Data Breaches

They're not just problems for the IT department -- they can be legal headaches too

In just a relatively short period of time, cybersecurity has become a top concern. Cyberattacks are becoming more frequent. A 2016 survey indicated a 38% increase in cyberattacks from 2014 (1). Cybersecurity incidents are also costly. A 2015 study found the average global cost of a data breach was $3.79 million, with U.S. companies experiencing an average cost of $6.53 million (2). This study found the mean time to identify a data breach was 206 days, and the mean time to contain a breach was 69 days (3). Another 2015 study found the mean cost of cybercrime was $7.1 million, with U.S. companies reporting the highest average cost at $15 million (4). This study found the mean time to resolve a cyberattack was 46 days, with an average cost of $21,155 per day, or $973,130 over that period (5).

Most people think of data breaches as information technology problems. However, cybersecurity breaches must be viewed as legal events because they trigger legal obligations. When a business suffers a cybersecurity incident, it must comply with federal and state laws and regulations dictating not only that the victim of a cybersecurity incident must give notice of the breach, but also how, when and to whom notice must be provided. A 2015 survey of cyber insurance claims found the average cost for covered crisis services, such as forensics, notification, credit/ID monitoring and legal advice, was $499,710.6 Additionally, companies must defend against lawsuits and enforcement actions. The cyber insurance survey found that the average costs for a covered legal defense was $434,354 and for a covered legal settlement was $880,893 (7). This article highlights several of the legal issues a company must address and some of the legal actions it may have to defend against in the wake of a data breach.

State notification requirements

Fifty-one U.S. jurisdictions, including 47 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted data breach notification laws, which mandate notice of a covered breach to affected individuals. These laws specify the steps that a company must take in response to a breach that affects residents of that state and, in some instances, other states. Although the notification laws of each of the 51 jurisdictions are similar, they are not identical, and they contain significant variations as to how they define “breach,” what type of data constitutes “personal information,” the types of events triggering notice obligations, the timing and content of notices, and whether notice must be sent for an event when there is a very low likelihood of harm resulting from the breach.

Upon a data security breach, a company’s first task is to identify which jurisdictions’ requirements apply. Often, even the most “local” business finds that it has collected data from residents of multiple jurisdictions and that it therefore must comply with the laws of each of those jurisdictions with different, sometimes conflicting, requirements. The company must carefully review the requirements of each applicable jurisdiction to determine its obligations.

Time is of the essence with regard to notifications. For example, Vermont requires notice to its state attorney general within 14 business days following discovery of a breach. Some notification statutes do not specify a fixed number of days, but instead require notice as soon as practicable and without unreasonable delay. Government entities may impose fines for delays, and certain states outline specific penalties up to $500,000 where notice is not provided to affected individuals within 180 days.

Federal notification requirements

Currently, there is no single federal data breach notification law of general application to business outside certain regulated areas. However, Congress is considering the “Data Security and Breach Notification Act of 2015.” The U.S. House of Representatives, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved the proposed Act, which must now be formally introduced in the House before further action can be taken.

This Act would require businesses to implement and maintain reasonable security measures and practices to protect and secure personal information they collect and electronically maintain. The definition of personal information under this Act is more expansive than most state notification laws, including home address, telephone number, mother’s maiden name and date of birth. The Act would require companies to notify individuals whose personal information has been accessed and acquired as a result of the breach within 30 days of discovery of the breach. Companies would not be required to provide notice if there is no reasonable risk of identity theft, economic loss or financial harm. The Act would preempt existing inconsistent state data breach notification laws with a uniform national standard. The Federal Trade Commission (FTC) would enforce the rules and collect civil penalties if those rules are violated. No private right of action would be permitted.

Federal enforcement actions

Increased scrutiny by government agencies is also affecting companies that handle sensitive personal information. A company may have to defend itself against a federal enforcement action concerning privacy and the protection of personal information.

For example, the FTC asserts broad authority to regulate unfair or deceptive acts or practices relating to privacy and data protection under Section 5 of the Federal Trade Commission Act. It has brought numerous enforcement actions against companies, characterizing failure to provide appropriate data security to reasonably protect customer information as an unfair act or practice, and/or noncompliance with the companies’ privacy policies or representations regarding security as deceptive acts or practices.

Reflecting its aggressive enforcement approach, in 2012, the FTC filed suit against Wyndham Worldwide Corporation claiming it failed to maintain reasonable and appropriate data security for consumers’ sensitive personal information related to three security breaches by hackers between 2008 and 2010. Although Wyndham argued that the FTC’s authority does not extend to data security matters, the U.S. Court of Appeals for the Third Circuit held that the FTC’s authority to regulate commerce extends to cybersecurity matters. In 2015, the parties agreed to an injunction order settling the action. Under the order, Wyndham is directed to establish, implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of customer personal information. The order establishes administrative, technical and physical safeguards for the program. Wyndham must also comply with  the Payment Card Industry’s (PCI) Data Security Standards (8) and conduct annual independent audits to confirm compliance.

