Monthly Archives: November 2013

The AvMed Data Breach Settlement: What’s it going to Cost?

$3,000,000, based on the recently proposed settlement agreement involving the 2009 AvMed data breach incident.


Once finally approved, this settlement would resolve the claims asserted against AvMed and would provide monetary relief to all affected customers, including customers who were not actually victims of an identity theft.  The proposed settlement in this case goes well beyond the credit monitoring offer that typically results from data breach class action settlements.  According to the plaintiffs’ unopposed motion to approve the settlement:

“All told, the Settlement is a tremendous achievement for the Plaintiffs and proposed Settlement Classes, and provides landmark relief that will serve as a model for other companies who face similar lawsuits.”

The Facts

AvMed, Inc. is a Florida-based health insurance provider.  In December 2009, two laptop computers were stolen from AvMed’s conference room.  The laptops contained the unencrypted personally identifiable information (PII) of 1.2 million AvMed customers.  The unencrypted PII consisted of customers’ names, addresses, Social Security numbers, and medical health information.

The Allegations

According to the affected customers, AvMed’s failure to properly secure their PII (in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards) resulted in (1) the theft of some affected customers’ identities, and (2) with respect to all affected customers, the overpayment for insurance coverage.

The first claim (i.e., based on customers whose identities were stolen and who suffered economic harm as a result) is fairly straightforward and uncontroversial.

The second claim (related to the overpayment of premiums of all affected customers) is a bit more novel.  This second claim is based on an unjust enrichment theory, which the Eleventh Circuit addressed prior to remanding this case back to the district court.  The Eleventh Circuit recognized the customers’ unjust enrichment claim stating that when AvMed charged customers, as part of premium payments, to fund the administrative costs of data security, then AvMed is unjustly enriched to the extent it subsequently fails to implement the data security measures.  This notion is premised on the fact that customers paid monthly premiums to AvMed, a portion of which was presumably allocated to the data security efforts that AvMed promised its customers.  And, of course, AvMed did not implement these promised data security efforts, but nevertheless retained the entirety of the customers’ premiums.  Accordingly, under this theory of unjust enrichment, the customers paid for undelivered services and thus are entitled to partial refunds of their premiums.

The Settlement

Under the terms of the settlement, AvMed agrees to create a $3M settlement fund.  Customers who can show that they actually suffered identity theft as a result of the 2009 data breach can make claims to recover monetary losses associated with the identity theft.  Additionally, all affected customers (whether they suffered actual identity theft or not) will be entitled to claim $10 for each year that they paid premiums to AvMed, subject to a cap of $30.  The cash payments available to all affected customers provide reimbursement for the portion of their insurance premiums that AvMed should have allocated to data protection and security.

Additionally, under the settlement, AvMed is required to implement wide-ranging measures to ensure that its customers’ PII is protected, including:

  1. instituting mandatory security awareness and training programs for all company employees
  2. instituting mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers
  3. upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology
  4. adopting new password protocols and full disk encryption technology on all company desktops and laptops
  5. installing physical security upgrades at company facilities and offices to further safeguard workstations from theft
  6. reviewing and revising written policies and procedures to enhance information security

For Comparison’s Sake

So, just for fun, here’s how this settlement stacks up against some other recent, high-profile data breach settlements:

  • Johansson-Dohrmann v. Cbr Sys., Inc., No. 12-CV-1115 (S.D. Cal. July 24, 2013) – established a $2.5 million fund to provide approximately 300,000 class members with two years of credit monitoring and identity theft reimbursement.
  • Beringer v. Certegy Check Services, Inc., No. 07-cv-01657 (M.D. Fla. Sept. 3, 2008) – established a $5 million fund to provide approximately 37 million class members with up to two years of credit monitoring and identity theft reimbursement.
  • In re Heartland Payment Sys. Inc. Customer Data Sec. Breach Litig., MDL No. 09-2046 (S.D. Tex. 2012) – established a $2.4 million fund from which to provide over 100 million class members with identity theft reimbursement.
  • Rowe v. Unicare Life and Health Ins. Co., No. 09-cv-02286 (N.D. Ill. Sept. 14, 2011) – established a $3 million fund to provide approximately 220,000 class members with one year of credit monitoring and identity theft reimbursement.

The Nordstrom Case: What’s in an Email Address?

An email address is Personal Identification Information (PII), according to the US District Court (Eastern Dist. of California) applying California’s Song–Beverly Credit Card Act of 1974 (“Credit Card Act”) (Cal. Civ. Code §§ 1747 et seq).  In the class action case Capp v. Nordstrom, a customer alleged that Nordstrom requested his email address in connection with a credit card transaction at a Nordstrom retail store for the purpose of sending him an e-receipt.  The customer further alleged that Nordstrom then used his email address to send him unsolicited marketing materials in violation of the Credit Card Act.  The issue, among others, that the court faced was whether an email address is PII under the Credit Card Act.


