Ad Law Access: Updates on advertising law and privacy law trends, issues, and developments
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Feed updated Thu, 20 Mar 2025 01:06:59 -0400

Credential Stuffing: Cyber Best Practices from NY Attorney General’s Latest Report
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/credential-stuffing-cyber-best-practices-from-ny-attorney-generals-latest-report
Thu, 13 Jan 2022 21:16:21 -0500

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs. The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing refers to an attack where a hacker uses stolen usernames and passwords, or “credentials,” from an online service that has suffered a data breach to access other online services, according to the AG’s report. Attackers exploit the habit of some consumers to reuse their passwords across multiple websites. Attackers may also use automated software to initiate login attempts using stolen credentials from the dark web.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing,” New York State Attorney General Letitia James wrote in a press release accompanying the report.

Specifically, the AG report states that data security programs should incorporate safeguards against the threat of credential stuffing in four areas: (1) defending against credential-stuffing attacks, (2) detecting a credential stuffing breach, (3) preventing fraud and misuse of customer information, and (4) responding to a credential stuffing incident.

The AG recommends that businesses implement the following safeguards to mitigate the risk of successful credential-stuffing attacks. Which safeguards are appropriate to a business will depend on the size and complexity of the business, the volume and sensitivity of customer information it maintains, the risk and scale of injury, and the software and systems already in use.

Defend against a credential-stuffing attack

  • Bot Detection – Businesses can leverage bot detection software to distinguish automated login attempts from regular “human” login attempts, and to block malicious bots. The AG noted, however, that in its view CAPTCHA systems have been less effective than bot detection software.
  • Multi-Factor Authentication – Multi-factor authentication creates an additional hurdle to logging in to an account by requiring users not only to have valid credentials but also to possess a device that issues authentication codes or to complete a biometric authentication procedure.
  • Passwordless Authentication – Passwordless authentication allows a user to access their account using an authentication procedure, such as a one-time code or emailed link.
  • Web Application Firewalls (WAF) – WAFs that guard against malicious traffic can also include safeguards that protect against credential stuffing. These safeguards include rate limiting, which blocks or throttles repeated login attempts; HTTP request analysis, which analyzes header information and other metadata for indicators of malicious traffic; and IP address blacklists, which block IP addresses known to have engaged in attacks.
  • Preventing Reuse of Compromised Passwords – Businesses can implement procedures to prevent customers from reusing passwords that have been previously compromised, using vendors that compile such credentials.

Detecting a Credential Stuffing Breach

  • Monitoring Customer Activity – Businesses may monitor indicators of fraudulent activity to protect customer accounts.
  • Monitoring Customer Reports of Fraud – Businesses may also review reports from customers about unauthorized transactions or account access.
  • Notice of Account Activity – Businesses may notify customers of unusual account activity to help the customer identify unauthorized activity and report it to the business.
  • Threat Intelligence – Businesses may utilize threat intelligence firms that monitor dark web activity for discussion of stolen credentials or accounts.
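As an added illustration (not code from the AG report or from this post), the following Python sketch runs two of the safeguards listed above over constructed login events: a per-source-IP sliding-window rate limiter (the WAF control) and a monitoring rule that flags a source trying many distinct usernames with a high failure rate, reporting every account that source reached so the business can reset it and notify the customer. The IP addresses, usernames, and thresholds are all constructed for the example.

```python
"""Credential-stuffing rate limiting and detection over constructed login events."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt as an application would log it (constructed)."""
    ts: float         # seconds since epoch
    ip: str           # source address of the attempt
    username: str
    success: bool


class SlidingWindowRateLimiter:
    """Throttles repeated login attempts per key (here: source IP)."""

    def __init__(self, max_attempts: int, window_seconds: float) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)   # key -> timestamps of allowed attempts

    def allow(self, key: str, ts: float) -> bool:
        hits = self._hits[key]
        while hits and ts - hits[0] >= self.window:   # drop attempts outside the window
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False                              # blocked: window is full
        hits.append(ts)
        return True


@dataclass
class SourceStats:
    """Aggregate view of one source IP's login activity."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    succeeded: list = field(default_factory=list)   # accounts this source logged in to

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def _stats(events) -> SourceStats:
    stats = SourceStats()
    for ev in events:
        stats.attempts += 1
        stats.usernames.add(ev.username)
        if ev.success:
            stats.succeeded.append(ev.username)
        else:
            stats.failures += 1
    return stats


def detect_credential_stuffing(events, window_seconds=300, min_distinct_users=5, min_failure_rate=0.7):
    """Flag source IPs that, within any window of `window_seconds`, tried at least
    `min_distinct_users` different usernames with a failure rate >= `min_failure_rate`.
    Returns {ip: SourceStats} covering ALL activity from each flagged source, so every
    account it reached (not only those inside the triggering window) is listed for review."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            while ev.ts - window[0].ts > window_seconds:
                window.popleft()
            w = _stats(window)
            if len(w.usernames) >= min_distinct_users and w.failure_rate >= min_failure_rate:
                flagged[ip] = _stats(evs)
                break
    return flagged


def apply_rate_limit(events, max_attempts=5, window_seconds=60):
    """Replay events through the limiter; returns {ip: attempts that would have been blocked}."""
    limiter = SlidingWindowRateLimiter(max_attempts, window_seconds)
    blocked = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        if not limiter.allow(ev.ip, ev.ts):
            blocked[ev.ip] += 1
    return dict(blocked)


def sample_events():
    """Constructed sample: one automated source cycling through leaked usernames, two ordinary users."""
    events = []
    # Automated source at 203.0.113.7 tries 8 different usernames 5 s apart; only one still works.
    leaked = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(leaked):
        events.append(LoginEvent(ts=1000 + 5 * i, ip="203.0.113.7", username=user, success=(user == "dave")))
    # An ordinary user mistypes a password once, then succeeds, from a home address.
    events.append(LoginEvent(ts=1003, ip="198.51.100.20", username="alice", success=False))
    events.append(LoginEvent(ts=1010, ip="198.51.100.20", username="alice", success=True))
    # A second ordinary user logs in cleanly.
    events.append(LoginEvent(ts=1100, ip="192.0.2.44", username="ivan", success=True))
    return events


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(sample_events()).items():
        print(f"{ip}: {s.attempts} attempts, {s.failure_rate:.0%} failed, accounts to reset/notify: {s.succeeded}")
    print("blocked by rate limit:", apply_rate_limit(sample_events()))
```

The ordinary users are never flagged: each hits only one username and never reaches the distinct-username threshold, which is what keeps the rule from paging on routine typos.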

Preventing Fraud and Misuse of Customer Information

  • Re-authentication at the Time of Purchase – To prevent attackers from leveraging stolen accounts to make a purchase, the AG states that businesses may require users to re-authenticate stored payment information. For example, the user may be required to re-enter their credit card number or CVV code, or the company might send the user an authentication code.
  • Third Party Fraud Detection – Companies may use third-party services that identify suspicious or fraudulent transactions.
  • Mitigating Social Engineering – Because some attackers may try to persuade customer service personnel to authenticate an account for them, companies can develop policies that address social engineering attacks and train relevant personnel to recognize them.
  • Preventing Gift Card Theft – The AG suggests that transferring gift cards between customer accounts and transferring funds between gift cards should be restricted or require re-authentication; and that companies should only display the last four digits of a gift card number.

Incident Response

  • Investigation – Where companies suspect an attack, the new guidance states that companies should conduct a timely investigation to determine, at a minimum, “whether customer accounts were accessed without authorization, and, if so, which accounts were impacted, and how attackers were able to bypass existing safeguards.”
  • Remediation – Companies should take action to remediate credential-stuffing attacks, according to the AG’s guidance. The AG suggests blocking attackers’ continued access to the accounts, resetting passwords, and freezing relevant accounts, where appropriate.
  • Notifying Customers – The AG states that businesses should “quickly notify each customer whose account has been, or is reasonably likely to have been, accessed without authorization.” The AG’s report states that customer notice should include the following elements:
    • Disclosing whether the particular customer’s account was accessed without authorization;
    • The timing of the attack;
    • What customer information was accessed; and
    • What actions have been taken to protect the customer.

Finally, given the evolving nature of credential stuffing-related threats, the AG warns that businesses should continually evaluate the effectiveness of applicable controls and implement new procedures where appropriate.

* * *

Since State AGs don’t typically issue guidance like this, it may be a sign that New York plans to continue to target businesses that have not followed its guidance and have thus allegedly inadequately protected against credential stuffing. While other states aren’t bound by this NY-specific guidance, other State AG offices are likely to take notice and discuss this unusual measure through their standing working groups. As a result, some states may potentially follow suit and launch their own investigations on credential stuffing.

State and federal regulators are active in this space, investigating companies’ compliance with UDAP, FTCA, and FCRA Red Flags. Including the possibility of credential stuffing in your data security risk assessment and policy review may reduce your regulatory exposure.

Please join us for Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle, a joint webinar between Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform. This Data Privacy Week webinar will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth. Register here.

Also please join us for State Attorney General Consumer Protection Priorities for 2022. This webinar will provide discussion and practical information on the topics mentioned above and other state consumer protection, advertising, and privacy enforcement trends. Register here.

FTC Advises Companies to Remediate Log4j Vulnerability
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-advises-companies-to-remediate-log4j-vulnerability
Wed, 12 Jan 2022 14:19:10 -0500

In an unusual warning to companies running Java applications with Log4j in their environments, the Federal Trade Commission (FTC) recently cautioned that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[] or similar known vulnerabilities in the future.” All companies with consumer information should take heed, assessing information security risks on their systems and devices and implementing policies to guard against foreseeable risks.

What prompted the FTC’s action?

The Apache Log4j software library is a ubiquitous Java-based logging utility. In December, the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that a critical vulnerability in this popular open-source software rendered “hundreds of millions” of internet-connected devices vulnerable to attack. CISA’s Director advised that the software’s ubiquity makes the scale and potential impact of the vulnerability significant. CISA gave federal agencies until December 24, 2021, to patch the vulnerability or implement other mitigating measures.

A variety of executive branch agencies, including CISA and the White House’s National Cyber Director, promoted the FTC’s warning on social media. The FTC’s warning can be viewed as reiterating the FTC’s longstanding approach to data security (that companies must implement reasonable steps to protect consumer information from unauthorized disclosure or misuse) while simultaneously suggesting that a failure to protect against the Log4j vulnerability is per se unreasonable. The warning references the FTC’s $700 million 2019 settlement with Equifax Inc., in which the FTC alleged among other things that the company’s failure to patch a known vulnerability contributed to exposure of millions of consumers’ personal information. The FTC also notes that it is critical for companies and their vendors who rely on Log4j to act now, “in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Legal context

As we’ve addressed here, there is no single federal data security law in the United States requiring companies across the marketplace to implement a uniform set of data security measures. Nonetheless, the FTC’s warning—which goes further than prior FTC business guidance like Start with Security or Stick with Security—asserts that existing laws, including the FTC Act and the Gramm Leach Bliley Act, create a duty for companies to take reasonable steps to mitigate known software vulnerabilities.

Why does this matter for companies with consumer data?

The FTC’s warning reaffirms that data security enforcement remains a priority for the current Commission’s leadership. In addition, the FTC post relays the Commission’s intent to consider the “broader set of structural issues” related to “open-source services,” which it considers to be among the “root issues that endanger user security.” This seems to be a callback to Chair Khan’s strategic vision for approaching competition and consumer protection “holistically” and focusing on what the Commission regards to be “root causes” of harm.

The FTC’s admonitions remind every company with consumer information to assess the risks to that information in their environments and in vendor environments and implement reasonable policies to guard against those risks.

* * *

Please join us for State Attorney General Consumer Protection Priorities for 2022. This webinar will provide discussion and practical information on the topics mentioned above and other state consumer protection, advertising, and privacy enforcement trends. Register here.

Also join us for Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle, a joint webinar between Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform. This Data Privacy Week webinar will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth. Register here.

Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/hope-emerges-at-senate-data-security-hearing-but-will-congress-grab-the-brass-ring
Sun, 10 Oct 2021 10:25:23 -0400

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security. Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.

Discussing a Federal Data Security Bill

  • Preemption. Witnesses agreed that a preemptive federal law does not necessarily mean a weaker law. Rich offered a middle ground, supporting preemption, but stating the law should fully empower the state AGs to enforce it.
  • Private Right of Action. Tummarello expressed concern that lawsuits across the country would contribute to the “patchwork” of laws that increase compliance costs. However, if a private right of action were necessary, she would support only a narrow private right of action with sufficient notice and guardrails, particularly to protect startups vulnerable to bad faith litigation. Lee demurred on whether a private right of action was needed but emphasized that consumers need to be protected no matter what state they live in. Rich stated that if the legislation is strong enough – with robust protections and remedies, full enforcement authority for the states, and significant resources for the FTC – it will protect consumers without the need for a private right of action. However, Rich also described “middle grounds” that could bridge the divide.
  • Sensitive Data. Although there were some questions about what constitutes sensitive data, the witnesses agreed that both biometric data and data about children should have heightened protections. Felten addressed concerns regarding artificial intelligence and facial recognition. Lee discussed the importance of protecting biometric data because it is permanent and cannot be changed – unlike a credit card number – if it is compromised.
  • Process-Based Approach. Rich emphasized the need for a “scalable” federal law that takes a process-based approach so that it does not quickly become obsolete. She added that the FTC could issue more detailed guidance on a regular basis to highlight particular technologies and safeguards that companies should consider. In contrast, Felten supported specific safeguards that the FTC would require through rulemaking, and Tummarello supported an FTC rule or guidance that would give companies a “menu” of safeguards to consider.
  • Inclusion with Data Privacy Bill. All witnesses supported including data security provisions into a federal privacy bill, but Rich stated that a data security law could prevent considerable consumer harm as a stand-alone measure.

FTC’s Role and Enforcement.

  • FTC as Enforcer. Similar to last week’s hearing, all witnesses agreed that the FTC was the agency best equipped to oversee and enforce a federal data security law.
  • Resources Needed. Felten noted that the FTC only has about ten technologists on staff, but could use 50-60 people in technologist roles to supplement its enforcement efforts. Rich added that technologists need a career path at the FTC, and that the FTC should reexamine the complicated ethics rules governing what technologists may do after they leave the FTC’s employment.
  • First time penalties. All witnesses agreed that the FTC should be able to seek penalties for first-time violations. Tummarello, however, said that she supports first-time penalties only if there are clear rules of the road.

Overall, the hearing made clear that there are more areas of agreement than disagreement. The key questions are: (1) Can Congress resolve differences related to a private right of action, whether by ensuring strong protections without it or by compromising on a narrow private right of action? (2) Will Congress be willing to pass federal data security legislation on its own? We will continue to monitor developments on this issue and provide updates as they occur.

Ad Law Access Podcast – Data Security 101
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/podcast-data-security-101
Mon, 11 Jan 2021 08:57:10 -0500

Our increased reliance on the Internet to conduct our daily affairs has put an additional spotlight on data security. This 101 edition of the Ad Law Access podcast covers data security and five key points businesses should keep in mind as they continue to refine their data security practices based on FTC settlements and guidance.

Listen on Apple, Spotify, Google Podcasts, SoundCloud, via your smart speaker, or wherever you get your podcasts.

For more information on data security, privacy, and other topics, visit:

Tackling the Privacy, Data Security, and Employment Issues Related to Returning to Work
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tackling-the-privacy-data-security-and-employment-issues-related-to-returning-to-work
Mon, 06 Jul 2020 23:49:25 -0400

Coronavirus testing and screening procedures are central to many companies’ return-to-work plans. Because testing and screening data is often sensitive and may help to determine whether individuals are allowed to work, companies need to be aware of the privacy and security risks of collecting this data and protect it appropriately. Failing to do so may lead to a backlash in the workplace, cause reputational damage, and invite scrutiny from regulators and plaintiffs’ attorneys.

We have created a checklist of general tips to help companies navigate return-to-work privacy and data security issues. In addition to designing COVID-19 testing and screening data collection programs that fit local and state reopening conditions, companies may also wish to consult key sources of federal guidance, including the following:

For more information on returning to work, COVID-19, and other topics, please visit: Advertising and Privacy Law Resource Center

New Hampshire Enacts New Insurance Data Security Law
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-hampshire-enacts-new-insurance-data-security-law
Wed, 14 Aug 2019 15:46:08 -0400

Effective January 1, 2020, New Hampshire’s new Insurance Data Security Law will impose certain information security requirements on entities that (1) are licensed under the state’s insurance laws and (2) handle “nonpublic information.” “Nonpublic information” is defined as information that is not publicly available and falls into one of the two following categories:
  1. Information that because of name, number, personal mark, or other identifier could identify a consumer when combined with the consumer’s Social Security number, driver’s license number, financial account number, credit or debit card number, security code or PIN that would permit access to the consumer’s financial account, or biometric records.
  2. Information or data, except age or gender, that can be used to identify a particular consumer and that relates to the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family; the provision of health care to any consumer; or payment for the provision of health care to any consumer.
The law will require that licensees:
  • Conduct a Risk Assessment: Conduct risk assessments that identify and mitigate “reasonably foreseeable” internal or external threats to the business and its nonpublic information, including nonpublic information accessible to or held by third-party service providers.
  • Implement an Information Security Program: Use the results of the risk assessment to create an information security program. The program must be managed by the board and detail the licensee’s plan for responding to cybersecurity events (an event “resulting in the unauthorized access to, disruption or misuse of, an information system or nonpublic information stored” on an information system).
  • Respond to Cybersecurity Events: Conduct a “prompt investigation” of all cybersecurity events and, in most circumstances, notify the Insurance Commissioner, within three business days, of any cybersecurity event that has a “reasonable likelihood” of materially harming a New Hampshire consumer or any material part of the licensee’s normal business operations. This notice must include specific information, including a copy of the licensee’s privacy policy.
The law includes a limited safe harbor for companies that are in compliance with HIPAA if the licensees have established and maintained HIPAA-required privacy, security, and data breach notification programs and procedures to protect both “protected health information,” as defined by HIPAA, and any other nonpublic information. The companies must submit written statements indicating that they (1) are HIPAA-compliant; and (2) protect any other nonpublic information in the same way that they do protected health information. These companies are still required to comply with the Insurance Data Security Law’s cybersecurity event notification requirements.

The law provides for additional limited exemptions for companies complying with other laws, including the New York Cybersecurity Regulation.

Licensees have one year from the effective date to comply with the risk assessment and information security program requirements, and two years from the effective date to ensure that third-party service providers are implementing appropriate security measures.

We recommend that companies take steps now to assess the applicability of the statute and determine how to best integrate its requirements into existing business practices.

FTC Closing Letter Provides Good Data Security Reminder
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-closing-letter-provides-good-data-security-reminder
Wed, 19 Aug 2015 08:00:16 -0400

Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee misappropriated client information by transferring data from the Morgan Stanley computer network to a personal website accessed at work, and then onto other personal devices. The exported data subsequently appeared on multiple Internet websites, causing the potential for misuse of the data.

The agency, however, decided to informally close the case without taking further action because Morgan Stanley had established and implemented comprehensive policies and access controls designed to protect against insider theft of personal information. Despite having such policies and controls in place, the FTC found that certain controls applicable to a narrow set of client reports were improperly configured. This allowed the employee to access and misappropriate the data.

The FTC’s initiation of this investigation (and subsequent decision to close the case) provides a few key takeaways for companies that would prefer not to face the FTC:

  • Employ reasonable and appropriate safeguards to protect against unauthorized misuse of all sensitive consumer information;
  • Establish and implement comprehensive policies designed to protect against employee theft of personal information;
  • Have controls in place to ensure that company employees and/or contractors have access to sensitive personal information only on a “need to know” basis;
  • Monitor the size and frequency of data transfers by employees;
  • Prohibit employee use of USB or other devices to exfiltrate data;
  • Block employee access to certain high-risk Web applications and websites; and
  • Train employees regularly in meaningful data security practices.
Implementing and maintaining data security is a never-ending challenge, prompting organizations to have programs in place to match the ever-evolving tactics of cybercriminals and rogue employees. The FTC closing letter provides a valuable lesson: while companies should implement and maintain policies, procedures, and controls to protect against outside threats, they should also consider and protect against data security threats arising much closer to home.

The Year of the Breach: California Attorney General Releases 2013 Data Breach Report
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-year-of-the-breach-california-attorney-general-releases-2013-data-breach-report
Thu, 30 Oct 2014 10:48:21 -0400

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.

S.D.N.Y: Plaintiffs Asserting Claims Based on Risk of Identity Theft Lack Standing
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/s-d-n-y-plaintiffs-asserting-claims-based-on-risk-of-identity-theft-lack-standing
Thu, 22 Jul 2010 22:07:46 -0400

The Southern District of New York recently, in Hammond v. The Bank of New York Mellon Corp., No. 08-6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), joined other courts from around the country in holding that plaintiffs who bring claims based on the risk of identity theft lack Article III standing. In each case, including the 26 cases cited in Hammond, the plaintiffs’ claims were dismissed, either on a motion to dismiss or on summary judgment.

In Hammond, the plaintiffs, after being notified that their personal information, contained on unencrypted backup tapes, had been “lost” while being transported by a third party, brought a putative class action asserting claims for breach of implied contract, breach of fiduciary duty, negligence, and violation of state consumer protection laws. Three of the seven named plaintiffs alleged that they actually had suffered “unauthorized credit transactions” after the tapes were lost, although they ultimately conceded that the charges were either reimbursed or unrelated to the tape loss. Bank of New York’s original motion to dismiss was denied. It then moved for summary judgment based on a lack of Article III standing and argued that the alleged emotional distress or increased risk of harm did not constitute legally cognizable harm.

Discovery in the case, particularly plaintiffs’ deposition testimony, demonstrated that the plaintiffs did not suffer any damages. The court, recognizing the apparent inconsistencies in its decisions on defendant’s motion to dismiss and plaintiffs’ motion for summary judgment, held that a finding that Article III standing exists at the motion to dismiss stage does not necessarily mean that it will be present at summary judgment.

Hammond is the latest in a long line of cases holding that the risk of identity theft is not a cognizable injury. Thus, dismissal in these cases is not an issue of “if,” but of “when.”

Click here to view previous posts on these and other related issues.

Identity Theft Litigation Update: Ninth Circuit Upholds Dismissal Of Speculative Claims
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/identify-theft-litigation-update-ninth-circuit-upholds-dismissal-of-speculative-claims
Thu, 01 Jul 2010 07:21:44 -0400

Updating a prior post, the Ninth Circuit, in Ruiz v. Gap, Inc., recently upheld a dismissal on summary judgment on the grounds that the mere risk of identity theft is too speculative an injury to substantiate a cause of action based on negligence. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993 (9th Cir. May 28, 2010).

As background, Plaintiff, Mr. Joel Ruiz, submitted an online job application to work in a Gap store. As part of the application, Ruiz provided his social security number. Gap later disclosed that laptops were stolen from Vangent, the vendor with whom Gap had contracted for recruiting purposes. The laptops contained Ruiz’s unencrypted personal information, along with the information of nearly 800,000 other Gap job applicants.

Ruiz filed a putative class action alleging, among other things, negligence and violation of California Civil Code § 1798.85. Ruiz later amended his complaint to bring a breach of contract claim against Vangent. As discussed in a prior post, the court previously denied a motion to dismiss on the negligence claim. However, defendants were granted summary judgment on the negligence claim after discovery had done little to cure its speculative nature. See Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009). The court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” Id. at 913.

In the opinion, the Ninth Circuit held that while the increased risk of identity theft created sufficient concern to grant plaintiff Article III standing, the alleged injury was still too speculative to sustain a negligence claim under California law. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993, at *1 (9th Cir. May 28, 2010). “It is fundamental that a negligent act is not accountable unless it results in injury to another.” Id. Notably, the court refrained from answering whether money spent on credit monitoring, as the result of personal information theft, supported a negligence claim. Id. However, the court included a footnote citing authority in favor of awarding medical monitoring costs, thus suggesting that it might be inclined to draw a parallel between these issues in the future. Id. at n.1.

The Ninth Circuit also upheld the district court’s dismissal of Ruiz’s claims under CAL. CIVIL CODE § 1798.85. Id. at *3. That section disallows requiring “an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the [site].” Id. Ruiz alleged that Gap and Vangent violated this statute by requiring him to use his social security number to submit his online job application. Id. In upholding the district court’s dismissal of this claim, the Ninth Circuit reasoned that the “plain language of § 1798.85(a)(4) is directed to the initial act of logging onto a website, rather than as information that is subsequently requested….” Id. Therefore, Gap’s policies did not violate the statute.

This opinion is the latest in a growing body of case law holding that the mere fear and risk of identity theft is an insufficient injury to support a cause of action, such as negligence or breach of contract. It is especially beneficial from a defense counsel perspective because it provides binding authority based in California law, which is a well-known hotbed for class actions in this area.

For further discussion of this case, see prior blog posts on this topic (here, here, and here), and a previously published article in Andrews Litigation Reporter.

Legal Developments Affecting Payment Card Data Pass Practices
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/legal-developments-affecting-payment-card-data-pass-practices
Tue, 08 Jun 2010 11:05:22 -0400

On-line marketers that share their customers’ credit or payment card information with other business partners without the consumer’s knowledge or active consent – a practice referred to as a “data pass” – may wish to read a recently published BNA Privacy & Security Law Report titled “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers.” Kelley Drye attorneys Alysa Z. Hutnik and Joseph D. Wilson co-authored this article, which:

  • explores a rule recently announced by VISA and legislation recently proposed by Senate Commerce Committee Chairman, Jay Rockefeller (D-W.Va.) entitled “The Restore Online Shoppers’ Confidence Act” (S. 3386), both of which restrict companies’ ability to share customer payment card information. (Visit Kelley Drye's Advertising Law Blog for related articles on these topics);
  • reviews two recently filed class actions, Ferrington, et al. v. McAfee Inc., 5:10-cv-1455 (N.D. Cal.), and Van Tassell, et al. v. United Marketing Group Inc., et al., 1:10-cv-2675 (N.D. Ill.), alleging that the data pass practices of certain on-line marketers violated numerous state consumer protection laws;
  • advises on steps companies should consider taking to mitigate the risk that their data pass practices will come under FTC scrutiny; and
  • discusses considerations companies should make if they find themselves the subject of a class action relating to their data pass practices.

Another Missive from the Data Breach Front: Remote Risk of Identity Theft Does Not Confer Standing in Allison v. Aetna
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/another-missive-from-the-data-breach-front-remote-risk-of-identity-theft-does-not-confer-standing-in-allison-v-aetna
Thu, 29 Apr 2010 17:57:50 -0400

Allison v. Aetna, Inc., a recent opinion out of the Eastern District of Pennsylvania, adds to the burgeoning area of law holding that when a plaintiff fails to allege an actual injury resulting from a data breach, but instead alleges only an enhanced risk of identity theft, an injury-in-fact does not exist and the suit must be dismissed for lack of standing.

In Allison, Plaintiff alleged that he and others submitted their personal information to Aetna’s job application website. Soon after, Plaintiff alleged that he began receiving “phishing” emails requesting additional personal information, as the result of an alleged security breach of Aetna’s website. Plaintiff, other applicants, and over 65,000 current and former Aetna employees were sent notification letters advising them of the breach, stating that their email addresses had been accessed but that it was unclear whether additional information had been accessed.

Plaintiff then filed his class action suit alleging that Aetna had failed to “adequately protect the personal information of its current, former, and potential employees….” Plaintiff described the various remedial measures that he and potential class members had been forced to undertake, including time spent monitoring various accounts for signs of identity theft and out-of-pocket expenses for identity theft protection services. The complaint did not allege that Plaintiff, or anyone else, had suffered identity theft, but rather that they were subject to a “significant risk of identity theft.” The suit asserted various claims including negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy. Aetna moved to dismiss all claims pursuant to Federal Rules of Civil Procedure 12(b)(1), arguing that Plaintiff lacked injury-in-fact standing, and 12(b)(6), arguing that Allison had failed to state a claim.

The court held that Plaintiff’s increased risk of harm did not create an injury-in-fact because his chance of suffering from identity theft was not imminent and was too speculative. Despite Plaintiff’s conclusory allegations to the contrary, the court found that Plaintiff had merely alleged that unidentified hackers had accessed his email address, thus making actual identity theft unlikely. The court dismissed Allison’s claims based on a lack of standing.

Compared to other recent opinions that address the risk of identity theft, this opinion stops short of addressing the heart of this issue -- namely, does a demonstrated risk of identity theft create an injury upon which relief can be granted? Would the court have ruled differently if Allison's social security number, as opposed to just his email address, had been accessed? Future plaintiffs are likely to attempt to distinguish their claims from Allison by contending that their claims are more fully and adequately pleaded to demonstrate a more imminent risk of identity theft. However, that does not mean a claim survives a motion to dismiss. In fact, as we discussed just last year, certain courts have held that while the increased risk of harm may be sufficient to satisfy the initial injury-in-fact element for standing, it may not suffice to show "actual damage" to support a claim for damages under negligence and other liability principles.

UPDATE: Data Breaches on the Rise in 2010
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/update-data-breaches-on-the-rise-in-2010
Tue, 27 Apr 2010 21:52:43 -0400

Updating a previous post regarding the rise last year in the number of data breaches involving customers’ personal information in the general business sector, the number of these breaches for the first third of 2010 reflects a similarly troubling trend. According to the Identity Theft Resource Center (“ITRC”), the total number of reported data breaches as of today stands at 245, or nearly half of the 498 total breaches reported for the entire year in 2009. The general business sector (not including companies in the more heavily-regulated financial and medical sectors) continues to experience the highest percentage of these data breaches, with a reported 38.8% of reported breaches thus far this year. These statistics underscore the urgency with which your company should act to ensure that adequate measures are in place to protect private data, or risk being subject to costly litigation. Stay tuned for further updates as additional data becomes available.

Study Suggests that Data Breaches Among Businesses May Be on the Rise
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/study-suggests-that-data-breaches-among-businesses-may-be-on-the-rise
Tue, 06 Apr 2010 16:04:56 -0400

A recent study released by the Identity Theft Resource Center (“ITRC”), a non-profit organization dedicated exclusively to the prevention of identity theft, suggests that in 2009, while the government appeared to be improving data security, the protection of customers’ private information by some businesses may have worsened. The annual ITRC study is funded by the U.S. Department of Justice’s Office of Victims of Crime and tracks how a data breach occurs and identifies the breach by sector – including general business, medical and health, financial institutions, government/military, and educational.

The highlights of the 2009 ITRC study include the following:

  • Breaches within the general business sector (not including companies in the more heavily-regulated financial and medical sectors) climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far.
  • Paper breaches increased 46% from 2008 and now account for nearly 26% of known breaches.
  • The number of breaches caused by a malicious attack surpassed the number resulting from human error for the first time in three years.
  • In only six of the 498 breaches reported was encryption or another strong security feature in use to protect the exposed data.

These statistics highlight the importance of consistently evaluating the measures your company takes to secure private data. Otherwise, your company runs the risk of being sued for breach of privacy, including in the individual and class action context, or of becoming the subject of investigation by state and/or federal regulators, who are becoming increasingly aggressive about investigating privacy breaches. Your company may also find itself liable to third parties with whom it does business, including credit card issuers and merchant banks, especially if your company’s privacy protections fail to meet the industry standard. [Click here for a post from the Kelley Drye Advertising Group’s “Ad Law Access Blog” regarding a recent law passed in the state of Washington that establishes such liability.]

Click here for more information about ITRC’s 2009 Data Breach study.

Data Breach Coverage: Underwriting at the Point of Claim?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/data-breach-coverage-underwriting-at-the-point-of-claim
Wed, 08 Jul 2009 12:21:13 -0400

The recently filed case of First Bank v. Federal Insurance Company reflects yet another financial services provider that was the subject of a data breach incident and was forced into litigation with its insurers as a result. As detailed in our recent article, First Bank is not alone in having its insurance company deny the claim for coverage arising from the data breach. In this area of privacy and data security, anecdotally at least, it appears that many insurers are "underwriting at the point of claim" -- that is, denying coverage in the hope that the policyholder will abandon pursuit of the coverage.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby -- Comprehensive General Liability (better known as "CGL") policies -- may well provide you with the coverage you need to defend litigation arising from a data breach.

Federal Agencies Issue FAQs on FACTA Red Flag Compliance
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/federal-agencies-issue-faqs-on-facta-red-flag-compliance
Mon, 15 Jun 2009 09:21:04 -0400

Last week, the Federal Trade Commission, jointly with other federal agencies that regulate financial institutions, released "frequently asked questions" designed to provide additional assistance to companies required to comply with new identity theft rules pursuant to the Fair and Accurate Credit Transactions Act ("FACTA").

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

Wave of Class Actions for Data Security Breaches
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/wave-of-class-actions-for-data-security-breaches
Wed, 10 Jun 2009 14:01:45 -0400

If your company collects customers’ personal data in the course of its business, be aware of the wave of class actions that have recently been filed arising out of data security breaches. Finkelstein Thompson, a DC-based law firm, over the past year has filed a series of class actions against businesses that have fallen victim to such data breaches.

One such suit, filed in the Northern District of Georgia, asserts claims against RBS WorldPay, Inc. for negligence, breach of implied contracts, and violation of state unfair trade law, after hackers allegedly gained access to the personal information of approximately 1.5 million RBS cardholders. In an incident apparently related to this security breach, Fox News reported -- citing FBI sources -- that thieves, using cloned ATM cards with the stolen data, withdrew $9 million from ATMs in a coordinated attack in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. This incident has garnered considerable media attention and will likely result in similar suits being filed against RBS across the country as a result of the security breach.

While this sort of case is extremely difficult to sustain given the absence of actual harm, the litigation and reputational costs associated with them are significant for businesses targeted by this litigation, particularly given the resulting media attention. Therefore, be forewarned, and regularly evaluate your data collection, data use, and data maintenance procedures and infrastructure with both your IT personnel and legal counsel.

For further discussion of this case, see our recently published piece in the ABA “Secure Times” newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/identity-theft-litigation-update-recent-cases-show-trend-toward-dismissal-of-speculative-claims
Mon, 27 Apr 2009 17:30:21 -0400

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court that was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach had caused only an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case already was notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/merchants-beware-protect-your-customers-and-company-from-credit-card-skimming
Fri, 10 Apr 2009 15:33:48 -0400

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic stripe.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on the part of their coworkers.

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/fears-of-future-identity-theft-generally-not-sufficient-to-establish-actual-damages-in-a-lawsuit
Wed, 18 Mar 2009 12:30:00 -0400

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims, and responding with a virtually uniform voice to state that, however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law, and accordingly reject such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose properly of certain documents that allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrong-doer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed claims for fraudulent inducement and the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court only let the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.
