Extracted from Law360
By now everyone knows that data breaches happen, and happen often. But few have experienced first-hand the speed and size of a data breach and its aftermath. Although not every data breach results in a lawsuit or government investigation, to put the risk into context, consider the case of Target. On Dec. 19, 2013, Target announced a breach involving approximately 40 million debit and credit cards. Within three days, the U.S. Senate requested that the Federal Trade Commission (FTC) launch an investigation; within four days, three class actions were filed and four state attorneys general launched investigations; within five days, 15 class actions were filed; and within a week, 40 class actions were filed. All told, there were more than 65 class actions filed.
Indeed, the fallout from the breach is not over as just last week it was announced that Target reached a record $18.5 million settlement with 47 states and Washington, D.C. Unfortunately, Target was not the high-water mark for data breaches. Data breaches — usually at the hands of criminals — continue, and the cost of responding to them continues to rise. Against this backdrop, this article provides in-house counsel with the nuts and bolts of what to expect in the wake of a data breach, recent trends in data breach litigation, and basic but important steps a retailer can take to mitigate the risk.
What to Expect Following a Data Breach
Will I get sued?
Whether a lawsuit will follow the disclosure of a data breach appears to be driven by the profile of the breached company, the scope and size of the breach, and the type of information captured. Unsurprisingly, breaches of high-profile companies that are victims of large-scale criminal attacks targeting payment card data are most likely to lead to a lawsuit. It is important to note, however, that the breached company does not have to be a globally recognized brand in order to attract the ire of plaintiffs lawyers. Less well-known companies have been sued in the wake of data breaches affecting payment card information.
What government regulators are active in this space?
Government agencies have taken an interest in data security. This includes the Federal Trade Commission, U.S. Department of Justice, U.S. Secret Service, U.S. Securities and Exchange Commission, Consumer Financial Protection Bureau, and state attorneys general. The most active is the FTC, which has initiated numerous enforcement actions under Section 5 of the FTC Act on the theory that alleged inadequate data security constitutes an unfair trade practice. Also notable is that the SEC has expressed a keen interest in data security. Former SEC Commissioner Luis Aguilar once warned that company “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.”
Trends in Data Breach Litigation
Do plaintiffs have standing to sue?
A core issue in most data breach litigation is the plaintiff’s standing under Article III of the U.S. Constitution to bring an action in federal court. Generally, courts have found that plaintiffs that have suffered direct out-of-pocket losses (such as unreimbursed fraud losses) will have standing. The battleground over the last decade or so, however, has centered on the standing of plaintiffs who have suffered no actual, direct loss but only the risk of future harm. Plaintiffs in the latter category often attempt to establish standing by relying on mitigation expenses (e.g., the cost of credit monitoring) and the time and expense of responding to a data breach. Most — but not all — courts have rejected these arguments. And in 2013, the U.S. Supreme Court in Clapper v. Amnesty Int’l USA cemented that the mere risk of future harm — including the cost to mitigate against that risk — is not enough for purposes of Article III standing. Article III standing, according to the U.S. Supreme Court, requires the risk of future harm to be “certainly impending” or that there is “a substantial risk that the harm will occur.”
Although Clapper presents a significant hurdle to plaintiffs, that Supreme Court decision has not eliminated data breach litigation. For instance, the Seventh Circuit has found plaintiffs without actual out-of-pocket damages to have standing when there are allegations that the breach was caused by criminals and other putative class members have in fact suffered actual harm. Although this decision arguably runs headlong into Clapper and represents the minority view, it makes clear that standing and the ability of plaintiffs to bring lawsuits in the wake of data breaches will likely continue to rage on for years to come.
Plaintiffs’ theories and claims continue to evolve
As the case law has evolved, plaintiffs’ legal theories and claims have evolved as well. There are three that I’ll note here.
First, consumer plaintiffs are continually revamping their theories of alleged harm in order to meet Article III’s standing requirement. For instance, consumer plaintiffs have begun alleging that they have been harmed because they lost the opportunity to earn reward points while waiting for their payment cards to be reissued. Second, plaintiffs — particularly financial institution plaintiffs — are attempting to take advantage of the FTC’s recent flurry of activity in this area by asserting common law claims for “negligence per se” based on an alleged violation of Section 5 of the FTC Act. Plaintiffs rely on a negligence per se theory because it is beyond dispute that Section 5 itself does not provide for a private right of action. Finally, and of particular interest to retailers, we are seeing the coalescence of plaintiffs lawyers who now focus on bringing claims on behalf of financial institutions that allegedly bore the brunt of fraudulent charges and payment card reissuance costs.
Effective Steps to Mitigate Risk
There are several simple steps that in-house counsel can take that go a long way to mitigating risk in the unfortunate event that their company is affected by a data breach.
Insurance: Cyber insurance is critical. But it is more than checking a box — it is important to get the right policy. Each data breach is unique, and they are often multifaceted, including forensic investigations, public relations, government investigations, private litigation, etc. A retailer should analyze its greatest vulnerabilities (potentially using tabletop exercises or role playing), and then ensure that its policy matches up to the risks. In this regard, an experienced insurance broker is invaluable.
Incident Response Plan: Having a plan in place for an incident is critical. Breaches are fast, fluid events. Every hour matters, so having a plan in place is crucial.
Tabletop Exercises/Role Playing: These are simulation exercises to see how the plan will work in case of a real breach, and they are powerful tools for identifying gaps and/or ways to improve the plan.
Prenegotiated Contracts with Key Vendors: Rather than wait to negotiate a contract with a vendor once a breach occurs (which can take significant amount of time), negotiate contracts with key vendors now and have them ready in case of a breach.
