Author Archives: Alex Pearce

The Government Can Sue for a Privacy or Data-Security Violation. What Are the Limits of that Government Power?

Consumers and businesses aren’t the only sources of potential privacy and data-security litigation. Today’s post looks at another important source: the Federal Trade Commission and state consumer-protection regulators.

In many cases, government enforcers don’t have express authority to sue for “privacy” or “data security” violations. Instead, the FTC often sues based on its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. State enforcers invoke their authority under Section 5’s state-law analogues, like N.C. Gen. Stat. §75-1.1. The enforcers argue that the failure to protect consumers’ sensitive data constitutes an “unfair” business practice.

A new decision from a federal court in California, called FTC v. D-Link Systems, explores the limits of this theory. This post discusses two specific issues from D-Link:

  • Can the FTC use its “unfairness” authority under Section 5 to regulate companies’ data security practices?
  • Can an “unfairness” claim lie under Section 5 without an allegation that consumers suffered either (a) monetary loss or (b) actual disclosure of their sensitive personal data?

The Best Possible Security?

D-Link Systems sold routers and internet-connected security cameras and video baby monitors. D-Link’s marketing materials and user manuals touted the products’ security features. The materials said that the products included “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”

Not so, according to the FTC. The Commission claimed the software for D-Link’s products had clear security flaws—flaws that allowed attackers to access the devices over the Internet and to observe consumers through their cameras, or to steal sensitive information stored on a consumer’s home network. 

The FTC sued D-Link, alleging (among other claims) that D-Link’s failure “to take reasonable steps to secure the software” for their routers and cameras amounted to an “unfair” act or practice that violated Section 5. Notably, the FTC did not allege that any consumer had actually been spied on or had their data stolen—just that those harms could result from the security flaws in D-Link’s products.

No Harm, No Foul?

D-Link moved to dismiss the unfairness claim on two broad grounds.

First, D-Link generally objected to the FTC’s use of its unfairness authority to regulate data security. According to D-Link, “Section 5 says nothing about data security,” and “[i]f Congress wanted the FTC to regulate data security for the entire economy, it would have clearly said so.” Even if Section 5 gave the FTC the authority to regulate data security, D-Link argued, the FTC had not given D-Link fair notice—through the formal adoption of clear standards—of “what data-security practices for routers and IP cameras the FTC believes Section 5 to prohibit or to require.”

Second, D-Link argued, the FTC had failed to adequately allege that D-Link’s practices in this case caused or were likely to cause substantial injury to consumers—a necessary element of an unfairness claim under Section 5. The statute, said D-Link, required the FTC to allege actual physical or monetary harm to identifiable consumers.

It Means What We Say It Means

The court rejected out of hand D-Link’s general challenge to the FTC’s unfairness authority. It explained that “unfairness” was “by its very nature, a flexible concept with evolving content.” That data security was not expressly enumerated in Section 5 thus did not affect the FTC’s ability to exercise its authority to regulate companies’ data security practices. In that regard, the court cited approvingly to FTC v. Wyndham Worldwide Corp., a Third Circuit case from 2015 that rejected the same argument.

The court also rejected D-Link’s “fair notice” argument. Even though adopting specific data-security standards might in theory be “an optimal way” for the FTC to proceed, said the court, the law did not require this as a precondition for bringing an enforcement action. Rather, the FTC had discretion to proceed through individual, ad hoc litigation. And in the court’s view, that approach was especially appropriate in the realm of data security: “data security is a new and rapidly developing facet of our daily lives, and to require the FTC in all cases to adopt rules or standards before responding to data security issues faced by consumers” would be impractical.

What’s the Harm?

The court agreed with D-Link, however, that the FTC had not adequately pleaded the “injury” element of its unfairness claim. According to the court, the FTC’s failure to allege facts showing that consumers suffered a monetary loss, or had their sensitive personal data accessed or exposed, was fatal to the FTC’s claim. The absence of such facts, even after the FTC had undertaken a thorough investigation, suggested it was just as plausible that D-Link’s devices were not likely to cause substantial harm to consumers.

The court therefore dismissed the unfairness claim, but then gave the FTC leave to amend—and a roadmap on how to avoid dismissal the second time around.

According to the court, rather than relying on the risk of future harm to consumers from a compromised device, the FTC might instead frame the “injury” to consumers as an overpayment for the devices themselves. The court explained that a consumer’s purchase of a device that was not reasonably secure—let alone as secure as advertised—would be “in the ballpark” of a substantial injury, particularly if that injury were suffered by a large group of consumers.

