Different Degrees of Breach ResponseHannaford Legal Ruling May Re-Shape Breach Notification
The key message from the recent court ruling on the Hannaford data breach: You don't have to suffer fraud to be a victim.
See Also: The Global State of Online Digital Trust
A federal appeals court recently ruled in favor of victims of the 2007 Hannaford data breach. According to this ruling, some victims of the payment card breach at Hannaford, a supermarket chain, can sue for damages resulting from the costs of card replacement, theft insurance and other "reasonable" mitigation efforts. This decision partially overturns a district court ruling that dismissed 26 individual lawsuits against Hannaford, a northeastern U.S. grocery chain.
In all, roughly 4.2 million accounts were compromised and 1800 cases of fraud were reported as a result of the breach, which was masterminded by convicted fraudster Albert Gonzalez, who currently is imprisoned after pleading guilty to several crimes, including the Heartland Payment Systems breach.
The message of this ruling? "Companies need to take more care in their data breach response plans in terms of deciding who actually needs to be provided notification," says Ronald Raether, an Ohio-based attorney with deep experience in breach litigation. "I think Hannaford provides the wake-up call for companies to take a better look at what the law actually requires in terms of notices ..." and then tailor those notices appropriately based on the actual fraud risk the individual accounts might face.
Ideally, Raether says, Hannaford should have prepared one form of letter for the 1800 complaints of actual fraud, but a different form of letter for the remaining 4.2 million who were not defrauded.
"Sending different forms of breach notice letters helps in the defense against class actions," Raether says. "It helps in allowing regulators and others to understand that the scope of the breach and the severity of it may vary considerably among each of those groups. I think overall, it puts the company in a better position to forge ahead and negotiate the troubled waters that come after a data breach in terms of dealing with class actions, regulators and even public relation issues."
In an exclusive interview about the Hannaford decision and its ramifications, Raether discusses:
- The significance of this decision re: data breaches and responsibility;
- The message to merchants and financial institutions;
- Advice for organizations about breach preparedness in 2012.
Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His broad experience with technology-related issues spans a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. He has been involved in seminal cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in over 25 class actions, and has represented companies in over 150 individual FCRA cases.
TOM FIELD: The Hannaford Data Breach. It's been more than three years since the incident - what's new? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Ronald Raether. He is an attorney and partner at Faruki, Ireland, & Cox LLP.
Ron it was early 2008 when Hannaford entered the news with its data breach that certainly sparked lots of headlines that year and beyond. And the case has just come back into the news with a fresh court decision. What can you tell us about this decision?
RONALD RAETHER: Well, the case is really interesting in that it's the most recent step in the back and forth between plaintiffs' and defendants' counsel around the issue of standing in damages. People may or may not be familiar with Hannaford. It's a grocery store chain out of the New York area where, back in December 2007, they revealed there had been a breach of about $4.2 million credit and debit cards along with the security codes. Included in that, there were about 1800 complaints where customers of Hannaford complained that they had actually been victims of fraud. From that, there were 26 class actions filed across the country that eventually were consolidated through the multidistrict litigation procedure rules in the Federal Court in Maine. Initially, after several motions were filed and an issue was certified to the Maine's Supreme Court, the district court eventually did dismiss the class action on the basis of the absence of any cognizable injury or harm by the named plaintiffs and the disputed class.
Latest Court Decision
FIELD: So, what can you tell us about the significance of this latest decision, not just with Hannaford, but regarding data breaches in general and responsibility for these breaches?
RAETHER: It's really the most recent step in the evolution of the pleading struggle that has happened between the plaintiffs' bar and the defense bar. Early on in data breach cases, defendants were filing motions to dismiss, arguing that the named plaintiffs lacked standing.
What is interesting with Hannaford is that the court sort of took the next step and found that the case could continue to go forward because the plaintiffs had alleged actual misuse as to other credit card holders, and so those plaintiffs which actually hadn't been the victim of identity theft - there wasn't any proof that they had actually been the victim of identity theft - could nonetheless still have a cognizable claim because there was a sufficient threat, an imminent threat of injury because there had been those actual 1800 complaints of fraud. The remaining 4.2 million people could have a claim because they could be threatened enough to feel like they had to take proactive measures and incur out-of-pocket expenses.
Impact on Future Breach Litigation
FIELD: As we said up front, Hannaford is nearly four years old now. We've certainly seen a number of other breaches this year alone. In layman's terms for a business audience, how do you see this Hannaford decision potentially impacting cases that arise from other more recent breaches that we've seen?
RAETHER: I think in a couple of ways. So, from the plaintiffs' bar perspective and the threat of class action litigation, early on in the history of data breach litigation, defendants were fairly comfortable that they could have some success on early motions to dismiss. I think the plaintiffs' [attorneys] have learned from these cases and are pleading better complaints, and so as a consequence, the litigation is likely to be more robust, take longer to resolve.
