Data Breach Claims

Statutory and Civil Liability

The recent increase in the number of cyber-attacks has been matched with an increase in liability to companies and individuals for related data loss. Two types of legal liabilities generally arise from data breaches: statutory and civil. While both will impose liability on the unprepared, the manner of liability and how corporate counsel can protect their companies differ widely.

Statutory Liability

Statutory liability for a data breach comes in two forms: federal law and state law. The federal Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains specific privacy and security rules that mandate “encryption and protection of patients' electronic protected health information held on networks.” Repercussions for HIPAA violations related to data breaches can be severe. Recently, two health-care organizations agreed to settle charges that they potentially violated these safeguards, and agreed to monetary settlements of a combined $4,800,000 ' the largest HIPAA settlement to date. Additionally, the regulatory duties and liability companies are now exposed to come in many additional forms, depending on the specific nature of the business. A data breach may require disclosure to various federal agencies including, but not limited to: the Securities Exchange Commission (SEC), Federal Trade Commission (FTC) or the U.S. Department of Justice (DOJ).

In addition to the federal mandates, 46 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.

Florida's law is a good example of the type of state law imposing liability and penalties for a data breach, as it is one of the strictest in the nation. In that state, a new statute defining what is “protected data” and imposing penalties for failure to take action after a data breach came into effect. The law, signed by Governor Rick Scott on June 20, 2014, is called the Florida Information Protection Act of 2014 or “FIPA.” It repealed Florida's prior data breach notification statue, FL. Stat. ' 817.5681, and replaced it with ' 501.171, and made modifications to Florida law to reach businesses, government and other entities outside the state.

FIPA provides, like the prior statute, that “personal information” includes first name or first initial with the last name; Social Security number; driver's license number or other government-issued ID number; financial account number; or credit or debit card number with security codes. FIPA added that “personal information” will now also include any information about an individual's medical history, mental or physical condition, or medical treatment/ diagnosis; or health insurance policy number or subscriber identification number, and any “unique identifier” used by a health insurer.

The Act further enlarges the definition of “personal information” to include any information that would allow access to an online account. Of importance is that this enlarged definition would include log-in information for social media platforms such as Facebook or Twitter. This appears to be the broadest definition of “personal information” in the United States. The exception to “personal information” covered by FIPA is information already made public or information that is encrypted.

FIPA covers all commercial or governmental entities that acquire, maintain, store or use personal information of individuals in the state. Importantly, FIPA did away with the language limiting Florida's protection of a breach of personal information to those who “conduct business” in the state alone. Thus, companies in other jurisdictions, including internationally, should assume this statute will apply if a breach of security occurs which affects any Florida resident.

The time period to report a breach of personal information under FIPA has been reduced from prior Florida law to 30 days from the time the breach is discovered. However, the statute authorizes the Department of Legal Affairs to grant up to 15 additional days to provide notice for good cause if the request for extension of time is provided in writing to the department within 30 days of the breach.

If 500 or more persons are affected by the breach, FIPA requires that notice also be provided to the Florida Department of Legal Affairs. If the breach affects 1,000 or more persons, additional notice must be given to all nationwide consumer credit reporting agencies.

No such notice is required to affected individuals if, upon conducting an investigation and consultation with law enforcement, it is reasonably determined that no affected individual “has or is likely to suffer identity theft or any other financial harm.” However even “where no harm” has been determined, the covered entity must still provide a written notice to the Florida Legal Affairs Department within 30 days of the determination that “no harm” occurred. In all cases of a data breach, any law enforcement agency may order a delay in providing notice if the law enforcement agency makes a determination that such notification would interfere with a criminal investigation. Thus, FIPA mandates prompt coordination with law enforcement after a breach.

Third parties that maintain “personal information” for a covered entity that suffer a data breach have 10 days under FIPA to report the breach to affected covered entities. Following receipt of this notice, a covered entity becomes responsible under FIPA for providing any necessary notice within the 30-day notice period as required by the statute.

