Companies Can Take Proactive Steps To Limit Liability Exposure for Data Breaches

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Yin Wilczek

May 22 — Despite ongoing shareholder lawsuits and the mounting regulatory concern over cybersecurity and data breaches, there is as yet no definition of what constitutes “reasonable” security, an attorney said May 21.

Nonetheless, there are steps companies proactively can take to protect themselves from lawsuits or enforcement actions or to ensure they are resolved more quickly, said Dominique Shelton, a partner in Alston & Bird LLP's Los Angeles office.

“It's not the wild west,” Shelton said. “There is guidance out there,” based on shareholder derivative lawsuits, consumer class actions, and regulatory actions brought by the Federal Trade Commission, the Securities and Exchange Commission and other regulators, that boards and senior management should heed.

“That being said, that's not the most perfect world for companies to be in” because it lacks certainty, Shelton added. However, “that is the environment we're in right now.”

Shelton spoke on a cyber liability panel at Georgetown University Law Center's cybersecurity conference, which Bloomberg BNA co-sponsored.

More Common 

Data breaches are increasingly prevalent, and companies in a diverse range of industries—including Target Corp., JPMorgan Chase & Co., Anthem Inc. and Home Depot Inc.—have experienced recent incidents.

Ongoing high-profile lawsuits over data breaches include the class action against Target and Wyndham Hotels & Resorts LLC's challenge of an FTC enforcement action before the U.S. Court of Appeals for the Third Circuit. 

Shelton noted that any company that operates a website, uses mobile software applications or employs social media for advertising is vulnerable on two levels—privacy and security. She also noted that the two are “becoming increasingly interrelated,” adding that the FTC has announced its interest in pursuing “hybrid cases” that will “take a hard look at privacy violations and cybersecurity best practices.”

In thinking through their cyber liability issues, companies should look beyond data breach notification because regulators other than the FTC are becoming very interested in the area, especially with respect to mobile apps, Shelton warned. As an example, she cited the Food and Drug Administration's cybersecurity requirements for mobile medical apps.

Among other civil lawsuits, Shelton noted that consumers are bringing putative class actions under a relatively old statute—the 1988 Video Privacy Protection Act—against companies that run videos on their websites or that use mobile apps. There were 12 such lawsuits filed in 2014, she said.

Big Data 

The advent of big data and data analytics brings new complications, Shelton added.

Although big data, unique identifiers and cookies are not part of any breach notification statute in the U.S., a company's failure to secure the data it collects can have liability implications, Shelton said. She noted that consumers are bringing putative class actions involving big data based on the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and other statutes. About 208 putative class actions have been filed in the past 19 months over the collection of behavioral data, she said.

Co-panelist Hilary Hageman, vice president and deputy general counsel at CACI International Inc., said federal contractors may have it even harder in terms of liability exposure.

Federal contractors handle very sensitive information, Hageman noted. At the same time, they face a “whole patchwork or panoply of regulations” in terms of protecting that information, depending on which federal agency with which they deal, she said.

“Making sure that we comply is extremely daunting,” Hageman said. She added that federal contractors could suffer severe economic consequences, including debarment, as well as reputational harm if they fail to comply.

Meanwhile, co-panelist Christopher Dore, a Chicago-based partner at plaintiffs' firm Edelson PC, said his law firm brings data breach lawsuits where there is “obvious liability.”

Companies are not expected to have perfect data security, Dore said. “What we look for are obvious problems” that “in the mid-90s would have been shocking but now in 2015 are appalling.” These include failing to encrypt sensitive data or not knowing that your system was hacked a year and a half ago, he said.

Limiting Exposure 

Among other recommendations for reducing liability exposure, Shelton noted that there are “some norms” starting to develop in the business community around consumer disclosures. She cited, as an example, the FTC's mobile disclosure guidance. “I encourage people to look at those because the guidance might avoid some of the lawsuits” that plaintiffs' firms are interested in pursuing, she said.

Shelton also noted that the FTC, the California attorney general and a European Union working group have suggested that companies develop checklists of what information they're collecting for their mobile apps. The checklist should include the reason for the collection, who the information will be shared with and how it is protected, she said. “Those are good documents to keep in your file so that you at least have a rationale for why” that data is being stored and how it's being secured.

Moreover, Shelton noted that after a review of the FTC's 54 data breach cases, her law firm has identified 33 inadequate practices faulted by the agency. Companies should be aware of those practices in building their comprehensive information security programs, she said.

More generally, Hageman suggested that companies look to the U.S. Sentencing Guidelines for basic cyber “hygiene” measures that “don't cost a lot.” These include:

• setting the right tone at the top;

• making sure senior executives take data protection seriously;

• adequate training for employees;

• periodic monitoring of technology; and

• regulator internal and external audits to ensure procedures and safeguards are effective.

 

Recommendations for the Board 

Hageman also had some recommendations for boards. She said boards should:

• ensure they have one or two directors who are “very IT savvy”;

• hold regular meetings to discuss IT security issues, and hold special meetings where warranted;

• consider whether to create a special committee that deals specifically with IT security issues if this is a particular concern for the company;

• investigate immediately any cybersecurity issues that are brought to their attention; and

• review their charters regularly to ensure they have the “latest bells and whistles” and appropriate measures for evaluating and addressing cyber risks.

 

Dore noted that the preventive measures suggested by Shelton and Hageman will be the subject of answers sought by plaintiffs at the discovery stage. He added that no private data breach lawsuit has yet reached this litigation phase. “We will be asking these exact questions” about companies' internal procedures, he said. “Showing that you did everything in your power is going to be persuasive either to us or to the court.”

Shelton also encouraged companies to bring in plaintiffs' attorneys to speak about the data breach cases that they bring. “To hear from the horse's mouth about the way plaintiffs' counsel would look at the matter would be helpful,” she said. She added that companies should protect themselves during these discussions. “Obviously they have to be done under privilege through outside counsel,” she said.

To contact the reporter on this story: Yin Wilczek in Washington at ywilczek@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com