The Facts

According to the customer, a Nordstrom cashier asked him to provide his email address to receive an electronic receipt.  Believing it was required to complete the transaction, the customer provided his email address to the cashier.  The cashier then typed the customer’s email address into the portable sales device, at which point in the transaction the customer’s credit card number and email address were recorded in the same portable device.  As expected, the customer later received an email with his receipt; however, according to the customer, he also received marketing and promotional materials from Nordstrom “on a nearly daily basis.”

The Credit Card Act

Under the Song-Beverly Credit Card Act, a company that accepts credit cards for business transactions cannot “request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person … or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”  As to the definition of PII, the statute states that PII means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”

The Credit Card Act imposes civil penalties for violations “not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation.”

The Decision

The statutory definition of PII makes no mention of email addresses. The district court noted that there is no published case deciding the question of whether an email address constitutes PII under the Credit Card Act.  Accordingly, without a controlling California Supreme Court decision on point, the district court was tasked with predicting how the California Supreme Court might decide the issue.

To do so, the district court pointed to a recent California Supreme Court case Pineda v. Williams–Sonoma Stores, Inc. (2011).  In Pineda, the California Supreme Court interpreted the words “personal identification information” to include a cardholder’s ZIP code.  The California Supreme Court’s analysis focused on the notion that a cardholder’s ZIP code can be used, together with the cardholder’s name, to locate his or her full address; and, importantly, a cardholder’s address and her ZIP code both constitute information unnecessary to the sales transaction that can be used for commercial purposes.  As the district court put it:

“In this case, an email address is within the scope of the statute’s broad terms concerning the cardholder as well because a cardholder’s email address pertains to or regards to a cardholder in a more specific and personal way than does a ZIP code.  Instead of referring to the general area in which a cardholder lives or works, a cardholder’s email address permits direct contact and implicates the privacy interests of a cardholder. Therefore, this Court predicts that the California Supreme Court would decide that an email address constitutes personal identification information as those terms are defined by section 1747.08(b) of the Credit Card Act.”

Nordstrom also argued that the Credit Card Act claim would be necessarily preempted by the CAN-SPAM Act if email addresses were determined to be PII.  The district court rejected this argument and held that the customer’s claims were not subject to CAN-SPAM’s preemption because the Credit Card Act applies only to email addresses and does not regulate the content or transmission of the underlying messages.

Introducing Startups to the Crowd: The SEC’s “Regulation Crowdfunding”

As I discussed in a previous post last spring, startups and investors alike have been eagerly awaiting action by the U.S. Securities and Exchange Commission (“SEC”) to promulgate rules to facilitate equity-based crowdfunding.  Well, at last, the SEC has proposed crowdfunding rules as mandated by the Jumpstart Our Business Startups Act (the “JOBS Act”).  The JOBS Act, enacted back in April of 2012, is intended to enable startups and small businesses to raise capital through crowdfunding.  The public comment period is set for 90 days, which means that equity-based crowdfunding could become a reality in early 2014.


The text of the SEC’s notice of proposed rulemaking is an ambitious 585 pages.  Unlike the SEC, I value brevity.  So, after providing a quick refresher on crowdfunding and the Securities Act, the remainder of this post will discuss the key provisions that potential crowdfunding issuers (i.e., the startups) and investors (i.e., the crowd) may find interesting.  Specifically, I will point out a few key aspects of the long-awaited crowdfunding rule’s requirements for exemption from the registration requirements of the Securities Act.

Background: Crowdfunding and the Securities Act

Currently, the only types of crowdfunding authorized in the US are those forms that do not involve the offer of a share in any financial returns or profits that the fundraiser may expect to generate from business activities financed through crowdfunding.  Examples of crowdfunding websites that have become mainstream include the likes of indiegogo and Kickstarter.  These platforms prohibit founders (the project starters) from offering to share profits with contributors (i.e., equity or security transactions) because such models would trigger the application of federal securities laws.  And, under the Securities Act, an offer and sale of securities must be registered unless an exemption is available.

However, newly created Section 4(a)(6) of the Securities Act, as promulgated under the JOBS Act, provides an exemption (the “crowdfunding exemption”) from the registration requirements of Securities Act Section 5 for certain crowdfunding transactions.  With the introduction of this exemption, startups and small businesses will be able to raise capital by making relatively low-dollar offerings of securities to “the crowd” without invoking the full regulatory burden that comes with issuing registered securities.  Additionally, the crowdfunding provisions create a new type of entity, referred to as a “funding portal”, to allow Internet-based platforms to facilitate the offer and sale of securities without having to register with the SEC as brokers.  Together these measures are intended to help small businesses raise capital while protecting investors from potential fraud.

