News and Commentary Impacting Data Privacy and Cybersecurity Programs

Going Once, Going Twice, Sold: Christie’s Client Data Allegedly Sold on Dark Web, Auction House Sued

Global art and luxury auction house Christie’s refused to pay a ransom to the hackers who breached its systems and is now facing a class action lawsuit from its clients. The ransomware group RansomHub has claimed responsibility for a cyber-attack on May 9, 2024, alleging that it stole Christie’s personal client data and, after the auction house cut off communication during the ransom negotiation, sold that data on the dark web.

Now, Christie’s faces a class action lawsuit alleging negligence, breach of implied contract, unjust enrichment, and violation of New York’s deceptive trade practices act. The complaint filed against Christie’s alleges that roughly 500,000 class members have been exposed to an invasion of privacy, theft of information, and lost time and opportunity costs connected to attempting to mitigate the potential consequences of the data breach.

Alleged Personal Data Stolen

Whenever there is a data security breach, it is imperative to identify and evaluate what types of data may have been compromised. The complaint against Christie’s alleges that the stolen data includes the plaintiffs’ “full names, genders, passport numbers, expiration dates, dates of birth, birth places, MRZs, countries, and document numbers” (Artnet.com). MRZ refers to the “machine readable zone” of a passport, the lines of standardized text at the bottom of the data page that encode the holder’s name, document number, nationality, date of birth, sex, and expiration date for automated reading. Because an MRZ bundles these identity fields in a single, machine-parsable string, its exposure is effectively the exposure of every field it encodes.

Key Takeaways

Incident Response Plan: Proactive organizations should plan and drill responses to different cybersecurity threats before an incident occurs, so that the right decision can be made at critical moments. A spokesperson for Christie’s told The Register that once the company identified a security breach, it swiftly shut down its website to protect its systems.

Cyber Insurance: Cyber insurance can protect businesses from being overwhelmed by ransom payments and related incident response expenses. The FTC publishes guidance on choosing cyber insurance.

Legal and Specialist Support: The decision of whether to pay a ransom is complex. The best approach is to work with negotiators and lawyers who have experience with data privacy breaches. It is not uncommon for these professionals to negotiate the ransom price down, sometimes by 20% to 50% or more. The cost of these services can be covered by a cyber insurance policy.

“Proof of Life” Demonstration: RansomHub claims to have provided Christie’s with “proof of life,” meaning a sample of the stolen data released to show that the theft is genuine. However, even a “proof of life” demonstration does not prove that the hacker group has all the data it claims to possess. Exfiltrating large volumes of data without detection is challenging, and it is very possible that a group will extract only a fraction of the data it wanted.

Hacker Profile: Different hacker groups have different levels of “credibility,” based on how long they have operated and their (known) history of complying with the ransom agreement after they were paid. RansomHub is a relatively new cybercrime group (although some believe it to be a reboot of an older gang), arriving on the scene in February 2024, but it is already considered one of the three most prolific ransomware groups in recent cyber-attacks according to NCC Group. Because it is newer, RansomHub may be perceived as less reliable than longer-standing gangs.

Legal Liability: Whenever an organization is the victim of a cybercrime, there is potential for legal liability. Class action lawsuits for data security breaches are increasingly common. However, data breach trials are rare. Although plaintiffs face challenges in proving that a particular data breach caused actual monetary damages, defendants frequently settle out of court to avoid legal fees and a protracted, public legal battle. Paying or not paying a ransom involves legal questions that require legal counsel.

Rare Defense Win as American Bar Association Beats Member Data Privacy Suit

Members of the American Bar Association (“ABA”), one of the largest organizations in the United States for legal professionals, sued the ABA for its alleged failures in responding to a data security breach.

Although data breach class actions typically result in settlement, the United States District Court for the Eastern District of New York dismissed the proposed ABA class action on April 30, 2024.

The plaintiffs alleged that on March 6, 2023, an unidentified “hacker” gained unauthorized access to the ABA computer system, affecting the records of an estimated 1.5 million ABA members. The ABA allegedly took no action to remove the hacker’s access until March 17, 2023. Compromised personal information allegedly included personal phone numbers and credit and/or debit card information.

