Like asbestos in the 20th century, electronically stored confidential information is everywhere in the 21st century. Nearly all companies store data in their computer systems relating to customers, employees, contractors and other third parties. Yet too many companies do too little to protect themselves from liability to those third parties when information is compromised through cyber attacks or negligence.
Data security breaches lead the news on an almost daily basis. In 2011 alone, entities from the profit, nonprofit and government sectors have come under intense attack by hackers, including the high-profile cases of PBS, Citigroup, ADP, Sony, Lockheed Martin, Google, the IMF and the U.S. Senate, and hackers have recently declared the Federal Reserve a future target. The cat-and-mouse game played by those looking to breach systems and those looking to protect systems is increasingly being won by the hackers. Simply put, no matter how sophisticated the IT department, no company is exempt from the danger of being hacked.
Of course, massive data breaches - sometimes involving millions of pieces of information when banks and major corporations are targeted - leave plaintiffs' lawyers salivating. Some see it as the perfect opportunity to build a multibillion-dollar legal industry on the representation of victims of identity theft and invasion of privacy in class actions.
So far, most consumer class actions filed over data breaches have ended at the "motion to dismiss" phase. Federal courts generally have applied an "actual harm" standard. This standard has evolved as a stringent one, with courts concluding that the mere theft of data does not establish liability because resulting harm is only speculative until it happens. Courts have gone so far as to characterize consequential damages like overdraft fees, new card fees, loss of reward points, increased identity theft insurance premiums, temporary lack of access to accounts and funds and the time lost in fixing a personal identity theft as too remote to justify recovery.
Standards for "harm" are changing
No matter how high the bar has been set by courts, however, companies cannot afford to be lulled into a false sense of security. Let the asbestos industry be a lesson. It took many years for the plaintiffs' bar to get courts to recognize asbestos claims as actionable, but those lawyers were nothing if not persistent. Finally, one judge allowed an asbestos claim to proceed, and the rest is history - an industry was born.
The same will happen with cyber liability. In fact, the camel's nose is already under the tent. A handful of recent federal court decisions have started chipping away at the "actual harm" standard. In December, the Ninth Circuit Court of Appeals held that Starbucks employees had standing to sue Starbucks for its loss of their personal data because they faced a "credible threat of harm" that was "both real and immediate, not conjectural." Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). Although the court ultimately found that the employees failed to state an actionable claim under their state's laws, the fact that the court found standing based on potential future harm is a radical departure from the previously prevailing body of cyber law. In April 2011, a federal judge in California went a step further, allowing discovery on certain of a plaintiff's claims despite acknowledging the likelihood that discovery will reveal the absence of actual harm. Claridge v. RockYou, Inc., 2011 WL 1361588 (N.D. Cal.). This is a potentially landmark decision because, for class actions, the process of discovery alone often leads to settlements because of its extraordinary expense and negative impact on a company's resources.
Cyber statutes are on the rise
As if the fast-approaching train of successful consumer class actions were not cause enough for alarm, more existing federal and state statutes are being applied in the cyber context, and new cyber statutes are being legislated as well. These statutes include breach notification statutes (which vary widely from state to state), the Federal Trade Commission (FTC) Act, HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Sarbanes-Oxley Act and consumer protection statutes. To date, many statutes do not provide for private causes of action, but it is possible this will change as cyber attacks continue to increase in sophistication and severity. It is also likely that consumer protection statutes, which ordinarily do provide for private causes of action, will become a focus for consumer class action cyber claims. Regardless, government agencies, especially the FTC, have begun aggressively enforcing statutes. Government investigations often last several years and cost millions in legal fees and settlement payments.
The moral of this story is that burying the corporate head in the sand is not a sustainable approach to third-party cyber liability exposure. Although it is unlikely that cyber litigation will ever match the severity of asbestos litigation, the risk of breaches and the risk of resulting liability to third parties are increasing at breakneck speed, and cyber litigation will almost certainly become an industry unto itself. One critically important component of every company's cyber risk management program is cyber risk insurance. Many good policy options have become available over the past few years, so ask your broker to assist in placing this insurance. Because cyber risk policies are not standardized and vary widely, it is also prudent to consult an insurance policyholder attorney to ensure your company is getting adequate coverage for its risk profile.