A change in emphasis in disputes over data security breaches is coming. To date, the focus has been on issues and potential damages arising from the breach itself and the subsequent loss of private, personal information. In light of recognized delays from both Equifax and Uber, combined with the confusing array of breach notification responsibilities, we believe 2018 will see a growing emphasis on disputes arising from a corporation’s delay in notifying the public, the affected individuals and regulatory bodies about the breach.
A Multitude of Disclosure Obligations
The fact is that determining an appropriate period of time within which a company should disclose a data breach, the theft of personal information or both is far from simple. Nearly every state has its own set of data security laws, but only some address disclosure requirements. Even within this subset, there can be conflicting requirements in different states. For example:
- What qualifies as stolen personal information triggering the disclosure obligation often differs from state to state;
- Some states dictate specific times within which to make disclosures while others are silent; and
- Some state laws discuss the role of law enforcement in making disclosure decisions while others do not.
In short, if you are a company that does business in multiple states and suffers a data breach, you might find it difficult to comply with all applicable state laws.
State laws are truly just the beginning of the assortment of competing interests as a growing list of regulators insert themselves into the mix. On Feb. 21, 2018, the SEC issued a “Statement and Guidance on Public Company Cybersecurity Disclosures,” updating a previous guidance issued in 2011. This new guidance raises the possibility that disclosures should be made earlier than existing state laws require. New York recently implemented its own regulations, requiring all “financial institutions” doing business in New York to report breaches, and attempted breaches, to state regulators within 72 hours. The regulations also require a written response plan to cybertheft that, presumably, will include self-imposed specifics related to public and regulatory notifications. While that may seem like enough confusion, international companies also face the soon-to-be-implemented European General Data Protection Regulation. The GDPR, which will come into effect in May, generally requires notification within 72 hours of a breach. And this is just to name a few.
While there remain pleas for a federal law to create a uniform standard, such efforts face significant hurdles. Some argue federal proposals are too strict (including one bill proposing jail time for corporate officers who knew about and failed to properly disclose breaches of data security). Others complain a federal standard will be less imposing than the laws of many states and therefore should not be enacted. While a federal law may seem like a panacea, competing interests may make it more difficult to pass than some may hope.
Delay May Create Claims
The legal risks arising from a delay in disclosing a data security breach are materially different from a claim relying on the breach itself. As a publicly traded company, Equifax’s stock traded for weeks based on imperfect public information. Moreover, certain executives sold stock during the intervening period, presumably for prices higher than they would have received had the breach been disclosed. Delaying notice, therefore, at a minimum exposes the company to lawsuits, both derivative and directly under the federal and state securities laws. In fact, the U.S. Attorney’s Office in Atlanta announced on March 14 that the company’s chief information officer—one of the individuals who sold his stock in the interim period—was charged with insider trading.
In addition, Uber has been publicly discussed as a prime IPO candidate for years, which includes the yearlong period in which it did not disclose data security lapses. Certainly that information would be relevant to bankers and investors. Did the breach play a role in the timing of the IPO and, if so, were investors made aware? Again, the delay in disclosure opens the door to litigation. These are but a few of the issues raised by the delay in notifying the public and affected parties.
Simply put, the risks of a claim are enhanced in a situation where a company knows of a breach of its data security but delays disclosing the issue. The SEC, itself a victim of a breach, recognizes this. As noted, the SEC just issued updated guidance. That 2018 guidance makes specific note for both the need of “timely” disclosures and the need for publicly traded companies to protect against insider trading. Indeed, the SEC guidance seems to suggest that a publicly traded company may have to make multiple disclosures of a single breach event, updating shareholders as new information is learned.
Will Delay Claims Be More Successful?
Lawsuits seeking to recover damages arising from the actual data breach have, to date, experienced what can best be described as mixed results. There is a federal circuit split on whether individuals whose information is stolen have suffered measurable damages sufficient to give them standing to sue the corporation that was breached. Derivative actions have faced an even harder road, with the majority of such cases being dismissed under the protections of the business judgment rule.
As noted, a claim arising from the delay in disclosing the breach is materially different. Certainly, any individual who traded in the corporation’s stock during the delay period may have a claim under state or federal securities laws. Public statements of corporations, both formal and less formal, will be subjected to scrutiny to see if the fact of an undisclosed breach becomes a materially false or misleading omission. Regulatory investigations are almost certain, with Equifax being subject to a congressional hearing while Uber is reportedly being investigated by governments around the globe.
Data security issues, by all accounts, are in the forefront of the mind of general counsel around the country. The risks—reputational, financial and otherwise—of suffering a data breach are enough to keep people awake at night. However, the risks associated with balancing the multiple concerns of when to disclose a significant data breach may be the bigger risk to a corporation’s bottom line. 2018 may serve to highlight that concern.
John C. Amabile is a commercial litigator in the Atlanta office of Parker Poe Adams & Bernstein. He has tried dozens of cases to judges, juries and arbitrators, representing clients in a range of industries that include real estate, logistics and technology.
Micheal L. Binns is a patent litigator in the Atlanta office of Parker Poe Adams & Bernstein. His experience includes the litigation, counseling and prosecution of all forms of intellectual property.