Settlement of claims arising out of data breaches

April 29, 2015

Class actions relating to data breaches are straightforward in the United States.  In light of the very significant data breaches, usually caused by a company’s poor data handling practices, they are becoming quite common.  The Privacy Act provides for an individual taking action seeking compensation, in the Federal Court or Federal Circuit Court, under the Privacy Act provided that:

  • there has been a civil penalty order made for breach of a civil penalty provision (section 25(1)(a)(i)); or
  • an organisation has committed an offence under Part III of the Act, the Credit Reporting Provisions (section 25(1)(a)(ii)).

and

  • loss and damage resulted from either the contravention or the commission of the offence.

Loss and damage includes “injury to the person’s feelings or humiliation”. As such the threshold is quite low.  However, otherwise the provision is quite limited in operation.  Absent an offence being committed by a credit reporting agency or credit provider under Part III, it is necessary to wait for a civil penalty order to be made.  And only the Privacy Commissioner can commence civil penalty proceedings (under section 80W) and obtain a civil penalty order.  He is the gatekeeper. So even if an individual was affected by a data breach, if the Privacy Commissioner chose not to take action then the individual may not bring an action under section 25.  That is a significant flaw in the Act.  In practical terms it is even more of a concern given that the Privacy Commissioner has to date been remarkably reticent to take enforcement action generally and proactive enforcement action in particular.  There have been no civil penalty proceedings commenced to date. Enforcement is a necessary part of regulation and, as the experience of ASIC and the ACCC makes clear, enforcement action has an impact on improving behaviours in a sector or industry.

Of course it remains open for that person to bring an action under other heads.  In that respect ASIC has made it clear that a failure to maintain proper cyber security may be a contravention of the Corporations Act.

In the United States Adobe has followed on the heels of Target in settling class actions for its massive data breach in October 2013, as reported in Adobe Plans to Settle Breach Lawsuit.  The article provides:

Adobe Systems is moving to settle a class-action lawsuit that was filed in the wake of a series of data breaches it first disclosed in October 2013. The breaches reportedly led to the compromise of more than 38 million customer accounts, including details relating to an estimated 3 million payment cards.

Adobe signed a memorandum in February 2015, agreeing to settle the lawsuit in return for all related claims being dismissed. U.S. District Court Judge Lucy H. Koh, who’s presiding over the settlement agreement, then gave both sides until April 30 to hammer out an agreement and submit it to her for preliminary approval.

But the plaintiffs in the class-action lawsuit, in an April 22 joint settlement status report – agreed to by Adobe Systems – said that “while the parties have made significant progress with respect to the formal settlement agreement … finalizing the formal settlement agreement has been more difficult and time consuming than they initially anticipated.” Accordingly, both sides requested more time.

Koh has granted that request, and ordered that the deadline for the settlement agreement be moved to June 10.

Analysis: Why Settle?

News of the continuing settlement discussion follows the March announcement that a judge has granted preliminary approval to a $10 million settlement agreement between Target and consumers who were affected by its massive 2013 data breach.

Security experts say Adobe is likely pursuing a similar course of action, and settling in part to avoid having to defend the security defenses in which it chose – or chose not – to invest. “The [Adobe] case would have come under heavy public scrutiny being heard in Judge Koh’s court, and if the settlement is anywhere near as lightweight as that paid by Target it will be a small price to pay for avoiding the spotlight,” Al Pascual, director of fraud and security for Javelin Strategy & Research, tells Information Security Media Group. “These cases could very well be the start of a trend.”

But the Adobe breach also differs from the Target breach in important ways, Avivah Litan, a vice president at Gartner Research, tells ISMG. “I think Adobe had much more pressure on them than a breached retailer has had,” she says. “Their software is used by virtually every PC user, and vulnerabilities in their software have been a major attack vector for criminals in the past. This, combined with the fact that Adobe claimed [to have] strong information security practices, made it more likely that they would settle rather than let this case go to court.”

Multiple Attacks

Attackers first gained unauthorized access to Adobe’s servers in July 2013, and breached the databases containing personal information in August 2013, according to an order written by Koh. But the intrusion was not discovered until September 2013, which was “when independent security researchers discovered stolen Adobe source code on the Internet.”

