CAN BREACH VICTIMS COMPLAIN IF THEY DON'T LOSE MONEY?
Hannaford Brothers Company suffered a security breach in 2007-08 that helped identity thieves steal 4.2 million credit card numbers. Following the theft, twenty-one complaints against the company were consolidated into a single suit in the U.S. District Court in Maine. Judge Hornby dismissed almost all of the claims in May 2009 because the plaintiffs had not suffered actual monetary losses. The judge determined that, under Maine law, there was no basis for relief for time and effort spent avoiding reasonably foreseeable harm from identity theft.
In response to a motion from the plaintiffs, on October 5, 2009, he asked the Maine Supreme Judicial Court whether "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law." This decision will likely have a significant impact on future breach suits involving identity theft throughout the U.S.
MASSACHUSETTS AND NEVADA BOTH HAVE ENCRYPTION LAWS SCHEDULED FOR 2010
At least forty-five states have breach notification laws that allow businesses to avoid costly breach notification requirements if the only personally identifiable information ("PII") involved in a breach was encrypted, but, starting in 2010, two states—Nevada and Massachusetts—will have laws that actually require that PII be encrypted.
Since October 1, 2008 Nevada has had an encryption law, Nevada Revised Statutes § 597.970, that requires anyone doing business in the state to encrypt PII before transmitting it electronically outside of its logical or physical control. This law has been criticized as being vague and ineffective. Effective January 1, 2010, however, Nevada is replacing § 597.970 with Nevada Revised Statutes Chapter 603A, which is both more restrictive and more specific.
Effective March 1, 2010, Massachusetts intends to start enforcing a law, 201 Code of Massachusetts Regulations 17.00, that is even more restrictive than Nevada Revised Statutes Chapter 603A. This law will require businesses—no matter where they are located—to encrypt PII on Massachusetts residents. Not only do these laws likely indicate a trend towards more restrictive encryption laws elsewhere, but businesses must evaluate today what exposure they have in Nevada and Massachusetts.
FTC EXTENDS ENFORCEMENT OF RED FLAGS RULE UNTIL JUNE 1, 2010
In what is starting to seem like an FTC policy equivalent of the movie Groundhog Day, on October 30, 2009 the FTC announced that it is delaying enforcement of the Red Flags Rule, again. The latest delay is at the request of several members of Congress and was at least partially triggered by the fact that the House of Representatives passed HR 3763 on October 20, 2009. If HR 3763 becomes law, it will exempt some smaller organizations from the definition of "creditor" under the Red Flags Rule. The FTC has reported that it does not want to enforce provisions of the Red Flags Rule if Congress is preparing to supersede the regulations. Reportedly, this delay is independent of an order issued by the Federal District Court for the District of Columbia granting the ABA's request for summary judgment. The order effectively stated that the FTC was overstepping its authority by attempting to regulate attorneys through its interpretation of the term "creditor" under the law. Regardless of any enforcement delays, the FTC still maintains that the Red Flags Rule is generally applicable to businesses and continues to release guidance on developing effective Identity Theft Prevention policies.
If you have any comments or questions regarding this publication or would like additional information please contact one of the following attorneys: