In the age of Facebook, smartphone apps, and digital cookies, it is easy to take for granted the extraordinary amounts of personal information that consumers share with private entities. For certain industries – technology, retail and banking, to name a few – electronic storage of customer information is at the core of their business. The storage and use of personal information has only increased with the advent of cloud computing and the proliferation of massive off-site data centers. From a legal perspective, however, the enhanced efficiency and convenience gained from the electronic storage of customer information comes with a cost. As the growing list of firms impacted by data breaches and cyber attacks (most recently Saudi Aramco, Barnes & Noble, and Chevron) reminds us, the advantages and efficiencies of online commerce are not without risk.
A company victimized by a data breach typically faces at least three sources of potential liability:
- Lawsuits by consumers whose credit card numbers and other personal data are often the targets of attack,
- Investigations by state attorneys general and other state agencies for potential noncompliance with consumer privacy laws and
- Fines levied by credit card brands should customer credit card information have been exposed.
Perhaps the most obvious source of liability that a company faces following an information breach is from the company’s customers whose personal data was the primary target of an attack. Until recently, companies could be fairly confident that data breach lawsuits brought by customers would be dismissed. The courts were reliably unwilling to recognize that the mere exposure of personal information was a cognizable “injury in fact” without a showing of “actual harm” such as monetary losses. Courts would consistently construe a plaintiffs’ increased risk of identity theft or credit card theft as too “future-oriented, hypothetical and conjectural” to be legally compensable. Recent federal case law on the issue, however, has indicated a potential reversal of this posture.
A prime example of the shift toward a more consumer-friendly outlook is an October 2012 decision from the Southern District of California in the Matter of Sony Gaming Networks. This holding could potentially make it easier for consumer victims of data theft to establish the requisite “injury in fact” required to pursue claims against retailers and other network owners in federal court. The Sony court found that the plaintiffs – users of Sony’s online gaming network whose personal data was exposed during a cyber breach – successfully established standing to sue by showing that the disclosure of personal information raised a cognizable risk of “future harm,” even though they had not yet experienced any monetary losses. The court also found that the plaintiffs’ injuries were traceable to the defendant’s conduct, citing Sony’s failure to upgrade its network security following prior breaches of its network.
Although the court’s recognition of “standing” represented a coup for privacy advocates, the court nevertheless dismissed the case on the basis that California prohibits negligence claims for money damages that are not accompanied by allegations of personal injury or property damage. The court did allow the plaintiffs leave to amend their complaint to address the “economic loss” doctrine by showing either the existence of a “special relationship” between the parties or the presence of viable common law claims, such as fraud or misrepresentation.
The Sony court’s decision on “standing” comes in the wake of several federal cases recognizing the loss of personal data as a viable “injury” that is worthy of legal relief. For instance, the Sony decision embraced the Ninth Circuit’s 2009 holding in Krotter vs. Starbucks, where the court found that the loss of a company laptop carrying employee names, addresses and social security numbers increased the employees’ risk of identity theft and thus constituted an “injury in fact.”
In Andersen vs. Hannaford Bros. Co., the First Circuit recognized that post-breach expenditures on preventive measures like identity theft insurance, credit monitoring and new credit cards was also deserving of relief. The court held that these “mitigation damages” were compensable since they were “reasonable steps” taken by data theft victims to minimize potential losses. The Hannaford suit stemmed from the disclosure of more than four million customer records during a three-month hacking operation.
Data Breach Enforcement Actions
Beyond facing civil liability from impacted customers, companies that lose sensitive data to computer hackers may also find themselves subject to burdensome regulatory requirements and/or intrusive state enforcement actions.
Nearly all U.S. states have passed some form of “breach notification” law that requires businesses and public agencies to notify state residents whenever personal information is disclosed to an “unauthorized person.” While each state’s law requires that consumers be notified whenever their personal data is compromised, the type of information protected and the process by which consumers are contacted varies from state-to-state. New York’s statutory scheme, for example, is one of the strictest. It requires that affected consumers be informed of the categories of personal information likely to have been acquired and establishes when law enforcement and credit reporting agencies also must be notified.
Several states also authorize their attorneys general and other regulatory agencies to investigate an organization’s data security practices in the wake of a large-scale breach. The hacked entity must provide a full accounting of how the breach occurred and submit to a review of its security practices. A finding that a company failed to maintain “reasonable” security to protect stored customer data will likely result in fines and, of course, very negative publicity. In one of the most notable cases, 41 state attorneys general reached a $9.3 million settlement with TJX Company – the parent of retailers Marshalls, Home Goods and T.J. Maxx – stemming from the cyber theft of over 90 million credit card numbers used at TJX stores. Of course, the state settlement paled in comparison to the millions needed by TJX to settle VISA and MasterCard’s claims for fraudulent charges to stolen cards (see Point III below).
In the already regulated realm of personal health information, the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, now empowers state officials to bring civil enforcement suits for violations of HIPAA privacy and security rules. In addition to similar investigatory powers available for credit card breaches, HITECH also gives states the authority to levy fines against healthcare providers found to be out of compliance. The law’s aim is to improve the handling and storage of all patient medical records, not just those that are in electronic form. For example, in July, Massachusetts Attorney General Martha Coakley announced a $750,000 settlement with a hospital that lost two boxes of unencrypted data tapes containing 800,000 patient records that were scheduled to be erased.
PCI-DSS Standards Enforcement
Companies victimized by a data breach may also face liability from credit card companies that require businesses that accept their cards to adhere to prescribed security standards. Often a business is not even aware that it has been hacked until it is notified by Visa, MasterCard or another credit card company of a suspected breach. Credit card brands rely on computer algorithms to regularly analyze the purchase histories of fraudulently used cards. These algorithms search for a common point of purchase (CPP) shared by the cards prior to the time fraudulent activity began in an attempt to pinpoint a business that may have been the target of a data breach. When a CPP study reveals that a business may have been hacked, the card brand will notify the business of the suspected breach and request further information on the business’s network security.
Following this initial notification, the card brand will typically require a full forensic investigation by a Qualified Incident Response Assessor (QIRA) who investigates the source of the breach and the business’s compliance with Payment Card Industry Data Security Standard (PCI-DSS) network security standards. Should the business be found not in compliance, the card brand may fine the business and hold it responsible for the cost of reissuing cards to customers and the cost of any fraudulent purchases made with the exposed cards.
The cost of the forensic investigation and any resultant fines typically reaches into the tens of thousands of dollars. The cost of fraudulent activity and reissuing of exposed cards can easily reach into the millions. Following the 2007 data breach of TJX Companies, Inc., TJX settled Visa and MasterCard claims against it for $40.9 million and $24 million respectively.
To avoid such potential liabilities, businesses should ensure their networks’ continuing compliance with PCI-DSS requirements. In the event a business becomes the target of a credit card brand CPP study or PCI-DSS compliance investigation, it should seek out legal counsel to intervene in the investigation and negotiate with the card brand to minimize or contest any determination of liability.
If you have any questions, please contact Neal L. Slifkin at (585) 419-8636 / email@example.com, Laura W. Smalley at (585) 419-8736 / firstname.lastname@example.org, or the Harris Beach attorney with whom you usually work.
This alert does not purport to be a substitute for advice of counsel on specific matters.
Harris Beach has offices throughout New York state including Albany, Buffalo, Ithaca, New York City, Niagara Falls, Rochester, Saratoga Springs, Syracuse, Uniondale, White Plains and Yonkers, as well as Newark, New Jersey and New Haven, Connecticut.