PRATT’S PRIVACY & CYBERSECURITY LAW REPORT
AN A.S. PRATT PUBLICATION JULY/AUGUST 2016 VOL. 2 • NO. 6
Contents

Editor’s Note: Lessons, Victoria Prussen Spears ... 187
Audit Prep: Lessons from OCR HIPAA Enforcement – Part I, Kimberly C. Metzger ... 189
When Attorneys General Attack: Cybersecurity Investigations and Related Insurance Coverage Issues, Joseph D. Jean, Brian E. Finch, Carolina A. Fornos, Sheila M. Harvey, and Benjamin D. Tievsky ... 206
Are Changes in Store for the Stored Communications Act?, Serrin A. Turner ... 213
Seventh Circuit Revives P.F. Chang’s Data Breach Class Action Suit, Antony P. Kim, Aravind Swaminathan, Emily Tabatabai, and Sam Castic ... 217
WP29 Releases Opinion on EU-U.S. Privacy Shield, Noëlle Lenoir, Alice Jacquin, and Samuel B. Shepson ... 222
ISBN: 978-1-6328-3362-4 (print); ISBN: 978-1-6328-3363-1 (eBook); ISSN: 2380-4785 (Print); ISSN: 2380-4823 (Online)

Cite this publication as: [author name], [article title], [vol. no.] PRATT’S PRIVACY & CYBERSECURITY LAW REPORT [page number] (LexisNexis A.S. Pratt); for example: Laura Clark Fey and Jeff Johnson, Shielding Personal Information in eDiscovery, [1] PRATT’S PRIVACY & CYBERSECURITY LAW REPORT [189] (LexisNexis A.S. Pratt).

Copyright © 2016 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. A.S. Pratt is a trademark of Reed Elsevier Properties SA, used under license. No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work.

An A.S. Pratt™ Publication

Editorial Offices: 630 Central Ave., New Providence, NJ 07974, (908) 464-6800; 201 Mission St., San Francisco, CA 94105-1831, (415) 908-3200; www.lexisnexis.com (2016–Pub. 4939)

Pratt’s Privacy & Cybersecurity Law Report is published nine times a year by Matthew Bender & Company, Inc. Editorial inquiries and material for publication should be directed to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., 26910 Grand Central Parkway Suite 18R, Floral Park, New York 11005, 718.224.2258.

Editor-in-Chief, Editor & Board of Editors

EDITOR-IN-CHIEF: STEVEN A. MEYEROWITZ, President, Meyerowitz Communications Inc.
EDITOR: VICTORIA PRUSSEN SPEARS, Senior Vice President, Meyerowitz Communications Inc.

BOARD OF EDITORS:
EMILIO W. CIVIDANES, Partner, Venable LLP
RICHARD COHEN, Special Counsel, Kelley Drye & Warren LLP
CHRISTOPHER G. CWALINA, Partner, Holland & Knight LLP
RICHARD D. HARRIS, Partner, Day Pitney LLP
DAVID C. LASHWAY, Partner, Baker & McKenzie LLP
CRAIG A. NEWMAN, Partner, Patterson Belknap Webb & Tyler LLP
ALAN CHARLES RAUL, Partner, Sidley Austin LLP
AARON P. SIMPSON, Partner, Hunton & Williams LLP
RANDI SINGER, Partner, Weil, Gotshal & Manges LLP
JOHN P. TOMASZEWSKI, Senior Counsel, Seyfarth Shaw LLP
TODD G. VARE, Partner, Barnes & Thornburg LLP
THOMAS F. ZYCH, Partner, Thompson Hine
Seventh Circuit Revives P.F. Chang’s Data Breach Class Action Suit

By Antony P. Kim, Aravind Swaminathan, Emily Tabatabai, and Sam Castic*

The authors of this article discuss a recent U.S. Court of Appeals for the Seventh Circuit decision, which raises new issues that organizations should consider in crafting post-breach communications.

The U.S. Court of Appeals for the Seventh Circuit recently revived a data breach class action against P.F. Chang’s restaurant in an important opinion[1] that continues a plaintiff-friendly trend that began with the court’s opinion in Neiman Marcus. The court used statements that P.F. Chang’s made in response to its breach, and protective remediation measures it implemented, to draw inferences that customers were at risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation. The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help to increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.

* Antony P. Kim is a partner in the Antitrust & Competition practice group and global co-chair of Orrick, Herrington & Sutcliffe LLP’s Cybersecurity & Data Privacy team. Aravind Swaminathan is a partner at the firm and global co-chair of the Cybersecurity & Data Privacy team. Emily S. Tabatabai is of counsel at the firm and a member of the Cybersecurity & Data Privacy team. Sam Castic is a senior associate at the firm and a member of the Cybersecurity & Data Privacy team.

