In the wake of this year’s data breach rulings, it is now more imperative than ever that organizations understand that the exposure from a cyberbreach extends beyond a failure of their systems. For example, how the organization responds to a cyberbreach may now provide a basis for injuries sufficient to sustain class actions by impacted customers. And how an organization structures its data breach investigation may impact the discoverability of the investigation in subsequent litigation. Here is a summary of the year’s most enlightening rulings and the impact they could have on in-house counsel in the year to come.
Reasonable Data Security Needed to Avoid FTC Action
In August, the Third Circuit issued a highly anticipated decision in FTC v. Wyndham Worldwide Corp., affirming the FTC’s authority to regulate corporations’ cybersecurity practices and policies under the unfairness prong of Section 5 of the FTC Act. While there is concern that the Wyndham decision may give the FTC greater latitude with respect to aggressively pursuing organizations that are subjected to cyberbreaches and requiring organizations to undergo third-party security assessments, avoiding FTC action is typically not that difficult if an organization maintains reasonable security for consumer data.
Wyndham arose from three cybersecurity breaches in 2008 and 2009 in which hackers accessed Wyndham’s network and obtained credit card information from over 619,000 customers. This allegedly caused at least $10.6 million in fraud losses. As a result of these breaches, the FTC filed suit, claiming that Wyndham engaged in unfair and deceptive practices in violation of 15 U.S.C. §45(a). The FTC’s complaint did not allege that Wyndham had weak cybersecurity but rather that it essentially lacked any real cybersecurity, as Wyndham was hacked on three separate occasions.
The Third Circuit addressed the FTC Act of 1914, which prohibits “unfair methods of competition in commerce” and found there was no implication that Congress intended to exclude cybersecurity under §45(a). The court was unpersuaded by Wyndham’s argument that if the FTC’s unfairness authority extended to it, then the agency would also have the ability to sue supermarkets that “are sloppy about sweeping up banana peels.” The court found that if Wyndham were a supermarket, leaving so many banana peels on its floors that 619,000 of its customers fell would hardly suggest that it should be immune from liability under §45(a).
Focusing on whether the FTC failed to give fair notice of the cybersecurity standards that businesses are required to follow, the court found that after at least the second time it was hacked, Wyndham was on notice of the possibility that a court could find its practices failed to satisfy §45(a). The court also noted that Wyndham had sources available to it to better understand appropriate cybersecurity practices, specifically, a 2007 FTC-issued guidebook entitled Protecting Personal Information: A Guide for Business, in which the agency provided a checklist of practices that constitute a “sound data security plan.”
In the wake of Wyndham, ensuring that an organization’s security is consistent with reasonable industry standards will help avoid FTC action. Since the early 2000s, the FTC has pursued more than 50 cases, largely where businesses utterly failed to establish secure systems. Interestingly, only Wyndham and one other organization, which is currently winding down, refused to sign consent decrees with the FTC. Learning from this, a pragmatic strategy if faced with an FTC action would be to work with counsel to obtain a favorable settlement.
Class Certification Thresholds Lowered
This year, courts dealt with two issues plaintiffs face in obtaining class certification: One federal court certified the first class in a data breach action against Target, while another relaxed the standing requirements in an action against Neiman Marcus.
First data breach action class certified: In September, a federal court for the District of Minnesota certified the class of financial institutions under federal rule 23(b)(3) that alleged claims against Target for losses resulting from the massive 2013 holiday season data breach. The class was defined as all entities in the U.S. that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.
This marks the first time a class has been certified by a federal court in a data breach action.
Previously, in April 2014, the court consolidated 33 lawsuits against Target, spanning 18 districts. The case was divided into numerous tracks: for consumers, shareholders and financial institutions. The consumer class reached a preliminary settlement in March 2015, and pending approval, Target has agreed to pay $10,000,000 to those consumers whose credit or debit card information and/or personal information was compromised as a result of the breach.
The class certification is a huge milestone in data breach litigation, signaling that the threat of class action litigation stemming from a data breach is no longer confined to affected consumers – affected organizations may also align to form a class. Unlike many consumer contracts where judicial remedies, like class actions, can be contracted away, many data breach situations involve harm caused to organizations that are not in contractual privity with the entity that suffered the data breach. Given the court’s analysis, this decision will undoubtedly serve as a model for businesses harmed by a data breach to seek class certification. It may even make it easier for organizations to meet rule 23’s certification requirements than it would be for a traditional putative consumer class. Organizations that maintain credit card and other personal information should heed the increased litigation risk in light of the newfound viability of a nonconsumer class.
