Increasingly, c-suite executives and board members have questions about their companies' cybersecurity practices—or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part one of this series launched in last month's edition of The Privacy Advisor, and discussed, "what is cybersecurity?"
Part 2: What is our company’s liability after a data breach?
As the frequency, size and scope of data breaches increase, so does the number of lawsuits and regulatory investigations. Not surprisingly, executives and directors are increasingly examining their cybersecurity risk exposure.
This article provides a high-level overview of the types of lawsuits and regulatory actions that companies face after data breaches and lists the most common legal issues that you are likely to face after a data breach.
Breach notification laws: Forty-seven U.S. states and the District of Columbia have enacted laws that require companies and government agencies to notify individuals and regulators if personal information has been accessed without authorization. Many of these laws vary significantly, including the types of personal information that are covered, the extent of damage that triggers the notification requirement, the form of notification required and the time in which the company must notify of the breach. Regulators could bring enforcement actions for violations of these laws, and in some states, individuals whose information has been compromised can directly sue companies. Over the past decade, members of Congress have proposed legislation that would override the state laws and create a national breach notification law, but the bills never were enacted.
Section 5 of the Federal Trade Commission Act: No federal law generally addresses data security of private companies (except for specialized areas such as health and financial institutions). However, the Federal Trade Commission uses Section 5 of the Federal Trade Commission Act to bring enforcement actions against companies that fail to adequately safeguard customer data. That statute prohibits “unfair or deceptive acts or practices in or affecting commerce,” and defines “unfair” acts as those that cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The FTC has taken the position that particularly egregious data security practices are unfair practices (or deceptive, if they violate a company’s promises to customers). Companies typically agree to settle with the FTC before the FTC brings an action in court. The settlements typically require the companies to agree to cybersecurity safeguards and provide the FTC with broad oversight of the company’s data security practices for up to 20 years. Some companies question whether Section 5 provides the FTC with such broad authority over cybersecurity. This year, the U.S. Court of Appeals for the Third Circuit, which is the federal appeals court for Delaware, New Jersey, and Pennsylvania, ruled that Section 5 provides the FTC with this authority.
State data security laws: Approximately a dozen states have enacted laws that require companies to implement reasonable cybersecurity safeguards for the personal information of the states’ residents. Typically, these laws are not terribly onerous, as they do not impose very specific requirements. The exceptions are Nevada’s law, which requires heightened protection for payment card information, and Massachusetts’ data security regulations, which require specific types of safeguards. Even in states that do not have specific data security laws, regulators or customers may be permitted to bring actions under state consumer protection laws which, like Section 5 of the FTC Act, prohibit unfair and deceptive trade practices.
Payment Card Industry standards: The major credit card labels require retailers and other organizations to comply with the Payment Card Industry Data Security Standard (PCI DSS), a detailed list of requirements for security of payment card information. Among the requirements are firewall configurations, access controls and network testing. If an organization experiences a breach of payment card information and is later found to have been noncompliant with PCI DSS, it may face significant fines. Moreover, a few states have incorporated some elements of PCI DSS into their statutes.
Negligence: Just as a customer can sue a company for negligence after a slip-and-fall in a store, the customer also can sue if inadequate data security practices led to a data breach that exposed the customer’s information. The customer would have to demonstrate that the company failed to perform its duty to reasonably safeguard the customer’s information and that this failure was a reasonably foreseeable cause of the data breach. The customer also would need to demonstrate that the breach harmed the customer. Defendants often argue that data breaches alone—without any evidence of identity theft—are not sufficient to support negligence lawsuits.
Shareholder derivative lawsuits: Directors and executives of publicly traded companies also can face derivative lawsuits from shareholders who claim that their failure to maintain adequate data security led to data breaches, which financially harmed the companies and, subsequently, the shareholders. In recent years Target, Wyndham Hotels and Home Depot have faced such derivative suits after high-profile data breaches. Separately, publicly traded companies should keep in mind that the Securities and Exchange Commission expects them to disclose cybersecurity risks in their annual reports.
This article is not meant to provide an exhaustive description of every possible liability after a data breach; instead, it provides a summary of some of the most common risks. Companies that handle particularly sensitive information such as health data, children’s personal information, and banking information may face even more stringent requirements.
Moreover, it is difficult to predict with certainty the success of such actions, primarily because there have been so few published court decisions arising from cybersecurity and data breaches. It's likely there will be more clarity on many of these issues in the next decade as the number of breaches—and lawsuits—leads to more concrete guidance from courts.
In next month’s installment, we’ll discuss the steps that companies can take to reduce the likelihood that internal communications and reports about cybersecurity and data breaches could be used against them in regulatory actions and lawsuits.