Posted by: Brandon King and Rachelle (Shelley) Glazer
The past year has shed light on many litigation issues stemming from cybersecurity events. Several courts have clarified what it takes for someone whose data has been compromised to satisfy Article III’s injury-in-fact requirement. The US Supreme Court has decided to resolve a circuit split over whether the Computer Fraud and Abuse Act’s “exceed[] authorized access” language requires merely the “improper use” of computer systems, or more, like bypassing a password. Courts have also tackled claims of immunity arising from foreign cyberevents, addressed claims of privilege with respect to cyberattack reports and, most recently, interpreted federal regulations governing the protection of electronic health data. This post provides a brief summary of these litigation developments.
The Value of Lost Data and Standing to Sue – A Maryland federal district court held that customers of a hotel chain—the subject of a vast data-security breach that compromised the private data of its customers—satisfied Article III’s injury-in-fact requirement for several reasons. One of the more notable injuries, however, was “based on the loss of value of their personal information.” In doing so, the court recognized “the value that personal identifying information has in our increasingly digital economy.” This decision implicates one of the most common and complex issues in data-breach litigation—standing—and will provide guidance as courts grapple with advances in technology and the corresponding gap in precedent. See In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020).
Biometric Privacy – State biometric privacy laws—which dictate the conditions under which collectors of biometric data may obtain, retain, and use biometric data (for example, using a fingerprint scan at a vending machine)—continue to serve as fruitful ground for litigation. Two recent Seventh Circuit decisions analyzed whether plaintiffs satisfied Article III’s injury-in-fact requirement under Illinois’s Biometric Information Privacy Act, which requires private entities to, among other things, make certain disclosures, obtain informed consent before acquiring a consumer’s biometric data, and develop a publicly available retention-and-destruction policy. In one decision, the court held that a private entity’s failure to obtain the requisite consent or provide the relevant disclosure before acquiring the plaintiff’s fingerprint constituted an injury-in-fact. In another decision, the court held that an employer’s alleged failure to develop, publicly disclose, and comply with a data-retention schedule and guidelines for the permanent destruction of biometric data when the initial purpose for collection ended was sufficient to constitute injury. In doing so, the Seventh Circuit observed that “regulating the collection, storage, and use of biometrics is closely analogous to historical claims for invasion of privacy.” See Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020) and Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020).
The Supreme Court and the Computer Fraud and Abuse Act – The CFAA imposes liability on persons who “exceed[] authorized access” to computer systems. But does the mere improper use of a computer satisfy that standard (like violating company policy by watching sports on a work computer), or does the phrase refer only to violations of restrictions on access to information (like bypassing a password to obtain access)? The First, Fifth, Seventh, and Eleventh Circuits apply the former, broader approach, while the Second, Fourth, and Ninth Circuits apply the narrower, access-based approach. In April 2020, the Supreme Court granted certiorari to resolve the split; in the interim, the Sixth Circuit adopted the narrower approach but, acknowledging the Supreme Court’s pending decision, noted that its interpretation “might not be the final word.” See Supreme Court Docket No. 19-783, Van Buren v. United States.
Foreign Actors and Subject-Matter Jurisdiction – WhatsApp and Facebook sued NSO Group, an Israeli mobile surveillance software company, alleging that NSO sent malware using WhatsApp’s system to over 1000 mobile devices to monitor users. NSO claimed the court lacked subject-matter jurisdiction “because the conduct giving rise to the complaint was performed by foreign sovereigns.” The court rejected this argument and, in doing so, analyzed the “two relevant doctrines implicated by defendants’ argument: foreign official immunity and derivative sovereign immunity.” As to the former, because the defendants were sued in their individual capacities and the plaintiffs did not seek compensation from the Israeli government, the defendants did not “qualify as foreign officials under the content-based prong of the foreign official immunity test.” The court also rejected the latter argument, reasoning that “there [was] no compelling reason to extend derivative sovereign immunity to a foreign entity working on behalf of a foreign sovereign.” Although an appeal is pending, the opinion is likely to shape how courts treat similar immunity defenses going forward, particularly in light of the recent SolarWinds breach and allegations that agents affiliated with foreign governments were involved. See WhatsApp Inc. v. NSO Group Techs. Ltd., 472 F. Supp. 3d 649 (N.D. Cal. 2020).
Cyberattack Reports: Privileged or Not? – A D.C. federal court recently held that a cybersecurity report commissioned by a law firm and generated by a consultant was not protected by the work-product doctrine or the attorney-client privilege. As to work product, the court observed that the “fact that the Report was used for a range of non-litigation purposes reinforces the notion that it cannot be fairly described as prepared in anticipation of litigation.” The court rejected the attorney-client privilege, reasoning that the law firm’s “true objective was gleaning the consultant’s expertise in cybersecurity, not in ‘obtaining legal advice from its lawyer.’” See Wengui v. Clark Hill, PLC, No. CV 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).
Electronic Protected Health Information – The Fifth Circuit recently vacated a civil penalty levied against MD Anderson Cancer Center stemming from the loss of electronic protected health information (ePHI) that was not encrypted. There, the unencrypted electronic devices of several MD Anderson employees were stolen or lost. The Government, citing violations of two federal regulations governing the encryption and disclosure of ePHI, imposed civil penalties of $4.3 million. The Fifth Circuit held the penalties were arbitrary and capricious and vacated them in full. The regulations at issue were the “Encryption Rule,” which requires HIPAA-covered entities to implement “a mechanism to encrypt” ePHI, and the “Disclosure Rule,” which prohibits HIPAA-covered entities from disclosing ePHI to outside entities. The court held that MD Anderson satisfied the Encryption Rule because it had implemented various “mechanism[s],” such as furnishing encryption devices to its employees; in doing so, the court made clear that whether MD Anderson could have done more was not relevant—the only inquiry was whether MD Anderson implemented “a mechanism” (and it did). MD Anderson also complied with the Disclosure Rule, which defines disclosure to “mean[ ] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” The court rejected the argument that HIPAA-covered entities violate this rule merely by “losing control” of ePHI; rather, as worded, the regulation requires some affirmative act of disclosure, and none was present in this case. See Univ. of Tex. M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819 (5th Cir. Jan. 14, 2021).