Startups:  Limits on Amount Raised

The exemption from registration provided by Section 4(a)(6) is available to a U.S. startup (the issuer) provided that “the aggregate amount sold to all investors by the issuer, including any amount sold in reliance on the exemption provided under Section 4(a)(6) during the 12-month period preceding the date of such transaction, is not more than $1,000,000.”

In the proposed rule, the SEC clarifies that only the capital raised in reliance on the crowdfunding exemption should be counted toward the limitation.  In other words, all capital raised through other means will not be counted against the $1M sold in reliance on the crowdfunding exemption.  As the SEC stated in its notice of proposed rule:

“If an issuer sold $800,000 pursuant to the exemption provided in Regulation D during the preceding 12 months, this amount would not be aggregated in an issuer’s calculation to determine whether it had reached the maximum amount for purposes of Section 4(a)(6).”

Startups: Limits on the Method of Crowdfunding

Under Section 4(a)(6)(C), an offering seeking the crowdfunding exemption must be “conducted through a broker or funding portal that complies with the requirements of Section 4A(a).”  This means that crowdfunding can only occur through an intermediary, and that intermediary must meet the requirements of either (1) a broker, or (2) a funding portal. The SEC proposed two related limitations here:

  1. Single intermediary – Prohibits an issuer from using more than one intermediary to conduct an offering or concurrent offerings made in reliance on the crowdfunding exemption.  For example, you couldn’t use both FundMyStartUp.com and CrowdfundMyDreams.com for the same offering, or even for different offerings when conducted concurrently.
  2. Online-only requirement – Requires that an intermediary (i.e., the broker or funding portal) effect crowdfunding transactions exclusively through the intermediary’s platform.  The term “platform” means “an Internet website or other similar electronic medium through which a registered broker or a registered funding portal acts as an intermediary in a transaction involving the offer or sale of securities in reliance on Section 4(a)(6).”

According to the SEC’s notice, with respect to the online-only requirement:

“We believe that an online-only requirement enables the public to access offering information and share information publicly in a way that will allow members of the crowd to decide whether or not to participate in the offering and fund the business or idea.  The proposed rules would accommodate other electronic media that currently exist or may develop in the future. For instance, applications for mobile communication devices, such as cell phones or smart phones, could be used to display offerings and to permit investors to make investment commitments.”

A Quick Note about Funding Portals

As mentioned above, to fit within the crowdfunding exemption, the offering must be conducted through a broker or funding portal that complies with the requirements of Securities Act Section 4A(a).

Exchange Act Section 3(a)(80) (added by Section 304 of the JOBS Act) defines the term “funding portal” as “any person acting as an intermediary in a transaction involving the offer or sale of securities for the account of others, solely pursuant to Securities Act Section 4(a)(6), that does not: (1) offer investment advice or recommendations; (2) solicit purchases, sales or offers to buy the securities offered or displayed on its platform or portal; (3) compensate employees, agents or other persons for such solicitation or based on the sale of securities displayed or referenced on its platform or portal; (4) hold, manage, possess or otherwise handle investor funds or securities; or (5) engage in such other activities as the Commission, by rule, determines appropriate.”

Under the SEC’s proposed rules, the definition of “funding portal” is exactly the same as the statutory definition, except the word “broker” is substituted for the word “person”.  The SEC is making clear that funding portals are brokers (albeit a subset of brokers) under the federal securities laws.

Investors: Limits on Amount Invested

Under Section 4(a)(6)(B), the aggregate amount sold to any investor by an issuer, including any amount sold in reliance on the exemption during the 12-month period preceding the date of such transaction, cannot exceed: “(i) the greater of $2,000 or 5 percent of the annual income or net worth of such investor, as applicable, if either the annual income or the net worth of the investor is less than $100,000; and (ii) 10 percent of the annual income or net worth of such investor, as applicable, not to exceed a maximum aggregate amount sold of $100,000, if either the annual income or net worth of the investor is equal to or more than $100,000.”

Because the statutory definition above creates some potential ambiguity, the SEC’s rule seeks to clarify the relationship between annual income and net worth for purposes of determining the applicable investor limitation.  Essentially, the proposed rules take a “whichever is greater” method for measuring whether limitation (i) or (ii) applies.  As the rule proposes,

  • Where both annual income and net worth are less than $100,000, the limitation will be set at the greater of (a) $2,000 or (b) the greater of (x) 5% of annual income or (y) 5% of net worth.
  • Where either annual income or net worth exceeds $100,000, the limitation will be set at the greater of (a) 10% of annual income or (b) 10% of net worth; provided, however, that in either case (a) or (b) may not exceed $100,000.

Related to investor limits, but more important for startups to understand, the proposed rules alleviate burdens associated with vetting investor suitability.  Specifically, the rule allows startups to reasonably rely on the efforts that the intermediary takes in order to determine that the amount purchased by an investor will not cause the investor to exceed investor limits.