As another example, in 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity arena with an enforcement action against Dwolla, Inc., an online payment processing company. Although no cybersecurity incident, data breach or other specific consumer harm occurred, the CFPB’s action highlighted several allegedly false and misleading statements Dwolla made about its data security practices, including that 100% of information was securely encrypted and stored, and that its data-security practices exceeded or surpassed industry standards. Pursuant to its authority under the Consumer Financial Protection Act of 2010, CFPB fined Dwolla $100,000 and secured a strict five-year consent order. The order requires Dwolla to implement a written cybersecurity program to protect sensitive consumer information, designate a qualified person to manage cybersecurity, conduct cybersecurity risk assessments, conduct employee data security training, audit data security practices annually for five years, and expand the board’s role in cybersecurity oversight and management.

Data breach lawsuits

Data breach lawsuits range from large class actions to those filed by a single person. They are filed not only by consumers, but also by financial institutions, credit card companies and other businesses affected by a data breach. Most data breach lawsuits are filed by breach victims and involve causes of action for negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices. Plaintiffs typically seek damages for unauthorized charges, damage to credit, cost of credit monitoring, cost of replacement credit cards, time and expenses incurred to investigate, and emotional distress. Whether breach victims have suffered actual injury and cognizable damages to have standing to sue is the critical issue in many cases. The case law for this fact intensive issue continues to develop. To defend and resolve these claims, a company must incur significant legal expense and costs of settlement.

As an example, retailer Target Corporation  experienced a malware data breach in 2013 that allowed hackers to steal payment-card data when customers swiped their credit or debit cards. The breach gave rise to claims by consumers and issuer banks. In the consolidated consumer complaint, 100+ named plaintiffs alleged that Target failed to prevent or timely disclose the data theft and that Target failed to disclose the insufficiency of its data security practices. The complaint also asserted similar claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach.

Target challenged the consumer complaint for lack of standing and lack of damages, but a federal district court judge rejected the arguments and denied Target’s motion to dismiss. This ruling came shortly after a decision partially denying Target’s motion to dismiss the consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach. Thereafter, in early 2015, Target and the consumer plaintiffs reached a proposed settlement, which creates a $10 million cash fund to be paid to resolve the claims of an estimated 110 million class members. Under the settlement, Target must take steps to minimize the risk of a future breach, designate a chief information security officer, develop a written security policy and conduct periodic review of the controls it has in place to protect customer data. The court granted final approval of the consumer class action settlement in November 2015, but several individuals appealed the final approval to the U.S. Court of Appeals for the Eighth Circuit. The consumer settlement does not cover the complaint of the card issuer class, which sought recovery of amounts paid out for the fraudulent charges against credit and debit cards compromised in the breach. Target and the financial institutions agreed to settle those claims for $39 million. The court granted final approval of the financial institutions’ class action settlement on May 12, 2016.

As another example, First Choice Federal Credit Union recently filed a class action against the fast-food chain Wendy’s based on a five month data breach. The suit claims that Wendy’s “refused to take steps to adequately protect its computer systems from intrusion.” From the fall of 2015 through the spring of 2016, hackers accessed Wendy’s computer systems and stole information concerning millions of consumer credit cards used at multiple Wendy’s locations.

The lawsuit claims that “[a]s a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers.” The plaintiffs claim that Wendy’s used outdated and easily hackable computer and credit card systems and that it failed to meet the October 2015 deadline for embedded microprocessor chip cards and terminals. The lawsuit further states that “[d]espite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data,” noting that, as a consequence, financial institutions have borne the brunt of the data breach. Suits such as this one should prompt companies to do more to address information security issues on their networks.

Conclusion

Companies should carefully review and evaluate the accuracy of statements made in privacy policies regarding cybersecurity, as well as conduct bi-annual cybersecurity risk assessments under the direction of legal counsel to preserve attorney-client privilege, and annual audits of policies and procedures. Given the increased scrutiny placed on directors, it is also prudent to enhance communication between management and the board on cybersecurity matters. In the event of a breach, it is recommended that legal counsel coordinate investigations, notifications and remediation efforts so that the company can claim attorney-client privilege and work-product protection in the event of litigation.

End Notes:

1. The Global State of Information Security Survey 2016, PricewaterhouseCoopers, available at http://pwc.com/gx/en/issues/cyber-security/information-security-survey.html.

2, 3. 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, LLC, available at http://www.ibm.com/security/data-breach/.

4, 5. 2015 Cost of Cyber Crime Study: Global, Ponemon Institute, LLC, available at http://img.delivery.net/cm50content/hp/hosted-files/2015_GLOBAL_CCC_FINAL_3.pdf.

6, 7. NetDiligence 2015 Cyber Claims Study, available at http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf.

8. The PCI Security Standards Council is a self-regulated body formed to enhance payment-card security. The Council’s Data Security Standards are security guidelines to which PCI-compliant members must adhere.

Marcia Ernst is a partner in SGR’s Litigation Practice. She has extensive experience in complex business and multi-party litigation, including fraud, business torts, contract disputes and bank related litigation. mernst@sgrlaw.com.