So as a consequence, I think companies need to take more care in their data breach response plans in terms of deciding who actually needs to be provided notification. I think the trend following the February/March 2005 data breach and the media and government reactions to those incidents, the consequence has been that companies have been conservative. By that I mean over-notifying when there is a breach. I think Hannaford provides the wake-up call for companies to take a better look at what the law actually requires in terms of notices. Tailoring those notices based on what is required by the law, and in fact sending different forms of notices depending on what category a specific consumer might fall in, in relation to the amount of risk that the consumer might face from the breach incident.
FIELD: Well that is an interesting point that I would like to follow up on, because it seems like there are a couple of messages here. There is one for merchants who might be suffering the breaches, and certainly for financial institutions whose customers are going to be impacted by it. What do you see as the messages to these two constituencies?
RAETHER: I think they need to be more thoughtful and thorough in their forensic analysis of the breach itself. So, making sure that they act quickly and early to bring in the right third-party or internal resources to do a complete and detailed forensic analysis. Of course, they want to do that under the protection of attorney/client privilege. Then, once that is done, they need to take that data and really park it up against the individual state breach notice laws.
I've written an article on this specific issue of 'when is breach notice actually required,' and for the most part it is an instance in which there is some evidence or fear that the actual consumers are going to be victims of identity theft. Having been involved in a number of data breach responses, there really is a wide spectrum in terms of how much threat there is to the consumers. But let's take Hannaford as an example for a moment. If in response to that breach there had been one form of letter sent out to the 1800 complaints of actual fraud, and obviously breach notice was required with regard to those 1800, but a different form of letter was used for the remaining 4.2 million, or if the forensic evidence showed that there as even more diversity amongst that group of 4.2 million. Sending different forms of breach notice letters helps in the defense against class actions. It helps in allowing regulators and others to understand that the scope of the breach and the severity of it may vary considerably among each of those groups. I think overall, it puts the company in a better position to forge ahead and negotiate the troubled waters that come after a data breach in terms of dealing with class actions, regulators and even public relation issues.
Legal Issues of Note
FIELD: So, Ron, taking a step back from Hannaford, you've certainly been paying attention to litigation that other people haven't been seeing. What are some of the recent legal decisions that you see that organizations really should know more about in terms of breaches, preparing for them and responding to them?
RAETHER: I think in the past we've really been focused on the Federal Trade Commission and the guidance that organization was providing to companies in terms of what data security steps ought to be taken. Of course, the Consumer Financial Protection Bureau will be providing guidance to us as that organization comes into play. I think however in the coming years, and even in 2011, the real activity has been in the Attorney General's. I've seen an increase in staffing within those organizations in the groups that deal with data breach and information security. Notably, you have a group of states that have traditionally been strong in data breach: Massachusetts, Maryland, Illinois. Those states will continue to be actively involved.
I've seen a rise in other states, not traditionally known to be active in this space. So for example this past summer, the Indiana Attorney General entered into an settlement with WellPoint health insurance organization in Indiana, and the important thing there was the whole enforcement action came around the timing of the notice. Indiana complained that WellPoint did not act quickly enough in providing notice. So I think that, following AGs and the opinions that are coming out of them will be important. I also know that this summer the Attorney Generals received HIPAA training from the Department of Health and Union Services, so I expect again to keep an eye on the AGs and their enforcement actions.
Advice for 2012
FIELD: Final question for you. For organizations that are concerned about breach preparedness (as they all should be), what is your advice for them as they go into 2012?
RAETHER: I think that in the past because of the Massachusetts's requirements, somewhat because of HIPAA, there has been too much of an emphasis placed on having complex and voluminous written policies. Because of my feeling that enforcement is going to focus more on deceptive, in other words, inconsistencies between writing and actual practice, I think that those written policies need to be simplified. They need to be written in a way that convey compliance, but also doesn't unnecessarily hamper the company, and what it really needs to be focusing on and that's putting in place practices and procedures to safeguard security and hopefully avoid data breach.
Then I think, finally in 2012, we should always remember that the biggest threat to security is still human beings, employees, and not just employees in terms of intentional misconduct, but also negligence. Employees looking to make their jobs easier, more efficient, taking shortcuts, maybe being helpful to third parties, all of those are the biggest threats to security. So, companies ought to pay particular attention to training and spending time with those employees implementing maybe technical features that can audit and prevent employees from taking shortcuts, all security measures around employees, human factors so that overall hopefully we can avoid breaches or if a breach occurs. We have a good set of documents, a good story to tell the judges and the regulatory agencies about the due diligence and hard work that the company put in place to avoid the breach.