Data Security Roundup—October 2016

Executive and Regulatory Developments

Department of Commerce Now Accepting Privacy Shield Self-Certifications

On August 1, 2016, the Department of Commerce began accepting Privacy Shield self-certifications. The Privacy Shield, which replaces the Safe Harbor agreement that was invalidated last year, provides a mechanism for companies to comply with European Union data protection requirements while transferring personal data from the EU to the US. Joining the Privacy Shield program is voluntary. However, once an organization publicly commits to comply with Privacy Shield principles, that commitment is enforceable under US law. To be eligible for Privacy Shield, organizations must be subject to the jurisdiction of the Federal Trade Commission or Department of Transportation, develop a Privacy Shield-compliant privacy policy statement, provide an independent recourse mechanism to investigate unresolved complaints, ensure that procedures are in place to verify compliance, and designate a Privacy Shield contact. Hundreds of organizations have already submitted applications, and some were certified by mid-August.

Rule Finalized Requiring Contractors to Adopt Uniform Treatment of Confidential Information

The US government has finalized a rule, published on September 14, 2016, taking significant steps toward standardizing the treatment of non-classified sensitive US government information by both executive agencies and government contractors.

Controlled unclassified information (CUI) is information held by the Federal Government which is sensitive but unclassified. It includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings. Despite the recent public spotlight on government protection of sensitive data, until this rule there was no unified law governing the designation and safeguarding of CUI; instead, agencies used their own conventions.

The final rule, effective November 14, 2016, will now exclusively govern the treatment of CUI by both executive agencies and government contractors. Although the final rule applies only to federal agencies, the rule requires that all agency-written agreements (including contracts, grants, and licenses) with contractors that involve CUI include a provision requiring the handling of CUI in accordance with the final rule. Further information is available in our October 2016 Advisory.

NIST's Draft Revisions to Cybersecurity Guidance for Government Contractors

On August 16, 2016, the National Institute for Standards and Technology (NIST) released draft revisions to Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (SP 800-171 Rev. 1). The most substantive change to the publication involves the addition of a new standard, PL-2 (System Security Plan). The standard requires the use of a formal system security plan for entities employing NIST 800-171 to articulate, among other details, how the cybersecurity controls required under NIST 800-171 are implemented. Rules governing control of certain federal information (including those governing "covered defense information" and "controlled unclassified information") rely on NIST 800-171 to articulate the controls required for systems processing, storing, or transferring covered information. NIST accepted public comment on the revision until September 16, 2016, and a final revision is expected soon.

Litigation Developments

After Spokeo, the Eighth Circuit Dismisses Suit Involving Allegations of Invasion of Privacy for Lack of Actual Injury

On September 8, 2016, the Eighth Circuit, in Braitberg v. Charter Communications, Inc., held that a defendant's violation of a statute by retaining personal information does not constitute a cognizable injury for the purpose of bringing suit in federal court, absent the defendant's actual disclosure of the retained information to a third party. In Braitberg, the plaintiff brought a putative class action against Charter Communications alleging that it violated the Cable Communications Policy Act by retaining personal information of its customers, even after they cancelled their cable services. The district court dismissed the case in a one-page order without stating its reasoning. On appeal, the Eighth Circuit affirmed the district court's dismissal, relying on the Supreme Court's recent case, Spokeo, Inc. v. Robins, which held that a plaintiff must suffer a concrete and particularized injury in order to bring a suit in federal court, and that allegations of bare procedural violations, without actual injury, do not satisfy the concreteness requirement.

Eighth Circuit Affirms Dismissal of GameStop Privacy Class Action

On August 16, 2016, in Carlsen v. GameStop, Inc., the Eighth Circuit affirmed dismissal of a putative class action alleging that GameStop violated its privacy policy by sharing users' Facebook IDs and browsing history with Facebook. GameStop's privacy policy stated that personally identifiable information would not be shared, and noted that personally identifiable information "may include: your name, home address and zip code, telephone number, e-mail address and (for those purchasing products online) credit card or checking account information including billing and shipping addresses and zip codes." While the phrase "may include" suggested that the list was non-exhaustive, the policy did not specifically include Facebook IDs and browsing history on its list of personally identifiable information. Accordingly, the Court held that "the protection [plaintiff] argues GameStop failed to provide was not among the protections for which he bargained by agreeing to the terms of service, and GameStop thus could not have breached its contract with [plaintiff]." The district court had previously dismissed the action but on different grounds, finding that the named plaintiff lacked standing.

