Update on Cybersecurity Issues

Class Actions: Are Courts Opening the Door?
The Seventh Circuit recently issued a decision that could have far-reaching implications with respect to the issue of standing for individual and consumer plaintiffs in data breach class action litigation. Unlike commercial entities, such as payment card issuers—which must incur costs in reissuing credit cards even if the cards have not actually been misused—many consumer plaintiffs will not have lost money or suffered identity theft as a direct result of a breach. Following a Supreme Court decision that held that allegations of “possible future injury” were insufficient to confer standing under Article III of the Constitution, Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), courts hearing data breach actions had held that the increased risk of future identity theft was too speculative to confer standing on a consumer plaintiff.

In Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), however, the Seventh Circuit held that certain mitigation costs could constitute actual injury for standing purposes in cases involving stolen payment card information. Many of the plaintiffs in that case had asserted actual injury in the form of fraudulent card charges following the breach of payment card information at a department store, but some plaintiffs had also asserted various other types of injury: the cost of resolving fraudulent charges, the cost of protecting against future identity theft, their financial loss from buying things at a department store that they would not have purchased if they knew the store had inadequate cybersecurity, and their loss of control over their financial information.

The court did not rule on the latter two potential grounds for standing, but it did hold that where a payment card data breach has occurred, mitigation costs could confer standing because there was an objectively reasonable likelihood that the plaintiffs’ payment card information would be misused. Thus, according to the Seventh Circuit, the costs of things like resolving fraudulent charges, obtaining replacement credit cards, and purchasing credit monitoring services could be sufficient to give a consumer plaintiff standing to sue for a data breach, even absent evidence that the particular plaintiff’s information had actually been misused.

It is possible that the Supreme Court may address the standing issue in the coming term. The Court has heard a case, Spokeo, Inc. v. Robins, No. 13-1339, raising the question of whether and under what circumstances a plaintiff asserting a violation of the Fair Credit Reporting Act must show an injury in fact in order to maintain Article III standing. Although the facts of the Spokeo case have nothing to do with cybersecurity, the Court’s decision could provide helpful limits on the Article III standing question, or it could open the door even wider.

Federal Trade Commission Enforcement: The Wyndham Case
The Federal Trade Commission (FTC) has taken an aggressive position with regard to its authority over cybersecurity issues and what companies must do to protect against data breaches. The FTC asserts a right to regulate cybersecurity based on the FTC Act’s prohibition of “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The Third Circuit recently agreed with the FTC’s position in Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), which involved a series of data breaches.

The Wyndham case arose out of data breaches at a hotel chain. According to the FTC, the hotel chain failed to use commercially reasonable methods to safeguard customer information, which resulted in three separate data breaches over the course of more than a year and the theft of payment card information from over 600,000 customers. The FTC sued Wyndham, which unsuccessfully moved to dismiss.

On appeal, the Third Circuit first held that the FTC Act gave the FTC authority to regulate cybersecurity as an unfair trade practice. It is interesting that the court pointed out that the hotel chain’s privacy policy outlined its practice of “safeguard[ing] our Customers’ personally identifiable information by using industry standard practices” and noted that the hotel’s failure to live up to these representations could be inequitable and unfair. The court also concluded that unfairness claims could be based on the likelihood of future injury to customers, rather than a completed actual injury. Thus, even if customers were not able to show that they actually suffered harm from the loss of their personal data, the FTC would still be able to bring an enforcement action. The court also rejected the hotel chain’s claim that it did not have notice of the cybersecurity standards that the FTC was enforcing. The court found that the FTC Act itself, as well as prior enforcement actions by the FTC, provided sufficient notice to the hotel that its practices were substandard pursuant to the FTC Act.

Companies regulated by the FTC should implement cybersecurity best practices to the extent possible; these best practices may help companies avoid regulatory enforcement actions after a breach. A recent cybersecurity guide for businesses issued by the FTC, Start with Security: A Guide for Business, outlines best practices and may be useful. (Other regulatory agencies such as the Securities and Exchange Commission have issued similar guidance; companies regulated by those other agencies should review any industry-specific guidance.) Companies must also be aware of what they are telling customers about their data security and privacy practices. If such representations are made but not realized, they could be found to be deceptive under the FTC Act, as well as state deceptive trade practices laws.

Litigation Against Directors and Officers
Plaintiffs may also seek to hold corporate directors and officers liable after a breach is discovered. For example, after it suffered data breaches, the Wyndham hotel chain faced not only an FTC enforcement action but also a suit against the board of directors. A shareholder sent a demand letter to the board of directors and then, when the board declined to pursue litigation, sued the board. The court dismissed that complaint, finding that the shareholder had failed to plead facts that raised a reasonable doubt about the board’s good faith or reasonable investigation. The court relied heavily on evidence of the board’s thorough investigation of the data breach issue—it noted that the board had discussed cybersecurity issues in 14 board meetings and 16 audit committee meetings, and that it had hired technology firms to investigate the breach. Palkon v. Holmes, No. 2:14-CV-01234 (SRC), 2014 WL 5341880 (D.N.J. Oct. 20, 2014).

In the year since the Palkon case, other derivative actions have followed. One lesson ofPalkon is the need to ensure that the board is informed of data security issues. The board should ensure that the company is keeping in line with industry practices, including guidance by the regulatory agencies, and should continually monitor the company’s cybersecurity risks. That may help avoid being the next victim of a cyberattack, but it will also be helpful in the unfortunate event of a breach.

Keywords: litigation, professional services liability, cybersecurity, data breach, regulatory enforcement, standing

_{Tracey K. Ledbetter is counsel at Sutherland Asbill & Brennan LLP in Atlanta, Georgia.}

^{Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).}