Big Data Can Lead to Big Problems in Cybersecurity
The term cybersecurity is often considered a concept relevant only to governments and hackers. As such, the typical business law practitioner may not think about addressing cybersecurity issues with a client. Recent trends in business intelligence have changed this. Today, it’s not only about whether a server will be hacked, it’s about the types and amounts of data that are being collected. Applications and websites now collect everything from browsing habits to customer interests to locations. When this information can be combined to distinguish a person’s identity, it becomes PII (personally identifiable information). And collecting PII can result in big damages. In fact, the damages awarded to date for big data PII claims overwhelmingly outweigh all damages from merely being hacked. It is now a major area of concern for businesses and the attorneys who counsel them.
Invasion of Privacy
Breaking down a typical hacking scenario, Company X is notified that its server has been breached and PII has been stolen. Consumers quickly file an invasion of privacy suit. The courts’ reaction in nearly all jurisdictions has amounted to a respectful but unhelpful (to the consumer) “So what?” Luckily for Company X, under most court decisions to date, a claim of invasion of privacy is not going to hold up in court unless there are proven damages. How much value is there if someone steals a name and address? What damages can be proven with a stolen credit card number?
Note the recent Barnes and Noble case, where the company announced that 63 of its stores had a security breach and credit card information may have been stolen (In re Barnes & Noble Pin Pad Litigation [1]). Plaintiffs filed suit based on a number of claims, including untimely and inadequate notification of the security breach, improper disclosure of their PII, loss of privacy, expenses incurred in efforts to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of plaintiffs’ PII, and anxiety and emotional distress. The suit was dismissed for lack of standing, due to the plaintiffs’ inability to show damages that resulted from the activity of the defendant.
Interesting here is the fact that a credit card number generally sells for up to $90 on the black market. The court acknowledged this but held that there was no proof that the information was in fact disclosed, nor that any unreimbursed injuries had occurred (In re Barnes & Noble Pin Pad Litigation [2]). In its analysis the court cited the Supreme Court case of Clapper v. Amnesty Int’l USA [3], which held that possible future injuries are not sufficient to establish damages.
The Use of Data
A breach of data is one concern; the use of data collected wrongfully is another. Google and two other companies were recently sued over their practice of using PII such as IP addresses and browsing history to target ads to consumers (In re: Google Inc. Cookie Placement Consumer Privacy Litigation [4]). The court acknowledged that a particular person’s web browsing history could be sold for up to $52; however, again, this was not enough to establish damages. The court dismissed the case for lack of standing.
However, the “no damages, no case” holding of Clapper is not a safe haven for the unwary business owner. As with any instance of litigation, the company has incurred major litigation expenses and a public relations nightmare. Also consider California’s efforts to pass a personal privacy protection act. If passed by the voters in 2014, this piece of legislation will create a presumption of harm for any disclosure of PII. In sum, invasion of privacy cases in California will no longer be dismissed for lack of standing due to lack of proven damages.
There is also the recent case of Harris v. comScore [5]. The company faced consumer complaints that it collected unauthorized data through the use of its software, OSSProxy. The software collects data such as file names, passwords, data entered into web browsers, and the content of PDF files. The information is then uploaded to a server, and the data analyzed and sold by comScore. Presumably weighing the likelihood of dismissal in light of the current trends, comScore proceeded with litigation instead of settling the case. Instead of the usual invasion of privacy claims, plaintiffs sued the company for violation of federal statutes. Specifically, they relied on the Stored Communications Act (SCA), 18 U.S.C. § 2701(a); the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511(1)(a); and the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C). The court, in allowing the certification of a class, noted that the lack of known damages was not relevant because of the statutory damages that are allowed under the ECPA and SCA claims. This case has now become the largest class ever certified (numbering in the tens of millions of plaintiffs), with a potential damage award amounting to billions of dollars.
From the View of the Plaintiffs’ Attorney
As with any litigation mitigation strategy, it’s best to know what plaintiffs’ attorneys look for when determining whether to file suit. As expected, the most litigated area is PII; they look for violations of laws that apply to the use or maintenance of data. Individual cases are not attractive; the big money for plaintiffs’ attorneys is in class action suits.
Plaintiffs’ attorneys also look for what representations the company has made about managing data—were published security policies violated? If so, there are possible unjust enrichment and breach of contract issues.
Easy cases of negligence are also attractive—were basic security measures ignored that created an environment ripe for intrusion? The National Institute of Standards and Technology has provided recommended minimum levels of protection in its “Cybersecurity Framework,” published in February 2014 [6]. The business owner should strive to exceed these minimum levels.
Plaintiffs’ attorneys also look for companies that won’t hire big law firms to defend the claim; they want a quick settlement or an easy win in the event of litigation.
From the View of the Attorney General
What does the AG look for when determining whether to file suit? A lack of security procedures, failure to report the breach to the AG’s office, and failure to give notice to consumers.
Have a Plan
Every company needs to be aware of cybersecurity and have a plan of action in the event of a breach of data. Note that a breach is not always immediately evident. It could be that an employee takes a few days to admit a breach occurred, or the IT department doesn’t discover the breach until several days later. Upon learning of the breach, forensics needs to be performed to find out the source. This is a critical step, and the attorney general’s office, the insurance company, and outside forensics experts can all be used to perform this task. Plans need to include disclosure to the attorney general and notification to the affected consumers. Public relations plans, 800 numbers for customers, and credit monitoring services are all services that should be considered in the event of a data breach. Also important is the timeline for notification requirements. Forty-seven states currently have breach notification laws, and a federal law is in process. Notification deadlines range from five days to 60 days and vary by industry.
In conclusion, there are several areas of cybersecurity that need to be addressed by general business counsel. Time spent in preparation before a data breach occurs can help prevent class-action litigation and loss of good will. Pertinent questions for the client would be:
1. What types of data are being collected and where is it stored?
2. What types of security measures are used to protect that data?
3. Has there been a security review by the insurance company?
4. What type of plan is in place in the event of a data breach?
5. What privacy notice is listed on the company webpage?
If the client shows exposure in any of these areas, then a broader investigation into its cybersecurity practices is warranted.
6. United States Department of Commerce, National Institute of Standards and Technology. Improving Critical Infrastructure Cybersecurity, Executive Order 13636: Preliminary Cybersecurity Framework. Retrieved from http://www.nist.gov.