Plaintiffs alleged breach of implied contract, violation of the New York Deceptive Acts and Practices Law and the Texas Deceptive Trade Practices Act, and, in their proposed multistate class, violations of consumer fraud statutes from the District of Columbia and 32 other states (including New York). The ABA moved to dismiss.

Central to the plaintiffs’ claims was the allegation that the ABA, as a condition of receiving sensitive membership information, impliedly agreed to use “industry-standard measures” and “commercially reasonable security measures” to protect member information, and ultimately failed to do so. The District Court found that the ABA members did not sufficiently identify which such measures the ABA had failed to implement. The court also found that nothing in the plaintiffs’ allegations about the ABA’s privacy policy statements supported the plaintiffs’ claims.

The case is Troy v. American Bar Ass’n, U.S. District Court for the Eastern District of New York, No. 1:23-CV-03053.

Key Takeaways

Review Privacy Policy: Following a data breach, plaintiffs and courts will scrutinize a company’s public-facing privacy policy or privacy notice and compare what is said there with what actually happened. Carefully and periodically review the statements and promises in your privacy policy. Confirm that your practice matches your policy. Consider involving data privacy counsel to identify risks.

Unique Dismissal: The ABA members’ claims failed because they did not specifically allege which data security measures the ABA failed to implement. This will not be the case for every plaintiff who files suit, nor will it be the finding of every court presented with similar claims. Ensure your data security policies are up to date, documented, and followed, and that they map to recognized industry standards. Mistakes happen, but demonstrating good faith compliance with commercially reasonable standards can mitigate liability.

Minnesota Consumer Data Privacy Act Signed Into Law

Minnesota became the 19th state to pass a comprehensive consumer data privacy law on May 24, 2024, when Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (“MCDPA”). The law will take effect on July 31, 2025. Two noteworthy features of the law include:

  • Small Business Exemption: Businesses that satisfy the U.S. Small Business Administration’s definition of “small business” are exempt from the MCDPA, except for a requirement that all businesses (including small businesses) obtain prior consent before selling “sensitive data”.
  • Right to Question Profiling: The MCDPA allows consumers to question the results of profiling. “Profiling” refers to any form of automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual, such as their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Where a profiling decision relies on inaccurate data, the consumer has a right to correct the data and have the decision reassessed using the revised information.

Vermont Data Privacy Act Vetoed Over Private Right of Action

Vermont narrowly missed becoming the 20th state to adopt a consumer privacy law. On June 13, 2024, Vermont Governor Phil Scott vetoed the General Assembly’s H.121, An act relating to enhancing consumer privacy and the age-appropriate design code (the Vermont Data Privacy Act). The legislature did not have enough votes to override the veto. Once projected to become the second strongest state consumer privacy act, it was slated to take effect on July 1, 2024. Key features of the now-dead legislation are outlined below:

  • Private Right of Action: H.121 contained a provision that would have granted a private right of action for a period of two years, effective January 1, 2027. In an official statement, Governor Scott cited the provision as an “area of risk . . . which would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits.” Currently, only the California Consumer Privacy Act provides a private right of action, and only in the instance of a data breach.
  • Duties to Minors: The bill aimed to limit the amount of time that a minor’s data might be retained, as well as the permissible uses of such data. Controllers and processors would have had a duty to assess and reduce any potential “heightened risk of harm” of processing a minor’s data.
  • Low Consumer Threshold: At 25,000 consumers, if enacted the VTDPA would have held the lowest consumer threshold for applicability of any state consumer data privacy act that includes such thresholds.
  • Exemptions: The VTDPA lacked meaningful carveouts for small businesses and non-profit organizations.

A second bite at the apple? Governor Scott has called for “regional consistency,” displaying a measure of openness to future consumer privacy legislation. Governor Scott stated, “Vermont should adopt Connecticut’s data privacy law, which New Hampshire has largely done with its new law. Such regional consistency is good for both consumers and the economy.”

Concluding Consideration

The data breaches at Christie’s and the American Bar Association, and the resulting class action lawsuits, show that cybersecurity incidents can have very real ramifications. Proactive planning can make all the difference, such as:

  • Creating cybersecurity protocols
  • Choosing cyber insurance coverage
  • Identifying legal and specialist support available to you before an incident takes place

For further information or guidance on these issues, please contact:

Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com

If you have topics you would like to see discussed, please email us with your ideas. We’d love to hear from you.

This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.