Although FIPA specifically mandates that it does not create a private cause of action, the statute authorizes the Florida Department of Legal Affairs to bring an enforcement action against covered entities. Failure to provide adequate notice under FIPA is a violation of the Florida Deceptive and Unfair Trade Practices Act and is subject to following civil penalties:

• $1,000 per day for the first 30 days;
• $50,000 thereafter for each 30-day period or portion thereof for up to 180 days;
• $500,000 as the maximum amount of total penalties for violations continuing more than 180 days.

Accordingly, faced not only with federal law, which will vary depending on the type of information your business is dealing with, but state law that will vary widely depending on the locality of your business, the first step for any corporate counsel for a business entity operating with information of customers, consumers, clients, patients or the public of any kind should be to seek advice from outside counsel within their state as to the requirements and liability required by the federal government for the type of business it is engaged in, and the statutory requirements mandated by the state it operates in.

However, state and federal statues are not the only foundation of liability for a computer breach. Aside from liability imposed by statute or code, civil actions based upon contract and tort claims are common against companies that have suffered data breaches.

Civil Liability

Typically, when a data breach occurs, plaintiffs bring contract-based actions based upon a contractual promise to protect personal information. Where no specific terms in the contract regarding protection of personal information exist, savvy plaintiffs will point to promises made to protect personal information, and attempt to incorporate such promises into the terms of the contract. Moreover, plaintiffs are increasingly claiming that an “implied contract” exists to safeguard data if such data is collected from customers or clients. The theory of “third-party beneficiaries” is also used to widen the net of potential parties in data-breach suits. In such claims, those without a direct contractual relationship with an entity that suffered a data breach will seek to enforce the terms of a company's contract with someone else to safeguard information. The hurdle for such claims is that the plaintiff must establish that the contracting parties intended to actually benefit the plaintiffs.

Damages in breach-of-contract claims for data loss cases are often problematic for plaintiffs to prove, but courts are becoming increasingly open to allowing such suits for remote or unknown damages. The reason for this difficulty is that many plaintiffs in data breach cases have not experienced any actual misuse/fraud from the breach. Accordingly, for those Plaintiffs where the pilfered information has not actually been used, the argument is that they are at an increased risk of future harm. (i.e., that their information will be used in the future against their business interests or to commit future fraud and theft). Where data or trade secret information is lost, the hurdle is lower for a plaintiff who can show his intellectual property is being used in the marketplace.

Tort-based theories of liability in data breach cases usually center around negligence and/or negligent misrepresentation claims. Under such claims plaintiffs generally allege that the breached defendant had a duty to exercise reasonable care in protecting the plaintiffs' personal information, but breached that duty by failing to establish adequate protocols or by failing to provide timely notification of the breach. In such claims the plaintiff must demonstrate: 1) the existence of a duty to exercise due care; 2) breach of that duty; 3) causation; and 4) damages.

As set forth in more detail below, plaintiffs will face the same requirements to show recognizable injury and causation, but must also show that the defendant owed them a duty of care. When negligent and/or intentional misrepresentation is included in a claim, the plaintiff must prove that: 1) a material misrepresentation existed; 2) it was made with negligence (without reasonable grounds that it was true); 3) the plaintiff relied on the statement(s) and; 4) as a result, the plaintiff suffered injury.

For tort claims, a usual defense that is raised relates to the economic loss doctrine, which seeks to prevent a purchaser of a product or service from recovering in tort for economic losses where no additional damage to person or property exists. The economic loss doctrine requires such plaintiffs generally to maintain the action on a contract theory alone. Although often effective, each state's laws on the economic loss doctrine vary, and many states have seen an erosion by the court's of the economic loss doctrine's application.

What to Do Before And After a Breach

Insurance ' Before

Faced with the daunting numbers of data breach incidents and increased liability under federal and state law, as well as through civil lawsuit exposure, the insurance industry has responded with numerous products to insure against the increased risk. It was recently reported that one in three companies now has insurance designed to protect against data breaches. Marsh LLC, a New York insurance brokerage firm, recently noted that cyber insurance policies sold to retailers, hospitals, banks, and businesses rose 20% over the last year. Such insurance is designed to fill the holes in coverage that may exist in traditional commercial policies. Initially, such policies were designed to protect against data loss and exposure of personally identifiable information, but have grown to include loss of trade secret material and other confidential data.

