The Target Data Breach Lawsuits: Why Every Company Should Care

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.datasecuritylawjournal.com/2013/12/30/the-target-data-breach-lawsuits-why-every-company-should-care/

Plaintiffs’ lawyers were falling over themselves last week in a race to the
courthouse to sue Target as a result of its recent data breach.  By at
least one report, over 40 lawsuits have already been filed against Target,
the first of which was filed the day after the breach became public.  This
post will provide an overview of the lawsuits, analyze their merits,
identify potential concerns for Target, and address some of the larger
public policy implications raised by the lawsuits.  My next post will
provide more specific details about a sample of the lawsuits.

A (Coordinated) Race to the Courthouse

The lawsuits were filed in Federal courts all over the country, including
Alabama, California, Florida, Illinois, Minnesota, Oregon, and Rhode
Island.  At least four of them were the result of coordinated efforts
between plaintiffs’ firms that filed the lawsuits in California, Illinois,
and Oregon, given the similarity of language and structure used in  those
complaints.  (That’s not particularly unusual, but let’s not pretend that
there isn’t a coordinated effort involved here).  The lawsuits will likely
be consolidated or become part of a multidistrict litigation panel, and
there will be an internal battle between the plaintiffs’ lawyers as to whom
will serve as class counsel.

Also interesting is when the lawsuits were filed.  All of these lawsuits
were filed within a few days of the data breach becoming public.  They were
filed before knowing what caused the breach, before knowing when Target
learned of the breach, and before knowing what Target did to prevent the
breach from occurring in the first place.  The developing data breach legal
landscape has shown us that liability from a data breach arises not from
the breach itself (almost every company suffers a breach), but from what
the company did before or after the breach to prevent it and notify
affected individuals.  So the fact that these lawsuits were filed before we
know much about what led to the breach and how Target responded should
raise initial skepticism about the merits of the lawsuits.

On to the Merits . . .

Generally speaking, the lawsuits are not only premature, but weak for at
least two reasons: their legal theories are not sufficiently specific, and
almost none of them allege cognizable harm.

The lawsuits contain numerous causes of action (negligence, statutory
violations, breach of implied and express contracts, invasion of privacy,
bailment, etc.), but the causes of action are based primarily on two legal
theories:  (1) Target failed to act reasonably in adopting safeguards that
would have prevented the breach from happening; and/or, (2) Target didn’t
notify affected consumers quickly enough.  Let’s evaluate these theories
and other weaknesses in the lawsuits separately.

“Failure to Adopt Reasonable Safeguards”

Plaintiffs allege that Target failed to act reasonably to adopt safeguards
to prevent the breach from occurring, but there are no allegations as to
what specifically Target did wrong.  In theLinkedIn lawsuit, for example,
there were allegations that LinkedIn failed to salt or hash sensitive
information, and that LinkedIn’s conduct contradicted a specific provision
of its consumer-facing privacy policy.  The LinkedIn complaint was
dismissed because the court held that the plaintiffs lacked standing, but
you knew upon reading it what the plaintiffs were claiming LinkedIn did (or
failed to do) wrong.

There are no similarly specific allegations in the lawsuits against Target,
probably because the plaintiffs don’t know enough about the facts to plead
anything with the requisite specificity.  They don’t know yet what Target
did wrong, or even if it did anything wrong.  The highly ambiguous pleading
now puts Target in the position of trying to defend itself against a
“moving target” (no pun intended) that plaintiffs will interpret
differently to best suit their needs as the lawsuit progresses.

“Failure to Timely Notify Affected Consumers”

The plaintiffs also claim that Target failed to timely notify affected
consumers of the breach, but there are currently  no facts that support
this theory.  According to all accounts, the breach occurred between
November 27th and December 15th, and Target notified potentially affected
customers a few days thereafter by email and by creating a special web page
(linked to Target.com) with regularly updated information about the breach
and Target’s response.

