Companies that experience a data breach may be exposed to more than merely bad publicity. A company whose data (such as customer social security numbers or credit card and bank account numbers) has been compromised may be required to comply with a complicated legal regime, often requiring notice to affected individuals. Moreover, that company may also face potential class-action litigation alleging that it was negligent in securing confidential information, allegations that must be defended. While large companies like TJX Companies, Sony, LinkedIn, and most recently Yahoo!, have experienced breaches, smaller companies, too, may be targeted by hackers. The first step for a company holding any type of sensitive consumer data is consultation with security experts to effect necessary security precautions. However, if a company’s server or database is compromised, there are prudent steps that may be taken in response. This article addresses two legal issues that may confront companies that have suffered a breach: (1) the various notification requirements that may arise, and (2) the potential class action lawsuits that may follow.
Data Breaches: A Very Real Risk
Data breaches are a risk of doing business for all companies. In March 2007, TJX Companies, Inc., which includes the retail chains T.J. Maxx and Marshalls, revealed that hackers had gained access to the company’s computer system and stolen customer information over the course of 2005 and 2006, including 45.6 million credit and debit card numbers. See Jaikumar Vijayan, TJX data breach: At 45.6M card numbers, it’s the biggest ever, ComputerWorld, Mar. 29, 2007, available at https://www.computerworld.com. In April 2011, Sony, the Japanese electronics company, reported that hackers breached its PlayStation Network and stole the names, addresses and possibly credit card data belonging to 77 million user accounts. See Liana B. Baker & Jim Finkle, Sony PlayStation suffers massive data breach, Reuters, Apr. 26, 2011, available at http://www.reuters.com. Recently, in June 2012, hackers breached the social networking site LinkedIn and stole more than six million users’ passwords. See Nicole Perlroth, Lax Security at LinkedIn Is Laid Bare, N.Y. Times, June 10, 2012, available at http://www.nytimes.com. And, in July 2012, hackers breached the data of the popular email providers Google, Yahoo!, and others, exposing almost half a million login credentials. See Yahoo Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users, N.Y. Times, July 12, 2012, available at http://www.nytimes.com. A 2011 study calculated that, across the 662 security breaches reported the previous year, the average data breach cost a company $2.4 million to remedy. See Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches, NetDiligence (June 2011), netdiligence.com/files/CyberLiability-0711sh.pdf.
When a company does suffer a breach, the natural question is: what next? The answer may be notification.
Navigating the Notification Regime
Companies in a few specific industries must comport with the notification requirements of federal statutes. Financial firms and health care companies must adhere to the reporting requirements of, respectively, the federal Gramm-Leach-Bliley Act, 15 U.S.C.A. §§ 6801-6809 (West 2010) (“GLBA”), and the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C.A. § 17932 (West 2010) (“HITECH Act”), which addresses the disclosure of confidential health information and encompasses an even more complicated reporting regime, beyond the purview of this article.
The GLBA, for example, requires companies defined under the law as “financial institutions” to ensure the security of customers’ personal information. Financial institutions are defined as businesses that are engaged in certain “financial activities” such as traditional banking, lending, and insurance functions, along with other financial activities. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15738 (Mar. 29, 2005) (the “GLBA Guidelines”); 15 U.S.C.A. §§ 6805, 6809. The GLBA Guidelines state that when a financial institution becomes aware of a breach, the institution should conduct a reasonable investigation to determine if the information has been, or will likely be, misused. GLBA Guidelines at 15738-39, 15752. If the institution determines that misuse has occurred or is reasonably possible, the institution should notify the affected customers. Id. at 15739, 15752. An institution may limit the notification if it can determine which customers’ information has been improperly accessed. Id. at 15739-40, 15743, 15752. The GLBA Guidelines also address the information to be included in any notification given to customers. Id. at 15739, 15752-53.
The obligations of financial firms and health care companies who experience data breaches are not limited to reporting requirements under federal law. All companies, including these, must contend with the data breach notification statutes of 46 states, plus the District of Columbia, Puerto Rico, and the Virgin Islands. See 15 U.S.C.A. § 6807. Notably, these statutes focus on the residence of the individual whose information was compromised. Therefore, many companies, especially those that conduct business online, may be required to comply simultaneously with the notification statutes of nearly all states.
