chevron-down Created with Sketch Beta.
January 04, 2017 Articles

Hacked: Liability for Inadequate Information Security

By Theresa Allyn Queen

Data Breaches and Other Things That Go Bump in the Night
Millions of individuals and companies fall victim to cybercrimes every year. As technology evolves at an exponential pace, corporations become more vulnerable to increasingly severe malicious and criminal attacks. Sophisticated hackers target corporate systems and customer data. Invidious malware including “ransomware” and “denial of service” attacks can devastate entire businesses. Liability can arise from breaches of a company’s own data, that of its customers, or even that of a third-party contractor, vendor, or partner. Hackers have targeted drivers’ licenses and Social Security numbers, patient medical information, credit card data, employee data, student data, company financials, and government records.

All of this can be quite costly. According to a 2016 IBM study, the average costs of a data breach to an organization exceed $7 million. See Ponemon Inst., 2016 Cost of Data Breach Study: United States (2016). This finding reflects a typical cost of about $221 per lost, stolen, or compromised record. Id. at 1. The more records that are affected, the more expensive a data breach will be. Companies reporting the loss or theft of more than 50,000 records had an average data breach cost of approximately $13.1 million per incident. Id. at 3. Moreover, the cost of a data breach in certain heavily regulated industries, such as banking, financial services, health care, government contractors, or life sciences can be much higher, as are the social costs. Id. at 2.

One of the most significant impacts data breaches can have on businesses is lost business revenues from reputational damage, as organizations struggle to regain their customers’ trust. Id. at 1. Compounding these indirect costs are the direct costs incurred in investigation, incident response, customer notification, and legal expenditure. Many data breach settlements have also included credit monitoring and identity repair for those affected by the breach.

Companies in many industries can also face additional legal challenges—on top of potential customer lawsuits—in the form of federal regulatory agencies. The Consumer Financial Protection Bureau, the Securities and Exchange Commission, and the Federal Trade Commission, among others, all bring enforcement actions against companies they believe are not taking adequate steps to protect their data from cyberattacks.

Regulatory penalties and fines may also apply. For example, a major U.K. telecom company was recently fined £400,000 by the Information Commissioner after hackers obtained the personal data of more than 100,000 customers because of the company’s “failure to implement the most basic cyber security measures,” which allowed hackers to penetrate its systems “with ease.”

To make matters worse, the hackers are not whom you imagine. The popular caricature of hackers as disaffected teenagers wreaking unforeseeable havoc out of angst or ennui is a fiction. The hackers, for the most part, are not teenagers. In most cases, they are foreign governments or government-sponsored professionals, criminal organizations, robots, and even artificial intelligences creating ever-evolving code to exploit your systems’ vulnerabilities.

Modern practices that aggregate vital corporate data in “the cloud,” remote access, and “bring your own device” systems can all weaken enterprise security and increase vulnerability. Outdated or acquired systems and human error compound the risk of a serious data breach. Phishing emails designed to mimic those of reputable companies, and even those of the target company, can infect a system with ransomware, which, as the name implies, holds a system, data set, or device hostage until a ransom is paid for its release. Many companies have elected to pay the ransom only to have their data destroyed anyway.

According to one chief information security officer, it is not a question of whether an organization will be attacked; it is simply a question of when. A 2016 Accenture cybersecurity survey found that nearly 70 percent of the respondents experienced an actual or attempted data theft or internal espionage by corporate insiders. Accenture, The State of Cybersecurity and Digital Trust 2016, at 9 (2016). And not all lapses originate outside the enterprise. One unattended or stolen laptop, for example, can contain millions of records. Internal threats may be just as, if not more, devastating than external ones.

Moreover, many data breaches go undetected. Detection and response, therefore, is critical to accelerate recovery and prevent further damage. Corporate counsel, information security officers, and compliance professionals must work to develop a holistic and rapidly evolving corporate approach to keep up with emergent threats.

