May 20, 2016

The February 2016 California Attorney General’s Data Breach Report Sets a Standard for “Reasonable Security” – What Does This Mean for Cybersecurity Litigation?

Businesses operating under numerous regulatory regimes must provide “reasonable” data security for customers’ personal information. Many states' laws, including those of California and Texas, require businesses to use “reasonable security procedures” to protect personal information. Federal statutes like the Gramm-Leach-Bliley Act and HIPAA impose similar requirements. Even putting aside such laws, a failure to use reasonable security practices resulting in a data breach may subject a business to agency enforcement and tort liability and its executives to shareholder lawsuits.

So what constitutes reasonable data security? That is an open and debated question, with various organizations proposing differing standards. Now the California attorney general’s office has contributed an authoritative voice on the subject, issuing the February 2016 California Data Breach Report. Based on its analysis of four years of data breaches, the report states that to provide reasonable security, businesses should follow the Center for Internet Security’s October 15, 2015, v.6 Critical Security Controls for Effective Cyber Defense (the Controls). The report also contains other security recommendations and offers an informative analysis of past data breaches.

This article summarizes the report and its recommended Controls. It then discusses how the report’s endorsement of the Controls may affect California attorney general and Federal Trade Commission (FTC) enforcement actions and litigation arising from data breaches, including statutory claims, common law negligence claims, and fiduciary duty claims against breached companies’ officers and directors. In sum, the report’s endorsement of the Controls is an important development in formulating a minimum standard of data protection. Businesses, especially those serving California citizens, should consider implementing the Controls where feasible to minimize litigation risk.

The Report Analyzes Four Years of Data Breaches

The report begins by analyzing 657 data breaches from 2012 through 2015 that involved Californians’ personal information. The report first addresses the causes of data loss, noting that “malware and hacking” remain the primary culprits, causing over half of the breaches and 90 percent of the lost records in the 2012–15 timeframe. The remaining breaches were caused by physical theft or loss of personal information, such as a stolen laptop (22 percent of breaches); accidental disclosure, such as inadvertent posting of personal information to a website (17 percent of breaches); and insiders’ misuse of personal data (7 percent of breaches).

The report also discusses common hacking methods. Contrary to popular opinion, the report observes that hacking does not necessarily rely on sophisticated or even newly developed operating system vulnerabilities. In fact, the report indicates that “99.9 percent of exploited vulnerabilities were compromised more than a year after the controls for the vulnerability had been publicly available,” citing to the 2015 Verizon Data Breach Investigation Report. The Verizon report notes that many of the exploited vulnerabilities date back years, indicating the importance of consistently “patching” known vulnerabilities. Another primary source of hacking breaches is phishing. Again citing to Verizon, the report indicates that “23 percent of recipients now open phishing emails and 11 percent click on the attachments.” The report emphasizes training employees to detect and avoid phishing attacks.

The report further analyzes data security threats on an industry-specific level. Although hacking remains the predominant security threat, the report emphasizes that different industries face different security threats. The retail sector faces the largest threat from hackers and, naturally, the “type of data most commonly breached was payment card data.” Another major source of breaches – the health care sector – faces a larger threat from physical breaches, such as lost or stolen computers, with Social Security numbers and medical records being the primary data exposed. The report strongly encourages medical providers to encrypt personal data stored on portable devices to reduce the impact of its loss or theft. The financial sector, also a significant source of breaches, “showed the greatest susceptibility to breaches caused by insiders (employees, service providers).”

Turning to the type of data stolen, the report notes that Social Security numbers are more frequently stolen, more damaging to the consumer, and more valuable to the data thief than payment card information. Unlike with Social Security numbers, when credit or debit card account numbers are stolen, victims can stop the fraud by closing the account.

Fraud based on a stolen Social Security number is also harder to detect and stop than credit card fraud. The report predicts that, as retailers transition to chip-enabled payment cards, “the attractiveness of trying to steal payment card data from in-store systems will decline and the focus of criminals on Social Security numbers will likely increase.” Given the importance of Social Security numbers, the report suggests that businesses should consider ways to reduce the collection of Social Security numbers, expedite their destruction, and ensure their safe electronic storage.

