Showing posts with label data breach. Show all posts
Showing posts with label data breach. Show all posts

Tuesday, January 23, 2024

Plaintiff drops privacy suit that stretched to claim against UMass Medical in nationwide data breach

UMass Chan Medical School
Mass. Office of Travel & Tourism via Flickr CC BY-ND 2.0
Until six days ago, the University of Massachusetts Chan Medical School was defending a privacy suit over a data breach, though the plaintiff liability theories looked thin.

There doesn't seem to be any dispute over the fact of the data breach. UMass Chan was just one of hundreds of organizations nationwide implicated in a breach affecting tens of millions. According to electronic security firm Emsisoft (which has a commercial interest in higher numbers), the breach affected more than 2,700 organizations and the data of more than 94 millions persons (last updated Jan. 18, 2024).

The vulnerability for all of these organizations was a file transfer platform called MOVEit, a product of publicly traded, Burlington, Mass.-based Progress Software Corp. UMass Chan used MOVEit to transfer personal information to other state agencies and programs. Hackers obtained and published the data of more than 134,000 persons, including recipients of state supplemental income and elder services.

According to state officials, WBUR reported, the "exposed data varies by person, but in each case includes the person's name and at least one other piece of information like date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information." The commonwealth notified affected persons and offered free credit monitoring and identity theft protection.

The complaint filed in federal court in September 2023 sought class action certification. The named plaintiff blamed UMass Chan for weak security and delayed notification resulting in a fraudulent attempt to use her debit card. Wednesday last week, the plaintiff voluntarily dismissed without prejudice, meaning the case might not yet be over.

The articulated causes of action, though, were a stretch. That's not to say that the putative plaintiffs suffered no injury. The problem rather is that the law in most states, including Massachusetts, and at the federal level still fails to define data privacy wrongs in a manner on par with the law of Europe and most of the rest of the world.

There was no statutory cause of action in the UMass Chan complaint. The diversity complaint alleged counts of negligence, breach of contract, and unjust enrichment.

Negligence has not been a productive vein for privacy plaintiffs, who lack the usually prerequisite physical injury. Massachusetts cracks open the door more than most other states to negligence actions based on lesser injury claims, such as emotional distress or economic loss. But it's not a wide opening.

Privacy actions in state law meanwhile are problematic because American common law has not yet well established the nature of the plaintiff's loss according to conventional understandings of injury. Indeed, federal courts disagree over when a statutory state privacy action supplies the "injury-in-fact" standing required by the federal Constitution. 

The named plaintiff in the UMass Chan case hastened to emphasize her contractual relationship with UMass Chan as a service provider, in an effort to anchor the negligence claim within a strong relationship of duty to get through the Massachusetts doorway. She described the identity risk of the debit-card incident to establish economic loss at least.

It's not clear that the pleading could have pushed over the hurdles to negligence recovery. I have advocated for the evolution of common law tort to close the gap in recognition of privacy violations in U.S. law, similarly to how UK courts developed the "misuse of private information" tort in common law to complement transposition of EU data protection. The Massachusetts Supreme Judicial Court could do that; certification would be required here in a federal case. But the trend in American data privacy law rather has been for the courts to wait on legislators to move the ball forward.

The other liability theories were a stretch, too. In contract, the plaintiff alleged herself a third-party beneficiary of data sharing agreements between UMass Chan and its state partners. Third parties can claim rights in a contract, but the proof is stringent. Contract law also raises a damages problem. The plaintiff here was not seeking specific performance, and it's not clear that any recovery in contract law would exceed the remediation the commonwealth already offered.

The equitable claim of unjust enrichment theorized essentially that UMass Chan benefited financially by cheaping out on security. That's creative, but a plaintiff in equity usually wants back something she lost to the defendant. A differential in the cost of contract services is speculative, and it's an attenuated causal chain to allege detriment to UMass Chan clients.

Privacy plaintiffs in the United States have seen some success using laws that predate contemporary data breach. But those theories won't work here. Massachusetts once had a leading data regulatory system for its requirements of secure data management. But the law is now well worn and has not kept up with other states, California being the model. Critically, the Massachusetts regs don't provide for private enforcement.

Some plaintiffs have found success with the dated (1986) Computer Fraud and Abuse Act. But a federal CFAA claim would be leveled properly against the hacker. The alleged culpability of UMass Chan is more accident than abuse.

American privacy plaintiffs flailing to state wrongs in litigation unfortunately is common and will continue as long as the United States lacks a comprehensive approach to data protection. I wrote 10 years ago already that American expectations in data privacy had outpaced legal entitlements.

The pivotal factor in whether MOVEit breach victims find any relief is likely to be the state where they and their defendants are located. Perhaps the case will push commonwealth legislators at last to act on a bill such as the proposed Massachusetts Information Privacy and Security Act (see, e.g., Mass. Tech. Leadership Council).

The case is Suarez v. The University of Massachusetts Chan Medical School (D. Mass. filed Sept. 18, 2023).

Friday, September 25, 2020

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein
We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic
Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell
Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal
Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.