As anyone with breach response experience will tell you, there are a number
of time-consuming steps in the breach response process before notification
can take place.  First, you need to identify and understand the nature of
the compromise, and you have to be reasonably sure that the compromise has
been contained and remediated so it is no longer a threat.  This step alone
can take days or weeks to complete depending on the level of sophistication
of the attack.  Further complicating this step is the coordination with
 law enforcement, who may be concerned that acting too quickly will inhibit
their ability to identify the perpetrators.  After the integrity of your
system has been restored, you need to identify what information was
affected by the breach.  If you learn that personal information was
potentially compromised as a result of the breach, you need to know whose
information was affected so you can quickly inform them and regulatory
authorities in compliance with applicable legal requirements.  Undertaking
this entire process can often take weeks.  Target appears to have done it
within a few days.

There is another factor that must be considered in determining whether
Target complied with any legal obligation to notify consumers – the various
data breach notification laws. 46 states have their own data breach
notification laws and they are triggered by the location of the individual
whose information is compromised, not by the location of the company that
suffered the breach (meaning that they’re all in play with a breach this
size).  Most require notification within a “reasonable” period of time, and
for some that means the breached entity may have as long as 30 to 45 days
to undertake notification.  These laws usually do not “start the clock
running” on notification until the company reasonably believes that it has
identified the full scope of the breach and has contained it.  This makes
sense because you wouldn’t want to tip off the hackers that you are on to
them by issuing a public notification when your systems are still
compromised.  Additionally, it is very difficult to undertake notification
until you know who you need to notify (i.e., whose information was
compromised, where do they live, how can I contact them, etc.), which can
take some time to determine.  Finally, almost all of these laws allow for a
delay in notification where law enforcement believes that such notification
would impede their ability to identify and investigate the hackers. We do
not know whether such a “law enforcement hold” was in place in this breach.
 (Some of the plaintiffs allege in their complaints that no law enforcement
hold was in place, but they couldn’t possibly know that yet).

It is possible that facts could emerge at a later date showing that Target
knew of the compromise much earlier but chose not to notify affected
consumers, but for the time being, the fact that Target notified affected
consumers within a few days of the compromise becoming known easily
disposes of the allegation that Target delayed notifying consumers.

Cognizable Harm

The plaintiffs will also have a very difficult time proving that they
suffered cognizable harm, as evident by the difficulty they have in
pleading it.  Almost half of the lawsuits allege that they suffered
“compensatory damages” or “harm” generally, but fail to describe their
damages with any specificity.  They likely cannot identify any cognizable
harm at this point, further demonstrating the premature nature of these
lawsuits.  Some of the lawsuits seek damages for a “risk” of harm at some
unforeseeable point in the future, or for fraudulent charges that were
almost certainly reimbursed or will be reimbursed by the consumers’
financial institutions, or for potential damage to their credit scores.
 None of these types of damages have been recognized as cognizable in a
data breach lawsuit.

This is not to say that all damages are not cognizable.  In a few
jurisdictions, courts have held that plaintiffs can proceed in pursuing
certain damages.  In the First Circuit, for example, consumers are allowed
to pursue “mitigation expenses” (e.g., the unreimbursed cost of replacing
their cards, obtaining credit reports and credit insurance, etc.).  In the
Eleventh Circuit, consumers have been allowed to pursue the portion of
their service fees/premiums to a company that was used for securing the
consumers’ personal information.  To the extent the plaintiffs have filed
lawsuits in these jurisdictions and are seeking these types of damages,
their allegations of damages may be stronger.

Precedent

Finally, Plaintiffs will have to deal with the majority of case law in data
breach lawsuits that, with some limited exceptions, has not allowed the
lawsuits to proceed.  Two of the most important decisions will be the U.S.
Supreme Court’s decision in Clapper v. Amnesty International and the
Northern District of Illinois’s decision in In re Barnes & Noble Pin Pad
Litigation.  Clapper raised the bar for demonstrating cognizable harm and
standing in privacy violation cases such as this one.  The Clapper decision
was relied on by the Northern District of Illinois in dismissing a data
breach lawsuit against Barnes & Noble that arose from an almost identical
set of facts — the compromise of consumers’ personal information stolen
from PIN pads at a major retailer.  The court held that the plaintiffs
lacked standing because they could not allege that a threatened injury was
“certainly impending” as a result of the breach.

