Data Privacy and Cybersecurity Litigation Update – March 2022March 7, 2022
There’s never a dull moment in the burgeoning field of data privacy and cybersecurity litigation. Every week seems to bring a new court decision or government action. Though by no means exhaustive, the following are summaries of some of the stories we’re closely monitoring.
Cybersecurity insurers grapple with wire fraud claims
Several recent cases highlight the efforts cybersecurity insurers have taken to avoid paying out claims related to wire transfer fraud, pointing to specific language in their policies that limit recovery for such claims.
In SJ Computers, LLC v. Travelers Casualty and Insurance Co. of America, SJ Computers brought suit against Travelers alleging it was improperly denied benefits under its cybersecurity policy for close to $600,000 in damages that SJ sustained as a result of wire transfer fraud. The scheme involved “spoofed” emails being sent from one of SJ’s vendors to SJ’s purchasing manager containing updated wire transfer instructions for the payment of invoices to the vendor. The bad actors then gained access to SJ’s purchasing manager’s email, and sent the invoices to SJ’s CEO, who paid the invoices to the fraudster’s bank accounts. After learning it had been the victim of fraud, SJ sought coverage under the cybersecurity insurance policy it held with Travelers. Travelers claims that because the fraudulent emails resulted in an SJ employee actually updating the wire information, the scheme did not fall under the company’s computer fraud policy, but rather its social engineering fraud subpolicy, which only provided up to $100,000 in coverage. A motion for dismissal filed by Travelers is pending.
In a similar case, Virtu, a financial services company, became the victim of wire fraud when the email of a Virtu executive was hacked. Using the executive’s email, the bad actor ordered capital calls from the company’s accounting department to be sent by wire transfer. Investigators determined that the money—totaling almost $11 million—was actually sent to several Chinese bank accounts owned by the hackers. Virtu sought coverage for the incident with its cybersecurity insurer, Axis, who also took the position that it would only cover up to $500,000 under Virtu’s social engineering fraud policy. Virtu brought suit, seeking coverage for the full amount under the computer fraud policy it held with Axis, which would cover up to $10 million. According to recent court documents, all claims against Axis have been dismissed and the companies have reached a settlement, although terms of the settlement are unknown.
Insurers also denied coverage for yet another company, RealPage, a payment processor for rental property management companies, after hackers gained access to its payment processing account through a phishing scam. The terms of RealPage’s policy with its insurers required that RealPage “hold” funds as a prerequisite to coverage for any funds lost as a result of cyber fraud. As RealPage never “held” the funds that were lost in the scheme, the insurers argued their claim was properly denied. RealPage claimed that because they “controlled” the funds, the funds lost in the scam should be covered. A Fifth Circuit panel denied RealPage’s control argument, finding that the company never held nor controlled any of the funds that were supposed to be directed to the company’s real estate clients. Recently, a federal district court in Texas granted the insurers’ motions for summary judgment, ruling that the insurers were not required to cover RealPage’s losses under the phishing scheme.
It seems likely that questions about insurance coverage will arise when the Delaware Chancery Court decides which party is legally responsible in a wire-transfer-fraud case where hackers made off with $130 million in post-merger sale proceeds.
Facebook must disclose top executives’ emails
In multidistrict litigation arising from Cambridge Analytica’s collection and sale of millions of Facebook users’ personal data, plaintiffs asked to add CEO Mark Zuckerberg and COO Sheryl Sandberg to the list of email custodians. The move would allow the plaintiffs to access some of the top executives’ private email communications. Facebook objected, arguing that the document productions in the case were already comprehensive and that neither Zuckerberg nor Sandberg were likely to hold responsive information.
The special master appointed to oversee discovery disagreed with Facebook’s position, ordering Facebook to turn over Zuckerberg’s and Sandberg’s “privacy-related communications.” The special master found that because Zuckerberg and Sandberg were at the helm of Facebook during the time the users’ data was collected, their communications are likely to contain “uniquely relevant” information relating to the plaintiffs’ allegations of illegal data collection.
Lawsuits against corporate boards for lax security are heating up
In a continuation of a trend of investor claims being brought against corporate boards, two pension funds sued the SolarWinds’ board for allegedly ignoring “elementary” issues with the company’s cybersecurity standards—including in one instance the use of “solarwinds123” as a network password (oof!). T-Mobile investors also filed a derivative suit against the company’s board, alleging violations of the Securities Exchange Act and other claims following a data breach.
