Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.
I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
- What does your crystal ball tell you about the future of consumer breach litigation — passing fad, or significant trend?
Significant trend. Over the last several years, a sophisticated worldwide market for stolen personal and financial information of U.S. residents has emerged. This data sells well because it can be used to perpetrate other frauds and is extremely lucrative for data thieves.
Because data theft is still viewed as “low-risk” crime (perpetrators are difficult to track and oftentimes reside in a country where there is no risk of extradition to the United States), cyber-thieves are incentivized to come up with innovative ways to obtain consumer information and meet market demands.
For years, major companies neglected to invest in data security because it was not a priority or the risks were not as apparent as they are today. Until companies start recognizing these risks and making data security a priority, cyber-thieves will continue to exploit inadequate data security and consumer data breach litigation will continue trending upward.
- What makes such claims challenging for a consumer class? Hasn’t the standing requirement of actual harm under Clapper been a significant obstacle for plaintiffs?
The lesson of Clapper is that plaintiffs must allege harm in the Complaint. As we explained in a recent Trial magazine article, taking great care in alleging harm on the front end has largely blunted attacks to the Complaint under Clapper. Target may be the best and latest example, but it’s certainly not an aberration. There’s little doubt that judges are much more aware of the effects of a data breach, and very likely have been a victim (or have had a family members as victims) of a data breach. These dynamics make it much less likely that these cases will be dismissed on Clapper grounds.
- It seems as if the first consumer lawsuits are being filed within 24-48 hours of the public announcement of a mega breach. Do you think federal court consolidation will remain commonplace?
This is client driven. As consumers become more informed about data privacy and the harm they can suffer from a data breach, they are much more likely to contact a lawyer and seek to protect their rights.
When multiple cases are filed, the Judicial Panel on Multidistrict Litigation typically will coordinate the cases before a single federal court. The JPML has typically coordinated these cases in the defendant’s home jurisdiction, but recently sent the Anthem data breach case to the Northern District of California despite the fact that Anthem is located in Indianapolis.
- Is cyber insurance beginning to have an impact on how you frame your legal theories, or on how the defense is handled?
From the plaintiffs’ perspective, cyber insurance has little to no impact on how legal theories are alleged. In many cases, response expenses and defendant’s attorneys’ fees have significantly exhausted the policy by the time the litigation is underway.
While insurance may have some impact on how defense counsel chooses to litigate the case, we have not identified any major differences in strategy depending on whether the defendant has cyber insurance.
- What are the most common shortcomings you see in companies’ data security posture?
These are surprisingly consistent in the cases we’ve seen and typically fall into three categories:
- Refusal to invest in upgrading computer security systems on a regular basis, including refusal to purchase and upgrade antivirus and malware detection software;
- Refusal to conduct regular independent audits by third-party vendors and implement any recommendations; and
- Understaffing IT security personnel with expertise in data security and security breach prevention.
- Same question for after companies detect a breach — what are the most common failures you see in companies’ breach responses?
The biggest problem we see is the lack of timely and truthful notification to the affected individuals about the breach. In almost every case, the company tries to downplay the severity of the incident and tout the sophistication of the cyber-thieves rather than simply provide the affected individuals with the facts they need to prevent further harm. This includes explaining: (a) what happened; (b) who was affected; (c) what information was compromised; (d) whether evidence of misuse has already occurred; (e) whether the company’s systems are still at risk; and (e) best courses of action to take to minimize future harm.
- When representing consumers affected by a data breach, how do you go about establishing what reasonable security looks like?
Ultimately, a legal standard for reasonable security will need to be defined as part of national legislation. But this is really beside the point. Cyber-thieves do not target companies that have reasonable security in place; they identify and attack the easy targets. In most cases where a major security breach occurred, there is evidence establishing not only that the company’s security systems were woefully inadequate, but also that the company knew about it and did not believe the risk of a security breach was worth the cost of upgrades.
- What do you usually look for or rely on to help you establish what constitutes reasonable security?
Even without legislation there are some objective benchmarks for reasonableness. For example, any retailer that wants to accept major credit cards is obligated to comply with the Payment Card Industry Data Security Standards (PCI-DSS) to protect customer and payment card information.
In most cases, a data security expert can point to obvious deficiencies in data security, whether it is lack of encryption with payment card data or the failure to implement multi-factor authentication measures in order to gain access to a secure network. These types of vulnerabilities are easily detected (and correctable) if the company conducts regular data security audits.
- Do you think that the standards for what constitutes reasonable security will rise going forward? If so, what will be the driver: new laws and regulations, or regulatory enforcement, or civil lawsuits, or shareholder pressures, or general consumer expectations?
To answer that question I think we need to understand why data security is inadequate now. Until very recently, the pushback on better technology – harder to breach credit cards with chips versus magnetic strips for example – has largely come from the retail community, which didn’t want to pay for the improved technology. But as the financial toll of data breaches continues to escalate, stakeholders on all sides of the issue will drive better security. Ultimately, it may take legislation. And most lawyers on the plaintiff’s side of these cases would welcome national legislation that provided a fixed standard so everyone knows the rules of the road – and is obligated to follow it.