Data breaches: legal limitation
Not a month goes by that the media isn’t reporting another major data security breach, typically involving customer credit card data. Data breaches are spiking and affecting millions of retail customers. In the most highly publicized case, credit card information for more than 110 million Target customers – which included names, mailing addresses, phone numbers and email addresses – was stolen by hackers. That cyber-theft was followed by attacks on the personal data of 1.1 million Neiman Marcus clients, 2.6 million customers of Michaels Stores, and others.
Once a data breach has occurred, companies can take certain steps to contend with legal damages and try to minimize them. But most experts say boards must anticipate the inevitability of hacking and prepare a strategic plan before it happens.
Before exploring how to limit the legal consequences of an actual incident, companies must first ‘plug the hole’ and figure out the extent of the damage in order to determine their legal exposure, explains Brian Henchey, a partner at Dallas-based law firm Baker Botts. Conducting a forensic analysis reveals whether the data loss includes customers’ financial or health data and what kind of liability the company faces. Determining who’s at fault – the company or a third-party vendor – also plays a role in assessing legal damage, he says.
The reality is that most firms will likely face data security losses at some point. ‘This type of risk is almost omnipresent,’ Henchey points out. ‘You can be the best in the world at cyber-security and still get hacked.’
Preparing in advance for the inevitable intrusion is the most propitious way to operate. ‘Get your house in order,’ Henchey advises. Perform regular risk assessments and security compliance audits. What are the major risks the company faces regarding cyber-security? Are the gaps closed? Are all third-party vendors committed to cyber-security? Is there an organizational plan in place that outlines the specific roles legal, audit, IT and PR play if there is a security breach?
Individual and class-action lawsuits
Companies whose systems have been infiltrated face legal suits from two types of consumer claimants, says Nicholas Deenis, a Malvern, PA-based partner at the law firm Stradley Ronon Stevens & Young. Both individual suits and class-action suits claim the theft of personal data contributed to personal financial losses. Some plaintiffs may say the loss of data led to fraudulent charges on their credit cards. Given that, in most cases, credit card issuers are legally obliged to cover fraudulent claims, it’s often the future potential damage on which claimants base their suits. If these funds are not reimbursed, those claimants have a legitimate claim, Deenis says.
If the person’s identity has been stolen because of the theft of personal information, the filer must stipulate exactly what has been lost and what damage has been suffered. ‘There are many cases that, in fact, have been filed where the court has found no loss or damage and dismissed them,’ Deenis notes, adding that just having a phone number or email address stolen is not sufficient grounds for a suit.
But where fraudulent charges are not reimbursed, a legitimate claim arises. Offering the claimant free identity-theft protection or credit monitoring often isn’t enough to forestall the legal suit. ‘Credit monitoring is not a way to fix a potential loss of personal information,’ Deenis explains.
Attorneys invariably look for opportune targets to sue. ‘It is strategically wise for plaintiffs’ attorneys to target defendants that have the ability to pay a judgment and whose disposition in the case increases the probability that they will settle,’ notes David Thaw, a fellow at the Information Society Project at Yale Law School who is joining the University of Pittsburgh Law School in the fall. Avoiding negative PR will be another reason to settle, he adds.
An additional strategy for minimizing damage to the firm that has been hacked is to ‘shift the blame, or what attorneys call contributory negligence,’ Thaw asserts. What that means is
demonstrating that the company took every reasonable step to ensure computer security but a third-party vendor was to
blame for the hackers’ ability to
infiltrate the system.
Moreover, when lawsuits cite a litany of damages, one line of defense for the company is to say ‘show me the monetary damages,’ Thaw continues. It can be difficult to prove, for example, that identity theft derived from a singular data breach.
What may be of greater concern to companies are legal suits initiated by banks and credit card issuers, seeking reimbursement for losses they suffered for reissuing cards to affected customers and reimbursing customers for fraudulent charges, Deenis says. Several banks and credit card companies have filed suits against Target seeking substantial damages for their costs.
