Understanding the Swinging Pendulum That is Data Breach Law
In today’s technology-driven economy, organizations of all sizes are exposed to increasingly complex computer security risks. The evolving sophistication of the hacking community only increases the likelihood of a targeted cyber-attack and forces companies to recognize the importance of protecting this valuable data. Additionally, human error accounts for a large percentage of compromised data due to lost laptops, smartphones and/or inadvertent disclosure of sensitive personal and/or corporate confidential information. Companies in all industries face a heightened scrutiny in the regulatory realm due to enhanced enforcement by governmental entities. In addition, nearly every state in the country maintains data breach laws requiring timely notification of individuals whose information may have been compromised as well as adherence to the standards imposed by the Payment Card Industry (PCI) for those companies accepting credit cards. Just one security failure or privacy security could lead to intense regulatory scrutiny and costly civil litigation.
We read about data breaches affecting millions of individuals on almost a weekly basis. What is the future of ligation regarding these breaches?
The main hurdles Plaintiffs must overcome are standing and damages. Generally, for a case to survive a motion to dismiss there must be evidence that information was actually exploited or compromised. One example is posting the information of the victims in a public forum. Some Plaintiffs’ attorneys try to argue that when customers pay for services, there is an implied promise that the defendant would use some of that money to implement cybersecurity precautions and as such, plaintiffs should get a portion of that money back. The Courts have been somewhat split on the standing/damages issue but have usually taken a pro-defendant stance. However, it is very fluid. The most compelling case is when there was a data breach, the company knew there was malware on the system and they did not act or they were late to know and to notify. Was there a plan in place? Were they diligent? Are they now working to prevent a breach in future? The bank breaches are more compelling than a retail breach because it is more important to the individuals since it involves their money. The wild card in litigation will be statutory damages as those amounts could far exceed any other damages. Presently, Plaintiffs need a consequent. However, at the end of the day, that does not eliminate the fundamental problem (the breach) and might the courts start to embrace that there is standing?
In 2010, an opinion by the US Court of Appeals for the Ninth Circuit was thought to be precedent setting. In Krottner v. Starbucks Corp. (No. 09-35823), the court reviewed a district court order ruling that Plaintiffs whose personal information was stolen- but not yet misused- had suffered an “injury” sufficient to constitute standing under Article III of the United States Constitution. The pivotal importance of this opinion was that a claim for damages due to lost personal information had to overcome actual proof of actual harm or imminent threat of harm.
In Krottner, Plaintiffs were current and former Starbucks employees who claimed their personal information was compromised when a laptop containing their names, addresses, and social security numbers was stolen from a Starbucks location. Two separate lawsuits were filed and in each, Plaintiffs brought claims under Washington state law against Starbucks for negligence and breach of implied contract. Plaintiffs’ causes of action were largely based on the threat of an increased risk of future identity theft as compared to actual harm suffered. Starbucks countered this argument indicating that in order to have standing, Plaintiffs must adequately allege an “injury-in-fact.”
The Court of Appeals affirmed the District Court’s ruling and held that Plaintiffs did have standing because “an increased risk of identity theft constitutes sufficient injury-in-fact.” Ultimately, the Court concluded that Plaintiffs had alleged a credible threat of real and immediate harm emanating from the theft of a laptop containing their unencrypted personal data. While the Court of Appeals ruled that Plaintiffs had standing to bring their lawsuit, it also affirmed the District Court’s holding that they failed to adequately state a claim under Washington state law. As such, both of the District Court cases were eventually dismissed. Notwithstanding the dismissals, the importance of this ruling was quite significant in illustrating the courts willingness to uphold the “injury-in-fact” requirement given only a future threat of credible harm.