Last year, Target Chief Financial Officer John Mulligan disclosed that the high-profile 2013 data breach of the retail giant cost Target $61 million in out-of-pocket expenses during the fourth quarter, of which $44 million was covered by insurance. Thus, although costly, insurance was able to alleviate the devastating costs of the cyber breach to the company's bottom line.

Both first- and third-party coverage is generally available in the marketplace. First-party coverage relates to costs resulting from the insured's actions as a result of the breach (i.e., costs for hiring professionals to assist in the investigation and response; attorney fees to advise on notification and other legal requirements; crisis management firms; computer forensics firms, etc.). Third-party coverage is designed to indemnify liability to third parties allegedly resulting from a covered claim. Such cyber-risk policies are generally available only on a claims-made basis. In a claims-made policy, coverage is triggered when a claim is made against the policyholder during the policy period. This is important as it often takes significant time to realize a cyber breach has taken place. Thus, a new policy may well apply to a new claim that is based on a breach that occurred before the policy's inception. An analysis of your business operations and potential liabilities should be the first order of business with your attorneys and insurance agent to secure the appropriate insurance coverage.

Notice ' After

After a breach has been detected, the first thing that must be done is provide notice. This notice should be given to the following entities, depending on applicable state and federal law: 1) state and federal regulators or agencies responsible for monitoring applicable cyber material and breaches; 2) the customers and consumers whose information is subject to the breach; and last, 3) your insurers. After a data breach, especially one involving the disclosure of “personal information,” notice to regulators, law enforcement and affected individuals is often required by statute or rulemaking as discussed above.

Business entities responding to a network/privacy breach must additionally act in compliance with contractual notice obligations. This notice may be mandated to be given to the clients or customers of the corporation in specific times and manner based upon an agreement or contract the corporation suffering the breach has with its clients or customers. Moreover, the policies of insurance the corporation has covering such breaches likely has specific notice requirements.

Every cyber risk policy contains a section describing the insured's duties in the event of a claim or loss, and when and how notice of a loss must be provided to the insurer is set forth in the policy. As network and privacy liability policies often include provisions of both first- and third-party insurance, the insured's duty to give notice may depend on the type of exposure at issue. When the breach arises, you should immediately seek a quick consultation with your outside counsel who is familiar with your policies to meet the requirements of notification set forth in the policy.

Defenses

It is an old but true saying: The best defense is a strong offense. In the data breach liability world, this means that having a robust plan and procedures in place to prevent a data breach will be central to showing that your company met the standard of care in doing everything it could to protect the data in its possession. Similarly, compliance with state and federal notice requirements, as set forth above, will alleviate the specter of state or federal liability on top of civil liability.

One of the major threats in a cyber breach case is a class action claim. The proliferation of cyber security data breaches has mirrored an increase in class action data breach litigation. Most class actions filed after a data breach occurs seek injuries for increased risk of “identity theft”, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services. However, not every data breach results in an injury. Accordingly, the major defense to any data breach claim is that the claimant does not have standing as no impact or real injury has occurred. Case law supports that this can be a significant hurdle to plaintiffs' claims, and an invaluable defense for your company.

Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.” U.S. Const. Art. III, ' 2. A plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement. A plaintiff must allege at the pleading stage: 1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; 2) that the injury is fairly traceable to the challenged action of the defendant; and 3) that the injury can be remedied by a favorable ruling. If the plaintiff cannot satisfy this, the claim must be dismissed.

Conclusion

Although businesses operating in today's world face increased threats and liabilities related to a data breach, those businesses that partner with a strong and knowledgeable law firm that is well versed in cyber law and data breach claims are ready for today's challenges and opportunities. Your outside counsel should work not only with your business on risk management and claim avoidance, but also with your computer technology professionals and personnel to successfully navigate the dangerous waters of today's business environment where a data breach is a constant and continual threat.

Wayne M. Alder is a shareholder at Becker & Poliakoff. He may be reached at [email protected].