On October 27, 2012, plaintiff Elizabeth Nowak filed a putative class action against Barnes & Noble (“B&N”) arising out of the PIN pad tampering incident reported by the company as of October 23, 2012 (see press release of October 24, 2012:
In its press release, Barnes & Noble advised that it detected tampering with PIN pad devices used in 63 of its stores. The tampering was limited to one compromised PIN pad in each of the affected stores. The B&N statement says that criminals planted bugs in tampered PIN pad devices and that it disconnected all PIN pads from its stores, nationwide, by close of business September 14, 2012. The press release further advised that the company notified federal law enforcement authorities and it was “supporting” the investigation.
In the complaint, filed in the USDC for the Northern District of Illinois, plaintiff alleges that B&N’s security failures enabled skimmers to steal financial data within B&N stores, allowing for unauthorized purchases and putting the class members’ financial information at serious and ongoing risk (a skimmer is a device made to be affixed to the mouth of an ATM to secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money; see http://krebsonsecurity.com/all-about-skimmers/). Plaintiff alleges that B&N failed to disclose the extent of the breach and failed to individually notify each affected customer. Plaintiff asserts claims for breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The individual plaintiff, Nowak, states that she shopped at a B&N store in Illinois prior to September 14, 2012 and that on at least one of these occasions, she swiped her debit card through one of the store’s PIN pad terminals. While plaintiff alleges that B&N customers are subject to continuing damage from having their personal information compromised, the allegations do not contain any specific reference to plaintiff’s alleged loss or injury from identity theft, credit card fraud, or other specific costs related to card reissuance or credit monitoring. Plaintiff alleges that B&N failed to directly notify individual customers and that B&N was aware of the problem for six weeks before making a public announcement about the scam. Plaintiff further alleges that B&N failed to post signs in each of its affected stores to notify returning customers that their financial information may have been compromised (plaintiff does not allege a specific violation of any breach notification statute, although the Illinois statute does allow for substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000 – substitute notice would not have included posting signs in the stores to notify returning customers that their financial information may have been compromised; substitute notice would only be through email, conspicuous posting on the entity’s website or notification to statewide media).
In a bit of turn-about is fair play, HHS reveals that Centers for Medicare and Medicaid Services failed to meet the patient notification deadline under the HITECH breach notification rule. The report also cited some stats on medical ID theft. CMS has a database of Medicare ID and claim numbers that have been used or are suspected of having been used in ID theft. As of February 2012, the database had in excess of 280,000 beneficiaries and 5,000 providers. CMS is supposed to be tracking unusual billing activity and establishing scores to identify claims for review, but guidance is lacking on how to use the database and identify billing and medical ID fraud.
On September 5, 2012, the U.S. Court of Appeals for the 11th Circuit overruled, in part, a dismissal of a class action filed first in Florida state court (then removed to federal court), which action arose out of the theft of two unencrypted laptops (Resnick v. AvMed, No. 11-13694). The laptops of AvMed, a managed care organization, contained protected health information and personally identifiable information for approximately 1.2 million current and former members. Plaintiffs’ class action alleged that an unknown third party used the information for fraudulent purposes 10 to 14 months after the theft. AvMed moved to dismiss the class complaint, which the district court granted on the grounds that plaintiffs failed to state a cognizable injury. Specifically, the district court reasoned that plaintiffs sought to “predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft.”
The 11th Circuit found (after plaintiffs amended their complaint to include only parties alleging actual identity theft) that where plaintiffs allege they have become victims of identity theft and have suffered monetary damages as a result, this constitutes an injury in fact. Next, the court looked at whether plaintiffs’ injury was fairly traceable to AvMed’s actions. The court found that even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement and here, plaintiffs alleged that AvMed failed to secure their information, despite plaintiffs’ efforts at protecting their information and in light of the fact that they have become victims of ID theft. The court found that under Florida law, plaintiffs’ allegations that they suffered monetary loss was a cognizable injury.
The court was also satisfied that the allegations sufficed to establish causation, citing to the 9th Circuit’s ruling in Stollenwerk v. Tri-West, 254 F. App’x 664 (9th Cir. 2007). The court looked at whether there was a logical connection between events – the sensitive information on the stolen laptops was the same sensitive information used to steal their identities. Given the facts pled, the 11th Circuit found a sufficient nexus between the lost laptop incident and the identity theft loss. (The court found that the negligence, breach of contract, etc. claims could stand while the unjust enrichment claim would not).
The dissent found that the complaint should be dismissed for failure to state a claim because the complaint failed to allege a plausible basis for finding that AvMed caused plaintiffs to suffer identity theft. The dissenting judge argued that it was equally plausible that the identity thieves obtained the information from other third parties, not as a result of the AvMed breach.
The decision may have an impact on how parties view the viability of a class action following a data breach. The 11th Circuit noted this was the first such review of these issues before them – the ruling, however, may leave open what kind of damages suffice and how far from an incident an identity theft is plausibly related.
On September 22, 2012, Governor Jerry Brown signed a bill (A.B. 439) that allows defendants to use an affirmative defense to damage claims, where a HIPAA covered entity or business associate can establish certain actions or lack of harm. The existing law, the Confidentiality of Medical Information Act (CMIA), prohibits a health care provider, contractor or health care service plan from disclosing medical information regarding a patient without first obtaining authorization. The law allows an individual to bring an action against any person or entity who has negligently released records, also providing for statutory damages of $1,000 per record, i.e., nominal damages (no need to show actual damages). The new bill, effective Jan. 1, 2013, specifies that, in an action brought by an individual, a court may not award the “nominal” damage where the defendant is entitled to an affirmative defense. The affirmative defenses apply to HIPAA entities/business associates, who establish: that there was notification compliance; that the release of information was to another covered entity/business associate; that the release of the confidential information was not medical ID theft; and, that the defendant took appropriate preventive measures (security policies, encryption, retention procedures, remedial measures). Finally, if the affirmative defense is established, defendant shall not be liable for more than one judgment on the merits for releases of confidential information arising out of the same event, transaction or occurrence.