Finally, the report addresses compliance with state breach-notification statutes, a frequent concern of businesses after a data breach. Many statutes require notification to be made “without unreasonable delay” or “as quickly as possible,” but do not otherwise require notification within a specified time. See, e.g., Cal. Civil Code § 1798.82(a); Tex. Bus. & Com. Code § 521.053. The report describes the typical notification time, offering that the “average (mean) time from discovery of a breach to notification of those affected was 40 days, and the median was 30 days. In 25 percent of the breaches consumers were notified in 16 days or less, and in 75 percent of them notification was made in 50 days or less.”

The Report Recommends Implementing the Controls

Based on its data-breach analysis, the report provides four primary recommendations for improving data security. First, the report notes that section 1798.81.5 of the California Civil Code mandates that all businesses owning, licensing, or maintaining “personal information about a California resident shall implement and maintain reasonable security procedures and practices.” The report recommends the Controls as constituting “a minimum level of information security” and indicates that failing to implement the Controls applicable to a business “constitutes a lack of reasonable security,” presumably in violation of section 1798.81.5.

According to the Center for Internet Security, the 20 Controls are “informed by actual attacks and effective defenses” and are “prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.” The Controls are available at https://www.cisecurity.org/critical-controls.cfm. Each Control consists of a specific recommendation, such as Control 1’s recommendation to “actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access,” followed by an explanation of the Control’s importance and a set of specific actions, or “sub-controls,” that organizations have taken to implement the Control. The report summarizes the Controls, or “CSCs,” in the following chart, grouped by each set of Controls’ general recommended action.

Recommended Action | Applicable Controls
Count Connections | Know the Hardware and Software Connected to Your Network (CSC 1, CSC 2)
Configure Securely | Implement Key Security Settings (CSC 3, CSC 11)
Control Users | Limit User and Administrator Privileges (CSC 5, CSC 14)
Update Continuously | Continuously Assess Vulnerabilities and Patch Holes to Stay Current (CSC 4)
Protect Key Assets | Secure Critical Assets and Attack Vectors (CSC 7, CSC 10, CSC 13)
Implement Defenses | Defend against Malware and Boundary Intrusions (CSC 8, CSC 12)
Block Access | Block Vulnerable Access Points (CSC 9, CSC 15, CSC 18)
Train Staff | Provide Security Training to Employees and Vendors with Access (CSC 17)
Monitor Activity | Monitor Accounts and Network Audit Logs (CSC 6, CSC 16)
Test and Plan Response | Conduct Tests of Your Defenses and Be Prepared to Respond Promptly (CSC 19, CSC 20)

In addition to the Controls, the report identifies a number of other “authoritative information security standards that organizations can and do use to develop their programs.” Those standards include those promulgated by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The report also identifies FTC and Federal Communications Commission publications that identify cybersecurity best practices. The report offers a helpful appendix that cross-references the Controls with the NIST, ISO, and other major industry cybersecurity standards.

The report then makes three other suggestions for improving data security. It suggests using “multifactor authentication” on “consumer-facing online accounts that contain sensitive personal information.” Multifactor authentication, as the name suggests, requires multiple identification methods, not just a username and password. For example, online authentication could require entry of a username, a password, and a code received by text message on the user’s cell phone. The report also recommends “encryption of data in transit,” suggesting that “organizations, particularly health care, should consistently use strong encryption to protect personal information” on portable devices. Finally, the report recommends that organizations strongly encourage consumers affected by a data breach to place free “fraud alerts” on their credit files, which makes it much harder for identity thieves to use stolen personal information to open new accounts.

The Report’s Impact on Agency Enforcement Actions

The report’s endorsement of the Controls raises the question of what role those standards, or comparable industry standards, will play in agency enforcement actions and in litigation. As to agency use, we can reasonably expect that the California attorney general will consider whether a company violated the Controls in deciding to pursue an enforcement action. That conclusion is supported by the attorney general’s prior enforcement actions based on businesses’ failure to comply with applicable standards. For example, in 2013, the attorney general sued Citibank for violating California’s unfair competition law, Bus. & Prof. Code § 17200 et seq., based on a data breach allegedly resulting from Citibank’s failure to comply with federal and industry cybersecurity guidelines. The attorney general and Citibank resolved the lawsuit by entering into a consent judgment.

