BreachExchange mailing list archives

Understanding the Swinging Pendulum That is Data Breach Law


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Jan 2015 19:07:09 -0700

http://www.claimsjournal.com/news/national/2015/01/07/259895.htm

In today’s technology-driven economy, organizations of all sizes are
exposed to increasingly complex computer security risks. The evolving
sophistication of the hacking community only increases the likelihood of a
targeted cyber-attack and forces companies to recognize the importance of
protecting this valuable data. Additionally, human error accounts for a
large percentage of compromised data due to lost laptops, smartphones
and/or inadvertent disclosure of sensitive personal and/or corporate
confidential information. Companies in all industries face a heightened
scrutiny in the regulatory realm due to enhanced enforcement by
governmental entities. In addition, nearly every state in the country
maintains data breach laws requiring timely notification of individuals
whose information may have been compromised, and companies accepting
credit cards must also adhere to the standards imposed by the Payment Card
Industry (PCI). Just one security failure or privacy lapse could lead to
intense regulatory scrutiny and costly civil litigation.

We read about data breaches affecting millions of individuals on almost a
weekly basis. What is the future of litigation regarding these breaches?

The main hurdles Plaintiffs must overcome are standing and damages.
Generally, for a case to survive a motion to dismiss there must be evidence
that information was actually exploited or compromised. One example is the
posting of victims' information in a public forum. Some Plaintiffs'
attorneys try to argue that when customers pay for services, there is an
implied promise that the defendant will use some of that money to
implement cybersecurity precautions and that, as such, plaintiffs should
get a portion of that money back. The courts have been somewhat split on
the standing/damages issue but have usually taken a pro-defendant stance.
However, the law is very fluid. The most compelling case for plaintiffs is
one in which there was a data breach, the company knew there was malware on
the system and did not act, or the company was late to detect the breach
and late to notify. Was there a plan in place? Was the company diligent?
Is it now working to prevent a breach in the future? Bank breaches are
more compelling than retail breaches because they matter more to the
affected individuals: their money is involved. The wild card in litigation
will be statutory damages, as those amounts could far exceed any other
damages. Presently, Plaintiffs need to show an actual consequence of the
breach. However, at the end of the day, that requirement does not
eliminate the fundamental problem (the breach), and the courts might start
to accept that there is standing.

In 2010, an opinion by the US Court of Appeals for the Ninth Circuit was
thought to be precedent setting. In Krottner v. Starbucks Corp. (No.
09-35823), the court reviewed a district court order ruling that Plaintiffs
whose personal information was stolen (but not yet misused) had suffered an
"injury" sufficient to constitute standing under Article III of the United
States Constitution. The pivotal importance of this opinion was that a
claim for damages due to lost personal information did not have to rest on
proof of actual harm; a credible, imminent threat of harm was sufficient.

In Krottner, Plaintiffs were current and former Starbucks employees who
claimed their personal information was compromised when a laptop containing
their names, addresses, and social security numbers was stolen from a
Starbucks location. Two separate lawsuits were filed and in each,
Plaintiffs brought claims under Washington state law against Starbucks for
negligence and breach of implied contract. Plaintiffs’ causes of action
were largely based on the threat of an increased risk of future identity
theft as compared to actual harm suffered. Starbucks countered this
argument indicating that in order to have standing, Plaintiffs must
adequately allege an “injury-in-fact.”

The Court of Appeals affirmed the District Court’s ruling and held that
Plaintiffs did have standing because “an increased risk of identity theft
constitutes sufficient injury-in-fact.” Ultimately, the Court concluded
that Plaintiffs had alleged a credible threat of real and immediate harm
emanating from the theft of a laptop containing their unencrypted personal
data. While the Court of Appeals ruled that Plaintiffs had standing to
bring their lawsuit, it also affirmed the District Court’s holding that
they failed to adequately state a claim under Washington state law. As
such, both of the District Court cases were eventually dismissed.
Notwithstanding the dismissals, the ruling was quite significant in
illustrating the court's willingness to treat the "injury-in-fact"
requirement as satisfied by only a credible threat of future harm.

