Nearly a decade ago, identity thieves posed as customers to steal more than 160,000 consumer records from data broker ChoicePoint.
If the incident were to happen today, it likely would be met with a passing yawn, common hacker play that is nothing more than just another headline, only to replaced by tomorrow's breach, that one by the next day's. But the ChoicePoint heist remains a landmark incident, mostly because it was the first big breach required to be publicly reported, thanks to a pioneering notification law passed in 2003 in California, known as SB-1386.
After the information theft was announced in 2005, ChoicePoint, acquired three years later by Reed Elsevier, settled with the Federal Trade Commission, as well as 44 states. In total, it paid out some $45 million as a result of the breach, and in the process, effectively created a new source of liability for organizations nationwide, one which has sped forward at lightning rates.
"I think it's an arguable virtual certainty that you're going to be breached," said Jason Weinstein, a Washington, D.C.-based partner at Steptoe & Johnson law firm, which represents corporate clients, in a recent interview with SCMagazine.com. "And if you're breached, it's an absolute certainty you're going to get sued."
That's not to say all of the cases will be successful in court, either through settlements or outright wins. But while there are no state or federal laws and statutes that specifically address illegality related to data breaches, plaintiff's attorneys are remaining steadfast in their attempt to establish working theories of liability and carve out new ground for legal standing.
"Plaintiffs are trying everything they can," said Sasha Romanosky, an associate policy researcher at Rand Corp. who recently obtained his Ph.D. from Carnegie Mellon University in Pittsburgh. "They sue for common law (derived from judicial precedent rather than statute) because there's no single law. There's huge variations in what they're suing for."
Edmund Normand, a civil trial lawyer based in Florida who currently is involved in about a half-dozen lawsuits filed on behalf of data breach victims, said he's finding that state and federal courts are recognizing the potential fallout that could result from breaches and are calling on organizations to step up their protections.
"Now, more than ever, the damage from these data breaches is astounding and limitless," Normand told SCMagazine.com. "And it may not happen today, but you're at risk to worldwide exploitation over decades."
Seeing what sticks
But therein lies the rub. Attorneys representing victims of a data breach – typically customers or employees – generally have met resistance from courts due to their failure to show actual harm (identity theft, fraud, etc.) that is directly linked to the breach in question, Weinstein, who is a former deputy assistant attorney general for the U.S. Department of Justice, told SCMagazine.com.
For example, in 2009, a federal judge dismissed a Missouri man's lawsuit against pharmacy benefit management firm Express Scripts, which sustained a data breach that exposed sensitive customer data. The case was tossed by U.S. Magistrate Judge Frederick Buckles because the claimant, John Amburgy, could not prove that his information was actually used fraudulently.
As a result, lawyers representing plaintiffs increasingly have turned to the legal argument that their clients are at risk to future harm due to the breach.
And they've found moderate success. In 2011, an appeals court in Boston ruled that a lawsuit could continue against grocery chain Hannaford Bros., which was compromised of more than four million credit and debit card numbers in late 2007. A three-judge panel determined that fees paid by consumers for identity theft insurance and new cards, taken as a proactive measure following the breach, could constitute as financial damages. (Ultimately, however, the case failed to win class-action status).
But a U.S. Supreme Court decision handed down in February of this year in the case of [National Intelligence Director James] Clapper v. Amnesty International may limit plaintiffs' abilities to establish standing based on the possibility of future harm.
In that case, the high court held (PDF) that Amnesty International, an international human rights group, lacked standing to challenge the FISA Amendments Act of 2008, which permits the U.S. government to use electronic surveillance to collect intelligence about suspected foreign terrorists, without the need for a warrant. Amnesty and others, including journalists, had argued they had standing based on a reasonable fear that the government would monitor some of their communications if they should ever contact these foreign targets.
The 5-to-4 ruling from the Supreme Court likely will have ramifications for future data breach lawsuits, Weinstein said.
"[The] Clapper [case] suggests that plaintiffs in privacy cases cannot establish standing either by claiming that a breach or other privacy violation resulted in increased risk of identity theft or by incurring costs to prevent possible future identity theft, such as obtaining credit reports or engaging credit monitoring services," Weinstein wrote in a recent blog post. "At a minimum, Clapper calls into question the viability of relying on prior decisions finding standing based solely on increased risk of potential future identity theft."
Consequently, more plaintiffs will look toward state and federal statutes, such as consumer protection laws, to establish standing and ensure their cases can proceed, Weinstein predicted.
But Normand said conflating the Clapper verdict with data privacy actions is like "comparing apples to oranges."
