Data Breaches (2024)

They're not just problems for the IT department -- they can be legal headaches too

In just a relatively short period of time, cybersecurity has become a top concern. Cyberattacks are becoming more frequent. A 2016 survey indicated a 38% increase in cyberattacks from 2014 (1). Cybersecurity incidents are also costly. A 2015 study found the average global cost of a data breach was $3.79 million, with U.S. companies experiencing an average cost of $6.53 million (2). This study found the mean time to identify a data breach was 206 days, and the mean time to contain a breach was 69 days (3). Another 2015 study found the mean cost of cybercrime was $7.1 million, with U.S. companies reporting the highest average cost at $15 million (4). This study found the mean time to resolve a cyberattack was 46 days, with an average cost of $21,155 per day, or $973,130 over that period (5).

Most people think of data breaches as information technology problems. However, cybersecurity breaches must be viewed as legal events because they trigger legal obligations. When a business suffers a cybersecurity incident, it must comply with federal and state laws and regulations dictating not only that the victim of a cybersecurity incident must give notice of the breach, but also how, when and to whom notice must be provided. A 2015 survey of cyber insurance claims found the average cost for covered crisis services, such as forensics, notification, credit/ID monitoring and legal advice, was $499,710 (6). Additionally, companies must defend against lawsuits and enforcement actions. The cyber insurance survey found that the average cost for a covered legal defense was $434,354 and for a covered legal settlement was $880,893 (7). This article highlights several of the legal issues a company must address and some of the legal actions it may have to defend against in the wake of a data breach.

State notification requirements

Fifty-one U.S. jurisdictions, including 47 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted data breach notification laws, which mandate notice of a covered breach to affected individuals. These laws specify the steps that a company must take in response to a breach that affects residents of that state and, in some instances, other states. Although the notification laws of each of the 51 jurisdictions are similar, they are not identical, and they contain significant variations as to how they define “breach,” what type of data constitutes “personal information,” the types of events triggering notice obligations, the timing and content of notices, and whether notice must be sent for an event when there is a very low likelihood of harm resulting from the breach.

Upon a data security breach, a company’s first task is to identify which jurisdictions’ requirements apply. Often, even the most “local” business finds that it has collected data from residents of multiple jurisdictions and that it therefore must comply with the laws of each of those jurisdictions with different, sometimes conflicting, requirements. The company must carefully review the requirements of each applicable jurisdiction to determine its obligations.

Time is of the essence with regard to notifications. For example, Vermont requires notice to its state attorney general within 14 business days following discovery of a breach. Some notification statutes do not specify a fixed number of days, but instead require notice as soon as practicable and without unreasonable delay. Government entities may impose fines for delays, and certain states outline specific penalties up to $500,000 where notice is not provided to affected individuals within 180 days.

Federal notification requirements

Currently, there is no single federal data breach notification law of general application to business outside certain regulated areas. However, Congress is considering the “Data Security and Breach Notification Act of 2015.” The U.S. House of Representatives, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved the proposed Act, which must now be formally introduced in the House before further action can be taken.

This Act would require businesses to implement and maintain reasonable security measures and practices to protect and secure personal information they collect and electronically maintain. The definition of personal information under this Act is more expansive than most state notification laws, including home address, telephone number, mother’s maiden name and date of birth. The Act would require companies to notify individuals whose personal information has been accessed and acquired as a result of the breach within 30 days of discovery of the breach. Companies would not be required to provide notice if there is no reasonable risk of identity theft, economic loss or financial harm. The Act would preempt existing inconsistent state data breach notification laws with a uniform national standard. The Federal Trade Commission (FTC) would enforce the rules and collect civil penalties if those rules are violated. No private right of action would be permitted.

Federal enforcement actions

Increased scrutiny by government agencies is also affecting companies that handle sensitive personal information. A company may have to defend itself against a federal enforcement action concerning privacy and the protection of personal information.

For example, the FTC asserts broad authority to regulate unfair or deceptive acts or practices relating to privacy and data protection under Section 5 of the Federal Trade Commission Act. It has brought numerous enforcement actions against companies, characterizing failure to provide appropriate data security to reasonably protect customer information as an unfair act or practice, and/or noncompliance with the companies’ privacy policies or representations regarding security as deceptive acts or practices.

Reflecting its aggressive enforcement approach, in 2012, the FTC filed suit against Wyndham Worldwide Corporation claiming it failed to maintain reasonable and appropriate data security for consumers’ sensitive personal information related to three security breaches by hackers between 2008 and 2010. Although Wyndham argued that the FTC’s authority does not extend to data security matters, the U.S. Court of Appeals for the Third Circuit held that the FTC’s authority to regulate commerce extends to cybersecurity matters. In 2015, the parties agreed to an injunction order settling the action. Under the order, Wyndham is directed to establish, implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of customer personal information. The order establishes administrative, technical and physical safeguards for the program. Wyndham must also comply with the Payment Card Industry’s (PCI) Data Security Standards (8) and conduct annual independent audits to confirm compliance.

