Legal news from USA: conclusions of the ACI’s 15th Advanced Global Legal and Compliance Forum on Cyber Security and Data Privacy & Protection, held in Washington D.C.

By Martín Francisco Elizalde (*)




The cloud: a new global challenge.


Getting cloud services is a global tendency. Both public and private sectors have migrated to digital technologies in the cloud to conduct their operations. The range of documents thus moved is extremely broad, for most organizations collect, use, and disclose an enormous amount of data from their users: everyone and everything seems to move up to the cloud.


The people who manage these organizations, including members of the Board of Directors, are exposed to significant risks derived from data breaches, including government penalties, litigation, and reputational damage. These risks have increased not only through cloud computing services but also through social media, mobile devices and online communications.


Even though this tendency to move to the cloud is grounded in both commercial and technological benefits, the analysis of which lies well beyond the scope of this work, it implies legal and technological vulnerabilities that need to be addressed, as news of cyber-attacks is reported on an almost daily basis.


The Forum's conclusions on class action and breach of information:


Defining the general duty:


A definition of the duty to protect personal information was provided at the event. It is stated in the “STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH” of the State of Massachusetts:


“Duty to Protect and Standards for Protecting Personal Information. (1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”


Defining breach of information:


“According to 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts”, the following words as used herein shall, unless the context requires otherwise, have the following meanings:


Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”


Update on Data Security Private Litigation. Where Things Stand:


Litigation arising out of a security breach may be brought by or against a business that experienced the loss. A company may choose to pursue civil or criminal remedies against the person or persons responsible for the breach, which in civil actions may require satellite litigation to compel the disclosure of the identity of an anonymous or pseudonymous thief. A company that experienced a data loss also may be sued by its customers or other third parties allegedly impacted by the breach, including in putative class action suits. Where companies are sued by consumers or their business customers over a security breach, the most common theories of recovery are breach of contract, breach of implied contract, breach of fiduciary duty, public disclosure of private facts and negligence, depending on the facts of a given case. Security breach suits brought by consumers against companies that have experienced a breach therefore frequently are framed in terms of common law and state statutory remedies.


A company's obligation to comply with security breach notification laws often results in publicity that leads to litigation, including class action litigation, as well as regulatory scrutiny (which alternatively may lead to litigation).


Breach of information and Class action:


The requirements for admission are basically similar to those of most class actions, regardless of their subject:








• Adequacy of Representation (Class Representative and Counsel)

Additional Requirement:

• Damages – Common Issues Predominate and Superior

• Injunctive Relief – Homogenous Class

Extras:

• Standing

Settlement:

• All the above, plus fair and reasonable.


Breach of information and class action: rules.


Let us see what the courts resolved in a breach of information case brought before them:


In re Hannaford Bros. Co. Consumer Data Sec. Breach Litg., 293 F.R.D. 21 (D. Me. 2013)


Facts: Grocery store suffered a massive data breach, resulting in theft of debit and credit card data. Plaintiffs sought to certify a class asserting negligence and breach of implied contract claims. Plaintiffs sought out-of-pocket expenses made to mitigate economic injury.


Ruling: The Court denied Plaintiffs’ motion for class certification. Although Plaintiffs satisfied all of Rule 23(a)’s factors, Plaintiffs failed to meet the predominance requirement of Rule 23(b)(3). Specifically, the “lack of an expert opinion on [Plaintiffs’] ability to prove total damages to the jury [was] fatal” to the predominance inquiry.


Implications: Hannaford predates Comcast by seven days. Thus, it is unclear whether future courts will find the predominance analysis persuasive.


In a more recent case, Tabata v. Charleston Area Med. Ctr., Inc., 759 S.E.2d 459 (W. Va. 2014)


Facts: The Defendant, a healthcare company, inadvertently placed on the internet a database containing personal and medical information. Plaintiffs sought recovery for breach of duty of confidentiality, among other claims. The lower court denied a motion for class certification, finding that the Plaintiffs lacked standing.


Ruling: Reversed. Applying West Virginia law, the Court found that Plaintiffs had standing due to a future risk of identity theft, the Defendant’s failure to keep medical information confidential, and the violations of Plaintiffs’ privacy rights. The Court also found that Plaintiffs satisfied the requirements of Rule 23.


Implications: The analysis was based on West Virginia law, which places a lower threshold on issues such as commonality and predominance. The case drew a terse dissent, which argued that Plaintiffs lacked standing because nobody viewed the personal and medical information on the internet: “No harm, no foul. The plaintiffs lack standing to sue or represent a class of unnamed plaintiffs.”


Conclusions: not a distant mirror


In Argentina there are plenty of firms that enter into LSAs. Issues such as the liability of the members of the Board of Directors frequently arise in connection with the actual possibility of a breach of security that exposes a third party's personal data.


The Forum may have been held far away. However, its contents and conclusions may be really useful here and now.


(*) Partner at Foresenics Argentina



