Cybersecurity Risks for Companies and their Directors
The threat of commercial crime against companies is transforming. Technology has created new and innovative ways for fraudsters to exploit individuals and companies through cyber attacks. This new face of fraud can give rise to massive liability issues for a company and its directors following the theft of personal data held by the company.
In order to navigate this new terrain of litigation risks, companies and their directors should understand the evolving scope and nature of potential liability from a cyber attack.
Computer hacking is nothing new. The Hackers Handbook was published more than 30 years ago,1 and the U.S. Congress passed the Computer Fraud and Abuse Act shortly thereafter.2 The hacktivist group, Anonymous, was formed more than a decade ago.3 Five years later, Anonymous hacked the Church of Scientology and disseminated stolen private documents across the Internet.4
Over the last few years, however, there have been several large-scale cyber attacks on sophisticated corporations in both the United States and Canada, giving rise to significant civil and regulatory liability issues for those companies and their directors:
- In December 2013, a cyber attack on Target Corp. resulted in the exposure of personal and financial information of somewhere between 70 and 110 million customers.5 As a result of this breach, Target's profit fell by 46 percent in its fourth fiscal quarter of 2013 in the United States alone.6 Between lawsuits started by financial service-providers (such as Visa and MasterCard) and customers, Target ultimately spent over $110 million combined in civil settlements.7
- In December 2013, cyber-hackers gained unauthorized access to the data-systems of Excellus BlueCross BlueShield, a nonprofit independent licensee of the BlueCross Blue Shield Association.8 The personal health data of more than 10 million members and patients was compromised, which included names, birth dates, social security numbers, member identification numbers, financial account information and claims information. As of November 2015, at least 12 lawsuits had been filed against the Rochester-based health insurer, its parent company, Lifetime HealthCare, and other Lifetime subsidiaries.9
- In January 2014, news broke of an attack on American retailer Neiman Marcus, whereby hackers obtained all debit and credit card information held by the company over a three-month period. Ultimately, 350,000 customers were affected by the hack. A class action against the company in the United States is pending.10
- In September 2014, the largest home-improvement retailer, The Home Depot, confirmed it had been the victim of a data hack, whereby more than 53 million email addresses and credit-card numbers were stolen from customers across the United States and Canada. The company has since confirmed it is facing "at least" 44 civil lawsuits in connection with the breach, in addition to a spate of regulatory investigations.11
- In November 2014, the notorious cyber-attack on Sony Pictures Entertainment Inc. wiped out the company's internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader, Kim Jong-un. Contracts, salary lists, film budgets, entire films and social security numbers were stolen. Sensitive personal emails were leaked. Sony ultimately agreed to pay up to $8 million to employees who alleged their personal data had been stolen.12
- In December 2014, the Ontario Information Privacy Commissioner issued an order against Rouge Valley Health System's Scarborough Centenary Hospital, finding that there had been two major privacy breaches regarding new mothers' personal health information, which were stolen from the hospital's maternity ward.13 The hospital now faces a $400 million class action suit brought on behalf of patients.14
- In February 2015, the American health insurer, Anthem Inc., was targeted by cyber-hackers, who compromised the personal and financial information of tens of millions of the company's customers and employees, including their names, social security numbers, birthdays, addresses, and income data. At least 26 lawsuits have since been commenced against Anthem.15
- In July 2015, a hacker-group called the Impact Team announced it had obtained the user-data of infidelity website Ashley Madison's 39 million members. When Toronto-based parent company, Avid Life Media, Inc. refused to shut down the website, the cyber-hackers exposed the usernames and credit-card transactions of Ashley Madison's executives, and thereafter, of its members. Avid Life now faces class action claims for over $750 million, in addition to pending regulatory investigations.16
These high-profile cyber attacks are warning signs that large-scale data breaches pose very real threats to corporations and their directors. Data breaches should be viewed as an inevitable business risk for which companies must prepare. In order for companies and directors to understand the nature of the risks involved, they must first understand how they may be found liable.
Scope of Liability Arising from a Data Breach
Depending on the nature of the attack, company and director liability could arise from: (1) claims by regulators; (2) claims by shareholders; (3) claims by victims; and/or (4) claims by banks and/or credit card issuers.
Within each category, liability may arise from the company's failure to take reasonable steps to prevent a data breach and/or its failure to adequately respond to the breach. Each area of exposure is summarized below.