[1] http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2016/D04-14/C:143700:J:Wood:aut:T:fnOp:N:1737105:S:0.

THE DATA BREACH

The P.F. Chang’s data breach follows a common storyline. On June 12, 2014, P.F. Chang’s announced that unauthorized actors had breached its systems and compromised customer credit and debit cards. The company posted a notice to its website directed to all customers who had dined at any P.F. Chang’s location. At the time, P.F. Chang’s had not yet completed its investigation and could not identify the scope of affected restaurants. As a precautionary measure, P.F. Chang’s temporarily switched to a manual card-processing system at all locations across the continental United States.

Almost immediately (on June 25), the plaintiffs filed class action lawsuits against P.F. Chang’s in the Northern District of Illinois. Notably, the two named plaintiffs both dined at a P.F. Chang’s restaurant in Northbrook, Illinois, which P.F. Chang’s later determined to have been unaffected by the breach (i.e., not among the 33 restaurants from which card data was stolen). One plaintiff alleged he saw unauthorized charges on his debit card statement shortly after the announced breach, cancelled his card, and paid $107 for a credit monitoring service. The other plaintiff had no fraudulent debit card charges, but alleged that he spent time and effort monitoring his card statements and credit reports.

COURT TRACKS NEIMAN MARCUS; FINDS PRESENT AND IMMINENT FUTURE INJURIES

In reversing the district court’s dismissal, the Seventh Circuit examined both future and present injuries, and held that both were sufficient to support standing.

Future Injuries

Relying on its prior decision in Neiman Marcus, the Seventh Circuit found that the alleged future injuries were “imminent” because P.F. Chang’s had acknowledged a data breach, and thus it was reasonable to “infer a substantial risk of harm . . . because a primary incentive for hackers is ‘sooner or later[] to make fraudulent charges or assume those consumers’ identities.’” These alleged injuries as to both named plaintiffs (one who had experienced fraudulent charges and the other who had not) were sufficient to establish standing, just as they were in Neiman Marcus.[2] Other putative class members, the court ruled, would be “in the same position as one or the other named plaintiff.”

[2] In Neiman Marcus, the Seventh Circuit found that increased risk of fraudulent credit card charges and ID theft were ‘sufficiently imminent,’ and not speculative, because (a) Neiman Marcus had admitted to suffering a data breach, (b) credit card information was exposed, (c) the exposed cards belonged to 350,000 customers, and (d) 9,200 of those cards had been used to make fraudulent charges. The court opined that Neiman Marcus customers “should not have to wait until hackers commit identity theft or credit-card fraud . . . because there is an ‘objectively reasonable likelihood’ that such injury will occur.” The plaintiffs were also able to show that their mitigation expenses (i.e., time and effort spent resolving fraudulent charges) in response to a confirmed data breach were sufficient to allege present, “actual injuries.”

Present Injuries

On standing to sue for present injuries, the court analyzed the reasonableness of the two named plaintiffs’ remedial steps in expending time and effort to reverse fraudulent charges, procuring identity theft monitoring services, and in monitoring card account activity. P.F. Chang’s had argued that plaintiffs should not have expended time or money to guard against identity theft because, unlike in Neiman Marcus and other breaches, the P.F. Chang’s breach did not create any risk of identity theft, only a risk of fraudulent charges to affected cards. The Seventh Circuit rejected that argument, pointing to what it described as P.F. Chang’s “implicit” admission that card data could be used to open new cards because P.F. Chang’s “encouraged consumers to monitor their credit reports (in part for new-account activity) rather than simply the statements for existing affected cards.” Thus, the company’s cautionary reminder to monitor credit reports—a statement that many U.S. states statutorily require companies to include in breach notifications—rendered the plaintiffs’ purchase of credit monitoring services and efforts to guard against identity theft reasonable mitigation expenses.[3] The court made this finding even though it earlier noted that in the case of the plaintiff who had seen fraudulent card charges, his bank had blocked those charges.

The court also held that the named plaintiffs plausibly alleged that their data was actually stolen, even though P.F. Chang’s later determined that the Northbrook, Illinois, restaurant where they dined was not compromised. Again, the court relied on two of P.F. Chang’s communications as evidence to support the inference that all customers, regardless of restaurant, may have been affected: first, P.F. Chang’s June 2015 announcement, made before its internal investigation was completed, which was addressed to customers from “all of its stores”; and second, P.F. Chang’s decision to temporarily switch to manual card processing. The court reasoned as follows: “When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts [by implementing a universal, though temporary, switch to manual card-processing in all locations], it is certainly plausible that all of its locations were in fact affected.” In other words, even though neither plaintiff had unreimbursed charges on their payment cards, and even though P.F. Chang’s investigation showed that the named plaintiffs did not dine at an affected location, the court, citing P.F. Chang’s post-breach actions and statements, found that the plaintiffs “plausibly” alleged that their data was stolen under Twombly pleading standards. Any argument made by P.F.
Chang’s to the contrary “creates a factual dispute about the scope of the breach [to be addressed at a later stage of the litigation], but it does not destroy standing.”