I expect the plaintiffs to rely on the recent decisions by the Eleventh
Circuit, the First Circuit, and the Southern District of Florida that
allowed data breach lawsuits to proceed.  Therefore, I would closely
monitor what happens in the two Florida lawsuits and the Rhode Island
lawsuit, or any others that are subsequently filed in the Eleventh or First
U.S. Circuits.

Should Target Still Be Worried?

Despite the premature nature and overall weaknesses of the lawsuits as
filed, Target still has cause for concern. First, even though legal
precedent is heavily in its favor (this blog post cites only a few of the
many opinions dismissing data breach lawsuits), the development of the law
is still in its early phases, and as evident from the previous paragraph,
some courts where lawsuits against Target are pending have allowed data
breach lawsuits to proceed.

Another concern is how the facts emerge.  For example, if it turns out that
Target knew about the breach long before it was disclosed publicly, knew
that personal information had been compromised, knew whose information had
been compromised, knew that the information was not encrypted, and was
under a legal obligation to notify affected individuals, then the
plaintiffs’ “failure to timely notify” will strengthen.

Target also has to be concerned about trying to keep the focus where the
law requires it.  The plaintiffs’ lawyers are going to try to shift the
focus from what Target did (the sophisticated and complex information
security program Target likely had in place) to what Target could have done
(the one “error” Target made that could have prevented the breach).
 According to one study, 97% of breaches are avoidable (in hindsight)
through simple or intermediate controls.  Why is that important?  Because I
have little doubt that the plaintiffs’ lawyers will be able to find a
cybersecurity “expert” somewhere willing to testify that Target could have
done something that would have prevented the breach from occurring, thereby
trying to create an issue of fact as to the reasonableness of Target’s
conduct.  Target will need to try hard to keep the focus on the correct
legal standard.  The legal standard isn’t whether Target could have done
something to prevent the breach, but whether it acted reasonably to prevent
the breach.  In other words, the plaintiffs’ lawyers will try to persuade
the courts that liability should be determined by whether the breach was
preventable, and Target will try to keep the focus on the fact that it
adopted a highly sophisticated, expensive, and (for the most part) very
effective information security program and made the security of its
consumers’ information the highest priority.  If plaintiffs succeed in
shifting the focus away from the legal standard, every company should be
very concerned, because so many data breaches are, in hindsight,
preventable, which means that almost every company could face potential
liability if they suffer a breach.

So why should EVERY Company Care About These Lawsuits . . .

The lawsuits are premature, not well supported by precedent, and based
heavily on rank speculation as to the safeguards Target had in place and
how quickly it responded.  Despite these weaknesses, however, every company
should care about what happens to these lawsuits.  Target is a very large
company that undoubtedly had in place complex and sophisticated safeguards
to protect against this type of a data breach, and from what we know so
far, they notified affected individuals very quickly.  If there is anything
less than a dismissal or summary judgment entered in all of these cases,
then the proverbial blood will be in the water and we can expect the
floodgates of data breach litigation to open.  Almost every company that
suffers a data breach could be held liable because few are going to have
the level of security and response efforts that an organization like Target
has in place.

The public policy consequences of Target being held liable are significant.
 Companies will be less inclined to reveal breaches due to potential
liability exposure, so consumers will be less likely to know when their
information has been accessed, precluding them from responding adequately
to protect themselves.  Instead of investing resources into physical,
technical, and administrative safeguards that could improve the security of
consumers’ information, companies will be forced to spend their resources
on litigation costs, settlements, and awards to plaintiffs.  The
individuals who will benefit most won’t be the consumers (who could each
receive nominal awards for mitigation expenses), but the attorneys who will
reap significant attorney’s fees awards in class action lawsuits.  So what
happens to these lawsuits will be important to any company that collects,
stores, uses, and disposes of sensitive consumer information, which is
almost every company doing business in this modern economy.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.