Adobe had initially reported that an attack against it had compromised 2.9 million customers’ accounts (see Adobe Breach Affects 2.9 Million), before revising that figure to 38 million. At the time, Brad Arkin, chief security officer at Adobe, said it was part of a series of attacks, including an intrusion that compromised “source code for numerous Adobe products,” including Adobe Acrobat, ColdFusion, and ColdFusion Builder. Arkin said the company believed that the different attacks were related.

At the time, Adobe notified all affected customers, reset the passwords for affected accounts, and offered a year of prepaid identity theft monitoring services for anyone whose card details were exposed.

Meanwhile there has been an attempt to block the Target settlement, with financial institutions arguing that their total losses far exceed the amount offered in the proposed settlement.  Given that the financial institutions bore the brunt of the breach, in which 40 million payment cards were compromised, this is a fair point.  This is reported in Banks Try to Block Target Settlement, which provides:

A group of financial institutions affected by the 2013 Target data breach that exposed at least 40 million payment cards is asking a court for a preliminary injunction to block the proposed settlement between the retailer and MasterCard that would provide $19 million to card issuers.

In documents filed on April 21 in the Minnesota U.S. District Court, the banks allege that “the total losses actually suffered by card-issuing financial institutions are astronomically higher than the $19 million offered under the proposed settlement.” The court papers redact figures representing the banks’ estimated costs related to mitigating the Target incident.

In a joint statement, attorneys representing the banks, Charles Zimmerman of the law firm Zimmerman Reed and Karl Cambronne of the law firm Chestnut Cambronne, note: “The agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history. It provides paltry restitution for the substantial losses suffered and seeks to extinguish existing legal claims that are wholly outside the scope of Target’s liability to MasterCard.”

The attorneys add: “This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions. For these reasons, financial institutions should not agree to this so-called ‘settlement,’ and we hope the court will grant the preliminary injunction we have requested.”

A class action lawsuit filed by financial institutions against Target seeking reimbursement for breach-related expenses is still pending (see: Target Settlement: What About the Banks?).

Misleading Communication?

Besides asking the court to stop the proposed settlement, the banks are also asking the court to stop or limit “misleading and coercive communications” from Target and MasterCard about the proposed deal. The court papers filed this week by the attorneys representing the banks allege, among a list of other things, that Target, acting in concert with MasterCard, misrepresented details of the settlement offer.

A hearing to consider a preliminary injunction will be held on April 27 in Florida middle district U.S. district court by judge Paul Magnuson, who is assigned to handle the case in the U.S. district in St. Paul, Minnesota, but who is temporarily in Florida to help relieve a court backlog there, sources close to the case tell Information Security Media Group.

The court action was filed on behalf of five financial institutions: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain, “individually and on behalf of a class of all similarly situated financial institutions in the United States.”

In announcing the proposed settlement with MasterCard, Target said it agreed to provide a total of up to $19 million in payments to card issuers. “The settlement is conditioned on issuers of at least 90 percent of the eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015,” the retailer said.

Target also is in negotiations with Visa for a breach-related settlement. “Visa takes very seriously our responsibility to work closely with its acquiring clients and Target to resolve this event,” Visa spokesman Jake Standish says.

Good Start?

Al Pascual, who leads the security, risk and fraud practice at research firm Javelin Strategy & Research, says that based on information that’s been discussed by many banks related to the cost of reissuing cards impacted by the Target breach, the total costs likely exceed the $19 million settlement amount agreed upon by Target and MasterCard. However, he notes, “This [settlement] has gotten the ball rolling; it needs more teeth and needs to be refined, but it’s a start. Initially the courts didn’t know how to handle cybercrime cases, and now you see people [who are convicted] getting 10 or 20 years. The courts will get a better handle on [breach] cases as well, and I suspect we’ll see more accountability” by organizations that experience the breaches.

An information security legal expert, who asked to remain anonymous, says: “Motions opposing or seeking modification of proposed settlements are not uncommon. It’s way too early to make any judgments about the short- or long-term impact on the current or future litigation. The best that can be said is that the settlement, or at least a part of it, has been challenged.”

Target declined to comment on the banks’ request to the court. MasterCard did not immediately respond to a request for comment.
