses PHI for financial gain. There is an annual cap on liability of $250,000, but for repeat offenders where there is a pattern of violations, a court may impose a penalty of up to $1,500,000 annually.

Conclusion:

In a situation of a breach to a company conducting business in Texas where only residents of Alabama, Kentucky, New Mexico or South Dakota are affected, the long arm of Texas may impose penalties and fines for non-compliance with the amended Texas data breach notification law. Penalties and fines are increased to the higher end of the national scale.  Further, any company conducting business in Texas that handles PHI under the expanded concept should actively review its processes to identify any risks and vulnerabilities, so it may impose controls to mitigate such risk.


Privacy Case of the Week Newsletter Issue 1

Todd Ruback October 28th, 2011

Privacy Case of the Week Newsletter

Issue 1

This issue of the Privacy Case of the Week Newsletter features Anderson v. Hannaford Bros., Co., No. 10-2384 and No. 10-2450 (1st Cir. Oct. 20, 2011). In this data breach class action lawsuit the Appellate Court in Maine focused on a narrow set of facts in determining that the plaintiffs had legally recognized damages and thus could survive a Motion to Dismiss. In Hannaford the defendant was targeted in 2007 by hackers who penetrated the defendant’s computer network for the express purpose of stealing credit/debit card information and ultimately did steal 4.2 million credit/debit card numbers. The trial court dismissed the plaintiffs’ causes of action for negligence and breach of an implied contract, stating that under Maine law damages for the cost and effort associated with mitigation against identity theft were too remote to be foreseeable by the defendant. The Appellate Court took up the case upon the narrow issue of whether the plaintiffs, who had not suffered fraud losses, but had incurred costs and expended efforts to protect their identity and mitigate losses, had damages that were reasonably foreseeable.

Under Maine law a plaintiff may recover damages under negligence and contract claims for reasonable out-of-pocket mitigation costs and expenses. The Appellate Court held that because this particular breach targeted credit/debit card information, it was reasonable for the affected consumers to spend money to protect their identities by purchasing credit insurance and also having new credit/debit cards issued. In its holding the Appellate Court distinguished between the targeted hacking of a network with the purpose of stealing credit/debit card information and other types of data breaches such as the inadvertent loss of laptops, in which the loss of the equipment is not linked to a deliberate attempt to commit credit card fraud. Although other credit card based breach litigation has generally resulted in dismissal at the trial court level, the Appellate Court distinguished Hannaford from those cases because in Hannaford approximately 1800 of the 4.2 million credit/debit cards stolen, or 0.00042%, actually suffered some degree of identity theft or misuse. Thus, the defendant had notice and was aware that the identity theft or misuse had occurred.

Although the Hannaford holding is contrary to the general trend in data breach litigation, the particular set of facts in this case is so narrow that one should not infer a swing in the data breach litigation pendulum. However, insurance carriers and their insureds would be wise to shift their approach in underwriting by keeping in mind that there is now precedent for distinguishing between breaches that target credit/debit card information and inadvertent data breaches.

Todd B. Ruback is head of the Privacy and Technology Law Group at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. (www.dbnjlaw.com). He is also chairman of the Privacy Committee of the New Jersey State Bar Association. He can be reached at truback@newjerseylaw.net or by phone at 908-757-7800 x196. His practice focuses on data breach incident response, litigation defense, and data breach prevention.


Article Regarding the New India Privacy Law

Todd Ruback October 24th, 2011

Todd Ruback and Sarah Mahony have co-authored an article entitled “An Overview of Recent Statutory Changes to Privacy Law in India in Comparison to Similar U.S. and EU Privacy Rules.” This article appears in the October 2011 issue of the New Jersey Lawyer Magazine (www.njsba.com) and can also be found by clicking the following: An Overview of Recent Statutory Changes to Privacy Law in India in Comparison to Similar U.S. and EU Privacy Rules


Steven Kunzman to Co-Chair Seminar on Groundwater Contamination

SteveK August 15th, 2011

Steve Kunzman, partner in the firm, will be a co-chair of a comprehensive conference:

Groundwater Contamination and Vapor Intrusion Cases

The seminar, which will be put on by Law Seminars International, will take place at the Sheraton Newark Airport Hotel on September 15 and 16.

For more information and to register go to: http://www.lawseminars.com/seminars/11GWATNJ.php

The speakers include noted attorneys, remediation consultants and other noted experts in the field. The seminar is co-chaired by Ira Gottlieb of McCarter & English. Steven and Ira will also be speaking on insurance coverage issues relating to groundwater claims.

NJ Supreme Court rules that a claim against insurer for bad faith can be decided by a jury.

