Data Breaches in Finance: Reviewing Exposure, from Litigation and Legislation

Although the term “data breach” often is associated with the unauthorized access of information via some form of online hacking, the term encompasses a far greater range of activities. Data breaches may stem from the loss or theft of a company’s computer or storage media or by an employee’s theft of a customer’s personal information. With these breaches come significant risks and liability for all industries, including loss of sales, accounts, and relationships; damaged reputations; and insurance claims. Moreover, companies may face fines and lawsuits by both private citizens and the government.

Private Rights of Action
Although this may soon be changing, the United States government historically has taken a hands-off approach to cybersecurity, leaving the heavy lifting to the private sector for self-regulation. Melanie J. Teplinsky, “Fiddling on the Roof: Recent Developments in Cybersecurity,” 2 Am. U. Bus. L. Rev. 225 (2013).Such self-regulation can be seen in the payment card industry, which has established a Data Security Standard, “an actionable framework for developing a robust payment card data security process. . . .” Security Standards Council, PCI SSI Data Security Standards Overview.

To date, no state or federal statute affords a victim a private right of action against a financial institution whose data has been compromised; however, institutions can be held liable in the majority of states for a failure to notify customers of a data breach. See Scott L. Vernick & Amy C. Purcell, 1 Data Security & Privacy Law § 7.66 (updated June 2012) (providing a state -by -state summary of these notification laws). The trigger, method, and timing of and any exemptions to the notification requirement differ among states; thus, institutions whose data have been breached must be cognizant of these variations. Lawrence Kaplan & Todd Beauchamp, “Data Breaches,” in 3 E-Commerce & Internet Law § 31.02[9] (2012–2013 update). Although there currently is no comprehensive federal notification law, several lawmakers are advocating such legislation. Grant Gross, “Lawmakers Push for Federal Data Breach Notification Law,” PCWorld, July 18, 2013.

Despite the lack of any statutory framework providing a private right of action, data breaches have been the impetus behind many, albeit largely unsuccessful, lawsuits. The purported damages typically include actual loss, emotional distress, the cost of preventing future losses, and increased risk of future harm. These lawsuits usually assert common-law and statutory causes of action. Theories of recovery primarily include breach of contract, breach of implied contract, breach of fiduciary duty, public disclosure of private facts, and negligence. Ian Ballon, 3 E-Commerce & Internet Law § 27.07. The cases are typically filed by private party plaintiffs acting in a class capacity against large business entity defendants. Data breach litigation is subject to and often ends in pretrial motion practice, and the cases that survive dismissal typically end in settlement rather than a trial on the merits.

Liability in the Private Sector
Failure to establish standing is often the death knell in data breach lawsuits. To confer standing, most courts require injury in fact, such as subsequent identity theft. Henry R. Chalmers, “Data Breach Caseload: About to Blow?,” Litigation News, Vol. 38, No. 2, (Winter 2013), at 8–9. The Seventh Circuit in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007),however, has held that the threat of future harm or an increased risk of future harm satisfies the injury-in-fact requirement. In the rare case a plaintiff demonstrates standing, claims are typically, but not always, dismissed for the plaintiff’s failure to demonstrate a legally cognizable claim for which the law provides a remedy.

For example, in E-Shops Corp. v. U.S. Bank National Ass’n,678 F.3d 659 (8th Cir. 2012),the Eighth Circuit dismissed a merchant’s lawsuit, brought as a putative class action, against a bank that issued credit cards, allegedly used to make fraudulent purchases from the merchant’s website. The complaint accused the bank of (1) aiding and abetting fraud, (2) intentional interference with contract, (3) violations of the Minnesota Uniform Deceptive Trade Practices Act (MUDTPA) and the Minnesota Consumer Fraud Act (MCFA), and (4) unjust enrichment.

The Eighth Circuit, like many courts preceding it, upheld the dismissal of the case pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim. With regard to the fraud, MUDTPA, and MCFA claims, the court found that the complaint lacked the requisite factual allegations. Id. at 665–66.The court dismissed the intentional interference claims because the merchant did not allege how the bank intentionally set out to breach the contract between the merchant and its bank or how the issuing bank made the contract between the merchant and its bank more expensive to perform. Id.Finally, the unjust enrichment claim that the bank “received and retained money, through a profit share or otherwise, belonging to [the merchant] . . .” likewise failed because it was merely an insufficient, bare assertion. Id. at 666.