Federal regulators may not emphasize the Controls as much as the California attorney general, and may look to other established, but similar, standards in assessing whether to bring an enforcement action. The primary federal enforcement regulator for cybersecurity, the FTC, has developed its own set of recommended security practices through “the lessons learned from the more than” 50 data-security-related FTC enforcement actions. The FTC has summarized those standards in the June 2015 Start with Security: A Guide for Business. Companies that suffer a data breach from violating the FTC’s recommended practices will probably have an increased risk of facing enforcement actions. Indeed, in FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 257–59 (3d Cir. 2015), the court held that the FTC’s allegations of poor security practices against other companies – the same allegations now summarized in Start with Security – gave Wyndham sufficient notice of the types of security deficiencies that could violate federal law.

The Report’s Impact on Claims under California Civil Code § 1798.81.5 and Similar Statutes

The report has clear implications for claims brought under section 1798.81.5. Section 1798.84 allows for a “customer injured” by a violation of section 1798.81.5 to “institute a civil action to recover damages,” although case law suggests that this private cause of action is limited to California residents. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 973 (S.D. Cal. 2014). Plaintiffs claiming that businesses violated section 1798.81.5 by failing to maintain “reasonable security procedures and practices” are likely to support such allegations by identifying specific Controls that the defendants violated or ignored.

Although the report may be less persuasive outside of California, plaintiffs alleging claims under other states’ statutes similar to section 1798 may point to violations of the Controls to bolster their allegations. Texas, Oregon, Maryland, Nevada, Arkansas, Rhode Island, Indiana, and Utah have data-protection statutes similar to section 1798.81.5, requiring “covered entities to implement and maintain reasonable data security practices.” Patricia Bailin & Arielle Brown, Preparing for a Data Breach: Data Security Regulations & Best Practices, 23 Westlaw J. Health L. 2, at *4 (2015). Massachusetts has a similar, albeit more detailed, security requirement. See 201 CMR 17.00 et seq. Certain federal data-protection standards also contain a “reasonableness” requirement, such as HIPAA’s requirements for “reasonable and appropriate” security of protected information. 42 U.S.C. § 1320d-2(d)(2). Some of those data-protection statutes provide for private causes of action, whereas those that do not could provide the basis for a negligence per se claim.

The Report’s Impact on Common-Law Negligence Claims

The California attorney general’s approval of the Controls is likely to lead to plaintiffs relying on a violation of those Controls as the basis for negligence claims against a hacked defendant. However, the success of those efforts is hard to predict. Case law addressing the applicable standard of care in data-breach negligence claims is sparse, and plaintiffs face imposing hurdles in pursuing post-breach negligence claims.

According to several analyses of data-breach litigation, negligence is one of the most commonly asserted post-breach claims. See, e.g., Bryan Cave LLP, 2015 Data Breach Litigation Report at 8. Consumer plaintiffs typically assert negligence claims on the grounds that a hacked defendant owed a duty of care to protect their personal information and breached that duty by using deficient security measures, thereby allowing the hacker to steal their information. Additionally, financial institutions have sued hacked retailers, most notably Target, for negligence based on its failure to protect the institutions’ cardholder data.

Despite the frequency of post-breach negligence claims, the case law is limited on the applicable standard of care for data protection. Courts have dismissed many post-breach consumer negligence claims for failing to allege cognizable damages, frequently on the grounds that plaintiffs could not show they had actually lost money or suffered identity theft because of the data breach, although those standing issues may not be as pronounced for financial institution claims. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42, 44 (3d Cir. 2011). Courts have dismissed negligence claims under the economic loss rule which, in some states, bars recovery for negligence claims when the plaintiff has only suffered an economic loss, rather than personal injury or property damage. See, e.g., In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498–99 (1st Cir. 2009). Courts have also refused to impose a legal duty on businesses to protect personal information out of reluctance to expand potential tort liability without legislative imprimatur. See, e.g., Dittman v. UPMC, No. GD–14–003285, 2015 WL 4945713, at *3 (C.P. Allegheny Cty. May 28, 2015). Other courts, however, have imposed duties on businesses to protect consumers’ personal information and financial institutions’ customer data. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014) (holding a legal duty existed to “safeguard a consumer’s confidential information entrusted to a commercial entity”); In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1310 (D. Minn. 2014) (holding plaintiff financial institutions had “adequately pled that Target owed them a duty of care”).