By now everyone knows that data breaches happen, and happen often. But few have experienced first-hand the speed and size of a data breach and its aftermath. Although not every data breach results in a lawsuit or government investigation, to put the risk into context, consider the case of Target. On Dec. 19, 2013, Target announced a breach involving approximately 40 million debit and credit cards. Within three days, the U.S. Senate requested that the Federal Trade Commission (FTC) launch an investigation; within four days, three class actions were filed and four state attorneys general launched investigations; within five days, 15 class actions were filed; and within a week, 40 class actions were filed. All told, there were more than 65 class actions filed.
Indeed, the fallout from the breach is not over as just last week it was announced that Target reached a record $18.5 million settlement with 47 states and Washington, D.C. Unfortunately, Target was not the high-water mark for data breaches. Data breaches — usually at the hands of criminals — continue, and the cost of responding to them continues to rise. Against this backdrop, this article provides in-house counsel with the nuts and bolts of what to expect in the wake of a data breach, recent trends in data breach litigation, and basic but important steps a retailer can take to mitigate the risk.
What to Expect Following a Data Breach
Will I get sued?
Whether a lawsuit will follow the disclosure of a data breach appears to be driven by the profile of the breached company, the scope and size of the breach, and the type of information captured. Unsurprisingly, breaches of high-profile companies that are victims of large-scale criminal attacks targeting payment card data are most likely to lead to a lawsuit. It is important to note, however, that the breached company does not have to be a globally recognized brand in order to attract the ire of plaintiffs lawyers. Less well-known companies have been sued in the wake of data breaches affecting payment card information.
What government regulators are active in this space?
Government agencies have taken an interest in data security. This includes the Federal Trade Commission, U.S. Department of Justice, U.S. Secret Service, U.S. Securities and Exchange Commission, Consumer Financial Protection Bureau, and state attorneys general. The most active is the FTC, which has initiated numerous enforcement actions under Section 5 of the FTC Act on the theory that alleged inadequate data security constitutes an unfair trade practice. Also notable is that the SEC has expressed a keen interest in data security. Former SEC Commissioner Luis Aguilar once warned that company “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.”
Trends in Data Breach Litigation
Do plaintiffs have standing to sue?
A core issue in most data breach litigation is the plaintiff’s standing under Article III of the U.S. Constitution to bring an action in federal court. Generally, courts have found that plaintiffs that have suffered direct out-of-pocket losses (such as unreimbursed fraud losses) will have standing. The battleground over the last decade or so, however, has centered on the standing of plaintiffs who have suffered no actual, direct loss but only the risk of future harm. Plaintiffs in the latter category often attempt to establish standing by relying on mitigation expenses (e.g., the cost of credit monitoring) and the time and expense of responding to a data breach. Most — but not all — courts have rejected these arguments. And in 2013, the U.S. Supreme Court in Clapper v. Amnesty Int’l USA cemented that the mere risk of future harm — including the cost to mitigate against that risk — is not enough for purposes of Article III standing. Article III standing, according to the U.S. Supreme Court, requires the risk of future harm to be “certainly impending” or that there is “a substantial risk that the harm will occur.”
Although Clapper presents a significant hurdle to plaintiffs, that Supreme Court decision has not eliminated data breach litigation. For instance, the Seventh Circuit has found plaintiffs without actual out-of-pocket damages to have standing when there are allegations that the breach was caused by criminals and other putative class members have in fact suffered actual harm. Although this decision arguably runs headlong into Clapper and represents the minority view, it makes clear that standing and the ability of plaintiffs to bring lawsuits in the wake of data breaches will likely continue to rage on for years to come.
Plaintiffs’ theories and claims continue to evolve
As the case law has evolved, plaintiffs’ legal theories and claims have evolved as well. There are three that I’ll note here.
First, consumer plaintiffs are continually revamping their theories of alleged harm in order to meet Article III’s standing requirement. For instance, consumer plaintiffs have begun alleging that they have been harmed because they lost the opportunity to earn reward points while waiting for their payment cards to be reissued. Second, plaintiffs — particularly financial institution plaintiffs — are attempting to take advantage of the FTC’s recent flurry of activity in this area by asserting common law claims for “negligence per se” based on an alleged violation of Section 5 of the FTC Act. Plaintiffs rely on a negligence per se theory because it is beyond dispute that Section 5 itself does not provide for a private right of action. Finally, and of particular interest to retailers, we are seeing the coalescence of plaintiffs lawyers who now focus on bringing claims on behalf of financial institutions that allegedly bore the brunt of fraudulent charges and payment card reissuance costs.
Effective Steps to Mitigate Risk
There are several simple steps that in-house counsel can take that go a long way to mitigating risk in the unfortunate event that their company is affected by a data breach.
Insurance: Cyber insurance is critical. But it is more than checking a box — it is important to get the right policy. Each data breach is unique, and they are often multifaceted, including forensic investigations, public relations, government investigations, private litigation, etc. A retailer should analyze its greatest vulnerabilities (potentially using tabletop exercises or role playing), and then ensure that its policy matches up to the risks. In this regard, an experienced insurance broker is invaluable.
Incident Response Plan: Having a plan in place for an incident is critical. Breaches are fast, fluid events. Every hour matters, so having a plan in place is crucial.
Tabletop Exercises/Role Playing: These are simulation exercises to see how the plan will work in case of a real breach, and they are powerful tools for identifying gaps and/or ways to improve the plan.
Prenegotiated Contracts with Key Vendors: Rather than wait to negotiate a contract with a vendor once a breach occurs (which can take significant amount of time), negotiate contracts with key vendors now and have them ready in case of a breach.