1. Regulatory Investigations/Proceedings
The Office of the Privacy Commissioner of Canada
The Personal Information Protection and Electronic Documents Act17 (PIPEDA or the Act) functions to regulate "commercial organizations" that collect, use, or disclose "personal information".18
PIPEDA came into force on January 1, 2000, and was most recently amended on June 18, 2015, by the Digital Privacy Act (certain provisions of which have not yet come into force).19 The Act is overseen and implemented by the Office of the Privacy Commissioner of Canada.
PIPEDA's main objective is to safeguard individual privacy rights and minimize the unauthorized use or abuse of personal information (including financial information), by governing the conduct of commercial organizations. Organizations governed by PIPEDA are required to manage, protect and safeguard the personal information.20 Under the Act, organizations must, among other things:
- only use or disclose personal information for the purpose for which it was collected;
- only keep personal information as long as necessary to satisfy the purpose for which it was collected;
- implement guidelines and procedures for the retention and destruction of personal information; and
- protect personal information from unauthorized access, disclosure, copying, use, or modification.
Under the new provisions of the Digital Privacy Act, commercial organizations will also be required to:21
- notify individuals and organizations of breaches that create a "real risk of significant harm", and report such breaches to the Commissioner;
- keep and maintain a record of every breach of security safeguards involving personal information under their control.
Under these new provisions, organizations that knowingly fail to report a breach to the Commissioner, or fail to notify individuals as required, could face fines of up to $100,000 per breach – which may mean $100,000 multiplied by the number of individuals whose information has been compromised.
The Commissioner may initiate proceedings against commercial organizations before the Federal Court. If the Federal Court finds an organization non-compliant, it can:
- order the offending organization to take corrective measures;
- publish a notice of their corrective measures; and/or
- award damages to complainants.
Competition Bureau – Regulation of Unfair or Deceptive Practices
Considering the sanctions imposed by the Federal Trade Commission (FTC) in the United States, there is a prospect that organizations in Canada could face regulatory claims brought by the Competition Bureau. In the United States, the FTC has brought more than 50 enforcement actions against American companies for failing to adequately safeguard the personal information of consumers. The FTC has levied fines of up to $22.5 million (on Google Inc., for the 2012 data breach).22 The FTC has been pushing for greater authority to regulate the cybersecurity practices of companies based on its legal mandate to regulate unfair and deceptive practices.23
In Canada, the Competition Bureau investigates and oversees complaints of unfair or deceptive practices and enforces the provisions of the Competition Act.26 If the Competition Bureau finds a company non-compliant, it can initiate enforcement proceedings before the Competition Tribunal or before a civil court. Upon application by the Commissioner of Competition, the court can order a corporation with unfair or deceptive practices to pay an administrative penalty of up to $10 million and, for each subsequent order against that corporation, an amount of up to $15 million.27
To date, there have not been any reported attempts by the Competition Bureau to regulate cyber security matters based on its authority to regulate unfair or deceptive practices. However, given the approach by the FTC, the risk should not be ruled out.
Securities Commissions
If an organization subject to a data breach is a reporting issuer, it could potentially face regulatory prosecutions brought by securities commissions, including the Ontario Securities Commission (OSC).
In Ontario, the OSC administers and enforces the Ontario Securities Act.28 The OSC's stated mandate is to "provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in capital markets".29 Section 122(1)(a) of the Securities Act, for instance, makes it an offense for an organization to make "misleading or untrue" statements to the public, or to fail to disclose a fact "that is required to be stated or that is necessary to make the statement not misleading".30
Under this provision, a data hack could conceivably expose a company to large regulatory penalties. For example, if a reporting issuer promised to safeguard its customers' data using industry-standard practices, but then failed to live up to its representations, the OSC could technically initiate investigations or proceedings under section 122(1)(a). Under the Securities Act, the OSC is empowered to seek fines of up to $5 million for contraventions of Ontario securities law – including contraventions of section 122(1)(a).31
2. Claims by Shareholders
In connection with a data breach, a company's shareholders could potentially bring an action against the corporation itself or against its directors (through a derivative claim, or depending on the case, a direct claim for oppression). To date, there have not been any shareholder actions litigated in Canada arising from a cyber breach. However, the litigation faced by companies and principals in the United States may be instructive.