Liability for Hacking

Data breaches alone without concrete injury other than fear of future injury. There is, however, some good news. Although there is a split in the circuits, in general, the majority of federal circuit courts require a concrete injury in fact to impose liability for third-party hacking, and the “fear of future injury” is generally not sufficient to confer Article III standing. Generally, in the context of data breach cases, a plaintiff bears the burden of establishing the “irreducible constitutional minimum” of standing by demonstrating (1) an injury in fact, (2) fairly traceable to the challenged conduct of the defendant, and (3) likely to be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016).

The injury-in-fact requirement requires a plaintiff to show that he or she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Id. When a party’s allegations of injury rest on future harm, standing arises only if that harm is “certainly impending” or “there is a ‘realistic danger’ that the relevant harm will occur.” See Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 1161 (2013).

The majority of courts dealing with data breach cases have held that absent allegations of actual identity theft, misuse, or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing. See Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 366–67 (M.D. Pa. 2015) (finding no standing where the plaintiffs did not allege that they actually suffered any form of identity theft as a result of the defendant’s data breach); Burton v. MAPCO Express, Inc., 47 F. Supp. 3d 1279, 1284–85 (N.D. Ala. 2014) (finding no standing despite the plaintiff’s allegations of unauthorized charges on his debit card because the plaintiff did not allege that he actually had to pay for the charges).

Post-Spokeo courts have also found that mere disclosure of information in violation of a statute is not sufficient to establish concrete injury. See Attias v. CareFirst, Inc., No. 15-cv-00822, No. 15-cv-00822, 2016 WL 4250232, at *5 (D.D.C. Aug. 10, 2016) (observing that “[e]ven if Plaintiffs’ rights under applicable consumer protection acts have been violated” by sharing of personal information in data breach, “because they do not plausibly allege concrete harm, they have not demonstrated that they have standing to press their claims”); Khan v. Children’s Nat’l Health Sys., No. TDC-15-2125, 2016 WL 2946165, at *7 (D. Md. May 19, 2016) (alleged “violations of state statutes” do not confer standing because loss of privacy due to alleged data breach is not sufficiently concrete).

Data breach itself constitutes injury in fact. Courts in the Ninth and Seventh Circuits, however, have been more willing to find that a simple data breach itself confers standing. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214–15 (N.D. Cal. 2014) (finding standing where hacker “spent several weeks” in Adobe’s servers collecting customers’ information despite no allegations that the plaintiffs’ data had been misused); Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 861 (N.D. Cal. 2011) (finding allegations of harm from hacking and failure to protect personally identifiable information sufficient at the motion to dismiss stage to allege a generalized injury in fact).

Currently pending before the Ninth Circuit is the matter of Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955 (N.D. Cal. 2015). In Cahen, several consumers brought a putative class action against vehicle manufacturers, alleging that the manufacturers equipped their vehicles with computer technology that was susceptible to being hacked by third parties. The manufacturers moved to dismiss for lack of personal jurisdiction and for lack of standing. Id. at 960.

The plaintiffs in Cahen alleged that when they purchased their cars, the manufacturers knew but did not tell them that the cars contained outmoded technology that made the cars susceptible to hacking, and therefore unsafe. The plaintiffs claimed that despite the defendants’ knowledge of significant security vulnerabilities, they marketed their vehicles as safe. Id. at 959. The manufacturers also used other technology in the cars to track drivers’ location data, which they sold to third parties. Id.

Moving to dismiss the consolidated class actions, the defendants cited Clapper for the proposition that “plaintiffs cannot assert injury in fact based on the risk of future harm from the alleged product defect (that defendants’ cars are susceptible to hacking by third parties).” Cahen, 147 F. Supp. at 966. The defendants argued that “future injury caused by insecure software is not an injury in fact under Article III because such a scenario is too speculative to constitute a ‘certainly impending’ injury.” Id. Agreeing with the defendants, the court found that the plaintiffs did not allege that any future risk of harm is “concrete and particularized as to themselves.” Id. at 967. Rather, the court noted that the plaintiffs “allege only that car owners in general face a risk of hacking at some point in the future. The risk faced by the individual plaintiffs themselves remains speculative.” Id. (emphasis added). Accordingly, the court also found that “the alleged economic injury rests solely upon the existence of a speculative risk of future harm.” Id. at 971.

