Litigating Privacy,

Litigating Privacy, Litigating Privacy, - Start

Added : 2015-10-31 Views :28K

Download Presentation

Litigating Privacy,

Download Presentation - The PPT/PDF document "Litigating Privacy," is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentations text content in Litigating Privacy,


Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014

American Bar Association David Z. BodenheimerLitigation Section Program Crowell & Moring LLP2014 Spring Meeting Washington, DCScottsdale, AZ

© 2014 Crowell & Moring LLP


Data Breach Litigation in 2014

© 2010 Crowell & Moring LLP



Data Breach Litigation

Overview of Data Breach Litigation

Security Standards

Litigation Lifecycle (Financial)

Litigation Lifecycle (Healthcare)

Litigation with Biggest Buyer

Other Litigation Risks


Security Standards

Federal SecuritySecurity ObjectivesIntegrity, Availability & ConfidentialityAcceptable SecurityNot Perfect SecurityRisk-Based SecurityCommensurate with risk and magnitude of harmPeriodic Risk AssessmentsCost-Effective SecurityCost-effectively reduce risk to acceptable level[FISMA, 44 U.S.C. § 3544]

Illustrative Precedent(Federal Indian Trust Fund)Outdated Security Plans(Over 66%)Uncertified IT Systems(Over 75%)Ineffective TrainingPoor Agency OversightLimited Testing (20 most serious weaknesses)Cobell v. Kempthorne, 455 F.3d 301 (D.C. Cir. 2006)



Security Standards

Framework SecurityVoluntaryConsensus-based StandardsRisk-Based SecurityRisk AssessmentsCost-Effective SecurityCost-effective Risk ManagementSenior Management RoleNot Just IT FunctionRisk Considered at C-SuiteNISTCybersecurity Framework (Feb. 2014)

NIST Cyber Framework



Security Standards

Reasonable SecurityCourts have applied a standard of commercially reasonable securityFactors include:Prior breaches & injuryRisk-based analysisDifficulty to implementHolistic approach (factors as a whole vs. single type of failure)

Illustrative Precedent“Because it had the capacity to do all of those things [i.e., adopt security safeguards], yet failed to do so, we cannot conclude that its security system was commercially reasonable. We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered [defendant’s] security system commercially unreasonable.”Patco Const. Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012)




Data Breach Litigation

Overview of Data Breach Litigation

Security Standards

Litigation Lifecycle (Financial)

Litigation Lifecycle (Healthcare)

Litigation with Biggest Buyer

Other Litigation Risks



Data Breach (Financial)

The Breach: Ground Zero


Data Breaches(2012)

Identity Theft

Resource Center



Data Breach (Financial)

Investigation/Clean-Up$105.5 MillionProfessional FeesInvestigationB2B Incentive Payments$35.7 MillionFraud Losses & Fines($20 Million)Insurance Receipts_____________________________________$121.2 Million (total)

SEC 10k Statement“To date, we have not experienced a material loss of revenue that we can confirm has been related to this event. However, this event and our related remediation efforts could potentially have a negative impact on future revenues.”No Loss AccrualsInsufficient Data to Estimate Losses


Stock Impact (2012)“In March 2012, it was reported that a security breach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit- and debit-card information of millions of Americans. Subsequent to the reported breach, the company’s stock fell more than 9 percent before trading in its stock was halted.” [GAO, June 2012]

Stock Impact ? (2013)

Data Breach (Financial)




Data Breach (Financial)

SEC Disclosure DutyDivision of Corporation FinanceSecurities and Exchange CommissionCF Disclosure Guidance: Topic No. 2 CybersecurityDate: October 13, 2011 Summary: This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidentsDisclosure DutiesRisk of Cyber IncidentsPrior Security BreachesAdequacy of Preventative Measures

Shareholder Actions

“Delaware’s Court of Chancery ruled in the 1996


case that a director’s good faith duty includes a duty to attempt to ensure that a corporate information and reporting system exists and that failure to do so may render a director liable for losses caused by the illegal conduct of employees. The Delaware Supreme Court clarified this language in the 2006

Stone v.


case – deciding that directors may be liable for the damages resulting from legal violations committed by the employees of a corporation, if directors fail to implement a reporting system or controls or fail to monitor such systems.”

