http://www.insuretrust.com/powerful-new-malware-can-steal-money-discovered
Class Action Suit Filed Against Barnes & Noble Over PIN, Credit Card Theft
Barnes & Noble gets sued over PIN “skimming” scam
On October 27, 2012, plaintiff Elizabeth Nowak filed a putative class action against Barnes & Noble (“B&N”) arising out of the PIN pad tampering incident reported by the company as of October 23, 2012 (see press release of October 24, 2012: www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html).
In its press release, Barnes & Noble advised that it detected tampering with PIN pad devices used in 63 of its stores. The tampering was limited to one compromised PIN pad in each of the affected stores. The B&N statement says that criminals planted bugs in tampered PIN pad devices and that it disconnected all PIN pads from its stores, nationwide, by close of business September 14, 2012. The press release further advised that the company notified federal law enforcement authorities and it was “supporting” the investigation.
In the complaint, filed in the USDC for the Northern District of Illinois, plaintiff alleges that B&N’s security failures enabled skimmers to steal financial data within B&N stores, allowing for unauthorized purchases and putting the class members’ financial information at serious and ongoing risk (a skimmer is a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machine to pull out money; see http://krebsonsecurity.com/all-about-skimmers/). Plaintiff alleges that B&N failed to disclose the extent of the breach and failed to individually notify each affected customer. Plaintiff asserts claims for breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The individual plaintiff, Nowak, states that she shopped at a B&N store in Illinois prior to September 14, 2012 and that on at least one of these occasions she swiped her debit card through one of the store’s PIN pad terminals. While plaintiff alleges that B&N customers are subject to continuing damage from having their personal information compromised, the allegations do not contain any specific reference to plaintiff’s alleged loss or injury from identity theft, credit card fraud, or other specific costs related to card reissuance or credit monitoring. Plaintiff alleges that B&N failed to directly notify individual customers and that B&N was aware of the problem for six weeks before making a public announcement about the scam. Plaintiff further alleges that B&N failed to post signs in each of its affected stores to notify returning customers that their financial information may have been compromised (plaintiff does not allege a specific violation of any breach notification statute, although the Illinois statute does allow for substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000; substitute notice would not have included posting signs in the stores to notify returning customers that their financial information may have been compromised, and would only be through email, conspicuous posting on the entity’s website, or notification to statewide media).
The Connecticut AG is interested:
http://www.ct.gov/ag/cwp/view.asp?Q=512804&A=2341
See copy of lawsuit at:
Inspector General – Medicare/Medicaid Tardy On Breach Notifications
In a bit of turnabout-is-fair-play, HHS reveals that the Centers for Medicare and Medicaid Services (CMS) failed to meet the patient notification deadline under the HITECH breach notification rule. The report also cited some stats on medical ID theft. CMS has a database of Medicare ID and claim numbers that have been used, or are suspected of having been used, in ID theft. As of February 2012, the database contained in excess of 280,000 beneficiaries and 5,000 providers. CMS is supposed to be tracking unusual billing activity and establishing scores to identify claims for review, but guidance is lacking on how to use the database and on identifying billing and medical ID fraud.
http://www.govinfosecurity.com/medicare-lags-on-breach-notification-a-5194
Eleventh Circuit Finds Cognizable Injury Following PHI/PII Breach
On September 5, 2012, the U.S. Court of Appeals for the 11th Circuit overruled, in part, a dismissal of a class action filed first in Florida state court (then removed to federal court), which action arose out of the theft of two unencrypted laptops (Resnick v. AvMed, No. 11-13694). The laptops of AvMed, a managed care organization, contained protected health information and personally identifiable information for approximately 1.2 million current and former members. Plaintiffs’ class action alleged that an unknown third party used the information for fraudulent purposes 10 to 14 months after the theft. AvMed moved to dismiss the class complaint, which the district court granted on the grounds that plaintiffs failed to state a cognizable injury. Specifically, the district court reasoned that plaintiffs sought to “predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft.”
The 11th Circuit found (after plaintiffs amended their complaint to include only parties alleging actual identity theft) that where plaintiffs allege they have become victims of identity theft and have suffered monetary damages as a result, this constitutes an injury in fact. Next, the court looked at whether plaintiffs’ injury was fairly traceable to AvMed’s actions. The court found that even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement; here, plaintiffs alleged that AvMed failed to secure their information, despite plaintiffs’ efforts at protecting their information, and that they have since become victims of ID theft. The court found that under Florida law, plaintiffs’ allegations that they suffered monetary loss constituted a cognizable injury.