The California Model
In 2003, California led the way in implementing the first state data breach notification statute, which then served as a model for other states, albeit with certain critical differences. See Cal. Civ. Code § 1798.82(a) (West 2012). As the model, it is helpful to examine the statute in greater detail and see how subsequent state statutes embraced or diverged from California’s example.
Generally, the California statute requires that companies notify California consumers if personal information maintained in their computerized data files has been compromised by unauthorized access. Specifically, companies that conduct business in California, even if from abroad, must notify California consumers when their names are obtained without authorization from a server or database along with other personal information such as their Social Security number, driver’s license number, account number, credit or debit card number, security code or password for accessing their financial account, medical information, or health insurance information. Id. § 1798.82(a), (h).
Under the statute, a data breach is defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Id. § 1798.82(g). In effect, California has a strict liability regime where any unauthorized acquisition requires notification, regardless of whether there is an injury to the consumer. Id. § 1798.82(b). California does, however, provide an encrypted data safe harbor, meaning that notification is not required if the compromised information was encrypted. Id. § 1798.82(a). Moreover, California does not require notification if the information illegally obtained is publicly available. Id. § 1798.82(i)(1).
If a company’s consumer information has been compromised, the company must notify the affected consumers “in the most expedient time possible and without unreasonable delay.” Id. § 1798.82(a). Notice may be given by mail or electronically. However, the statute provides exceptions if actual notice would be too expensive, unwieldy, or simply impossible. If the company can demonstrate that the cost of providing notice would exceed $250,000, that the number of affected individuals exceeds 500,000, or that the company does not have sufficient contact information, then the company can instead provide email notice, conspicuous posting of the notice on the company’s website, or placement of the notification in major statewide media. Id. § 1798.82(f), (j)(3). Importantly, California’s statute encourages, but does not explicitly require, companies that experience a data breach to conduct internal investigations. Id. § 1798.82(a), (d)(2)(E).
New York’s Notification Statute
Though New York’s data breach notification statute shares many characteristics with California’s statute, it differs in several important respects. While California enumerates what specific data constitute protected information, New York maintains an expansive, generalized definition. The statute defines “private information” broadly as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” in combination with the person’s social security number, driver’s license number or other identification card number, or account, credit or debit card number along with the access code or password. N.Y. Gen. Bus. Law § 899-aa(1)(a)-(b) (McKinney 2011).
New York also diverges from California in defining what constitutes a breach that requires notification. Where California has a near strict-liability regime, New York’s statute is unique in including a non-exhaustive list of factors that may be used to determine if the information has been acquired without authorization — although, in the end, the factors (and the indication that the list is non-exhaustive) may lead to the same near strict-liability result as the California statute, requiring notification of any “breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” Id. § 899-aa(2) (emphasis added). These factors include indications that (1) the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information, (2) the information has been downloaded or copied, or (3) the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported. Id. § 899-aa(1)(c).
Like California’s, New York’s statute permits electronic notice. Id. § 899-aa(5). New York’s statute also explicitly allows telephone notice. Id. New York’s statute, too, has an encrypted data safe harbor and exempts publicly available information. Id. § 899-aa(1)(b). The timing of a company’s disclosure of a breach may take into account “measures necessary to determine the scope of the breach and restore the reasonable integrity of the system,” thereby encouraging, but not mandating, companies that experience a data breach to conduct investigations. Id. § 899-aa(2).
Penalties for Violations of Notification Statutes
A company may face penalties if it fails to comply with the applicable notification statutes. These penalties, too, differ among the states. Several states, including California, have an express private right of action under their respective statutes. Cal. Civ. Code § 1798.84 (West 2012). Others, like New York’s, enable the Attorney General to seek actual damages and injunctive relief, but not to the exclusion of “any other lawful remedy available” – implying, if not explicitly allowing, a private right of action. N.Y. Gen. Bus. Law § 899-aa(6)(a)-(b). Some states increase the penalty if the violation was knowing or reckless. For example, if a court determines that a company violated New York’s notification statute knowingly or recklessly, the company may be liable for the greater of either $5,000 or up to $10 per failed notification, so long as the latter does not exceed $150,000. Id. § 899-aa(6).