[3] Of course, had P.F. Chang’s offered to provide free credit monitoring services for its customers, under Neiman Marcus, that fact may have been cited as a concession that plaintiffs suffered nonspeculative and imminent injuries: “It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded. These credit-monitoring services come at a price that is more than de minimis.”

WHAT DOES THIS OPINION MEAN?

The P.F. Chang’s opinion is troubling in a number of respects, most significantly because (once again) the court looked to post-breach activities to draw inferences about harm to individuals, and used specific post-breach statements to support those inferences. In the wake of a data breach, a host of legal, ethical, and reputational considerations drive hard decisions about communicating with the affected (and potentially affected) populations. First, state breach notification rules—some of which prescribe specific contents for notification communications—encourage, and at times require, quick notification to consumers in order to give consumers a chance to take steps to mitigate any potential risk. State Attorneys General and other regulators champion speedy notification (and can be very critical when notifications take “unreasonably” long), and because a company is usually required to note the date the incident was discovered, there is tremendous pressure to communicate and notify early. Second, the conventional practice is to communicate in a way that treats all customers fairly and equally—even if doing so results in over-notification beyond the affected population—and to provide a certain level of transparency. As a result, it is common for companies to err on the side of early and broad notification even before all of the facts are known. The P.F. Chang’s decision, and the Neiman Marcus opinion before it, upend that conventional thinking, and should force companies to think very carefully about when, what, and how they communicate, and to whom. Here are some considerations for companies in a post-P.F. Chang’s world:
Early Announcements Are Risky. P.F. Chang’s serves as a cautionary tale for making public announcements regarding a security incident before the internal forensic investigation is complete. To the extent that reputational and other considerations require early communications, organizations should be very careful in disseminating information too broadly (e.g., sending an e-mail alert to all employees about a potential security incident) or in over-disclosing to external stakeholders (e.g., notifying all customers versus a subset of customers). Organizations should also anticipate, and even embrace, the predictable tension between the communications team and the legal team on what should be said, when, and to whom. This is a healthy process that will result in a risk-appropriate communication strategy.

One Size May Not Fit All For Precautionary Messages. It is critical to understand the nuances of the state-specific notification requirements. Many states (including Hawaii, Michigan, Missouri, North Carolina, Vermont, Virginia, and Wyoming) explicitly require that the reporting company include specific recommendations to consumers on risk mitigation, including an admonition to monitor credit reports. These statements are not optional.[4] However, notwithstanding variations across state rules, a commonly accepted practice is for organizations to issue a standard notification that complies with substantially all of the states’ various requirements (except Massachusetts), and supplement certain notifications based on state-specific requirements (e.g., instructions on contacting a specified state agency/regulator). This means that all of the various state-required language and disclosures are often provided to all individuals, even if not entirely applicable or legally required. Although they often reflect sound security practices that consumers should follow in any circumstance, organizations should recognize the risk in delivering risk mitigation recommendations, and perhaps provide them only to consumers whose states’ laws explicitly require it.

Carefully Identify and Describe Protective Measures. Certain state statutes require disclosure of the measures that the company has taken to contain, mitigate or minimize the incident. For example, Michigan requires that the company “generally describe what the [company] providing the notice has done to protect data from further security breaches.” Wyoming requires a description in general terms of “the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches.” Similar requirements exist in North Carolina, Vermont, and Virginia. It was these statements, however, that the Seventh Circuit used in P.F. Chang’s to infer the scope of individuals who were affected by the breach. Thus, although statutorily required, P.F. Chang’s demonstrates how organizations should thoughtfully articulate the containment and remedial measures taken in response to an incident. Indeed, just as in P.F. Chang’s, in certain situations, taking a potentially affected system offline can be an effective containment and mitigation strategy that helps to protect consumers, but communicating that measure should be done carefully, with analysis of the downstream effects in litigation that such statements may have.

Ultimately, one can question the Seventh Circuit’s policy decision to use legally required notification statements and pro-consumer remedial measures to infer harm (both present and future) for standing purposes. However, given the court’s opinion, no one should question the need to carefully consider how the timing and content of post-breach communications may affect litigation strategy and tactics.

[4] Other states, such as California, provide the option of disclosing advice on steps that the person may take to protect themselves from the breach.