Lessons for Companies

D-Link contains some important lessons for companies.

First, the decision confirms that the FTC can use its unfairness authority under Section 5 to regulate data security, and that it can do so through ad hoc enforcement actions rather than formally adopted rules and standards. Absent such rules or standards, companies would be well advised to stay abreast of the informal guidance that the FTC makes available on its website and Business Blog, and of the actions that it brings against other companies.

Second, the court’s invitation for the FTC to amend its unfairness claim to focus on consumers’ purchase of devices they expected to be secure may lead regulators, just like consumers, to use “overpayment” theories to avoid dismissal of data-security lawsuits.

Author: Alex Pearce

Defending Breach-of-Contract Claims in Data-Breach Litigation

We’ve previously discussed the “overpayment” theory of injury in data-breach litigation. This theory rests on the premise that the price of a product or service includes a payment for data security measures. When a data breach happens, buyers allege they have overpaid for the product or service because the seller failed to provide the agreed-upon measures.

Data-breach plaintiffs have successfully used this theory to overcome standing challenges brought by defendants under Rule 12(b)(1).

Today’s post examines a recent federal appellate decision that shows how data-breach lawsuits premised on overpayment theories—which often assert claims sounding in contract—still face an uphill battle under Rule 12(b)(6).

In that decision—a boon for data-breach defendants—the Eighth Circuit employed a demanding test for the pleading of facts that give rise to an overpayment claim.

Promises Made to Be Broken? 

Kuhns v. Scottrade arose after hackers accessed the internal customer database of Scottrade, a securities brokerage firm. The hackers acquired sensitive personal information of over 4.6 million customers. They then used that personal information to operate a stock price manipulation scheme, illegal gambling websites, and a bitcoin exchange.

The plaintiffs—Scottrade customers whose personal information was accessed by the hackers—sued Scottrade in federal court in Missouri. Their complaint asserted claims for breach of express and implied contract.

According to the plaintiffs, a portion of the fees they paid to Scottrade for brokerage services was to be used for data management and security. To that end, the plaintiffs pointed to representations that Scottrade made as part of their brokerage agreements.

Those agreements included a “Privacy and Security Statement” in which Scottrade represented that it would:

  • “maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information;” and
  • “offer[ ] a secure server and password-protected environment . . . protected by Secure Socket Layer (SSL) encryption.”

The plaintiffs alleged that the hack occurred because Scottrade didn’t live up to these promises.

For damages, the plaintiffs sought “the monetary difference between the amount paid for services as promised…and the services actually provided.”

The district court dismissed the complaint for lack of standing. It concluded that the plaintiffs’ “conclusory” allegations that they had been deprived of the benefit of the data management and security services they paid for when they opened their accounts did not constitute a sufficiently concrete injury.

Overpayment = Concrete Injury

On appeal, the Eighth Circuit rejected that analysis. The Eighth Circuit pointed to an earlier data-privacy decision involving claims premised on an overpayment theory. In that case, the court held that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.”

The Scottrade plaintiffs satisfied that test. Their complaint alleged that they bargained for and expected protection of their personal information, and suffered a diminished value of that bargain when Scottrade failed to prevent the data breach. Thus, the Eighth Circuit concluded, the plaintiffs had standing to assert the breach of contract claims, “whatever the merits” might be of those claims.

Show Me the Breach

As to the merits, Scottrade argued that even if the plaintiffs had standing, their contract claims that relied on the overpayment theory should still be dismissed under Rule 12(b)(6).

Scottrade argued that the plaintiffs did not allege any specific facts to establish that Scottrade breached its promises regarding data security. To that end, Scottrade observed, the plaintiffs hadn’t alleged any specific security measures that Scottrade had promised but failed to implement. Nor had they specified any particular laws with which Scottrade’s data security practices failed to comply.

Data Breach ≠ Contract Breach (necessarily)

The Eighth Circuit agreed with Scottrade.

It concluded that the plaintiffs had failed to allege any specific breach of the security representations in the brokerage agreement. To that end, the court observed that:

  • the plaintiffs did not identify any specific law or regulation that Scottrade’s data security practices violated; and
  • Scottrade never affirmatively promised that its customers’ data would not be hacked.

Acknowledging that the complaint presented the “possibility” of misconduct, the court nonetheless held that more was required: “It is possible that Scottrade breached the Brokerage Agreement, but we have no idea how.”