The court was also satisfied that the allegations sufficed to establish causation, citing to the 9th Circuit’s ruling in Stollenwerk v. Tri-West, 254 F. App’x 664 (9th Cir. 2007). The court looked at whether there was a logical connection between events – the sensitive information on the stolen laptops was the same sensitive information used to steal their identities. Given the facts pled, the 11th Circuit found a sufficient nexus between the lost laptop incident and the identity theft loss. (The court found that the negligence, breach of contract, etc. claims could stand while the unjust enrichment claim would not).
The dissent found that the complaint should be dismissed for failure to state a claim because the complaint failed to allege a plausible basis for finding that AvMed caused plaintiffs to suffer identity theft. The dissenting judge argued that it was equally plausible that the identity thieves obtained the information from other third parties, not as a result of the AvMed breach.
The decision may have an impact on how parties view the viability of a class action following a data breach. The 11th Circuit noted this was the first such review of these issues before them – the ruling, however, may leave open what kind of damages suffice and how far from an incident an identity theft is plausibly related.
California Medical Breach Law – Damage Defense

On September 22, 2012, Governor Jerry Brown signed a bill (A.B. 439) that allows defendants to use an affirmative defense to damage claims, where a HIPAA covered entity or business associate can establish certain actions or lack of harm. The existing law, the Confidentiality of Medical Information Act (CMIA), prohibits a health care provider, contractor or health care service plan from disclosing medical information regarding a patient without first obtaining authorization. The law allows an individual to bring an action against any person or entity who has negligently released records, and also provides for statutory damages of $1,000 per record, i.e., nominal damages (no need to show actual damages). The new bill, effective Jan. 1, 2013, specifies that, in an action brought by an individual, a court may not award the “nominal” damages where the defendant is entitled to an affirmative defense. The affirmative defenses apply to HIPAA covered entities/business associates who establish: that there was notification compliance; that the release of information was to another covered entity/business associate; that the release of the confidential information was not medical ID theft; and that the defendant took appropriate preventive measures (security policies, encryption, retention procedures, remedial measures). Finally, if the affirmative defense is established, the defendant shall not be liable for more than one judgment on the merits for releases of confidential information arising out of the same event, transaction or occurrence.
“Sniffing” Does Not Violate Wiretap Act
The US District Court for the Northern District of Illinois (Judge Holderman) recently ruled that the interception of unencrypted, publicly available WiFi networks does not violate provisions of the federal Wiretap Act. In a decision involving admissibility of evidence, the court found that a party’s “intercept” fell within an exception to the Wiretap Act – allowing a person “to intercept or access an electronic communication made through an electronic communication system that is configured so that electronic communication is readily accessible to the general public.”
The issue arose in a patent infringement case. Innovatio IP Ventures sued commercial users of wireless internet technology, such as hotels and coffee shops, for infringing its patents by making the technology available to their customers, as well as by using the technology for managing internal processes. As discovery proceeded in the case, Innovatio used commercially available WiFi network analyzers to collect information about the Wireless Network Users’ (hotels, restaurants, etc.) allegedly infringing networks. The process, known as “sniffing,” requires Innovatio’s technicians to enter the Users’ premises during business hours with a laptop and a packet capture adapter. The adapter can intercept data packets traveling wirelessly between the WiFi router provided by the Users and any devices that may be communicating with it.
Innovatio sought a ruling on the admissibility of the information it gained in the sniffing process. The court asked the parties to address the Wiretap Act issues. Rejecting both parties’ technical arguments (and experts), the court focused on an exception to the Act. The Court distinguished this case from a ruling from the Google Street View litigation, by stating that the earlier ruling relied on accepting the premise that communications could only be intercepted using sophisticated technology. Basically, the court concluded that the technology continues to evolve faster than the court rulings and the legislation. The court noted that the public may still have some lack of awareness regarding the privacy of communications in a coffee shop setting, but that lack of awareness does not mean that parties utilizing technology to capture the communications are in violation of the Wiretap Act.
See, In Re Innovatio IP Ventures, LLC Patent Litigation, N.D.Ill., No. 1:11-cv-09308, Aug. 22, 2012
Mobile Device Privacy – Federal Legislation
The Mobile Device Privacy Act, introduced Wednesday by Representative Ed Markey, would also require mobile phone makers, network operators and app developers to get permission from customers before monitoring their mobile devices.
