Lawsuits following data breaches—and other cyber events—are likely to continue in 2016 and beyond.
In recent years, there have been a succession of suits following breaches—and it is clear they can come from many sources.
One source of privacy-related litigation is financial institutions, like banks, which can sue retailers to try to recover losses from breaches.
The Target data breach provides a good example. In 2015, Target settled for about $67 million in connection with Visa and more recently settled in connection with MasterCard for about $39 million. Banks filed lawsuits in connection with the losses, which were a result of the 2013 massive breach.
The Target breach also led to a lawsuit from shareholders. This kind of derivative lawsuit—which can name members of the boards of directors for failing to live up to their fiduciary duties to protect sensitive data—is another source of litigation.
So too are employees. For instance, there are multiple lawsuits from employees in response to the massive data breach involving the U.S. Office of Personnel Management. Individual government workers, as well as two large unions—the American Federation of Government Employees and the National Treasury Employees Union—sued the government for the breach that likely impacted personal information from over an estimated 21 million people.
Regulators or other government officials are still another source of litigation. For instance, despite a challenge from Wyndham Worldwide Corp., the U.S. Court of Appeals for the Third Circuit recently sided with the FTC in FTC v. Wyndham Worldwide Corp., and validated the FTC's authority when it comes to actions regarding privacy as an unfair or deceptive practice by a company. State attorneys general can also file actions against companies following a breach.
James DeGraw, an attorney at Ropes & Gray, says there also could be litigation with one company suing another, especially as more companies outsource their data-related services. Some of these cases could relate to cloud storage.
A new twist in class actions, like a recent one involving Twitter, is where settlements may pay attorney's fees and then a good part gets donated to advocacy organizations or legal organizations related to privacy—rather than people who may have been harmed. It is allowed under the cy-près doctrine and basically translates from the French to be “as near as possible.”
Yet perhaps the most obvious source of lawsuits for data breach and privacy violations are consumers.
One pressing question is: whether they have standing to bring class actions not only for actual harm, but for harm that is likely to happen in the future? Based on a recent ruling from a case involving Neiman Marcus, which experienced a massive breach, standing is given to those who expect to see future harm. The U.S. Court of Appeals in Remijas v. The Neiman Marcus Group addressed the issue of standing and whether customers impacted by a data breach are likely to be injured despite that they did not yet experience identity theft or other kinds of fraud. It offers a view on standing different from what was decided in Clapper v. Amnesty International. And it increases the chances that consumers will file litigation after breaches, attorneys say.
Similarly, now before the U.S. Supreme Court is Spokeo v. Robins, which relates to the Fair Credit Reporting Act (FCRA) and the ruling could impact who may have standing to sue in privacy-related cases. The Spokeo website allegedly had inaccurate information about Thomas Robins—a claimed violation of the FCRA, so he filed a lawsuit.
This case is unique from a lot of the other current privacy and breach cases.
“The data breach issue is somewhat different,” explains Alan Butler, senior counsel at the Electronic Privacy Information Center, which submitted an amicus brief in support of Robins in the case.
Instead, Spokeo relates to—among other things—failure to follow federal privacy law.
But Butler confirms that Spokeo could impact the data breach cases and there could be a “wide ranging potential spillover.” It all depends on how the Supreme Court chooses to rule.
Similarly, DeGraw says the Spokeo case “may provide some guidance” on the other cases.
Looking ahead, based on how the justices rule on Spokeo, the Supreme Court may even choose to hear a data breach case in the future, according to Butler.
But for now—there are many plaintiffs and possible plaintiffs who want to bring privacy-related litigation.
“More players are added all of the time,” says Ann Killilea, an attorney with McDermott Will & Emery, who formerly worked on privacy and data protection issues as an in-house lawyer with an outsourcing business affiliated with HP. “Privacy litigation is increasing…. It is with us to stay.”
Moreover, rules are changing as technology and threats continue to evolve. Killelia compares it to a snowball rolling down a hill, “getting ever and ever bigger.”
On the horizon is more machine to machine communications with the predicted popularity of the Internet of Things, as well as more use of wearable technology. Companies also have risk from their relationships with vendors. “Vendors are the weak link here in the data supply chain,” Killilea says.
For in-house counsel, it means they need to bring these lessons from the changing regulatory environment into their enterprise's privacy program.
“It's really important for us … to embed the learnings from litigation—but also to build the best compliance and best practices for the company,” Killilea says.
Companies, in turn, need to protect themselves through risk assessments, employee training, technical safeguards, data protection programs, relevant polices and best defensible practices, she says.
Expect that a legal action will follow a cyber incident, such as a breach, too.
“We can count on a challenge…,” she cautions. “Somebody is going to challenge that practice.”
But much like with the Sarbanes-Oxley Act, companies need to incorporate lessons learned into their “corporate environments,” according to Killilea.
With the start of 2016, DeGraw further urges that general counsel continue to keep an eye out on the FTC when it comes to privacy issues, especially on the kinds of enforcement actions they bring and the terms of settlements. The future Spokeo ruling is important, too. And European officials are likely to offer new rules on privacy, too—which may impact businesses in the United States.
It is notable that one phrase being seen in some regulatory guidance is “reasonable security practices,” he says. It could be seen even more.
DeGraw also urges general counsel to consider cyber insurance—and place it on “top of the list” of recommended steps. He explains that if a company has a data breach, it could include a “catastrophic event.”
“The scope of potential damages can be quite high,” he adds. So even if companies self-insure for smaller claims, he says there could be another layer to protect against catastrophic loss. Cover both data loss issues and errors and omissions related to data handling, he advises.
But Killilea says those companies examining cyber insurance need to spend a lot of time going over what is covered and not covered in policies. Involve their risk management team in the policy review. Killilea cautions that each policy can be different from the others. There can be gaps in coverage, and look to see what is covered both in investigations of breaches, call centers or notifications, as well as claims or class actions.
“Sit down and do this analytically,” she warns. “Don't purchase … off the shelf and think you’re OK.”