Critically, the court concluded that the mere fact that a data breach occurred could not supply the requisite factual basis for the breach of contract claims. It explained that “the implied premise that because data was hacked Scottrade’s protections must have been inadequate” amounted to a “naked assertion devoid of further factual enhancement” that could not survive a motion to dismiss under the Supreme Court’s ruling in Ashcroft v. Iqbal.

The court thus affirmed the district court’s dismissal of the action, albeit under Rule 12(b)(6) rather than Rule 12(b)(1).

Lessons for Litigants

The holding in Scottrade will be a welcome addition to data-breach defendants’ Rule 12(b)(6) arsenal.

It suggests that data-breach plaintiffs who rely on an “overpayment” theory must allege specific facts not only about the data security promises for which they paid, but also about the specific ways in which a defendant’s practices failed to live up to those promises.

And just as importantly, the decision makes clear that neither conclusory allegations of broken security promises, nor the mere fact of a data breach, are sufficient to satisfy that burden.

Author: Alex Pearce

How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses

Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too.

When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified.

This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.

Instead, a business plaintiff must overcome a different defense: the economic-loss rule. That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims.

A recent decision from a federal court in Colorado involving one of my kids’ favorite mac-and-cheese spots shows how the economic-loss rule can apply when one business sues another over a data breach. This post studies that decision.

A Cyberattack Compromises Diners’ Payment Card Data

SELCO Community Credit Union v. Noodles & Company concerns a cyberattack on the Noodles & Company restaurant chain that compromised customers’ credit and debit card information. The plaintiffs were not consumers, but instead credit unions whose cardholders dined at Noodles and whose information was compromised. They sued Noodles for failing to prevent the breach.

According to the credit unions, Noodles breached a common-law duty to protect its customers’ payment card information by failing to implement industry-standard data-security measures. The credit unions alleged that this breach caused them damages, including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

The credit unions brought tort claims—all based on theories of negligence—against Noodles. Noodles filed a motion to dismiss based on the economic-loss rule, pointing to agreements it and the plaintiffs had entered as participants in the payment-card-processing ecosystem.

The Payment Card Ecosystem: A Chain of Interrelated Contracts

The court provided the following diagram to explain this ecosystem:

[Diagram: the payment-card-processing ecosystem (image not reproduced)]

In its motion, Noodles observed that each actor in this ecosystem signed an agreement with at least one other actor in which it agreed to follow rules issued by the bank-card associations. Importantly, the agreements required merchants to maintain a certain level of security for payment-card data—including compliance with a set of detailed best practices for data security in the payment-card industry called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and responsibilities in the event of a cyberattack. More specifically, the agreements called for the credit unions to guarantee cardholders zero liability for fraudulent transactions. The credit unions, in turn, could partially recover their losses through a loss-shifting scheme managed by the bank-card associations.

According to Noodles, this arrangement reflected “a series of determinations by several sophisticated commercial entities about how the risk of fraudulent transactions should be allocated in the payment card networks.” Noodles accused the credit unions of trying to re-allocate that risk—and violating the economic-loss rule—by bringing tort claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, they argued that Noodles owed them a common-law duty to secure payment-card data and to prevent foreseeable harm to cardholders. This duty, they urged, was separate and distinct from any contract-based duty to comply with PCI DSS. The credit unions made this argument to try to shoehorn their claims into what’s known as the “independent duty” exception to the economic-loss rule.

Second, the credit unions argued that the economic-loss rule should not apply because the credit unions had no contract with Noodles. Thus, the credit unions argued, they never had the chance to “reliably allocate risks and costs” with Noodles.

The Court’s Decision

The court, like my children, sided with Noodles.

On the independent-duty argument, the court concluded that each duty that Noodles allegedly breached was bound up in the agreements to comply with the bank-card association rules and PCI DSS. Even if Noodles might also have had a common law duty to protect payment card data from a cyberattack, that duty could not be considered “independent of a contract that memorialize[d] it.”

The fact that the credit unions never contracted directly with Noodles had no analytical impact. In the court’s view, the economic-loss rule does not mandate a one-to-one contract relationship. Instead, the court reasoned, the rule asks whether a plaintiff had “the opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship.” The credit unions had that chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield against attempts—including and especially by businesses—to make end-runs around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they rely imposes relevant data-security obligations. Doing so requires that the obligations be clearly defined—well before litigation arises—in any contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a recognized best practice for information-security risk management. But as SELCO demonstrates, this type of clarity can also lay the groundwork for deploying the economic-loss rule against lawsuits arising from a successful cyberattack.

Author: Alex Pearce