In connection with the Target data breach, Target's shareholders filed at least four derivative action suits, which were consolidated and brought before the District Court of Minnesota in 2014.32 The shareholders alleged that, among other things, Target's directors and officers failed to "maintain proper internal controls" or take adequate steps to prevent the attack. They also alleged that Target failed to properly notify customers about the scope of the breach after it occurred. The shareholders sought damages arising from, among other things, amounts incurred by Target from defending the various class action suits and regulatory investigations.33
In connection with the Wyndham data breaches referenced above,34 Wyndham shareholders sued the company's directors and officers (through a derivative suit) for failing to take reasonable steps to maintain their customers' personal and financial information in a secure manner, and for failing to disclose the breaches to shareholders in a timely manner.35 The action was dismissed on factual grounds. Specifically, the court noted that the board of directors had met before the breach on numerous occasions to discuss and implement cybersecurity procedures, and had held 14 quarterly meetings after the breach to discuss the response to the attack, including the adoption of security enhancements.36 While the outcome was a good one for the company and its directors, this case highlights the risks that companies and directors may face in similar circumstances.
3. Claims by Victims
Victims of a cyber breach whose data has been compromised or misappropriated are likely litigants against companies and their directors. The high profile data breaches in Canada and the United States demonstrate the scope, scale and magnitude of potential attacks. There could be millions of individual victims whose personal or financial information is exposed.
In seeking damages against a company, a victim does not need to prove specific damages arising from the data breach. The Ontario Court of Appeal has held that intrusion upon seclusion is a tort for which damages may be awarded up to $20,000.37 Given the potential number of customers/employees whose data could be compromised in a cyber attack, this exposure can be significant. In addition to the tort of intrusion upon seclusion, there are other potential damages that arise from a cyber attack, such as costs associated with identity theft.
In Canada, high profile cases involving claims by victims include:
- Ashley Madison: A $760-million class action has been commenced in Ontario against Avid Life Media.38 The plaintiffs claim damages for, among other things, costs incurred to prevent identity theft, increased risk of identity theft, mental distress, emotional upset, anguish, anxiety and depression, lost time, inconvenience, and frustration.
- Bank of Nova Scotia: A class action was commenced asserting unspecified damages against the Bank of Nova Scotia by customers whose confidential information was breached by a bank employee. The plaintiff class claims damages for, among other things, intrusion upon seclusion, inconvenience, discomfort, distress and aggravation. In the alternative, the plaintiff class seeks damages pursuant to the doctrine of waiver of tort, which are calculated by requiring the Bank to disgorge its profits during the relevant period of time. The action was certified as a class action in 2014. Leave to appeal from that decision was dismissed later that year.39
- Target: A class action is pending against Target in Quebec for compensable damages. While the action was initially dismissed on jurisdictional grounds, it was reinstated by the Quebec Court of Appeal.40 The representative plaintiff has sought damages for fear, stress, inconvenience and loss of time due to the necessity of monitoring more closely his monthly statements of accounts. In the United States, there were more than 80 class actions instituted as a result of the Target data breach.41
4. Claims by Credit Card Issuers/Banks
A cyber attack may also give rise to claims by networks such as Visa or MasterCard or related financial institutions in connection with the costs incurred by those financial institutions for the cost of replacing credit cards and reimbursing fraudulent transactions.
A 2007 data breach involving TJX Companies stores – brands like T.J. Maxx and Marshalls – involved the compromise of at least 46 million customers' information. In the face of claims by Visa, TJX agreed to fund up to $40.9 million42 for payments to certain financial institutions. TJX also settled with MasterCard for approximately $20 million.43
While the risk of a cyber attack and the corresponding claims for damages cannot be eliminated, it can be managed.
Companies should prepare and implement a data breach plan that includes steps for resisting and responding to cyber attacks. Directors should be engaged with this process. In the aftermath of an attack, there is no time to waste on last-minute plans.
A central component of the response plan should involve immediate consultation with counsel regarding a number of critical matters such as:
- whether the law requires notice to be given to third parties of the breach and if not required, whether it is advisable to do so in any event;
- the content of the notice, both so that all required information is included and because the content of the notice could later be used against the company in litigation by those individuals whose information has been compromised;
- whether a press release should be issued and, if so, what it should contain;
- an internal investigation to determine how the breach occurred so that steps can be taken to contain the breach and rectify the weakness in the system. The investigation should be overseen by external counsel so that solicitor/client privilege remains over the investigation report and witness statements;
- what steps are necessary to contain the effects of the breach and to prevent any further breach; and
- cross-border implications of the data breach.
Companies and their directors should consult with counsel on a routine basis in order to ensure that their data breach plan factors in the evolving legal requirements or standards expected of companies.
Further, in the event of an attack, it is imperative for companies to consult with counsel as soon as possible, in order to avoid any legal missteps that could result in increased litigation claims and/or greater financial consequences.