These days, conversations about enterprise risk are often dominated by the topic of cybersecurity. One aspect of this risk involves potential civil liability for cybersecurity problems, especially where personally identifiable information (PII) is exposed. The Sedona Conference, long considered a bellwether of e-discovery thought leadership, has set its sights on cyber liability. At a recent Sedona Conference dialogue bringing together a diverse group of judges, law enforcement officers, prosecutors, regulators, corporate counsel, cybersecurity consultants, plaintiff and defense lawyers (and probably others), several theories of cyber liability were discussed.
Data breach notification laws provide a rich source of potential claims where cybersecurity is breached. At last count, 46 states have enacted such laws, and these laws are based on varying definitions of PII. In addition, federal laws aimed at certain industries provide other definitions of PII. Examples of data elements included under the definitions of PII under these laws include social security numbers, driver’s license numbers and account numbers. Many times, companies have been sued for alleged failures to disclose required information about security breaches in a timely manner. However, because the definition of PII varies among state and federal laws, business enterprises face vexing challenges in assessing the scope of their legal obligations and in developing appropriate security safeguards for different data and systems in light of those obligations.
Creative lawyers have also attempted to use other statutes as the basis for cyber breach-related claims. They have argued that when consumer credit data held by a consumer credit agency is disclosed through cyber breach, that agency has “furnished” such data to a third party in violation of the Fair Credit Reporting Act. Courts have rejected this theory, viewing the data as having been stolen and not furnished. It has been suggested that the Stored Communications Act might provide a basis for civil liability in the right cyber breach scenario, but this theory has not been validated.
Unfortunately, cybersecurity claims based on alleged statutory violations may be among the better-delineated theories of liability that have been applied in situations where PII is compromised. The application of common law negligence claims to cyber breaches adds another dimension of complete uncertainty to evaluating whether cybersecurity defenses pass the “reasonableness” test. In addition, breach of contract (express and implied) may prove to be a viable claim where PII is exposed through cybersecurity breaches. Many user agreements contain a general promise that “standard” security measures will be applied to customer-provided data. If a company receives and stores customer PII, this could potentially create an implied duty to protect it with “reasonable” security measures.
Business enterprises and others holding valuable data are caught in an unremitting barrage of cyber assault. While many of the attacks may be perpetrated by sophisticated actors like nation-states and international organized crime, at the same time barriers to entry for cyber criminals continue to fall, as user-friendly tools for hacking proliferate on the Internet. As if the challenges of defending valuable data under conditions of active cyber warfare were not enough, enterprises suffering successful attacks that compromise PII or other third-party data may face civil liability based on a variety of statutory and common law claims.
While many of these types of lawsuits to date have been unsuccessful, the stakes continue to increase as data becomes the lifeblood of so many kinds of businesses. The pace of developments in cyber warfare and corresponding cybersecurity will necessarily make legal standards of reasonableness or fairness fast-moving targets. The absence of “safe harbors” for specific security measures is inevitable. Accordingly, civil liability for cyber breaches is not a risk that can be eliminated by, for example, implementing advanced encryption protocols or network intrusion detection systems. However, awareness of the evolving application of statutory and common law to cybersecurity as one element in evaluating security programs and architecture is essential to responsibly addressing enterprise risk.
The views expressed are those of the author and do not necessarily represent the views of Ernst & Young LLP.