SteveK June 15th, 2011

On June 14, 2011 the New Jersey Supreme Court ruled that a claim for bad faith against an insurer for failure to settle a case within the limits of an insurance policy is to be decided by a jury. Wood v. New Jersey Manufacturers Insurance Co. involved a claim by Karen Wood who was bitten by a dog when delivering mail in a condominium complex. New Jersey Manufacturers (NJM) insured the owner of the dog and defended the case under the policy. Prior to trial an arbitrator assessed the damages as $600,000, and apportioned the award 90% to the owner of the dog and 10% to the condominium association. The arbitration award was rejected by the defendant’s insurer and the matter proceeded to trial. Prior to trial NJM offered to settle the case for $300,000; however, the offer was rejected. The plaintiff did agree to settle the case at or near the policy limits of $500,000. Prior to trial both defense counsel and NJM’s claims handler recommended payment of the policy limits, but NJM’s claims committee refused to increase the offer. In accordance with the Rova Farms decision, the plaintiff placed NJM on notice that the offer was in bad faith. The matter went to trial and the jury awarded the plaintiff damages in the amount of $2,422,000. The jury also assessed 51% of the liability to the dog owner. The trial court molded the verdict so that the dog owner was responsible for $1,408,320.33 of the judgment. NJM paid the $500,000 policy limits. The defendant assigned her claim for bad faith against NJM to the plaintiff so that plaintiff could pursue NJM for the judgment in excess of the policy limits. Plaintiff filed a motion for summary judgment which was granted. On appeal, the defendant, NJM, argued that summary judgment was improper for a variety of reasons, including that the matter should have been decided by a jury.
The Appellate Division remanded to the trial court for more specific findings of fact and for the trial court to determine if the matter should be decided by a jury. The N.J. Supreme Court granted certification on the sole issue of whether such claims should be decided by a jury. The Supreme Court decided that this was not an issue of whether or not there is coverage under the policy as is typically contained in a declaratory judgment action, but is a “garden variety” contract action based upon the covenant of good faith and fair dealing which is contained in all contracts.  The Court determined that the claim was legal in nature, not equitable, and was, therefore, to be decided by a jury. The Court was careful to note that not every Rova Farms-bad faith case must be tried to a jury, as the parties may elect to waive the jury either by not demanding it in the first instance, or where the parties agree that a bench trial would be more fitting.

Once a jury trial is demanded in a pleading in New Jersey, both parties must consent to waive the jury demand unless there is no right to a jury for the claims. It is interesting to note that only the plaintiff demanded a jury trial in the pleadings of this case, but that it was NJM that insisted on the jury trial. NJM’s position was joined by the amici curiae Insurance Council of New Jersey, and the Property Casualty Insurers Association of America.  Whether the decision to assert the jury right was a strategic maneuver to avoid an adverse decision and keep the matter open for further negotiation, or was truly an assertion of a substantive right, the decision reveals the importance of assessing whether a jury demand should be included in the initial complaint or answer as the demand may be a significant factor in the overall handling and final trial of a case.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in insurance coverage. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Steven A. Kunzman, Esq. who heads our Insurance Coverage Department.


New Privacy Regulations in India: What it Means to Outsourcing and the Insurance Industries

Todd Ruback May 23rd, 2011

By Todd B. Ruback, Esq., CIPP, CIPP/IT

truback@newjerseylaw.net

May 23, 2011

On April 13, 2011 India issued final regulations that implement parts of the Information Technology Act of 2008.  The new regulations will have a significant impact on US companies that outsource to India, because they seemingly apply to outsourcing providers.  Since many insurance policies require the insured to comply with all data protection laws, it is prudent for risk management executives and the insured to assess whether the insured’s India-based outsourcing partners are in compliance with the new privacy regulations.  The assessment should be both technical and functional to determine whether the outsourcing partners are meeting the new obligations imposed upon them by the regulations.  If they are not, then the US based companies could be in violation, by extension of their outsourcing partners, of the India privacy regulations and subject to liability.  Further, US financial services companies could be in violation of the Gramm-Leach-Bliley Act, which under certain circumstances could be a breach of their insurance policies.

The India privacy rules are unique in three ways:

  1. They apply to individuals who provide their personal information even if they are outside of India.
  2. All personal information must be protected according to ISO 27001 standards.
  3. Prior written consent must be obtained for the collection of sensitive personal information, which includes financial information.

For Personal Information:

Notice: Notice must be given to individuals when their personal information is being collected. Notice includes disclosing the purpose of the collection of the information, the use of the information, the intended recipients of the information, the name and address of the organization collecting the information, and the name of the organization that will retain the information.

Privacy Policy: Organizations covered by the new privacy rules must establish and make a privacy policy readily and easily available.

Right to Access: Organizations must give the individuals the right to access and correct their personal information.

Security: Organizations must secure information according to accepted and approved technical standards, specifically ISO 27001.

Dispute Resolution: Organizations must also establish and maintain a dispute resolution process.

