Legal Report July 2015
U.S. JUDICIAL DECISIONS
Data breaches. A federal judge gave preliminary approval to a settlement of a class action lawsuit brought by Target customers against the retailer following a data breach that compromised millions of consumers’ credit and debit card information, along with personal identifying information.
The $10 million settlement stems from a data breach that occurred during the 2013 holiday season when Target disclosed that hackers had stolen credit and debit card information for approximately 40 million customers. It later reported that, along with the financial data that was compromised, hackers also obtained personal information, including e-mail and mailing addresses, from 70 million to 100 million people.
Further details then emerged that Target's security monitoring system had alerted the company to suspicious activity on its network during the attack, but that the alerts were not acted on, allowing the breach to continue.
Customers affected by the breach originally filed three class-action suits against the retailer—two in California and one in Oregon—in December 2013. Since then, 140 lawsuits have been filed against the retailer from cardholders, banks, and shareholders. The proposed settlement, preliminarily approved by U.S. District Court Judge Paul A. Magnuson, applies only to consumers.
The settlement allows individuals affected by the breach to be awarded up to $10,000 each in damages. Individuals must fill out a form and submit it via a website or postal mail to make their claim and prove that unauthorized charges were made to their credit cards. The form includes questions asking individuals if they used a credit or debit card at a U.S. Target store, if they received notice that their personal information had been compromised, and if they have documentation to support their claim for reimbursement.
Additionally, individuals need to show that they spent time addressing fraudulent charges and incurred costs as a result of the breach, such as higher interest rates or fees or the expense of correcting their credit reports.
Target is also required to appoint a chief information security officer—a move the retailer made last summer—set up protocols for responding to online security threats, and provide data security training for its employees. It is also responsible for paying up to $6.75 million in legal fees for the plaintiffs under the settlement.
Customers can continue to file objections to the terms of the proposed settlement until the final hearing on the settlement on November 20, 2015. Even if the settlement is approved, Target still faces claims from three major credit card companies and investigations by the Federal Trade Commission, the Securities and Exchange Commission, and other state and federal agencies. (In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court for the District of Minnesota, No. 0:14-md-02522, 2015)
Bribery. Thermal-imaging company FLIR Systems settled bribery charges filed by the U.S. Securities and Exchange Commission (SEC) that said the company violated the Foreign Corrupt Practices Act (FCPA) by financing a “world tour” of personal travel for government officials in the Middle East. These officials played a key role in decisions to purchase FLIR products, with the company earning more than $7 million in profits from sales influenced by the improper travel and gifts.
In November 2008, FLIR entered a contract with the Saudi Arabia Ministry of Interior (MOI) to sell binoculars using infrared technology worth approximately $12.9 million. As a requirement of the contract, MOI officials had to attend a “Factory Acceptance Test” arranged by two FLIR employees. The trip, later referred to as a “world tour,” was a 20-night excursion with stops in Casablanca, Paris, Dubai, Beirut, New York City, and Boston—where a single five-hour day was spent at FLIR’s facility completing the equipment inspection.
According to the SEC, there was no business purpose for the stops outside of Boston, and the value of gifts and the extent and nature of the travel were falsely recorded in FLIR’s records as legitimate business expenses. The company’s internal controls then failed to catch these payments, “despite documentation suggesting that extravagant gifts and travel were being provided,” the SEC reported.
Additionally, between 2008 and 2010 FLIR paid approximately $40,000 in travel expenses for Saudi government officials. This included New Year’s Eve trips to Dubai with airfare, hotel, dinners, and drinks. FLIR also accepted cursory invoices from a company partner without supporting documentation to pay for the extended travel of Egyptian officials in 2011.
FLIR self-reported the misconduct to the SEC and cooperated with the commission’s investigation, which found that it violated the anti-bribery, internal controls, and books-and-records provisions of the Securities Exchange Act of 1934. The two former employees in the Dubai office who arranged the travel also agreed to settle SEC charges and pay financial penalties.