He said he has found the most success in forcing data breach settlements by claiming the defendant was negligent and breached its contract with the customer, leading to a legal term known as "unjust enrichment." In the case of Clapper v. Amnesty International, the plaintiffs never entered into a contract with the U.S. government to protect their data, unlike many victims of breaches, who did business with companies that promised to follow industry best practices and other laws.
"When I entrust my data with someone for whom I'm doing a purchase with, and they promise to protect that data, that's part of the bargain," Normand said. "And if they choose not to protect that information or save money or skimp on some of their security procedures, they've made an extra profit over the companies that didn't do that."
There is precedent to support Normand's viewpoint.
About a year ago, the 11th U.S. Circuit Court of Appeals in Atlanta, in a 2-to-1 decision (PDF), sided in an unprecedented fashion with claimants' allegations of unjust enrichment in a breach involving Florida health insurer AvMed, from which two unencrypted laptops, containing the personal information of 1.2 million customers, were stolen. Among its decisions, the court held that the premiums AvMed members pay to the company includes an expectation for the protection of personal information.
"That type of theory demonstrates that there is almost no limit to the creativity of the class-action plaintiffs' bar, which is looking for new ways to make privacy suits viable," Weinstein said. "And it underscores why companies should be thinking about their litigation risks even before a breach occurs, and certainly from the moment a breach occurs."
Who's getting sued?
Some judicial jurisdictions have been friendlier to plaintiffs than others. Still, all organizations, no matter where they conduct business or where their customers are located, should be on guard and expect to be sued following a data-loss incident, experts interviewed for this story said. Thus, making certain one's ducks are in a row is critical.
"Data privacy class actions – whether stemming from data breaches or from a company's own data-collection practices – have become a kind of ambulance-chasing for the 21st century, with class-action lawyers scouring the web for reports of data breaches and alleged privacy violations and then racing to the courthouse to file complaints," Weinstein wrote in his blog. "As a result, companies have been forced to spend millions of dollars defending these suits."
Romanosky, who along with two other researchers, recently examined 230 federal cases involving data breach lawsuits. They tried to pinpoint the likeliest scenarios under which organizations would face lawsuits following the compromise of sensitive data.
They determined that the larger the outfit, the more likely they'll be slapped with a lawsuit. And if they are sued, it's most commonly going to happen if they were allegedly careless with the information or released it without authorized disclosure, rather than if they were the victim of a cyber attack.
And they might be more immune to a suit if they are open and transparent about what happened, and promise affected individuals free credit monitoring services, Romanosky told SCMagazine.com.
But once faced with a legal complaint, companies tend to want to sweep the matter under the rug, even if it means paying out millions for a settlement. Romanosky said he studied settlements that reached as high as $7 million.
"It's kind of saying that companies are settling too quickly," Romanosky said. "They don't actually think the plaintiff is going to win. They just want everything to go away."
Normally settlements, particularly in class-action suits, are meant more for effect and vindication than payout. Claimants, other than the few people who are named in the suit, typically walk away with little money, usually just a few dollars. The lawyers, of course, make much more.
At least one corporation, Wyndham Hotels and Resorts, is fighting back against the Federal Trade Commission, objecting to the FTC's right to enforce "unfair or deceptive acts or practices" related to data security.
So what can companies do to prepare for the reputational and costly side effects of litigation? First, Weinstein said, they should ensure their actual privacy practices match their written promises. "Do what you say," he said. "Say what you do."
Next, they should conduct a "top-to-bottom view" of their information governance, which includes acquiring cyber insurance and reviewing the policy to be certain it is adequate.
"A lot of these policies were written before anyone knew what a data breach was," Weinstein said.
In addition, organizations should ensure their partners have implemented security and compliance practices on par with theirs. Finally, set up a comprehensive incident response plan.
"All things being equal, it makes you less likely for a breach," Weinstein said. "If there is a breach, it allows you to contain the damage more quickly. And if the regulators do come after you, it makes you much more likely to prevail."
Businesses can take a lesson from St. Louis-headquartered Schnucks, a Midwestern supermarket chain whose systems were hacked last winter to to the tune of 2.4 million credit card numbers. After the attack became public, Chris Koster, the Missouri attorney general, ran to Schnucks' defense, reportedly saying the company didn't violate any state data protection laws. Instead, he said, the supermarket was itself a victim.
But despite earning the backing of the state's top law enforcement officer, not only is Schnucks still facing multiple lawsuits, but its insurer, Liberty Mutual, is arguing in court that its policy does not cover the company against legal costs arising from the breach.
The situation gives rise to an interesting dichotomy, further proof that the legal landscape surrounding data breaches will remain muddied for the foreseeable future.
"Even if [Schnucks] weren't at fault, they're still legally responsible," Weinstein said.