Office of National Counterintelligence Exec. (Oct. 2011)



Data Breach (Financial)

B2B DisputesCustomer Termination“VISA also removed the company from its list of approved processors.” [GAO, June 2012]Contract Disputes33.6% reduction in costs for 2013Due to prior year charges (in part) for two contractual disputes in 2012Contract Settlements$105.5 Million due in part to “incentive payments to certain business partners”

Insurance DisputesInsurance Coverage$30 Million Policy Limit$1 Million DeductibleInsurance Recovery$20 million Recovered under PolicyInsurance DisputeDispute involving excess liability policyIssue: whether policy’s “privacy” & “technology services” coverage applyState Nat’l Ins. Co. v. Global Payments, No. 1:13-CV-01205 (ND Ga. filed Apr. 2013)



Data Breach (Financial)

Consumer ActionClass ActionWillingham Class ActionStandardFailure to maintain reasonable & adequate proceduresFailure to timely notify of breachCauses of ActionNegligenceFederal Stored Comm. ActFair Credit Reporting ActGeorgia Unfair Trade Practices ActOther common law claimsDismissal (Mar. 6, 2013)

SEC 10k StatementBUT: “This event could result in additional lawsuits in the future.”



Data Breach (Financial)

FTC Investigtion“In addition, governmental entities have made inquiries and the Federal Trade Commission has initiated an investigation related to the event.”FTC ImplicationsInvestigations & subpoenasWyndham-style litigationConsent decreesFTC “settled 50 law enforcement actions” relating to data security.Edith Ramirez (FTC Commissioner), Sen. Judiciary Comm., Feb. 4, 2014

Congressional RoleSen. Casey (Apr. 2, 2012)“Following this breach, I wrote to [you] to express my concern and my staff has reached out to staff at the Federal Trade Commission (FTC) and the Federal Reserve.” [Letter cc:’d to FDIC, FCT, NCUA]CEO Responds (Apr. 4, 2012)



Data Breach Litigation

Overview of Data Breach Litigation

Security Standards

Litigation Lifecycle (Financial)

Litigation Lifecycle (Healthcare)

Litigation vs. World’s Biggest Buyer

Other Litigation Risks



Data Breach (Healthcare)

The Breach: Ground ZeroKey Facts4.9 Million TRICARE BeneficiariesBackup Tapes Stolen from Employee’s Car

BiggestData Breaches(2011)

Identity Theft

Resource Center



Data Breach (Healthcare)

$4.9 Billion Suit vs. DoD“The Defense Department has been hit by a $4.9 billion class action lawsuit filed on behalf of four military family members and the 4.9 million Tricare beneficiaries whose personal information was contained on tapes stolen from a car in San Antonio in September.”

Privacy Act RemediesCriminal Penalties$5,000 fine for willful violationsCivil SanctionsInjunctive relief Damages ($1,000 minimum)*Attorney feesAdministrative RemediesAdverse personnel actionsContract remedies“U.S., Veterans Settle VA Data Breach Privacy Act Class Action for $20 Million,” Privacy Law Watch (1/29/09)



Data Breach (Healthcare)

Seven Class ActionsRichardson et al. v. TMA, SAIC, & DoD (DCDC)Arrellano et al. v. SAIC (W.D. Tex.)Biggerman et al. v. TMA, SAIC, & DoD (DCDC)Moskowitz et al. v. TMA, SAIC, & DoD (DCDC)Palmer et al. v. TMA, SAIC, & DoD (DCDC)Losack et al. v. SAIC (D SD CA)Deatrick v. SAIC(D ND CA)Adcock v. SAIC(D ND FL) (dismissed)

SEC 10k Statement (2012)



Data Breach (Healthcare)

MDL Class ActionClass ActionIn re SAIC Backup Tape Data TheftCauses of ActionNegligenceBreach of express/implied contractInvasion of privacyTexas Deceptive Trade PracticesCalifornia Acts (multiple)Fair Credit Reporting ActPrivacy ActPotential Loss/RiskInsurance Coverage$10 Million Loss RecordedMultiple Factors Affect Loss/Risk

SEC 10k Statement (2013)



Data Breach (Healthcare)

HHS OCR Investigation“The Company has been informed that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is investigating matters related to the incident. OCR is the division of HHS charged with enforcement of [HIPAA]. OCR may, among other things, require a corrective action plan and impose civil monetary penalties against the data owner (Department of Defense) and, in certain situations, against the data owners’ contractors, such as the Company.”

SEC 10k Statement (2013)



Data Breach (Healthcare)

Shareholder Demand“The Company has also received three stockholder demand letters related to City Time (one of which is also related to the TRICARE matter described above). An independent committee of the Company’s board of directors reviewed two of the demands and the Company has decided not to pursue the claims outlined in their demand letters. The third demand is under review by the independent committee.”