Meanwhile, the First Circuit revived a previously-dismissed lawsuit against cloud security company, Carbonite. Investors accused the company’s top executives of calling a new data backup product “super strong,” without checking to see whether the product was working.
These lawsuits most commonly come in one (or both) of two “flavors”: (1) claims that the board members breached fiduciary duties by not adequately addressing and overseeing cybersecurity and data privacy risks, or (2) claims that the board members misled investors about their company’s cybersecurity practices.
And regulators are getting in on the action, too. The FTC has recently warned, “Corporate Boards: Don’t underestimate your role in data security oversight.”
Litigation involving the Illinois Biometric Privacy Act continues to rage
- The Illinois Supreme Court ruled that the state’s workers’ compensation law doesn’t preempt Biometric Information Privacy Act (BIPA) claims.
- Restaurant chain Pret a Manger agreed to settle BIPA claims for $677,000.
- Kronos, Inc., a maker of timeclocks, agreed to pay $15.3 million to settle BIPA claims based on the collection of employee fingerprints.
Class action litigation: many cases, many (big) settlements
- A class of data-breach subjects filed a lawsuit in Cook County, Illinois, alleging that an accounting firm not only had lax cybersecurity practices, but also was very late in reporting a breach… up to a year after the breach was contained.
- A New York federal judge refused to dismiss class claims brought against Apple under two consumer-protection statutes. The lawsuit alleges that Apple made “material misrepresentations” about a software flaw in its iMessage system. The court did, however, dismiss the plaintiffs’ claims for fraudulent misrepresentation and unjust enrichment.
- Wells Fargo recorded its calls to various California businesses without those businesses’ consent. And the $28 million settlement of the class claims brought by those businesses just received a judge’s final approval.
- Facebook has agreed to pay $90 million to settle claims by consumers who complained that Facebook tracked their browsing history after they visited non-Facebook pages that displayed Facebook’s “like” button.
- Objectors complained about an attorneys’ fee award of $97.5 million to class counsel who obtained a $650 million settlement from Facebook.
- Capital One and class plaintiffs who filed suit against the bank are asking for court approval of a $190 million settlement of multidistrict data breach litigation.
- A Wisconsin federal judge has twice refused to approve a much smaller class settlement, focusing on a proposed $320,000 attorney fee award that, so far, he has found is not sufficiently supported in light of a low claims rate and limited other benefits to class members.
- In November, the Office of the Comptroller of the Currency (OCC), Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC), published a Final Rule regarding banking organizations that experience a cybersecurity related incident rising to the level of a “notification incident.” The Rule requires organizations to notify their primary federal regulator of the incident as soon as possible, and no later than 36 hours after the organization has determined that a notification incident occurred. The 79-page rule, which takes effect in May 2022, is a must-read for all banking organizations.
- CCPA (and CPRA) compliance: it’s getting REAL! On January 28, 2022, the California AG issued notices to various retailers and hotels that offer customer loyalty programs. This is yet another sign that California is taking CCPA compliance seriously. We haven’t yet seen formal enforcement actions against businesses, but it seems like a question of “when” (not “if”) those will start dropping. For now, the notices being issued are basically warnings to shape up. They all come with a 30-day cure period. But when the new CPRA takes effect on January 1, 2023, that cure period goes away. And there will also be a brand-new regulatory body—the California Privacy Protection Agency—devoted to implementing and enforcing the law.
- The CFPB is looking to the 50-year-old Fair Credit Reporting Act to go after Big Tech’s monetization of consumer data.
- Meanwhile, the FTC is suggesting some ransomware prevention steps for small businesses, which follows even more robust guidance from 2020.
- That FTC guidance is a bit friendlier than guidance the regulator released about the Log4j vulnerability. In between suggestions on how to address that vulnerability, the FTC makes clear that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Be warned!
- Not content to let Illinois be the only hotbed for biometric privacy issues, Texas’ AG is seeking to enforce the state’s Capture or Use of Biometric Identifier Act (or “CUBI”) against Facebook for its use of users’ facial geometry—practically the same theory on which Facebook settled Illinois BIPA claims for $650 million, and a theory that commentators expect to be replicated if Texas’ AG is successful in this enforcement action.
- New York employers now have to notify employees if they are being electronically monitored.
- New Jersey’s AG announced a $425,000 settlement with health care providers who suffered a data breach after the providers allegedly failed to adequately protect patient data.