In contrast, the U.S. District Court for the Northern District of Illinois, in Shames-Yeakel v. Citizens Financial Bank, 677 F. Supp. 2d 994, 996 (N.D. Ill. 2009), refused to dismiss a state-law negligence claim brought by bank customers following a third party’s unauthorized access to their online account and subsequent theft of $26,500 from their home equity line of credit. The court, drawing on the common-law duty of a fiduciary institution to protect customers’ confidential information combined with a financial institution’s “duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest,” held that “banks must certainly employ sufficient security measures to protect their customers’ online accounts.” Id. at 1008.

Several federal laws have sought to protect consumer financial privacy, including the Gramm-Leach-Bliley Act (GLB), Pub. L. 106-102, 113 Stat. 1338 (enacted Nov. 12, 1999), and the Federal Trade Commission’s (FTC’s) “Safeguards Rule,” 16 C.F.R. pt. 314, and “Red Flags” requirements, 16 C.F.R. pt. 681. GLB applies to businesses significantly engaged in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). Pursuant to GLB, financial institutions are required to develop and implement programs aimed at addressing data breaches with respect to data maintained by the financial institution or its service providers.15 U.S.C. § 801. It contains the following congressional policy: It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. Id. § 801(a).

Despite the stated policies and requirements, GLB does not contain a penalty provision or create a private right of action. In Wells Fargo, N.A. v. Jenkins, 744 S.E.2d 686, 687 (Ga. 2013), a Wells Fargo customer argued that Wells Fargo was negligent pursuant to a Georgia state law allowing “a plaintiff to recover damages for the breach of a legal duty. . . .” The negligence claim stemmed from the theft of the customer’s identity when a Wells Fargo bank teller divulged the customer’s confidential information to her husband. The Georgia Supreme Court held that GLB sets forth an aspirational statement of Congress, rather than establishing a legal duty giving rise to a cause of action against financial institutions for negligence. Id. at 688.

Several other federal laws have facilitatedlawsuits against financial institutions following a data breach, including the Stored Communications Act, 18 U.S.C. § 121 et seq., the Truth in Lending Act (TILA), 15 U.S.C. § 1601 et seq., the Electronic Funds Transfer Act (EFTA), 15 U.S.C. § 1693 et seq., and the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Most of these lawsuits do not allege that the data breaches, in and of themselves, violate the laws; rather, they take issue with the actions of the financial institutions in response to the breaches.

For example, in Shames-Yeakel, discussed above, the plaintiff customers’ refusal to reimburse the defendant bank for the loss led to the bank reporting the account as delinquent to the national credit bureaus and threatening to foreclose on the customers’ residence. The plaintiffs alleged, in addition to the state-law negligence claims discussed above, violations of TILA, EFTA, FCRA, and the Indiana Uniform Consumer Credit Code (IUCCC), and breach of contract. The plaintiffs voluntarily dismissed their IUCCC and contract claims, and Citizens moved for summary judgment on the remaining claims. The court granted summary judgment on the EFTA claims but denied it on the TILA and FCRA claims for various reasons, including the existence of material facts concerning the reasonableness of the bank’s decision to report the debt without recognizing that the debt was disputed. 677 F. Supp. 2d at 1005, 1009. 

Government Agency Exposure
In addition to private lawsuits, data breaches may prompt governmental action. On the state level, many breach notification laws allow the state attorney general to initiate an action for failure to provide notice in accordance with the law. Scott L. Vernick & Amy C. Purcell, 1 Data Security & Privacy Law § 7:10 (2013). On the federal level, enforcement depends on what law has been violated. For example, GLB’s enforcement lies with the financial institution’s primary federal regulator, including the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, and the FTC. Steven C. Bennett & Michele N. Bradley, 2 Data Security & Privacy Law § 13:22 (2013).The FTC in particular has proactively enforced GLB’s provisions. Id.