SEC 10k Statement (2013)



Data Breach Litigation

Overview of Data Breach Litigation

Security Standards

Litigation Lifecycle (Financial)

Litigation Lifecycle (Healthcare)

Litigation vs. World’s Biggest Buyer

Other Litigation Risks



World’s Biggest Buyer

800-Pound Information Gorilla“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007) “Largest buyer of IT on the planet”VivekKundra (Federal CIO) Sen. Homeland Security Comm. (2011)



Cyber Litigation – FCA Suits

Security Problem- Improper disposal of dataImpact False Claims Act suit“PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”



Cyber Disputes – Suspension

Security Problem- Misuse of DoD data (wrong purpose)Impact Suspension Loss of $5B Contract“But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.”

L-3 Trips as Lockheed Snatches $5 Billion Contract“A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL).L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”



Cyber Litigation vs. Fed. Gov.

Security Problem- Prior security risksImpact Protest LitigationCompany’s “nonconformance with system security requirements ‘may have put the Medicare program at risk,’ [and] ‘could have a negative effect on the Offeror’s ability to perform efficiently and protect the confidentiality, integrity, and availability’ [of Mediare data].”Wisconsin Physicians Service Ins. Corp., GAO B-401068.14 (Jan. 2013)

Protest Litigation



Cyber Disputes – DOJ & IGs

Security Problem- Failure to install safeguardsImpactIG investigation False statement risk Criminal exposure

Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)

“criminal investigation”

“fraudulent statement”



Contractor Liability Risks on the Cyber Battlefield

Going on the Offensive: Contractors in Cyber WarInternational Law-Authority to attack? - Authentication? - Rogue virus? U.S. Law- Electronic surveillance & wiretapping laws -Covert operations (Title 10 vs. Title 50)-Posse Comitatus (DoD & domestic operations)

$50 Billion Lawsuit“One lawsuit alone, filed May 12 by a purported national class of Verizon customers, seeks $50 billion in damages.”[“Court Will Decide State Secrets Issues First in NSA Phone Surveillance Class Action Suit,” Privacy Law Watch, June 9, 2006]



Data Breach Litigation

Overview of Data Breach Litigation

Security Standards

Litigation Lifecycle (Financial)

Litigation Lifecycle (Healthcare)

Litigation vs. World’s Biggest Buyer

Other Litigation Risks


IP & Trade Secrets Gone? Do the CEO, CFO, & GC Care?


© 2011 Crowell & Moring LLP




Data Losses & Cyber Breach

2x Library of Congress 38 terabytes of lost data“As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Whitehouse, May 10, 2010]2 x

It’s Personal

“As an example, in 2008, [China’s]

APT1 compromised the network of a company involved in a wholesale industry. . . . Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel.”[Mandiant Report (Feb. 2013)]


One Firm’s IP Loss“For example, a 2011 FBI report noted, ‘company was the victim of an intrusion and lost 10 years’ worth of research and development data –valued at $1 billion – virtually overnight.’”CRS Report, 2013 Cybersecurity Executive Order (Mar. 2013)

$1 Trillion IP Losses“Last year alone, cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” (President Obama, 2009)

IP Cyber Losses



Infiltrated M&A Deals$2.4 Billion Huiyuan Deal. Coca Cola’s deal collapsed after hackers took key files$40 Billion BHP Deal. BHP Billiton Ltd’s bid to acquire Potash Corp. collapsed after cyber theft“Coke Gets Hacked and Doesn’t Tell Anyone,” 2012)

Counter Intel Report“Information was pilfered from the corporate networks of a US Fortune 500 manufacturing company during business negotiations in which that company was looking to acquire a Chinese firm. . . . [T]his may have helped the Chinese firm attain a better negotiating and pricing position.” National Counter-intelligence Executive Report (Oct. 2011)

Cybered M&A Deals



Investors Really Care70% of investors – interested in reviewing corporate cyber practices80% of investors – likely would not invest if history of cyber attacksZogby Analytics Survey (Mar. 2013)

Litigation RisksSEC InvestigationsShareholder SuitsRegulatory Violations (DFARS)Export Investigations (ITAR)B2B DisputesNDA ViolationsTrade Secret Breaches & IP Losses

Data Breach (IP/Trade Secrets)





David Z. BodenheimerCrowell & Moring 624-2713


About DocSlides
DocSlides allows users to easily upload and share presentations, PDF documents, and images.Share your documents with the world , watch,share and upload any time you want. How can you benefit from using DocSlides? DocSlides consists documents from individuals and organizations on topics ranging from technology and business to travel, health, and education. Find and search for what interests you, and learn from people and more. You can also download DocSlides to read or reference later.