The Ninth Circuit’s resolution of the injury-in-fact question in Cahen will have far-reaching implications for the viability of security breach or hacking class actions in the absence of demonstrable harm. See Cahen v. Toyota Motor Corp., No. 16-15496 (9th Cir. filed Mar. 22, 2016).

Allegations of misuse, fraud, or identity theft are generally sufficient to establish injury. Allegations of misuse of data, actual identity theft, and fraud, however, have been found to be sufficient to confer Article III standing. See In re, Inc., 108 F. Supp. 3d 949, 962 (D. Nev. 2015) (dismissing class complaints but granting leave to amend to include customers who experienced actual identity theft, fraud, or misuse of stolen data); see also Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064 (C.D. Ill. 2016) (finding the plaintiff had stated a claim for implied contract to safeguard the customers’ information and take reasonable measures to protect customer information and to timely notify them of a security breach).

Practical Guidance and Baby Steps
Companies looking to minimize legal exposure for data breaches should first work to ensure that they have dedicated adequate resources to data privacy and security. That process should begin with an initial assessment of the current state of privacy and information security measures and vulnerabilities. While it can be challenging to obtain managerial approval to address threats that are abstract and intangible, enterprise security is not a discretionary cost. Investment in it should be viewed as a corporate priority. Management should consider working to address funding gaps and budget deficits that prevent allocation of adequate resources to information security. Ensuring that employees are trained properly and working to promote information security as a value within an organizations can also help minimize exposure.

Investment in data loss prevention, by itself, can help to reduce the overall risks of liability. Many hackers succeed by exploiting known flaws in commonly used and outdated software. Patching these holes can be much easier than extracting a virus or other malware after a system-wide infection. The elimination of unacceptable vulnerabilities and adherence to the current “state of the art” can also potentially serve as a defense if litigation should arise.

Existing security software, firewalls, encryption, and analytics should be continually and meticulously updated, ideally under the watchful supervision of a dedicated information security officer. Proactive monitoring of active cybersecurity measures can also help demonstrate appropriate diligence.

Companies should also consider taking steps to ensure that the technological detection and responses are appropriate to their systems and practices. For example, many hackers time their attacks to backup tape cycles to ensure that not just the current servers, but all existing copies, have the same virus, malware, or ransomware. Some malware can also disable a system’s ability to back itself up. It is, therefore, important to keep an unconnected, “failsafe” backup that is physically separated from operational servers.

Dedicated response teams are also important, but the members of a response team must know and understand their roles and responsibilities. Clear reporting and escalation channels should be established. If news regarding a cyberattack takes days to reach the attention of top management, millions more records can be compromised before proper action is taken. Auditors will also want to frequently evaluate the company’s cybersecurity protocol’s robustness and effectiveness.

Managerial sophistication can go a long way toward increasing preparedness, speeding up response times, and limiting legal exposure. A high-level information security officer with a direct reporting line to the CEO or board of directors can help to ensure prompt and effective remedial measures are taken. Direct reporting can also minimize organizational conflicts of interest and red-tape. On the financial side, the company will want to consider transferring remaining risks to cyber liability insurance.

Companies should be diligent about updating information governance, document retention, and privacy policies and work to audit and ensure compliance with existing policies and procedures. Minimizing the data collected and stored and the period of storage can also help reduce the likelihood of a catastrophic data breach.

Certain data may also be governed by multiple differing regulations or privacy obligations. A company that does business in multiple states and countries or across corporate forums should keep track of its notice and reporting obligations for every place in which it does business. Some countries, states, or agencies have mandatory reporting obligations that may directly contradict privacy requirements in others. Failure to identify the proper reporting and privacy obligations can exacerbate matters. Taking these measures may help a company avoid being thrown into a regulatory and legal quagmire following a data breach.

Lastly, the company should consult with counsel for its regulatory, compliance, and litigation needs, so management knows whom to call when an incident occurs. In this way, proper planning can help minimize the disruption of the inevitable breach.

Keywords: litigation, woman advocate, data breach, cybersecurity, cyberattacks, cybercrime, ransomware, denial of service, hacking, standing, injury, data privacy, information security

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).