Data Breach Coverage: Underwriting at the Point of Claim?

The recently filed case of First Bank v. Federal Insurance Company reflects yet another financial services provider that was the subject of a data breach incident, and was forced into litigation with its insurers as a result. As detailed in our recent article, First Bank is not alone in having its insurance company deny the claim for coverage arising from the data breach. In this area of privacy and data security, anecdotally at least, it appears that many insurers are "underwriting at the point of claim" -- that is, denying coverage in the hope that the policyholder will abandon pursuit of the coverage.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby -- Comprehensive General Liability (better known as "CGL") policies -- may well provide you with the coverage you need to defend litigation arising from a data breach.
 

Federal Agencies Issue FAQs on FACTA Red Flag Compliance

Last week, the Federal Trade Commission, jointly with other federal agencies that regulate financial institutions, released "frequently asked questions" designed to provide additional assistance to companies required to comply with new identity theft rules pursuant to the Fair and Accurate Credit Transactions Act ("FACTA").

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

Wave of Class Actions for Data Security Breaches

If your company collects customers’ personal data in the course of its business, be aware of the wave of class actions that have recently been filed arising out of data security breaches. Finkelstein Thompson, a DC-based law firm, over the past year has filed a series of class actions against businesses that have fallen victim to such data breaches.

One such suit, filed in the Northern District of Georgia, asserts claims against RBS WorldPay, Inc. for negligence, breach of implied contracts, and violation of state unfair trade law, after hackers allegedly gained access to the personal information of approximately 1.5 million RBS cardholders. In an incident apparently related to this security breach, Fox News reported -- citing FBI sources -- that thieves, using cloned ATM cards with the stolen data, withdrew $9 million from ATMs in a coordinated attack in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. This incident has garnered considerable media attention and will likely result in similar suits being filed against RBS across the country as a result of the security breach.

While this sort of case is extremely difficult to sustain given the absence of actual harm, the litigation and reputational costs associated with such cases are significant for the businesses they target, particularly given the resulting media attention. Therefore, be forewarned, and regularly evaluate your data collection, data use, and data maintenance procedures and infrastructure with both your IT personnel and legal counsel.

For further discussion of this case, see our recently published piece in the ABA “Secure Times” newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Kelley Drye & Warren LLP Associate Veronica D. Jackson contributed to this post.)

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court which was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach had caused only an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited to the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited to the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case already was notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.
 

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic stripe.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity by their coworkers.

(Kelley Drye & Warren LLP Associate Joanna Baden-Mayer contributed to this post.)

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims and responding with a virtually uniform voice: however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law. Accordingly, they have been rejecting such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose of certain documents properly, which allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrongdoer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed claims for fraudulent inducement and under the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court only let the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Donna L. Wilson, Andrew S. Wein, and Veronica D. Gray represent Jackson Hewitt Tax Service in this case.)
 

Welcome to the Consumer Financial Services Blog

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws and, consequently, their businesses may not be compliant.

The focus of the Consumer Finance Law Blog is to keep – all on one site – "non-traditional financial service providers," such as retailers, potentially subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Fair Housing Act
  • Gramm Leach Bliley Act
  • National Automated Clearing House Association Rules
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements

Kelley Drye & Warren LLP’s Consumer Financial Services practice and the editors of this Blog – Donna Wilson, Joel Hewer, and John McGuinness, with invaluable contributions from analyst Michael McGinn – welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.