The Indiana Attorney General recently asserted a novel claim under the Indiana Deceptive Consumer Sales Act that, if successful, opens the door for data breach victims to file class action lawsuits and recover $500 or more per person in statutory damages and attorney’s fees. Damages can add up fast as a data breach involving 2,000 people could result in $1,000,000 in damages, not including attorney’s fees. Data breaches may also result in a lawsuit by the Attorney General for civil penalties, attorney fees, and injunctive relief. Now is the perfect time to consider hardening your company’s cyber security defenses and increasing your cyber insurance policy limits.
I. The Indiana Deceptive Consumer Sales Act
To date, no court interpreting Indiana law has applied the Indiana Deceptive Consumer Sales Act (the “Act”), Ind. Code § 24-5-0.5, to data breaches. However, by its express terms, the Act is “liberally construed and applied to … protect consumers from suppliers who commit deceptive and unconscionable sales acts….” IC § 24-5-0.5-1. A “supplier” is defined as someone who regularly engages in or solicits consumer transactions, and includes manufacturers, wholesalers, and retailers, regardless of whether the person deals directly with the consumer. IC § 24-5-0.5-2(a)(3)(A). An “incurable deceptive act” is defined as “a deceptive act done by a supplier as part of a scheme with intent to defraud or mislead.” IC § 24-5-0.5-2(a)(7). Under the Act, “[a] supplier may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction,” regardless of “whether it occurs before, during, or after the transaction.” IC § 24-5-0.5-3(a).
The victim of an incurable deceptive act may recover the damages actually suffered as a result of the deceptive act or $500, whichever is greater, plus reasonable attorney fees. IC § 24-5-0.5-4(a). If the deceptive act was willful, the court may increase the damages to an amount not exceeding the greater of three times the actual damages or $1,000. IC § 24-5-0.5-4(a). In addition, “senior” consumers, over age 60, are entitled to treble damages. IC § 24-5-0.5-4(i). The Act specifically allows a victim to bring a class action against the supplier and provides that the court may award reasonable attorney fees to the prevailing party. IC § 24-5-0.5-4(b). In addition to a civil suit, the Attorney General can assert a claim under the Act, recover civil penalties and attorney fees, and seek injunctive relief. IC § 24-5-0.5-4.
The Act has a variety of defenses and internal limitations. In addition, the Act has a two-year statute of limitations, which is triggered by the date of each occurrence of a deceptive act. IC § 24-5-0.5-5. The doctrine of fraudulent concealment can toll the statute of limitations when the defendant conceals, misleads, prevents, or hinders an inquiry.
Although no court has endorsed the application of the Act to data breach lawsuits, the Indiana Attorney General’s claim implies that the Act applies to data breaches. Application of the Act is significant for Indiana data breach victims because Indiana law does not grant consumers the right to sue a data holder for negligence following a data breach, at least according to the federal judge who presided over the Anthem data breach multi-district litigation. Order, In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617 (N.D. Cal. Feb. 14, 2016).
II. The Indiana Attorney General’s Lawsuit Against Medical Informatics Engineering, Inc.
Twelve states, through their respective attorneys general, sued Medical Informatics Engineering, Inc. (“MIE”) and two MIE-related companies in December 2018, following a 2015 data breach involving the records of 3.9 million people. As background, MIE is a third-party provider that licenses a web-based electronic health record application, known as WebChart, to healthcare providers. MIE’s customers were not consumers, but healthcare providers required to comply with the HIPAA federal standards that govern the security of ePHI, including the obligation to follow what is known as the Security Rule. In a nutshell, the Security Rule requires covered entities and their business associates to protect against the unauthorized use or disclosure of ePHI. The Rule requires that these entities employ appropriate administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of ePHI.
On May 26, 2015, MIE and its related entities discovered that the security of ePHI had been breached. The breach began on May 7, 2015. During the following 19-day period, hackers stole 3.9 million individuals’ ePHI. Defendants began notifying affected individuals two months after the initial breach date and 50 days after the May 26, 2015 discovery date. Defendants did not conclude mailing notification letters until six months after the breach discovery date.
The complaint alleges that the defendants failed to implement basic industry-accepted data security measures to protect individuals’ health information from unauthorized access. For instance, defendants set up a generic “tester” account which could be accessed using the shared password “tester” and a second account called “testing” with the shared password “testing.” The generic accounts did not require a unique user identification and password in order to gain remote access, so activity under them could not be attributed to any individual. Defendants also hired a data security consultant to try to penetrate the systems’ security. The penetration testing identified several deficiencies that were not promptly corrected.
The complaint alleges that defendants failed to implement and maintain an active security monitoring and alert system to detect and alert on anomalous conditions such as data exfiltration, abnormal administrative activities, and remote system access by unfamiliar or foreign IP addresses. The latter fact was particularly significant given the post-breach investigation revealed that two of the IP addresses from which the attack originated were in Germany.
Other claims in the complaint include that defendants failed to use encryption and authentication tools despite claims to the contrary in their privacy policy; defendants’ incident response plan was incomplete; there was no documented evidence or checklist to indicate that defendants followed their incident response plan; and there was no documentation that defendants conducted HIPAA Security and Awareness training in 2013, 2014, or 2015, prior to the breach.
In its part of the multi-state complaint, the Indiana Attorney General alleged eleven separate grounds by which the defendants allegedly violated the administrative safeguards, technical safeguards, and implementation specifications required by HIPAA, including:
- Failing to review and modify security measures needed to continue the provision of reasonable and appropriate protection of ePHI in accordance with the Security Rule;
- Failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in accordance with the Security Rule;
- Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in accordance with the implementation specifications of the Security Rule;
- Failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and Security Incident tracking reports;
- Failing to implement policies and procedures that, based upon its access authorization policies, establish, document, review, and modify a user’s right to access to a workstation, transaction, program, or process that includes ePHI;
- Failing to implement policies and procedures to address Security Incidents, including suspected Security Incidents, to mitigate, to the extent practicable, harmful effects of security incidents known to MIE, or to document such Incidents and their outcomes;
- Failing to assign a unique name and/or number for identifying and tracking user identity;
- Failing to implement a mechanism to encrypt and decrypt ePHI;
- Failing to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI;
- Failing to implement procedures to verify that a person or entity seeking ePHI is the one claimed; and
- Failing to adhere to the Minimum Necessary Standard when using or disclosing ePHI.
Again, these were failures to comply with the company’s obligations under HIPAA. However, the Indiana Deceptive Consumer Sales Act claims, if upheld by the court, would be applicable to Indiana businesses irrespective of whether they handle ePHI.
III. Specifically Identified “Incurable Deceptive Acts”
The Indiana Attorney General alleged that certain security failings constituted unfair or deceptive acts in violation of Indiana’s Deceptive Consumer Sales Act. These acts included:
- Notifying the affected individuals two months after the initial breach date and over 50 days after the breach discovery date. (In comparison, Indiana law requires that the data holder give notice to affected persons as soon as possible after they discover the breach pursuant to IC § 24-4.9-3-3(b));
- Failing to conclude mailing notification letters until six months after the breach discovery date;
- Failing to implement basic industry-accepted data security measures in their security framework, including by not requiring the use of unique user identification and passwords in order to gain remote access;
- Continuing to use accounts that were identified during formal penetration testing as high risk, including establishing a generic account at a client’s request so that employees did not have to login with a unique user identification and password;
- Failing to have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within their system;
- Failing to adequately control privileged access to the system, which allowed an attacker to submit a continuous string of queries, known as a SQL injection attack. The database’s error responses gave the intruder hints as to why each entry was incorrect and provided valuable insight into the database’s structure;
- Failing to implement the use of parameterized queries, or to ensure the sanitization of user input, as recommended by the data security consultant; and
- Failing to implement an adequate and effective post-breach response, as the intruder continued to remove records using privileged credentials acquired through the SQL queries.
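The injection path the complaint describes, as an added example that is not from the complaint, the consultant’s report, or MIE’s WebChart code: a login lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The table, column and account names are assumptions for illustration. The vulnerable version echoes the raw database error back to the caller, which is the “hint” the complaint refers to; once the attacker knows the column count, the same hole reads the schema and then the credential table itself.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application user store.
    (Plaintext passwords here are part of the toy setup, not a recommendation.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "clinician"),
                      ("dbadmin", "hunter2", "admin")])
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user types becomes part of the SQL.
    Returns ("ok", rows) or ("error", raw database message)."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Handing the engine's own error text to the client is the leak:
        # it tells the attacker why the probe failed and how to adjust it.
        return "error", str(exc)


def login_parameterized(conn, username, password):
    """Parameterized query: input is bound as data and cannot change the
    statement's structure. Errors are reported generically."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    try:
        return "ok", conn.execute(sql, (username, password)).fetchall()
    except sqlite3.Error:
        return "error", "authentication failed"


if __name__ == "__main__":
    db = make_db()
    # 1. Bypass: the comment marker discards the password check entirely.
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))
    # 2. Probe: a UNION with the wrong column count returns a database error
    #    that tells the attacker how many columns the query selects.
    print(login_vulnerable(db, "' UNION SELECT name FROM sqlite_master --", "x"))
    # 3. Structure: with the count right, the table definitions come back.
    print(login_vulnerable(db, "' UNION SELECT name, sql FROM sqlite_master --", "x"))
    # 4. Credentials: the same technique dumps every account, admin included.
    print(login_vulnerable(db, "' UNION SELECT username, password FROM users --", "x"))
    # The same inputs against the parameterized version match no row.
    print(login_parameterized(db, "' OR 1=1 --", "anything"))
    print(login_parameterized(db, "alice", "s3cret"))
```

The fix is the second function: the statement text is fixed and the user’s input travels separately as bound parameters, so a quote or comment marker in the input is just data. Input “sanitization” on its own is the weaker of the two remedies the consultant recommended, because it depends on anticipating every encoding an attacker might use; binding parameters removes the problem structurally, and returning a generic error message closes the side channel that turned a failed login into a schema-discovery tool.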
Significantly, while the lawsuit was filed at the end of 2018, these deficiencies were measured against the standards that existed at the time of the breach in 2015. Best practices continue to evolve. What constituted reasonable data security measures in the past may no longer constitute reasonable data security measures today.
IV. Implications for Indiana Businesses That Hold Consumer Data
Whether or not this particular claim under the Indiana Deceptive Consumer Sales Act is successful, the case serves as yet another reminder and warning that Indiana businesses that hold personally identifying information of consumers have to treat data security as a priority. This includes maintaining an active security monitoring and alert system to detect and act on anomalous conditions, such as data exfiltration, abnormal user and administrator activities, and remote system access by unfamiliar or foreign IP addresses. Adequate data security requires maintaining and implementing up to date data security policies and procedures, engaging in documented training of employees, having an incident response plan, and routinely testing and improving the plan. If you undergo penetration testing and the data security consultant identifies security framework, safeguards, or control deficiencies, you have to address them or at least set a plan in place to address them. If you are under attack, you have to employ an adequate and effective response that should include documented evidence, like a checklist, that indicates that you followed your incident response plan. Once you learn of or suspect a security incident compromising sensitive personal information has transpired, you should engage counsel to determine whether the incident rises to the level of a “breach” under applicable law and whether you have notification obligations for all of the affected individuals.
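The monitoring and alerting the complaint faulted MIE for lacking (Section II above) and that this section recommends, as an added example that is not from the complaint or from MIE: a small detector run over constructed remote-access log lines that raises the four conditions named in the text. The log format, the “known office” network ranges, the generic account names and the bulk-read threshold are assumptions for illustration; flagging access from an unknown network stands in for the complaint’s “unfamiliar or foreign IP addresses,” since true geolocation needs an external database.

```python
import ipaddress
from collections import Counter

# Assumed for illustration: networks from which remote access is expected.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Shared accounts that should never be used for remote access at all.
GENERIC_ACCOUNTS = {"tester", "testing"}
# Records read by one user from one source before we call it bulk exfiltration.
BULK_READ_THRESHOLD = 1000
# Actions that change who can do what and deserve an alert every time.
ADMIN_ACTIONS = {"GRANT", "CREATE_USER", "ALTER_ROLE"}

# Constructed sample log: "<timestamp> <user> <source ip> <action> <record count>"
SAMPLE_LOG = """\
2015-05-07T02:11:09Z alice 10.1.4.22 LOGIN 0
2015-05-07T02:11:40Z alice 10.1.4.22 READ 12
2015-05-07T03:02:51Z tester 198.51.100.7 LOGIN 0
2015-05-07T03:03:15Z tester 198.51.100.7 READ 850
2015-05-07T03:05:48Z tester 198.51.100.7 READ 900
2015-05-07T03:09:02Z dbadmin 198.51.100.7 GRANT 0
"""


def parse(line):
    """Split one log line into a dict; the ip field is parsed for range checks."""
    ts, user, ip, action, count = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "action": action, "count": int(count)}


def is_known(ip):
    return any(ip in net for net in KNOWN_NETWORKS)


def detect(log_text):
    """Return a list of (alert_type, user, source_ip) tuples in log order."""
    alerts = []
    read_totals = Counter()  # (user, ip) -> records read so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        src = str(ev["ip"])
        if ev["action"] == "LOGIN" and not is_known(ev["ip"]):
            alerts.append(("unfamiliar_source", ev["user"], src))
        if ev["action"] == "LOGIN" and ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(("shared_generic_account", ev["user"], src))
        if ev["action"] == "READ":
            key = (ev["user"], src)
            before = read_totals[key]
            read_totals[key] += ev["count"]
            # Fire once, on the read that carries the running total over the line.
            if before < BULK_READ_THRESHOLD <= read_totals[key]:
                alerts.append(("bulk_read", ev["user"], src))
        if ev["action"] in ADMIN_ACTIONS:
            alerts.append(("admin_activity", ev["user"], src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises an unfamiliar-source alert and a shared-account alert on the “tester” login, a bulk-read alert on the read that pushes that session past the threshold, and an admin-activity alert on the GRANT from the same address. The point is not the specific thresholds but that each of the complaint’s four categories is a cheap, mechanical check over logs the system was already in a position to keep; the harder part, which the complaint also targets, is having someone review the alerts and act on them within hours rather than weeks.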
So how do you evaluate your business’s exposure if the Indiana Deceptive Consumer Sales Act is applied to data breaches? First, ask how many consumers your business holds records on that include personally identifiable information, such as credit card numbers, financial account numbers, debit card numbers, access codes, security codes, or passwords, social security numbers, and driver’s license or state identification card numbers. Estimate your risk exposure by multiplying that number by $500 per consumer and adding a hefty amount for class action plaintiffs’ attorney fees. Given this number, does your business have sufficient cyber insurance policy limits? Now is the time to start hardening your cyber security defenses and increasing your cyber insurance policy limits.