The few courts that have reached the applicable standard of care in data-breach negligence claims have looked to standards comparable to the Controls. For example, in Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994 (N.D. Ill. 2009), a hacker obtained access to the plaintiffs’ home equity credit line and transferred funds to a foreign account. The bank demanded that the plaintiff repay the stolen funds; the plaintiffs sued the bank on a variety of grounds, including negligence, for failing to secure their account. The federal district court denied the bank’s motion for summary judgment on the negligence claim, holding that the bank’s failure to comply with the Federal Financial Institutions Examination Council’s guidance on Internet banking security created a fact issue as to whether the bank had breached its duty of care. Additionally, at least one commentator has encouraged courts to consider the 2014 NIST Cybersecurity Framework as an “appropriate standard of care” in negligence actions. Scott J. Shackelford, et al., Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 344–45 (2015).

Another source of standards of care may be common practice within a defendant’s industry. In In re Sony Gaming Networks, 996 F. Supp. 2d at 966, the court held plaintiffs’ allegations that Sony failed to employ “industry-standard” encryption constituted a breach of Sony’s duty of care, but dismissed the negligence claim on other grounds. Similarly, in In re Target, the district court held that the plaintiffs had sufficiently pled that Target breached its duty of care by failing to “maintain appropriate data security measures” and disabling “some of the features of its security measures.” In sum, court decisions addressing the appropriate standard of care suggest that a failure to comply with the Controls or comparable industry standard practice could constitute a breach, giving rise to negligence liability.

On a related note, failure to adhere to industry standard security practices may give rise to other bases for liability besides negligence. Courts have allowed consumers to proceed with deceptive trade practices claims by alleging that they relied on a business’s representations that it adhered to industry standard security practices, where a post-breach investigation revealed those representations to be untrue. See In re LinkedIn User Privacy Litig., 5:12-CV-03088-EJD, 2014 WL 1323713, at *5 (N.D. Cal. Mar. 28, 2014).

The Report’s Impact on Post-Breach Shareholder Litigation

Plaintiffs may also rely on a breached company’s failure to comply with the Controls in asserting fiduciary duty claims against its officers and directors. Officers and directors owe fiduciary duties of loyalty and good faith to their company and, in some cases, to its shareholders, depending on applicable state law. In the last several years, shareholders have alleged that directors and officers of breached companies violated those fiduciary duties by failing to properly implement and supervise data-security programs.

Recent high-profile data breaches, for example, have led to shareholder litigation. The Target data breach led to a shareholder derivative suit against Target’s officers and directors for breaching their fiduciary duties by allegedly “(i) failing to implement a system of internal controls to protect customers’ personal and financial information; and (ii) failing to oversee and monitor [Target’s] internal control system.” See Davis et al. v. Steinhafel et al., 14-cv-00203-PAM-JJK, Consol. S’holder Derivative Compl. ¶ 6 (D. Minn. July 18, 2014). That suit is currently stayed pending the conclusion of Target’s internal investigation. The Wyndham Hotels data breach also led to a shareholder derivative suit. The district court dismissed the Wyndham suit because the board refused the plaintiff’s demand to sue on behalf of the company, and the plaintiff did not sufficiently plead that the board’s refusal fell outside the business judgment rule. See Palkon v. Holmes, 2:14-CV-01234 SRC, 2014 WL 5341880, at *6 (D.N.J. Oct. 20, 2014).

Shareholder-plaintiffs face a high burden in succeeding on fiduciary duty claims against directors and officers based on alleged failures to implement and oversee data-security programs. Such “duty to monitor” or “oversight” claims require a showing that directors “utterly failed to implement any reporting or information systems” or, “having implemented such a system or controls, consciously failed to monitor or oversee its operations,” often a difficult predicate to meet. Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 370 (Del. 2006); Anne Tucker Nees, Who’s the Boss? Unmasking Oversight Liability Within the Corporate Power Puzzle, 35 Del. J. Corp. L. 199, 205 (2010) (“In theory, directors face potential liability for failed oversight. But in practice it is viewed as an unworkable and virtually meaningless standard . . . .”).

Accordingly, a board’s decision not to implement government-endorsed security standards such as the Controls may not lead to liability if based on the board’s reasonable business judgment. However, officers and directors face significant other reputational, regulatory, and litigation risks from a data breach such that they should give the attorney general’s recommendations close consideration.