Legislation on the Horizon
President Obama’s February 12, 2013, executive order entitled “Improving Critical Infrastructure Cybersecurity” may be symptomatic of an underlying need for a more robust legislative approach to data security, currently missing from enacted U.S. law. The executive order requires federal agencies and certain critical private sector operators to cooperate to reduce cybersecurity threats and establish best practices standards. Despite little or no consensus, a relatively high level of legislative activity remains in the area of data security relevant to those charged with mitigating risk for financial services industry participants. The following is a brief summary of some of the related legislation currently pending before Congress.

The proposed Cyber Privacy Fortification Act of 2013 (H.R. 1121), referred to committee on March 13, 2013, would amend the federal criminal code to impose criminal penalties for intentional failures to provide required notices of a security breach involving sensitive personally identifiable information. The proposed act would require a person who owns or possesses data in electronic form containing a means of identification and who has knowledge of a “major security breach” (as defined in the act) of the system containing such data maintained by such person to provide prompt notice to the U.S. Secret Service or Federal Bureau of Investigation (FBI). The bill would authorize the U.S. Attorney General and any state attorney general to bring civil actions and obtain injunctive relief for violations of federal laws relating to data security. It further requires federal agencies, as part of their rulemaking process, to prepare and make available to the public privacy impact assessments that describe the impact of certain proposed and final agency rules on the privacy of individuals, and it establishes mechanisms for implementation of such assessments.

The proposed Geolocational Privacy and Surveillance Act (H.R. 1312), referred to committee March 21, 2013, would amend the federal criminal code to prohibit, with certain limited exceptions, intentionally

The proposed act would further prohibit a person providing covered services from intentionally divulging geolocation information pertaining to another person, with exceptions; and it would preclude the use of such information, and evidence derived from it, as evidence. It would also allow any person whose geolocation information is intercepted, disclosed, or intentionally used in violation of the act to recover civil damages.

The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2013 (the SECURE IT Act, H.R. 1468), was referred to committee April 10, 2013. This exhaustive bill would, among many other things, require commercial entities that acquire, maintain, store, or utilize personal information (covered entities) to take reasonable measures to protect and secure data in electronic form containing personal information. It would also direct a covered entity that owns or licenses such data to give notice of any breach of the security of the system that the entity reasonably believes has caused or will cause identity theft or other financial harm to persons whose personal information was (or appears to have been) accessed and acquired by an unauthorized person.

In addition, the proposed act would require a covered entity to notify the Secret Service or the FBI of a security breach of personal information involving more than 10,000 individuals. It would also require a third-party entity contracted to maintain, store, or process data containing personal information to notify the covered entity of a breach of security of a system, and would require a service provider to notify the covered entity if it becomes aware of a breach of security involving personal information owned or possessed by a covered entity and whether such covered entity can be reasonably identified. Enforcement authority would be delegated to the FTC, and civil monetary penalties would be available for violations of such information protection and notification requirements.

The Application Privacy, Protection, and Security Act of 2013 (the APPS Act, H.R. 1913), referred to committee May 9, 2013, would, among other things, require mobile device application developers to notify users and obtain their consent regarding terms and conditions pertaining to collection, storage, use, and sharing of personal data, before the application in question actually collects personal data about the user. The act would exclude from such notice and consent requirements any “de-identified data” that could not reasonably be used to identify or infer information about, or otherwise be linked to, a particular individual or mobile device. The bill would require developers to provide users with a method to withdraw such consent and to request that the developer delete personal data or refrain from further data collection or sharing, and take measures to prevent unauthorized access to personal and de-identified data. Violations of the proposed act would be treated as unfair or deceptive acts under the Federal Trade Commission Act.

Given the importance of data protection to the national economy and the increasing risk of cyber threats, it is anticipated that federal and state legislatures will propose other similar bills that could have an impact on the financial services industry. It remains to be seen, however, whether any of this proposed legislation will be enacted into law.

Keywords: litigation, Cyber Privacy Fortification Act of 2013, Geolocational Privacy and Surveillance Act, SECURE IT Act, Application Privacy, Protection, and Security Act of 2013, Shames-Yeakel v. Citizens Financial Bank