Standing requirements satisfied by future harm: Before addressing class certification requirements under federal rule 23, class plaintiffs must establish standing. This year’s July decision from the Seventh Circuit in Remijas makes it easier for victims of data breaches to have their day in court. The Seventh Circuit’s precedential ruling expanded the types of alleged injury that can satisfy Article III standing requirements in cases resulting from data breaches. This represents a major shift in how an organization should craft its litigation strategy in defending against a data breach lawsuit, as the Remijas decision severely weakens the ability to obtain dismissal of such actions under 12(b)(1) for lack of standing and 12(b)(6) for lack of injury.
Remijas arose from the 2013 Neiman Marcus consumer credit card database breach, in which hackers obtained close to 350,000 credit card numbers. Nine days after learning of the breach, Neiman Marcus notified both the public, generally, and affected consumers, individually. The retailer admitted that at least 9,200 cards had been used fraudulently. To mitigate the damage done by the breach, Neiman Marcus offered a year of free credit monitoring and identity theft protection to all customers who had shopped at a Neiman Marcus store between January 2013 and January 2014.
Subsequently, plaintiffs filed multiple class action lawsuits, claiming that the high-end retailer failed to protect customer data and debit card information that was stolen by the hackers. While the district judge initially dismissed the claims, finding the plaintiffs’ alleged injuries were insufficient to allow for standing, the Seventh Circuit reversed.
The Seventh Circuit found that the plaintiffs had asserted injuries-in-fact through time and money spent on protecting against future harm. With respect to Neiman Marcus’s mitigation efforts of offering free credit monitoring, the court found that this was an admission by Neiman Marcus that the plaintiffs were in fact all affected by the breach. According to the court, “[It] is unlikely that [Neiman Marcus’s mitigation efforts were] because the risk ... can be safely disregarded.”
After Remijas, organizations should be aware that injuries associated with resolving fraudulent charges and protecting oneself against future identity theft – such as time and money spent on credit monitoring service – may now be sufficient for standing in data breach cases.
Attorney-Client Privilege Protected in Data Breach Investigations
The Target case yielded yet another ruling in October that impacts the discoverability of data breach investigations. The ruling solidifies the fact that organizations should carefully structure postbreach investigations to claim attorney-client privilege over the investigation and any resulting documents.
The district court in Minnesota denied the class of banks’ motion that Target produce documents generated during its internal investigation of the massive data breach. Target had set up a two-tracked investigation to respond to the breach. The first track consisted of a nonprivileged investigation by Verizon on behalf of numerous credit card companies, so Target could understand and appropriately respond to the breach. The second track involved a probe by a separate team from Verizon in conjunction with Target’s internal task force.
The district court found that the second track and the work conducted by Target’s internal task force were aimed at aiding Target’s in-house counsel in providing proper legal advice with respect to the breach and were thus privileged.
This latest ruling highlights that when organizations respond to a data breach, they should structure their breach response investigation artfully to ensure all aspects of the investigation (and the documents created as a result) maintain the attorney-client privilege. As soon as a breach occurs, organizations should engage legal counsel to develop a strategy to deal with the various risks. Counsel should identify documents, as well as communicate to employees, that each data breach investigation is meant to be legally privileged because the investigation is in anticipation of litigation and directed by counsel.
With respect to the data-breach investigation itself, organizations might want to follow a bifurcated approach, similar to that used by Target, to maintain the work-product privilege. An organization’s internal counsel should instinctively retain a forensics or security firm postbreach to conduct a forensic investigation of the cyberattack in the ordinary course. Organizations should be cognizant that this investigation, and the reports and documents created, are likely discoverable, as they would be created as a by-product of a routine investigation.
By having the organization’s outside counsel hire a separate forensics team, however, the work-product privilege can be preserved. This separate forensic team should be engaged to provide consulting and technical services – pursuant to a carefully drafted engagement letter – for the purpose of assisting internal and outside counsel in rendering legal advice to the organization about the cyberattack and the forensic investigation report. Structuring it this way is essential because were in-house counsel to hire this forensics team, privilege might not attach. The work-product privilege would also attach to the forensic team’s work under counsel’s direction.
By dual tracking an investigation, information relevant to how the breach occurred and the response taken can be discovered in litigation, while the organization’s legal advice and strategy remains privileged.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of Sills Cummis & Gross.
The citations to cases discussed herein are:
FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015)
In Re: Target Corporation Customer Data Security Breach Litigation, No. 0:14-md-02522-PAM (D. Minn. Sept. 2015)
Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487, *18 (7th Cir. 2015)
In re: Target Corp. Customer Data Security Breach Litigation, No. 0:14-md-02522 (D. Minn. Oct. 23, 2015).
Nicole Joy Leibman, Attorney with Sills Cummis & Gross P.C.
Published November 30, 2015.