Over the next few weeks, we will endeavor to use these pages to share our perspectives on the burgeoning area of Privacy and Cyber Security Litigation (PCS Litigation). In particular, we will focus on steps you can take to both anticipate such litigation, and how you can effectively respond to such litigation should it land on your doorstep, regardless. At the end of the day, we hope to provide you with some guidance on how to navigate this fast-moving and quickly-evolving area of the law.
In order to prepare for PCS Litigation, one must first identify and understand the liability standards that would be utilized in a putative lawsuit. The triggering event in PCS Litigation is almost always a data breach: An unauthorized user accesses and collects information to which it is not legally entitled, usually through a computer network, a laptop or USB drive. A data breach can trigger any number of lawsuits, the nature of which depends on what was taken and by whom. Each, however, will have its own “standard of care” by which the breached company’s conduct will be judged. Below are just a few. Keeping these developing standards of care in mind is a great starting point for any cyber security preparedness effort.
The most basic cause of action for a data breach is negligence. Ordinarily this occurs when a company allows private customer data fall into the wrong hands. One high-profile example can be seen in the slew of lawsuits alleging that Target Corporation negligently stored consumer credit card information, such that third-party hackers were able to steal millions of records. In a negligence action, the breached company’s conduct will be assessed against a duty of care that would be taken by a reasonable person in similar circumstances. Thus, the exact standard will depend on the sensitivity of the data that was stolen, laws or regulations regarding the precautions to be taken in storing such data, and the practices commonly used in the industry. One particular potential source for standards of care may come from the National Institute of Standards and Technology (NIST) and The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) Bulletins.
Another common cause of action is misappropriation of trade secrets. Data breaches of this sort are occurring with greater frequency, as competing businesses (and countries) seek to gain an advantage in an increasingly competitive global marketplace. In a trade-secrets claim, the breached company’s conduct will be scrutinized to see if it took steps that were reasonable under the circumstances to preserve the secrecy of the information that was stolen. Again, what constitutes “reasonable steps” is a highly contextual inquiry, and will depend on the nature of the information at issue, as well as the means reasonably available for protecting it. A good potential source on this topic is court decisions that have addressed the reasonable-steps issue in one’s specific industry, or with respect to a specific class of data.
Finally, a growing amount of PCS litigation is being generated by the Federal Trade Commission (FTC), under the auspices of its consumer-protection mandate. Pursuant to Section 5 of the FTC Act, the FTC has initiated dozens of cases against companies that have allegedly either violated consumer’s privacy rights, or misled consumers by failing to adequately protect consumer information. The FTC’s data-privacy enforcement efforts are based on the FTC Act’s prohibition against “unfair and deceptive acts and practices in or affecting commerce.” The FTC generally alleges that a company made certain promises or guarantees regarding the protection of consumer information, and then failed to follow through. Thus, the standard in these cases is somewhat easier to assess than those above because it is tied to a company’s own words and statements. In essence, a company must actually live up to the statements it makes and the assurances it gives about protecting consumer’s private information. The takeaway: A company should choose its words carefully.
There are certainly other causes of action that could be explored, HIPAA being a prime example, but the message is consistent across them all: Anticipation of litigation begins with appreciating the types of legal action one might encounter and the issues that will arise should legal action materialize. In PCS litigation, the central issues will often focus on the type of data at issue, the “reasonableness” of steps taken to protect that data, and any assurances that may have been given about the steps taken to protect data. Thus, in preparing for tomorrow, it is important to bear these things in mind today.