An Attorney's Perspective on Data Breaches


Joshua Kaplan, an attorney at the law firm of BravermanKaskey, provides an attorney's perspective
on how data breaches can impact a company.
Data Breach  Litigation & the Financial Impact
on Affected Businesses

Data breaches -- in which private information (e.g., social security numbers, account information, credit card numbers) is compromised through malicious attacks, mishandling, or otherwise -- are now the norm.  Any business that maintainsanyone's confidential information, particularly that of employees or customers, needs to be aware of the risk that the information will be exposed.  The question one must ask is not whether information will be subject to a data breach, but when.  And for businesses, that risk gives rise to a number of questions, all of which boil down to a basic concern: how big a mess will a breach create?

 
[T]he fantastic advances in the field of electronic communication constitute a great danger to the privacy of the individual.
— Chief Justice Earl Warren (1963)
 

What is the likely impact of a data breach from a litigation perspective?

When your business is involved in a data breach, of immediate concern is whether you will end up in court over it.  The recent experience of Horizon Blue Cross Blue Shield of New Jersey ("Horizon") is illustrative.  In November 2013, two unencrypted laptops containing the personal information of roughly 690,000 Horizon policy holders were stolen from the company's headquarters.[i]  Federal law governing healthcare industry required those computers to be encrypted, as did Horizon's company policy.  Horizon notified potentially affected members by letter and through a press release,[ii]and offered to cover credit monitoring and identity theft protection services.  Unsurprisingly, litigation followed.

Lawsuits by those affected directly by a data breach

Businesses may face greater risk in the federal courts than in state court, as demonstrated by a recent decision in the litigation surrounding the Horizon data breach.  The Third Circuit Court of Appeals held in 2011 that an individual whose personal information was disclosed in a data breach does not have standing - i.e., a legally recognized right - to sue a business for failing to protect that information if the only harm is the potential for misuse of that information.[i]  But that view appears to have shifted.

In a very recent decision, the Third Circuit held in In re Horizon Healthcare Services Data Breach Litigation that the Fair Credit Reporting Act ("FCRA"), a federal statute that applies to "consumer reporting agencies," "create[d] a remedy for the unauthorized transfer of personal information."[iv]  Accordingly, the Third Circuit held that the Horizon plaintiffs - policyholders whose information was on the two stolen laptops - had standing to sue for a violation of the FCRA "[e]ven without evidence that the Plaintiffs' information was in fact used improperly ...." 

Nevertheless, plaintiffs suing over a data breach have not had uniform success.  In Pennsylvania, for example, the Pennsylvania Superior Court recently held in Dittman v. UPMC that an employer cannot be held liable for negligence based on a failure to protect employees' personal information from a data breach.[v]  While the court left open the possibility that such a duty of care might exist if the employer had "encountered a specific threat of intrusion into its computer systems," it also noted that Pennsylvania's "economic loss doctrine" would prevent any such claim if the damages are strictly economic (i.e., not accompanied by physical injury or property damage).  This appears to foreclose any negligence claim under Pennsylvania law based on a data breach.  The Dittman court also held that there was no implied contract between UPMC (i.e., the University of Pittsburgh Medical Center) and its employees to protect their information.  In short, although plaintiffs have not found much success pursuing traditional tort claims, such as negligence, the FCRA and similar legislation that may emerge at the state and federal levels could afford plaintiffs new avenues to pursue claims against businesses that fail to protect against a data breach.

What is the bottom line?

Because the scope and circumstances of any particular data breach will vary from business to business, it is difficult to accurately predict how much such an event will cost a business.  However, the Ponemon Institute, an independent research organization, recently published its eleventh study, sponsored by IBM, of data breach costs for U.S. companies.  Among other findings, the study noted that (1) costs attributable to breaches are increasing (averaging $221 per lost record, inclusive of legal expenses) and (2) businesses in highly regulated industries (e.g., healthcare and financial services) face higher-than-average costs.[vi]   

Notably, the Ponemon Institute study also highlighted an unsurprising, but important, point: "having an incident response plan and team in place, extensive use of encryption, employee training, [Business Continuity Management] involvement and extensive use of data loss prevention technologies" can have the effect of mitigating data breach costs.  In short, taking a proactive approach to preventing and responding to a data breach is likely the best defense.

Government enforcement actions

Next month, we will take a closer look at how government enforcement actions, which often run parallel to private suits, can impact your bottom line.

 

----------------

[i] The number of records exposed in the Horizon data breach well exceeds the number in "typical" data breaches in the U.S.; the average is closer to 30,000.  See Ponemon Institute, 2016 Cost of Data Breach Study: United States, at 1 (June 2016) (available at http://www-03.ibm.com/security/data-breach/). 

[ii] Most states have reporting laws that prescribe what steps a business must take to protect affected individuals after a data breach.  See, e.g., N.J. Rev. Stat. §§ 56:8-161, et seq.; see also 73 Pa. Cons. Stat. §§ 2301, et seq. (Pennsylvania Breach of Personal Information Notification Act).  Neither statute confers a private cause of action, meaning that a state attorney general can sue for a violation of these laws, but individual breach victims cannot.

[iii]See Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). 

[iv] 846 F.3d 625 (3d Cir. Jan. 20, 2017). 

[v] No. 97-WDA-2015, 2017 Pa. Super. LEXIS 13 (Pa. Super. Jan. 12, 2017); accord Enslin v. Coca-Cola Co., No. 14-cv-6476, 2017 U.S. Dist. LEXIS 49920 (E.D. Pa. Mar. 31, 2017).

[vi] See Ponemon Institute, 2016 Cost of Data Breach Study: United States, at 2, 5, 7.