The Third Circuit Court of Appeals recently held that current and former employees of a pharmaceutical company whose employment information was published on the Dark Web following a data breach had standing to bring tort and contract claims in the form of a potential class action. The court determined that under certain circumstances, the publication of private facts can constitute an injury in fact, and it would be unfair to require the employees to wait until they suffered actual harm to file suit.
As is the case with many companies, the employees were required to provide their employer with sensitive personal and financial information as a condition of their employment. Their employment agreement stated that the company would “take appropriate measures to protect the confidentiality and security of this information.” After the company suffered a data breach, the employee information was held for ransom. Whether or not the ransom was paid, the employees’ personal information ended up on the Dark Web.
In response to the breach, the lead plaintiff in the class took steps to protect herself, such as reviewing her financial records, placing fraud alerts on her credit reports, and transferring her savings to a new bank. She enrolled in the complimentary one year of credit monitoring offered by the company and paid for additional credit monitoring services out of pocket. Although the lower court ruled that the increased risk of identity theft following a data breach was insufficient to establish standing to sue, the appellate court took a different view. The trial court had relied on a Supreme Court opinion holding that an injury in fact must be “actual or imminent”; the appeals court focused on the word “or” and concluded that the employees had sufficiently alleged the harm was imminent. Specifically, the appellate court pointed to the disclosure of dates of birth and Social Security numbers, which “generally stay with us for life,” and to the fact that the personal information had already been published on the Dark Web. The court held that the substantial risk of harm presented by these facts was sufficient to establish an injury in fact.
Assurances made to job applicants and new hires create a duty to safeguard the sensitive information that employers collect. Failing to satisfy that duty not only leaves employer networks vulnerable to a data breach, but also exposes the breach victims to a perpetual risk of identity theft or fraud, along with the ongoing investment of time and money needed to mitigate that risk.
The California Attorney General recently resolved a case in which a beauty retailer allegedly violated the state’s “first-in-the-nation landmark privacy law.” The case was brought as part of what the Attorney General called “an enforcement sweep of online retailers,” and alleged that the company failed to disclose its practice of selling users’ personal information, failed to process user opt-out requests, and failed to cure these violations within the thirty-day period provided by the California Consumer Privacy Act (“CCPA”). The result cost the retailer $1.2M in penalties, plus ongoing reporting obligations around its compliance with a variety of CCPA requirements.
Attorney General Rob Bonta cautioned companies to honor technologies like Global Privacy Control, a browser setting that sends a standardized do-not-sell signal to every site the user visits, calling it a “game changer” for consumers. Bonta further stated that it has been two years since the CCPA went into effect and that there are “no more excuses” for violating the law. The press release from the Attorney General’s office also noted that many online retailers allow third parties to install tracking software on their websites. This software supplies the retailer with personal information about the buyer, such as the type of device they are using, the items they place in their cart, and even their location.
This case may prove to be the tip of the iceberg. The press release cited several other pending “notices to cure” and noted that the California Attorney General’s office is cracking down on data collected through customer loyalty programs, online advertising campaigns with deficient privacy disclosures, and data brokers whose links for requesting that personal information not be sold do not work.
Companies not only need the right disclosures and technical controls in place, but should also ensure that their business partners, including any third parties placing trackers on their sites, comply with the CCPA. Additionally, every company doing substantial business with California residents should consult with a privacy attorney.
At some point during the transaction, the processor received fraudulent wire instructions from an unknown actor claiming to be a payoff representative for the transaction. The processor did not take any additional steps to verify the authenticity of the instructions (for example, calling the lender back at an independently verified number); as a result, the closer sent the funds to an impostor rather than to the seller’s mortgage company.
The title company submitted a claim under its cyber liability insurance policy. Under the policy’s “Deceptive Transfer Fraud” insuring agreement, the insurer would pay for loss that resulted directly from the title company “having transferred, paid or delivered any Funds … as the direct result of an intentional misleading of [an] employee, through a misrepresentation of a material fact … which is: 1) relied upon by an employee, and 2) sent via a telephone call, email, text, instant message, social media related communication, or any other electronic instruction, including a phishing, spearphishing, social engineering, pretexting, diversion, or other confidence scheme, and, 3) sent by a person purporting to be an employee, customer, client or vendor; and, 4) the authenticity of such transfer request is verified in accordance with … internal procedures.”
The insurer denied coverage, explaining that the mortgage company was not a customer, client, or vendor of the title company, and that the closer had failed to verify the transfer according to both internal procedure and the policy. The title company argued that by holding the payoff funds in its escrow account and delivering those funds on the seller’s behalf, it provided a service to the lender. Furthermore, in receiving the payoff funds and applying them to the seller’s account, the lender provided a service to the title company, thereby creating a customer relationship between the two.
The court rejected this argument, citing the plain definitions of the terms at issue (customer, client, and vendor) as set forth in Black’s Law Dictionary and the Oxford English Dictionary. Accordingly, the court found that the seller’s mortgage lender was not an employee, client, customer, or vendor of the title company, and therefore the Deceptive Transfer Fraud insuring clause did not apply. Notably, the court declined to address whether the title company had complied with the policy’s verification requirement.
A clear understanding of an insured’s business model is critical when tailoring policy language to cover social engineering and other fraudulent transfers. Such language is not one size fits all: it must be deliberately drafted to address the counterparties the insured actually deals with, and the insured’s verification procedures must be followed in practice, since a policy may condition coverage on them.