One Liberty Place
1650 Market Street
Philadelphia, PA 19103
A look at data breach litigation and the financial impact on affected businesses
“[T]he fantastic advances in the field of electronic communication constitute a great danger to the privacy of the individual . . . .”
—Chief Justice Earl Warren (1963)
Data breaches—in which private information (e.g., social security numbers, account information, or credit card numbers) is compromised through malicious attacks, mishandling, or otherwise—are now the norm. Any business that maintains anyone’s confidential information, particularly that of employees or customers, needs to be aware of the risk that the information will be exposed. The question one must ask is not whether information will be subject to a data breach, but when. And for businesses, that risk gives rise to a number of questions, all of which boil down to a basic concern: how big a mess will a breach create?
Litigating against the government
In last month’s newsletter, I highlighted the recent experience of Horizon Blue Cross Blue Shield of New Jersey (“Horizon”), which was embroiled in litigation following a data breach at the company’s headquarters. A very recent decision of the Third Circuit held that class action plaintiffs had standing (i.e., had a legally recognized right) to sue Horizon under the Fair Credit Reporting Act. However, that decision, which hinges the court’s interpretation of a specific statute, runs counter to many other state and federal court decisions limiting private lawsuits stemming from a data breach.
While private lawsuits have faced hurdles, lawsuits filed by state authorities to enforce data security laws have gained significant traction. Once again, Horizon’s experience is helpful to understanding the scope of this issue. In February 2017, Horizon settled claims brought by the New Jersey Attorney General related to the data breach. The attorney general alleged that Horizon violated state and federal standards governing businesses in the healthcare field. Horizon agreed to pay a $1.1 million fine and improve security practices.
Enforcement actions are also on the rise at the federal level. The Federal Trade Commission (the “FTC”) has broad authority under Section 5 of the FTC Act, 15 U.S.C. § 45, to combat “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce . . . .” It has used this authority in data breach cases to compel more robust security practices and, often, hefty monetary penalties. Such cases include the landmark ruling in FTC v. Wyndham Worldwide Corp., which established the breadth of the FTC’s authority to use Section 5 in the data security context, as well as the high-profile Ashley Madison dating site breach (settlement with FTC and state authorities for $1.6 million). Moreover, as with the Horizon case, industry-specific laws and regulations at the federal level may subject a business to additional liability.
Minimizing the impact on your business
Because the scope and circumstances of any particular data breach will vary from business to business, it is difficult to accurately predict the impact of such an event. The Ponemon Institute, an independent research organization, recently published its eleventh study of data breach costs for U.S. companies. Among other findings, the study noted that (1) costs attributable to breaches are increasing
(averaging $221 per lost record, inclusive of legal expenses) and (2) businesses in highly regulated industries (e.g., healthcare and financial services) face higher-than-average costs.
The Ponemon Institute study also highlighted an important point: “having an incident response plan and team in place, extensive use of encryption, employee training, [Business Continuity Management] involvement and extensive use of data loss prevention technologies” can have the effect of mitigating data breach costs. This is consistent with the advice given by government agencies themselves. As the FTC has suggested, a company does not have to bankrupt itself in the name of data security: “The touchstone of the FTC’s approach to data security is reasonableness: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” In short, be proactive, and be prepared to respond.
Braverman Kaskey, P.C. is a Center City Philadelphia law firm that concentrates its practice on commercial litigation and business matters.
Joshua Kaplan is an associate in the firm’s complex commercial litigation practice. He is licensed to practice in Pennsylvania and New Jersey.
This article is not intended to provide legal advice. Readers should not act or rely upon this article without seeking specific legal advice on matters that concern them.
Copyright © 2017 Braverman Kaskey, P.C.
i. See In re Horizon Healthcare Services Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017).
ii. Most states have reporting laws that prescribe what steps a business must take to protect affected individuals after a data breach. See, e.g., N.J. Rev. Stat. §§ 56:8-161, et seq.; see also 73 Pa. Cons. Stat. §§ 2301, et seq. (Pennsylvania Breach of Personal Information Notification Act). Neither of these statutes confers a private cause of action, meaning that a state attorney general can sue for a violation of these laws, but individual breach victims cannot.
iii. See Press Release, State of New Jersey Office of the Attorney General, Horizon Blue Cross/Blue Shield of New Jersey Agrees to Pay $1.1 Million, Tighten Data Security to Settle Allegations of Privacy Lapses Concerning Personal Information of Policyholders (Feb. 17, 2017) (available at http://nj.gov/oag/newsreleases17/pr20170217a.html).
iv. 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d 799 F.3d 236 (3d Cir. 2015).
v. See Ponemon Institute, 2016 Cost of Data Breach Study: United States, at 2, 5, 7.
vi. Federal Trade Commission, “Data Security” (available at https://www.ftc.gov/datasecurity).