For example, when the Jim Thorpe Neighborhood Bank filed a class-action suit against Target in a Minnesota state court in January 2014, it claimed ‘customer account data flooded the black market and continues to this day.’ The security breach occurred due to ‘Target’s failure to heed warning signs and take appropriate steps to secure its systems.’ Therefore, the Jim Thorpe Bank needed to ‘close and open new cardholder accounts, reissue credit and debit cards, monitor customer transactions, and/or pay unauthorized charges to cardholder accounts.’
After a breach has occurred, it can be difficult to mitigate the legal repercussions, says Michael Overly, a Los Angeles-based partner with Foley & Lardner who specializes in security issues. Indeed, Overly says many firms are taking steps that exacerbate the situation rather than minimize any potential damages. For example, too many companies don’t carry out a thorough investigation to nail down exactly what the ‘nature and breadth of the breach is,’ he explains.
The most common mistake many companies make in data security cases is responding slowly to the theft of customers’ personal data. ‘The longer you delay, the harder it is to reconstruct what happened,’ Overly warns.
Often it’s not a single breach that takes place, but a series of invasions of personal material over a sustained period, as with Target. After the initial breach at Target, the problems escalated. Had the issue been addressed fully early on, the data loss could have been curtailed. Too often denial is a firm’s initial response, which delays dealing with the problem and restricting it.
Companies have tried to minimize consumer wrath by offering discount coupons for a limited time, free identity-theft prevention and credit monitoring, as Target did, notes Peter Henning, co-author of the book Securities crimes and a law professor at Wayne State University. But all these gestures may not reduce the risk of legal exposure, he adds.
Philip Smith, senior vice president of government solutions at Chicago-based information security and compliance company Trustwave, says most often firms are sued for negligence: security weaknesses enable hackers to steal information, and merchants are ultimately responsible for protecting credit card data.
A stitch in time
Responding quickly to allay customer concerns can also alleviate some of the negative PR. For example, when Overly represented a healthcare provider, it confirmed that patient data had been accessed without authorization. But it hadn’t yet determined the full extent of the damage and whether that data had been lifted from the servers and was used for any nefarious purposes.
Senior management had to choose whether to alert customers affected by the breach or wait until a full investigation had been conducted. It decided that early notification would be most beneficial for its clients and notified them of the breach via email and mail. Overly says responding quickly to a client’s stolen material limits not only potential financial damages, but also legal and reputational problems.
Many firms are reluctant to notify customers before doing extensive due diligence, however. Henning says Target and Neiman Marcus were slow to respond and slow to inform customers, and those delays exacerbated an already difficult situation and triggered pretty negative PR. ‘They treated it like an internal problem,’ he says.
A matter of governance
Moreover, shareholders have a right to know of any major issue that affects the material performance of a company. ‘The damage to your business reputation and your ability to operate can be so significant,’ Henning says, ‘that it goes beyond the question: Is it material?’
Legally, Deenis notes that companies have until the next quarter’s earnings report to notify shareholders about data breaches and losses. For example, Target’s data breach occurred in December 2013, but it waited to explain the business impact until its 10K was due in March 2014.
A Target spokesperson told Bloomberg News that ‘Target will fully comply with the SEC’s rules in that report, including an update to the material risks related to cyber-security and cyber-incidents, as well as a discussion of the financial impact of the data breach, to the extent known.’ Nonetheless, the delay caused US Senator John Rockefeller to question why the company ‘has not yet reported the massive data breach [it] recently suffered to the SEC’.
Directors can take a proactive role and try to convince their companies to take security breaches more seriously, try to prevent them, and set up policies that contribute to minimizing any legal damage. Boards can request detailed reports on what security measures are being taken to prevent cyber-crime. In industries such as healthcare and financial services, boards are mandating that policies be created to limit damage, Overly suggests. For example, when any data is shared with a third party, client data must be protected in order for the agreement to be signed.
The most effective way to manage any losses is ‘to be as proactive as possible,’ Overly points out. The more transparent companies are in disclosing what has occurred and the potential effect on customers, the better. When firms withhold information about data breaches, customers think they’re hiding something and feel uneasy.
‘It’s all in the communication,’ Overly explains. ‘That’s why companies are hiring consultants to do forensic examination and PR staff to make sure communication is handled properly.'