For Sensitive Personal Information:

There are additional layers of obligations when sensitive personal information is going to be collected.  Sensitive personal information is broadly defined, but it includes passwords, financial information about a bank account, or a credit/debit card, or other payment instruments, physical or mental health conditions, medical records, sexual orientation or biometric information.  When an organization is collecting sensitive personal information, then prior written consent (email, fax or letter) must first be obtained.  The individual always has the right to refuse to provide the sensitive personal information and to withdraw any prior consent.  The organization cannot refuse to provide the service if the sensitive personal information is not provided. Before a person’s sensitive personal information can be disclosed to a third party, the individual must also give prior written consent to the disclosure, unless it is allowed by contract or is required for legal compliance.  And the transfer of sensitive personal information to any other organization, if outside of India, is only allowed if that country has a privacy law that ensures the same level of data protection as India or if it is necessary to perform the function for which the information is collected.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in technology and privacy matters. We have affiliated offices in New York, Philadelphia, London, and Boca Raton. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT, who heads the Privacy and Technology Law Department, at truback@newjerseylaw.net or at 908-757-7800 x196.

Privacy Concerns for the Risk Manager: It’s Not Just About Private Litigation

Todd Ruback May 5th, 2011

Privacy Concerns for the Risk Manager:

It’s Not Just About Private Litigation

 By Todd B. Ruback, Esq., CIPP, CIPP/IT

May 5, 2011

The FTC is stepping up enforcement actions of alleged privacy violations by companies. Additionally, many State Attorneys General, seeing regulatory enforcement as a means to generate positive press as well as revenue, are also taking a more aggressive posture on alleged privacy violations. This trend is important to the privacy risk manager because many insurance policies now cover the costs to respond to privacy regulatory actions. It is extremely expensive and time consuming to go through such a regulatory investigation. Many such investigations result in voluntary Consent Orders that often require the companies to implement and maintain comprehensive information security programs, and to obtain independent third party audits certifying compliance for a number of years, sometimes as many as twenty. What isn’t clear is whether these subsequent costs to comply with the Consent Orders are an insurable event.

The FTC recently settled charges it had brought against two companies, Ceridian Corporation and Lookout Services, Inc., that allegedly failed to protect the sensitive information of employees of their business customers. The FTC alleged that the companies failed to have reasonable and appropriate security measures in place to protect this sensitive information, and therefore violated certain provisions of the FTC Act. In settling with the FTC, both companies agreed to not misrepresent claims about the privacy, confidentiality or the integrity of personal information in the future, to implement comprehensive information security programs and to obtain independent third party audits of the programs every other year for twenty years. As anyone who has to comply with twenty year Consent Orders will attest, this new layer of compliance results in added burdens and costs to management and can have a completely unnecessary and negative margin impact.

Ceridian is a provider of human resource services. Businesses outsource certain human resource functions, such as payroll, to Ceridian, and therefore Ceridian has access to a lot of personal information about the employees of its customers. Ceridian held out that it offered “Worry-free Safety and Reliability” in protecting the personal information of the employees of its business customers. It stated that its “…comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” The FTC, in its complaint, alleged that Ceridian’s security of personal information was in fact inadequate. The FTC alleged, among other things, that Ceridian did not adequately protect its network from reasonably foreseeable attacks and that it also indefinitely stored personal information in readable text on its network, without a business purpose or reason. A data breach occurred in December 2009 via a web-based payroll application. Approximately 28,000 employees of Ceridian business customers had their personal information compromised.

Lookout Services, Inc. licenses a web-based product that gives employers the ability to comply with US immigration laws. The product stores personal information such as names, addresses, dates of birth, and SSNs. The FTC alleged that the company, despite claims to the contrary, did not provide adequate security to keep personal information reasonably secure from unauthorized access. The FTC alleged, by way of example, that personal information could be accessed without using a user name or password, but rather by simply entering a URL into a web browser. Other examples of alleged inadequate security included the failure to require strong passwords, failure to require periodic changes to user passwords, and a lack of employee training on security of personal information. As a result of these alleged poor privacy practices, a data breach occurred when an employee of one of the company’s business customers accessed personal information in the Lookout Services database, including the SSNs of almost 37,000 people.

The privacy risk manager, in addition to being concerned about the private lawsuits resulting from these data breaches, also must think about the concordant regulatory investigations and responses to these same data breaches. In essence, an insurer may be asked by an insured to cover the costs of the same transgression multiple times. Many insurance companies are now requiring, as part of the underwriting process, that the applicant companies go through a privacy assessment prior to coverage being approved, as well as an annual health check-up. Privacy assessments will help the risk manager identify areas of potential risk in an applicant’s security program so that remediation can be taken to meet the FTC’s standards for adequate and reasonable safeguards of personal information. Further, once an event has happened, a risk manager may want to do a privacy assessment of the insured, often under the umbrella of privacy counsel, to help identify potential areas of concern for future litigation, as well as to identify areas of remediation to reduce the risk of future events.


Privacy Insurance in California after Pineda v. Williams-Sonoma