In a later decision issued by the Supreme Court in 2013, the Court took an entirely contrary view to that in Krottner. Specifically, in Clapper v. Amnesty International (No. 10-1025), the court, albeit by a narrow majority, held that mere assertions of reasonable likelihood of potential future injury, or harm or costs incurred to avoid potential threatened injury are insufficient to establish standing by plaintiffs in Federal Court. In Clapper, the Plaintiffs, attorneys and human rights, legal, and media organizations whose work required them to communicate with foreign nationals, challenged the constitutionality of Section 1881a of the Foreign Intelligence Surveillance Act. The Act at issue was signed into law after September 11, 2001 authorizing the government to regulate certain governmental electronic surveillance of communications for foreign intelligence purposes. The Act was subsequently amended in 2008 to provide that the government may intercept electronic communications of foreign nationals without establishing probable cause.
The majority opinion found that “respondents lacked standing because they could not manufacture standing by incurring costs in anticipation of non-imminent harm.” Although not a data-breach case, this decision was significant in the continuously developing data-breach case law as it was used by defense counsel to oppose data breach class actions by arguing that there must be actual damages i.e., “crisis-response” or pre-breach costs or imminent harm.
As further evidence of the unsettled legal landscape in this realm, a recent decision handed down by Judge Lucy H. Koh of the Northern District of California in In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2010), found that Plaintiffs in a consolidated class action had standing to sue, despite Plaintiffs’ failure to allege actual improper use of stolen personal information. This holding is quite significant as it again shows the standing debate is far from settled.
Specifically, in July of 2013, hackers allegedly targeted Adobe’s servers and spent several weeks undetected, removing customer names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mailing addresses. Plaintiffs alleged violations of the California Civil Code in their Complaint and sought injunctive and declaratory relief.
Based upon defendants’ arguments in Clapper, Adobe moved to dismiss Plaintiffs’ claims asserting that plaintiffs in data breach litigation must assert “certainly impending” injuries and again, relying on Clapper, that possible future injuries are insufficient. Judge Koh disagreed, finding that Clapper did not change the established standing in Krottner and, even if Krottner was no longer good law, the harm threatened by the Adobe breach was certainly sufficient and imminent to satisfy Clapper. Further, the court reasoned that requiring plaintiffs to wait until they actually suffer identity theft of potential credit or debit card fraud in order to establish standing would be counter to the well-established principle that harm does not need to have already occurred or be “literally certain” to constitute injury. In addition, the court noted that requiring Plaintiffs to wait for a threatened harm to materialize in order to bring a lawsuit would pose an unique standing issue due to the potential duration of time that passes between a data breach and actual identity theft; the more opportunity a defendant has to argue that the theft is not related to its breach.
With the changing legal and regulatory landscape, companies of all sizes cannot afford the risk of being unprepared for a data breach and as such, essential preparedness should include consider either risk mitigation or risk transference. Today’s cyber security insurance primarily addresses first-party and third-party risks. First-party coverage includes loss of business income resulting from a data breach, the cost of repairing and restoring computer systems if there is a virus that destroys business software and data, costs associated with forensic analysis and crisis management to respond to a data breach incident. Third-party risks include data breach incidents that result in unauthorized access to information or personally identifiable, non-public information like bank account number, credit card numbers or Social Security numbers as well as third-party corporate confidential information.
Currently, there are specialized suites of cyber security that offer a variety of protections and services such as business interruption insurance that covers direct losses from a cyber-attack and post-breach responses including hiring forensic experts and the use of credit-monitoring services. One of the latest innovations from insurers is a broadened business interruption trigger that may provide coverage for loss of income if an insured’s system suffers an outage due to a failure of technology or failure of computer security. And, coverage for risks associated with any business process that a company may outsource such as cloud computing. Coverage is now available for losses suffered from the failure of any of an insured’s critical vendor.
As cyber and technology risks continue to evolve, cyber insurance coverage will as well. Insurance companies are continuing to accumulate more actuarial data, based on the loss history of various industries, each corporate customer’s use of technology and the corporation’s own level of security.
Elissa Doroff is an underwriting and product manager in XL Group’s Cyber and Technology Group and Jeremy Gittler manages XL Group’s Cyber and Technology claims.