Divergences among the States over Notification
A perusal of the other notification statutes reveals that, while the states modeled their respective statutes after California’s, the statutes, like New York’s, contain differences, some nuanced and some distinct. See, e.g., Iowa Code Ann. § 715C.1(11)(e) (West 2012) (does not limit the statute’s scope only to computerized or digital information, but also applies to biometric data like fingerprint or retina images); Neb. Rev. Stat. § 87-802(5)(e) (2010) (same); Kan. Stat. Ann. § 50-7a02(a) (West 2012) (rejecting California’s strict liability regime and defining breach in reference to the risk of harm to the affected consumers).
Indeed, there are many nuanced distinctions across the various state, commonwealth, and territorial notification statutes, and it is prudent for a company that has experienced a breach (or would like to set up protocols in advance of a data breach) to consult with legal counsel and security experts to determine the precise requirements of notification in the jurisdictions reached or serviced by its business.
Negligence Claims in the Wake of Data Breaches
Even if a company fully complies with the applicable state notification statutes after suffering a breach, a class action lawsuit on behalf of those individuals affected may be brought, alleging that the company was negligent in securing its confidential information. However, nearly all the class action suits that have been brought against companies in the wake of data breaches have failed. Typically, plaintiffs have had difficulty establishing standing and/or that the breaches caused actual injuries. With few exceptions, even where plaintiffs have established standing, courts have dismissed such suits because the alleged damages were too speculative.
For example, in Pisciotta v. Old National Bancorp, the Seventh Circuit upheld the district court’s dismissal of the plaintiffs’ negligence claim in a data breach case. 499 F.3d 629, 635 (7th Cir. 2007). Old National Bancorp operated a marketing website on which individuals seeking banking services could fill out online applications for accounts, loans, and other banking services. The online application required customers to disclose personal information. The bank’s website was subsequently hacked, compromising the customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. Bancorp’s customers who had used the website sued, alleging that the bank was negligent in securing their personal information. Though the court found the plaintiffs’ allegations sufficient to confer standing in federal court, the court ultimately dismissed the suit for failure to state a claim, finding that, without more tangible harm, the plaintiffs’ allegations of increased risk of future identity theft were not compensable damages under applicable state law. Id. at 639-40.
Similarly, in Krottner v. Starbucks Corp., the Ninth Circuit upheld the district court’s dismissal of the plaintiffs’ negligence claim in the wake of a data breach. 406 Fed. Appx. 129 (9th Cir. 2010). The plaintiffs were former Starbucks employees whose names, addresses, and Social Security numbers were stored on a laptop that was stolen from Starbucks. The plaintiffs alleged that the breach increased their risk of future harm, which the court held was insufficient to plead damages under the controlling Washington statute and dismissed the complaint. Id. at 131 (Washington law required “[a]ctual loss or damage . . . mere danger of future harm, unaccompanied by present damage, will not support a negligence action” (citation omitted)).
An identical outcome was reached in Caudle v. Towers, Perrin, Forster & Crosby, Inc., a Southern District of New York litigation. 580 F. Supp. 2d 273 (S.D.N.Y. 2008). The named and putative class plaintiffs sought recovery from the defendant, a pension and benefit consultant to their employer, for costs incurred for multi-year credit monitoring and identity theft insurance after notification that laptops containing personal information, including social security numbers, of thousands of employees had been stolen from the defendant’s offices. Id. at 275. The laptops had been password protected. Id. Although the court held that the plaintiffs had established standing, the allegations of possible future harm were deemed insufficient to state a claim. New York “[c]ourts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy.” Id. at 284 (citation omitted). See also Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (where a hacker breached the company’s payroll system and gained access to the confidential information of 27,000 employees at 1,900 of the company’s clients, including their names, birthdates, Social Security numbers, and bank account numbers, the court found the plaintiffs’ allegations of injuries too speculative to confer standing, because the complaint did not allege that the hacker (1) read, copied, and understood the information, (2) intended to illegally misuse the information, or (3) was able to make unauthorized transactions in the affected individuals’ names).