Third Circuit Holds Economic Loss Doctrine Bars Negligence Claim in Data Breach Class Action

On August 25, 2016, in Longenecker-Wells v. Benecard Services, Inc., the Third Circuit affirmed dismissal of negligence and breach of implied contract claims against Benecard Services, Inc. arising from a data breach last year. In early 2015, Benecard's computer systems were compromised and unknown third parties subsequently used plaintiffs' personal information to file fraudulent tax returns to obtain tax refunds. The Third Circuit affirmed dismissal of the negligence claim on the grounds that Pennsylvania's economic loss doctrine barred causes of action "for negligence that result solely in economic damages unaccompanied by physical injury or property damage." The Court also affirmed dismissal of plaintiffs' claim for breach of implied contract on the grounds that the plaintiffs had not pleaded "any company-specific documents or policies from which one could infer an implied contractual duty to protect Plaintiffs' information." Mere allegations that an implied contract arose "from the course of conduct" were insufficient to survive a motion to dismiss. On October 5, 2016, the Third Circuit denied plaintiffs' petition for rehearing.

Sixth Circuit Finds Class Plaintiffs Have Article III Standing to Proceed Against Nationwide Mutual Insurance for Data Breach

On September 12, 2016, in Galaria v. Nationwide Mutual Insurance Co., the Sixth Circuit overturned a district court opinion and held that plaintiffs in a putative class action pled injuries that were sufficiently concrete to confer Article III standing, despite plaintiffs' failure to allege any actual fraud or identity theft as a result of the company's data breach. Noting that the purpose of the breach of Nationwide's computer network was to commit fraud with the stolen information, the Court held that plaintiffs were subject to a substantial risk of identity theft and the costs of credit freezes and monitoring plaintiffs incurred were "concrete injur[ies]" sufficient for standing purposes. Further, allegations that "but for" Nationwide's allegedly lax security, the data breach would not have occurred met the threshold for the standing doctrine's causation requirement—at least at the pleading stage. Finally, the Court clarified that "statutory standing" under the Fair Credit Reporting Act does not implicate a federal court's constitutional power to hear a case; it merely refers to whether the law gives plaintiffs a right to sue. Dissenting, Judge Batchelder contended that plaintiffs lacked Article III standing because they were not harmed by the data breach per se; rather, a third-party criminal would actually have to make use of the stolen information before an injury would result. Thus, Judge Batchelder would dismiss the claims against Nationwide on causation grounds and rebuked the majority for "tak[ing] sides" in the growing circuit split over whether an increased risk of identity theft is sufficient for Article III injury purposes in data breach cases. On September 26, 2016, Nationwide filed a petition for rehearing en banc asking the full Sixth Circuit to review the panel's decision, which the Sixth Circuit denied.

State Developments

New York recently announced new proposed regulations aimed at bolstering cybersecurity protections in the financial services industry. The regulations would require banks, insurance companies, and other financial institutions that are regulated by the New York State Department of Financial Services to establish and maintain a cybersecurity program, including designating a Chief Security Officer, adopting a written cybersecurity policy, and implementing new procedures to ensure the security of information systems. Required cybersecurity measures would include an incident response plan, multi-factor authentication for individuals with access to internal systems, encryption of all nonpublic information held or transmitted, and an audit trail system. The proposed regulations would also affect third parties with access to a regulated entity's information systems and nonpublic information, as regulated entities would be required to conduct due diligence on, monitor, and require minimum cybersecurity practices from those third parties. The proposal is subject to a 45-day notice and public comment period before becoming final; if issued, the regulations will go into effect in January 2017. The press release from Governor Cuomo's office and a state-issued summary of the proposed regulations are available here and here. For further information on NY's proposed regulations, see Arnold & Porter's Advisory.