As another example, in 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity arena with an enforcement action against Dwolla, Inc., an online payment processing company. Although no cybersecurity incident, data breach or other specific consumer harm occurred, the CFPB’s action highlighted several allegedly false and misleading statements Dwolla made about its data security practices, including that 100% of information was securely encrypted and stored, and that its data-security practices exceeded or surpassed industry standards. Pursuant to its authority under the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a strict five-year consent order. The order requires Dwolla to implement a written cybersecurity program to protect sensitive consumer information, designate a qualified person to manage cybersecurity, conduct cybersecurity risk assessments, conduct employee data security training, audit data security practices annually for five years, and expand the board’s role in cybersecurity oversight and management.

Data breach lawsuits

Data breach lawsuits range from large class actions to those filed by a single person. They are filed not only by consumers, but also by financial institutions, credit card companies and other businesses affected by a data breach. Most data breach lawsuits are filed by breach victims and involve causes of action for negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices. Plaintiffs typically seek damages for unauthorized charges, damage to credit, cost of credit monitoring, cost of replacement credit cards, time and expenses incurred to investigate, and emotional distress. Whether breach victims have suffered actual injury and cognizable damages to have standing to sue is the critical issue in many cases. The case law for this fact-intensive issue continues to develop. To defend and resolve these claims, a company must incur significant legal expense and costs of settlement.

As an example, retailer Target Corporation experienced a malware data breach in 2013 that allowed hackers to steal payment-card data when customers swiped their credit or debit cards. The breach gave rise to claims by consumers and issuer banks. In the consolidated consumer complaint, 100+ named plaintiffs alleged that Target failed to prevent or timely disclose the data theft and that Target failed to disclose the insufficiency of its data security practices. The complaint also asserted similar claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach.

Target challenged the consumer complaint for lack of standing and lack of damages, but a federal district court judge rejected the arguments and denied Target’s motion to dismiss. This ruling came shortly after a decision partially denying Target’s motion to dismiss the consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach. Thereafter, in early 2015, Target and the consumer plaintiffs reached a proposed settlement, which creates a $10 million cash fund to be paid to resolve the claims of an estimated 110 million class members. Under the settlement, Target must take steps to minimize the risk of a future breach, designate a chief information security officer, develop a written security policy and conduct periodic review of the controls it has in place to protect customer data. The court granted final approval of the consumer class action settlement in November 2015, but several individuals appealed the final approval to the U.S. Court of Appeals for the Eighth Circuit. The consumer settlement does not cover the complaint of the card issuer class, which sought recovery of amounts paid out for the fraudulent charges against credit and debit cards compromised in the breach. Target and the financial institutions agreed to settle those claims for $39 million. The court granted final approval of the financial institutions’ class action settlement on May 12, 2016.

As another example, First Choice Federal Credit Union recently filed a class action against the fast-food chain Wendy’s based on a five-month data breach. The suit claims that Wendy’s “refused to take steps to adequately protect its computer systems from intrusion.” From the fall of 2015 through the spring of 2016, hackers accessed Wendy’s computer systems and stole information concerning millions of consumer credit cards used at multiple Wendy’s locations.

The lawsuit claims that “[a]s a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers.” The plaintiffs claim that Wendy’s used outdated and easily hackable computer and credit card systems and that it failed to meet the October 2015 deadline for embedded microprocessor chip cards and terminals. The lawsuit further states that “[d]espite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data,” noting that, as a consequence, financial institutions have borne the brunt of the data breach. Suits such as this one should prompt companies to do more to address information security issues on their networks.

Conclusion

Companies should carefully review and evaluate the accuracy of statements made in privacy policies regarding cybersecurity, as well as conduct bi-annual cybersecurity risk assessments under the direction of legal counsel to preserve attorney-client privilege, and annual audits of policies and procedures. Given the increased scrutiny placed on directors, it is also prudent to enhance communication between management and the board on cybersecurity matters. In the event of a breach, it is recommended that legal counsel coordinate investigations, notifications and remediation efforts so that the company can claim attorney-client privilege and work-product protection in the event of litigation.

End Notes:

1. The Global State of Information Security Survey 2016, PricewaterhouseCoopers, available at http://pwc.com/gx/en/issues/cyber-security/information-security-survey.html.

2, 3. 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, LLC, available at http://www.ibm.com/security/data-breach/.

4, 5. 2015 Cost of Cyber Crime Study: Global, Ponemon Institute, LLC, available at https://www.ponemon.org/blog/2015-cost-of-cyber-crime-united-states.

6, 7. NetDiligence 2015 Cyber Claims Study, available at http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf.

8. The PCI Security Standards Council is a self-regulated body formed to enhance payment-card security. The Council’s Data Security Standards are security guidelines to which PCI-compliant members must adhere.

Marcia Ernst is a partner in SGR’s Litigation Practice. She has extensive experience in complex business and multi-party litigation, including fraud, business torts, contract disputes and bank-related litigation. mernst@sgrlaw.com.