In a later decision issued in 2013, the Supreme Court took an entirely
contrary view to that in Krottner. Specifically, in Clapper v. Amnesty
International (No. 10-1025), the Court, albeit by a narrow majority, held
that mere assertions of a reasonable likelihood of potential future
injury, or harm or costs incurred to avoid a potential threatened injury,
are insufficient to establish standing by plaintiffs in federal court. In
Clapper, the Plaintiffs, attorneys and human rights, legal, and media
organizations whose work required them to communicate with foreign
nationals, challenged the constitutionality of Section 1881a of the Foreign
Intelligence Surveillance Act (FISA). FISA, originally enacted in 1978,
regulates certain governmental electronic surveillance of communications
for foreign intelligence purposes. It was amended in 2008 to add Section
1881a, which provides that the government may intercept electronic
communications of foreign nationals located abroad without establishing
probable cause as to each target.

The majority opinion found that respondents lacked standing because they
could not "manufacture standing by incurring costs in anticipation of
non-imminent harm." Although not a data-breach case, this decision was
significant in the continuously developing data-breach case law, as it was
used by defense counsel to oppose data breach class actions by arguing that
plaintiffs must show actual damages or certainly impending harm, and that
self-incurred "crisis-response" or preventive costs do not suffice.

As further evidence of the unsettled legal landscape in this realm, a
recent decision handed down by Judge Lucy H. Koh of the Northern District
of California in In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK
(N.D. Cal. Sept. 4, 2014), found that Plaintiffs in a consolidated class
action had standing to sue despite their failure to allege actual improper
use of the stolen personal information. This holding is quite significant
as it again shows that the standing debate is far from settled.

Specifically, in July of 2013, hackers allegedly targeted Adobe’s servers
and spent several weeks undetected, removing customer names, login IDs,
passwords, credit and debit card numbers, expiration dates, and mailing and
e-mailing addresses. Plaintiffs alleged violations of the California Civil
Code in their Complaint and sought injunctive and declaratory relief.

Relying on the reasoning in Clapper, Adobe moved to dismiss Plaintiffs'
claims, asserting that plaintiffs in data breach litigation must allege
"certainly impending" injuries and that possible future injuries are
insufficient. Judge Koh disagreed, finding that Clapper did not change the
standing analysis established in Krottner and that, even if Krottner were
no longer good law, the harm threatened by the Adobe breach was sufficiently
concrete and imminent to satisfy Clapper. Further, the court reasoned that
requiring plaintiffs to wait until they actually suffer identity theft or
credit or debit card fraud in order to establish standing would run counter
to the well-established principle that harm does not need to have already
occurred, or be "literally certain," to constitute injury. In addition, the
court noted that requiring Plaintiffs to wait for a threatened harm to
materialize before bringing a lawsuit would pose a unique standing problem
because of the time that can pass between a data breach and actual identity
theft: the longer that interval, the more opportunity a defendant has to
argue that the theft is not related to its breach.

With the changing legal and regulatory landscape, companies of all sizes
cannot afford the risk of being unprepared for a data breach, and as such
essential preparedness should include considering both risk mitigation and
risk transference. Today's cyber security insurance primarily addresses
first-party and third-party risks. First-party coverage includes loss of
business income resulting from a data breach, the cost of repairing and
restoring computer systems if there is a virus that destroys business
software and data, costs associated with forensic analysis and crisis
management to respond to a data breach incident. Third-party risks include
data breach incidents that result in unauthorized access to information or
personally identifiable, non-public information like bank account number,
credit card numbers or Social Security numbers as well as third-party
corporate confidential information.

Currently, there are specialized suites of cyber security insurance that
offer a variety of protections and services, such as business interruption
coverage for direct losses from a cyber-attack and coverage for post-breach
response, including the hiring of forensic experts and the use of
credit-monitoring services. One of the latest innovations from insurers is
a broadened business interruption trigger that may provide coverage for
loss of income if an insured's system suffers an outage due to a failure of
technology or a failure of computer security. Insurers also now offer
coverage for risks associated with any business process that a company may
outsource, such as cloud computing, including losses suffered from the
failure of any of an insured's critical vendors.

As cyber and technology risks continue to evolve, cyber insurance coverage
will as well. Insurance companies are continuing to accumulate more
actuarial data, based on the loss history of various industries, each
corporate customer’s use of technology and the corporation’s own level of
security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
