
The Privacy Advisor | Data Security Law: Predictions for 2015

It seemed that new data breaches and privacy and data security lawsuits were announced on a near-weekly basis in 2014, and the pace will likely only increase in 2015. In particular, we expect to see a continuation of the following important trends:

PHI Puts Companies at Risk

The Health Insurance Portability and Accountability Act (HIPAA) addresses, among other things, how “Covered Entities” and their “Business Associates” ensure the privacy and security of protected health information (PHI). In 2014, the Department of Health and Human Services Office for Civil Rights (HHS-OCR) stepped up its enforcement of that law and related regulations, including the following:

  • A record $4.8 million settlement with New York Presbyterian Hospital and Columbia University following an inadvertent data breach involving PHI on a data network shared by the two entities.
  • A $1.73 million settlement with a clinic chain operator after a laptop with unencrypted PHI of 870 people was stolen.
  • An $800,000 settlement with Parkview Health System after an employee left 71 boxes of medical records unattended in the driveway of a physician’s home.

This increased enforcement activity comes after a 2013 report released by the HHS’s Office of Inspector General criticized HHS-OCR’s past oversight and enforcement of HIPAA rules. HHS-OCR’s increased efforts will likely continue into 2015.

Companies that retain PHI may face increased private litigation. HIPAA does not provide a private right of action to individuals whose PHI has been compromised, but in some states, plaintiffs have successfully brought state law claims for damages stemming from exposure of their PHI, despite defendants’ contention that HIPAA preempts state law claims. Lately, courts are increasingly allowing plaintiffs to use HIPAA as the standard of care in state law negligence claims. For instance, in November 2014, the Supreme Court of Connecticut stated that HIPAA “may well inform the applicable standard of care in certain circumstances.” Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32, 42 (Conn. 2014).

FTC’s Authority To Regulate Data Security Will Continue To Be Challenged

The Federal Trade Commission (FTC) enforces data security under Section 5 of the Federal Trade Commission Act, which empowers the FTC to protect consumers from “unfair methods of competition” and “unfair or deceptive acts or practices.” In 2014, however, two companies challenged the FTC’s authority to address data security:

  • Wyndham Worldwide, a hotel company, alleged that the FTC lacked authority to regulate data-security practices and that it was seeking to hold victim companies responsible for criminal actions of hackers. A New Jersey federal district court rejected the argument and refused to “carve out a data-security exception to the FTC’s authority” to protect consumers.
  • LabMD, Inc., a clinical testing laboratory, argued that entities covered by HIPAA should be exempted from the FTC’s rules, which LabMD alleges conflict with or impermissibly augment HIPAA rules. The district court dismissed the case for lack of jurisdiction because the FTC had not yet issued a final, appealable decision, and the 11th Circuit Court of Appeals upheld the dismissal.

The Wyndham case is currently on appeal to the Third Circuit, and LabMD will be able to appeal the FTC enforcement action to a federal court once the FTC administrative proceedings are complete. Meanwhile, the FTC has continued its enforcement activity in the area.

Data Breach Plaintiffs Are Successfully Bringing New, Creative Causes of Action

Plaintiffs’ attorneys continue to bring class-action suits based on data-security failures. Initially, courts were resistant to these lawsuits because many times the individuals impacted by a data breach had not suffered cognizable harm that would provide legal standing to allow a court to hear their case. For example:

  • A federal court dismissed 31 of 33 plaintiffs from a consolidated class action against Science Applications International Corp., brought after a September 2011 data breach in which backup tapes containing PHI were stolen from an employee’s car, because those plaintiffs could show nothing more than a speculative risk of future harm.
  • In Galaria v. Nationwide Mutual Ins. Co., the plaintiffs claimed injury based on increased risk of identity theft, increased cost to mitigate that risk, loss of privacy and deprivation of the value of their information. The court nevertheless declined to hear the case.

Now, plaintiffs are looking for new claims that overcome the injury hurdle. Some plaintiffs have attempted to bypass having to show actual harm by relying on statutes that provide statutory damages. For example:

  • A former employee recently brought a class-action suit against Coca-Cola for the loss of personal data resulting from the theft of company laptops containing unencrypted personal information. The employee’s claim is for violation of the Driver’s Privacy Protection Act, a federal law that prohibits the disclosure of personal information obtained from motor vehicle records. The act entitles each person whose personal information from a motor vehicle record has been disclosed to damages no less than $2,500.
  • Former employees of Sony Pictures brought a class-action suit for violations of the California Confidentiality in Medical Information Act. The Confidentiality in Medical Information Act carries statutory damages of $1,000 per person whose medical information has been compromised.

These claims are creative and are attempts to address the traditional lack of proof of injury that often dooms these types of damage claims. Interestingly, in 2014, Spokeo, Inc., appealed a case to the U.S. Supreme Court, questioning whether statutory damages (or “injury-in-law”) may satisfy the “injury-in-fact” requirement. The Supreme Court has not yet decided whether it will hear the case.

Courts are becoming more receptive to data-breach claims. In the litigation following the 2013 Target data breach, a federal judge found that affected consumers adequately alleged injury because they claimed that the breach resulted in fraudulent payment card charges, restricted access to their bank accounts, caused them to pay unfair late charges and impeded their ability to pay bills. Target argued that since the plaintiffs did not allege that any unlawful charges went unreimbursed or that the banks actually closed the plaintiffs’ accounts, the plaintiffs had not suffered injury. Significantly, the court rejected the argument but said Target could raise it again at summary judgment if the plaintiffs could not prove their allegations.

Insurance Trends

In 2014, insurance companies fought, often successfully, to exclude coverage for data breach losses from traditional policies, including CGL, D&O and crime policies. Insured parties have tried to obtain coverage for breach-related losses under Coverage B (Personal and Advertising Injury) of their CGL policies, which protects the insured from liability arising out of the “oral or written publication, in any manner, of material that violates a person’s right of privacy.” However, some courts have found that Coverage B does not apply to data breach losses because the information was not “published” as required by the policy:

  • A New York trial court found that a “publication” occurred when hackers accessed Sony’s customer information but concluded that Sony’s insurance only covered publications made by Sony, not by third parties.
  • A Connecticut court of appeals held that there is no “publication” when there is no evidence that the information was actually accessed by third parties or the public. (In that case, data tapes were lost when they fell out of a van on a highway.)

Insurers took further steps to foreclose coverage under traditional policies: in many jurisdictions, as of May 2014, CGL policies include a new ISO form endorsement that largely excludes coverage for data breach liability. As a result of these developments, and as more companies recognize the potentially devastating financial impact of data breaches, dedicated cyber-liability policies will become increasingly popular in 2015.

Looking Forward

In 2015, data breach events will continue on a frequent basis and large scale. As the law continues to develop in this area, liability for data breach is expanding, and a business must understand the risks it faces as it develops its electronic data policies.

Emily Westridge Black and Tim Newman also contributed to the piece.