See update at:
http://www.pcworld.com/businesscenter/article/262244/
The app industry is pushing back, saying it can develop systems for protection without the need for legislation.
Appellate Court Finds Coverage for Data Breach under Crime Policy
According to the Privacy Rights Clearinghouse, in 2005 DSW Shoe Warehouse suffered a data breach affecting over 1.4 million customers across 25 states. Between February 1 and February 14, 2005, hackers gained unauthorized access to the DSW main computer system and then downloaded credit card and checking account information pertaining to customers (the DSW incident was a part of the same scheme that targeted TJX, Barnes & Noble, Target, Sports Authority and Boston Market; see The Great Cyberheist, by James Verini, New York Times Magazine, Nov. 10, 2010. Using a technique known as “war driving,” the hackers sat in vehicles outside stores with laptops and high-power radio antennae to gain access to the networks). DSW was first alerted to the problem in March of 2005. In the wake of the breach, DSW incurred expenses relating to customer communications, public relations fees, customer claims/litigation and attorneys’ fees in connection with the investigations by seven state AGs and the FTC. DSW claimed losses of $4 million, including costs associated with chargebacks, card reissuance, account monitoring and fines imposed by VISA/MasterCard.
DSW submitted Proofs of Loss to its insurer, National Union, starting in September 2005 (following initial notification of the matter in April 2005). DSW claimed a total of $6.8 million for the losses plus interest. At the time, DSW did not have specific data breach coverage for the incident; however, it submitted the claim under a computer fraud rider to a “Blanket Crime Policy.” (As of 2005, AIG and other insurers provided coverages for network security/privacy liabilities as well as coverages for network incidents, interruptions; at the time, some policies did not specifically address fines/penalties associated with a breach but most now do).
National Union denied coverage for the loss under the crime policy, stating that the claims arose from “third party theft of proprietary confidential customer credit card information.” The crime policy included an endorsement for “Computer & Funds Transfer Fraud Coverage,” where the insurer agreed to pay for “Loss which the Insured shall sustain resulting directly from… theft of any Insured property by Computer Fraud…” (Italics added).
The district court granted summary judgment for DSW based upon the policy language and National Union appealed. The appellate court disagreed with the insurer’s denial analysis and found coverage for DSW by stating that the phrase “resulting directly from” does not unambiguously limit coverage to a loss resulting “solely” or “immediately” from the theft itself (see Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., — F.3d — (2012) [emphasis added]).
National Union argued that the commercial crime policy was a fidelity bond and provided only first party coverage. The district court found that the policy covered more than fidelity coverage. National Union also argued that the “resulting directly from” language required that the theft of property by computer fraud be the “sole” and “immediate” cause of the insured’s loss. National Union urged that this approach refers to the insured’s own loss, say from employee misconduct, and not the insured’s vicarious liability to third parties.
While the Sixth Circuit acknowledged that other decisions reason that the “resulting directly from” language suggests a stricter causation than proximate cause, the court went on to find that the Ohio Supreme Court would apply a proximate cause standard to determine whether the loss was covered. The appellate court decided that the “resulting directly from” language was ambiguous. Further, the court did not find an exclusion to apply. The court found that the exclusion for “loss of … confidential information of any kind” did not include the hacked customer data as the customer information was not DSW’s confidential information but was obtained from customers in order to receive payment.
Given the trend in available coverages following this and other notable incidents from 2005 to 2007 (Choice Point, TJX), it does not appear likely that many courts will be looking to crime policies or fidelity policies for coverage of these types of losses. It might not be unexpected, however, that where a policy has language about “computer fraud” or “computer systems” courts will continue to pay careful attention to the language, in particular if there are significant losses following breach incidents. And, as noted by this court, not all crime policies contain similar “resulting directly from” language or even provisions that address “computer fraud.” In that regard, the decision may have a limited shelf-life.
Update from HHS on Stage 2 of HITECH Act’s EHR program
The meaningful use rule spells out requirements for how hospitals and physicians must use electronic health records to qualify for a second round of incentives, beginning in 2014. Participants were required to conduct a risk assessment in Stage 1, and now Stage 2 requires that the EHR technology be designed to encrypt, by default, the electronic health information stored locally on end-user devices.
http://www.govinfosecurity.com/hitech-stage-2-rules-unveiled-a-5060
Craigslist and what comes after, beyond – infringement?
http://bits.blogs.nytimes.com/2012/07/29/when-craigslist-blocks-innovations-disruptions/?smid=pl-share