The company consented to the SEC’s findings—without admitting or denying them—and agreed to pay disgorgement of $7,534,000, prejudgment interest of $970,584, and a penalty of $1 million for a total of $9,504,584 in charges. FLIR is also required to report to the SEC on its efforts to comply with corrupt practices laws for two years. (In the Matter of FLIR Systems, Inc., Securities and Exchange Commission, Administrative Proceeding, No. 3-16478, 2015)
Privacy. Sen. Mike Lee (R-UT) introduced legislation that would change the provisions under which the government can require providers to disclose the contents of electronic communications.
The bill (S. 356) would amend the Electronic Communications Privacy Act (ECPA) of 1986 to prohibit providers of remote computing services or electronic communication services from knowingly divulging to the government the contents of any communication in electronic storage or maintained by the provider.
Instead, the government would be required to obtain a warrant from a court to compel disclosure of the content, regardless of how long the communication has been in the provider’s electronic storage or whether it is being requested from an electronic communication service or a remote computing service.
However, the bill allows notice of the warrant to the subscriber to be delayed if notification would endanger the life or physical safety of an individual, lead to flight from prosecution, result in the destruction of or tampering with evidence, lead to intimidation of potential witnesses, or otherwise seriously jeopardize an investigation or unduly delay a trial.
The bill has 11 bipartisan cosponsors in the Senate. An identical bill (H.R. 283) has been introduced in the House.
Liability. The House of Representatives passed a bill that gives companies legal liability protections when sharing cyberthreat data with the U.S. Department of Homeland Security (DHS).
The National Cybersecurity Protection Advancement Act (H.R. 1731) extends liability protections to nonfederal entities that conduct network awareness, that share cyberthreat indicators or defensive measures with DHS, or that do not act on information shared with them. It also exempts nonfederal entities from antitrust laws for cybersecurity purposes if they share cyberthreat indicators or defensive measures, or provide assistance related to the prevention, investigation, or mitigation of cybersecurity risks or incidents.
Additionally, the bill expressly prohibits the federal government from using shared information for regulatory purposes. It also prohibits the federal government from using provisions in the bill to require a nonfederal entity to provide information to the government.
As a watchdog measure, the House also approved an amendment to the bill that requires the Government Accountability Office to report to Congress five years after its enactment to review its impact on privacy and civil liberties.
The bill is sponsored by House Homeland Security Committee Chairman Rep. Michael McCaul (R-TX) and is cosponsored by Rep. John Ratcliffe (R-TX). It now moves to the Senate.
Trafficking. The United Kingdom concludes a consultation period this month to determine whether businesses with a certain level of turnover will be required to publish an annual slavery and human trafficking statement.
Provisions within the recently enacted Modern Slavery Act 2015 require all businesses over a certain size to disclose what steps they have taken to ensure that their business and supply chain are free of slavery and human trafficking. This applies to commercial organizations—corporate bodies and partnerships—that carry on a business or part of a business in any sector in the United Kingdom.
The consultation period was used to decide what minimum turnover threshold to set and the statutory guidance that should be included. Following the consultation period, regulations will be released that detail the minimum and how turnover will be determined. Parliament will then have a chance to debate these regulations before they are enacted in October 2015.
The supply chain provision of the law was introduced to encourage businesses to take more action on trafficking and slavery. “We believe that once it is made clear what activity major businesses are undertaking to ensure slavery and human trafficking is not taking place in their supply chains or own business, pressure from consumers, shareholders, and campaigners and competition between businesses will encourage those who have not taken effective steps to do so,” according to a report by Home Secretary Theresa May.
Along with increased corporate responsibility, the law consolidates all existing slavery and human trafficking offenses under one act of Parliament, increases the maximum sentence from 14 years to life in prison, establishes an antislavery commissioner, and creates provisions to protect modern slavery victims.
Sick leave. California enacted a law that requires private employers in the state to provide paid sick leave to workers. Under the new law (formerly A.B. 1522), employees are allowed to accrue at least one hour of sick leave for every 30 hours worked and use up to three days of paid sick leave each year after their 90th day of employment.
The law is expected to provide sick leave to approximately 6.5 million Californians and went into effect on July 1.