First Circuit Allows Claim to Proceed: A Revolution or an Aberration?
Last year, in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), the First Circuit seemed to upend this consensus. However, the facts of this case are unique enough that the court’s decision may prove to have narrow application. In Anderson, hackers stole millions of credit and debit card numbers, expiration dates, and security codes from the consumers of Hannaford, a national grocery store chain. The plaintiffs alleged that thousands of unauthorized charges were made to their accounts as a result of the breach, and that Hannaford was aware of this fraud. Id. at 164. The First Circuit, in reversing the district court’s dismissal, found that, under Maine law, the plaintiffs may recover costs incurred during reasonable efforts to mitigate damages caused by another’s negligence. Id. at 162. The First Circuit emphasized that, in this particular case, actual fraud occurred and thus found it reasonable that the affected individuals would purchase credit insurance or obtain new credit cards and pay the associated fees. Therefore, the court concluded that the plaintiffs’ claims for the costs of the identity theft insurance and replacement card fees involved actual financial losses that were foreseeable by the company and therefore might be recoverable as mitigation damages. Id. at 166.
The facts of Anderson, however, differ from those of Pisciotta, Krottner, and Reilly. In Anderson, the plaintiffs established that (1) actual fraud occurred and (2) the hackers “used that data to ring up thousands of charges to customer accounts, including the accounts of many of the plaintiffs.” Id. at 165. In Pisciotta, Krottner, and Caudle, by contrast, the plaintiffs did not plead that any actual fraud resulted from the data breaches.
The Costs of Settlement
To avoid protracted and expensive discovery along with ongoing negative publicity, some companies have entered into costly settlements. For example, after hackers stole customer information from TJX Companies in 2007, the company quickly entered into a settlement agreement with the affected consumers. In the settlement, TJX Companies agreed to provide a certain number of affected consumers with three years of credit monitoring, compensate affected consumers who could show actual losses resulting from the breach, and pay $6.5 million in attorney fees. In approving the settlement, a court estimated that the terms would cost the company $200 million. See In re TJX Cos. Retail Sec. Breach Litig., 584 F. Supp. 2d 395, 401 (D. Mass. 2008). Additionally, in order for the company to protect itself from further liability, TJX Companies and a group of 41 state attorneys general preemptively agreed to settle all civil claims that might arise from the breach. TJX Companies agreed to pay $9.75 million to the states, which was directed towards the implementation of a multi-state comprehensive information security program. See Jaikumar Vijayan, TJX reaches $9.75 million breach settlement with 41 states, ComputerWorld, June 24, 2009, available at http://www.computerworld.com.
Although courts have, on balance, tended to dismiss consumer claims against companies arising from data breaches, companies should not underestimate the seriousness of these claims outright. The First Circuit’s recent decision in Anderson potentially opens the door for other courts to expand the scope of liability in data breach cases, or at the very least provides plaintiffs with potential guidance on drafting a pleading and framing damages in a way that could survive a motion to dismiss. Furthermore, even where a claim is ultimately meritless, plaintiffs still have considerable leverage given the costs and disruption of discovery.
The internet is a tremendous resource for companies to grow their businesses and reach new markets; however, it also provides opportunities for hackers to subvert companies’ security systems and steal consumer, client, and/or employee information. This is a reason, in itself, to secure data through encryption and other safeguards. A security breach calls for a prompt response, often including an investigation to ascertain the source and scope of the breach and consultation with counsel to determine potential responsive actions. Depending on the results of the investigation and applicable state laws, a company may need to notify certain affected consumers. Data breach response is a complicated and cumbersome process in which the manner of notification is both a legal and business decision. And while courts have largely dismissed consumer class actions for failure to plead compensable damages, recent case law from the First Circuit is cause for further analysis and caution. Thus, it would be prudent to consult with counsel in advance of a data breach – but most certainly in the event of one.
Summer Associates Daniel Lennard, David Mayo, Anna Schoenfelder, and Alexander Traum.