2015 seemed to be the year of the data breach. According to the predictions of cybersecurity experts at Raytheon|Websense, we could see an increase in cyber breaches in 2016, with U.S. presidential election cyber-antics; cybercriminals pickpocketing phone wallets; and an increase in vulnerabilities from the aging Internet, among other security challenges.
In addition to an increase in data breaches, privacy attorneys expect that large-scale breaches, along with companies' handling of personal information, will cause a large wave of cybersecurity litigation moving forward, even as the heightened publicity of some attacks hasn't yet translated into a larger number of suits or more successful results for plaintiffs in class actions.
Inside Counsel recently sat down with Michael Whitener of VLP Law Group to discuss the double risk companies will face in 2016 of an increase in cyber breaches and potential litigation.
“When Willie Sutton was asked why he robs banks, he famously replied, ‘Because that’s where the money is,’” said Whitener. “Today, the money is in the vast amounts of data being collected, both personal and corporate, so naturally this data is targeted by modern-day criminals.”
While robbing a bank in Willie Sutton’s day involved a lot of personal risk, modern cyber-criminals can commit crimes from behind their laptops and then cover their tracks. There has also been a rise in data hacks motivated by a desire to inflict reputational damage on a company rather than for financial gain – witness the Ashley Madison hack.
Only a short way into 2016, cyber breaches have already been reported. The FBI has alerted Time Warner Cable that 320,000 customers' email passwords may have been compromised by a phishing attack. TWC responded that it “has found no evidence of a breach in its systems that operate and secure email accounts for our customers.” In another example, Hyatt Hotels is reaching out to victims of a data breach that occurred in more than 250 of its properties in 50 countries. An investigation identified signs of unauthorized access to payment card data from cards used at certain Hyatt-managed locations, primarily at restaurants, between Aug. 13, 2015, and Dec. 8, 2015, according to Hyatt Hotels.
So, why do privacy attorneys expect that large-scale breaches will fuel a larger wave of cybersecurity litigation moving forward? According to Whitener, because the risk of data breaches has become so well publicized, no company has an excuse for not taking every reasonable measure to protect the data it collects. So, when there’s a breach, inevitably there will follow an assessment of why the breach occurred, how quickly the breach was remedied, and what the damages are, he said.
“We are now seeing litigation aimed not just at faulty security protocols that may have allowed a breach to occur in the first place, but also failure to immediately take action to remedy the breach,” he explained.
For instance, the recent suit by Affinity Gaming against cybersecurity firm Trustwave argued that Trustwave failed to contain a breach it was hired to stop. The heightened publicity of some attacks has not yet translated into a larger number of suits or more successful results for plaintiffs in class actions. “The challenge with bringing class actions is meeting the legal requirements for certifying the class of plaintiffs,” he said.
In particular, the Supreme Court’s Clapper decision in 2013 is cited by defense lawyers for the proposition that the mere risk of future injury from a data breach is not an “injury in fact” as required under class action law. Following the Target data breach involving credit card information in 2013, a class certification was granted, but on the basis that the banks bringing the class action had suffered actual injury by incurring various expenses stemming from the breach.
“The battle over whether data breaches justify class action claims will no doubt intensify in 2016,” said Whitener. “Keep in mind, however, that data breach claims are often settled before the case reaches the contested class certification phase, so the number of class actions successfully brought isn’t the sole measurement of successful claims.”
In the next five years, he suspects we’ll see more huge data breaches, more suits for damages, and more legislation at the state, national and international level expanding the rights of individuals to bring claims when their personal data is compromised. With the advent of the “Internet of Things” era, there will be more data collection, transfer, storage and processing than ever before, and more opportunities for criminals to seize and monetize that data.
Additionally, we will see a continuing arms race between companies and their service providers to establish effective firewalls and other cybersecurity solutions against data breaches, and cyber criminals using ever bolder and more sophisticated techniques for getting around those security mechanisms.
He added, “I’m sure we’ll see more and more companies treating privacy and data security as competitive advantages rather than purely a defensive play, so they’ll be promoting their superior technologies and practices for keeping data secure.”