What Keeps Your Board Awake at Nights
This article has been written by guest author Elyssa Davis, cybersecurity analyst.
Cyberattacks are at an all-time high. As cyberattacks increase, so do class action lawsuits for data breach and privacy violations. Just as the moon follows the sun, massive class action lawsuits will follow cyberattacks. Companies holding vast amounts of sensitive consumer financial information, like banks, insurance companies, credit reporting agencies, social media platforms, and well-known e-commerce businesses, are all at risk of being hit with the double whammy of a disruptive cyberattack followed by multi-billion (or even multi-trillion) dollar class action lawsuits. Being hit with one of these massive class action data breach lawsuits will keep not only the general counsel up at night, but the entire board of directors too. In boxing, these lawsuits would be the "KO" punch: few companies can survive both without significant loss of shareholder value, trust and credibility. They will be down for the count.
Equifax, one of the world's largest consumer credit reporting agencies, is now facing a litigation docket festooned with over 30 data breach and privacy violation lawsuits filed by US state authorities and consumers barely a week after disclosure of its cyberattack. One of them is a whopping class action lawsuit seeking over US$450 Billion. Could this be the end of Equifax and the beginning of a new era: the rise of massive class action data breach lawsuits?
This essay examines the biggest legal hurdles facing the defendants in the Equifax litigations: ability to prove present harm (otherwise known as "standing"), causation and certainty of damages. It argues that courts should balance the need to maintain traditional principles of civil litigation (such as the need to prove standing and causation) to prevent unfair judgments against the need to protect plaintiffs from new forms of harm caused by the rise of cyberattacks.
Equifax is one of the top three consumer credit reporting agencies in the US, if not the world (the others being TransUnion and Experian), because it holds vital personal and financial information on hundreds of millions of Americans, Canadians and UK citizens. Its databanks hold extremely private personally identifiable information ("PII") on almost every American, such as their Social Security Number, date of birth, current and previous addresses, credit card numbers (with issuing bank info), bank account numbers and other banking information, family information, and their entire history of credit card, housing, car lease, mortgage and all other major debt transactions with corresponding payment history. It also records any delinquent payments or defaults.
Everyone in the cybersecurity business will tell you that it is only a matter of time before hackers break into your business, if they haven't already. A company usually does not violate any law by being hacked. A company gets into legal trouble over how it responds to a cyberattack. Nothing paints a bigger target for hackers than fat databases of PII like the ones maintained by Equifax.
The nightmare scenario came true for Equifax on July 29, 2017 when the hack was discovered. The records of over 55% of Americans over the age of 18 were compromised. Experts believe that hackers exploited a vulnerability in the open-source Struts software used by Equifax to break in. Evidently, Equifax failed to install the latest patch. But it took about a month before Equifax publicly disclosed the fact that its information security systems had been compromised and that the PII of about 143 million consumers had been leaked onto the dark web. If that wasn't bad enough, three of its top executives sold about US$1.8 million of their shares before the public announcement date. Unless they sold their shares as part of a Rule 10b5-1 plan (set up under the securities laws to make pre-determined share transactions at pre-determined times), they will likely be investigated for insider trading. Remember, litigation is all about getting sympathy from the jury. Plaintiffs' attorneys will probably milk as much compassion from this suspected insider trading as possible to sell their case.
So what happens when such a treasure trove of PII gets hacked? The financial identities of at least 143 million consumers are at risk of being stolen, hijacked and compromised. With the detailed and extensive nature of the PII stolen from Equifax, hackers are in a position to assume the digital identities of millions of consumers, for example by opening new credit cards and seeking personal loans. Massive class action lawsuits are not the only problem facing Equifax. US Congressional leaders have called for all three credit reporting agencies to testify, and noted that draft legislation will be introduced soon to ensure financial institutions use the strongest possible technology to protect consumer data. This is on top of the investigations to be launched by the US Consumer Financial Protection Bureau, the House Financial Services Committee, the House Energy and Commerce Committee, the Federal Bureau of Investigation, and at least five state attorneys general.
There is a Chinese saying: the number 7 should not laugh at the number 8. It means that someone who is similarly situated to a victim should not laugh at the latter. If you are a senior executive or board director for a major institution that stores millions of sensitive consumer records, be mindful that cyberattacks will happen, and ask yourself what you are going to do when your company is the headline news.
Data breaches are not new. Many high-profile companies have been hacked and lost consumer PII, such as Wendy's, Target, Wyndham hotels, Yahoo! and Home Depot. But the nature of the PII lost and the sheer amount stolen distinguish the current Equifax litigations, because most of the PII contains important financial information. Couple that with a long delay in making the hack public and insider executives dumping shares before the news was publicly disclosed, and we have all the makings of a solid data breach and privacy lawsuit. Or do we?
2) Stumbling Blocks in Data Breach & Privacy Lawsuits
There are three major obstacles to winning data breach and privacy lawsuits: (A) showing standing (or the right to even bring a case in court), (B) causation and (C) the speculative nature of damages.
2A) Where is the injury?
All data breach lawsuits share a common fact pattern: consumer PII has been compromised, but the consumer has not been the victim of identity theft and has not incurred a financial loss. Consumers who have tried to sue for data breach and privacy violations (whether under breach of contract, negligence, invasion of privacy or statutory causes of action) have been getting their cases thrown out by some courts because they could not satisfy one of the basic prerequisites of any lawsuit: showing they have the right to be heard by the court.
Every court requires some sort of injury to have been suffered by the plaintiff before he/she is allowed to bring suit so as not to waste the court's time on speculative actions. For example, all US federal courts require the plaintiff to show injury because the US Constitution limits the judicial power of the federal courts to actual "cases and controversies" (See U.S. Const. art. III, § 2, cl. 1).
In the data breach and privacy context, the biggest concern is the risk that a consumer's identity may be stolen and wrongfully used, for example to apply for credit cards without the consumer's consent. But suing for the increased risk of identity theft without more is particularly difficult because the plaintiff is hard pressed to show actual injury. For example, In re SAIC Corp., 45 F. Supp. 3d 14 (D.D.C. 2014) held that the increased risk of harm [from identity theft] alone does not confer standing and that:
"[t]he degree by which the risk of harm has increased is irrelevant – instead, the question is whether the harm is certainly impending... 'objectively reasonable likelihood' of harm is not enough to create standing, even if it is enough to engender some anxiety . . . Plaintiffs thus do not have standing based on risk alone, even if their fears are rational."
Courts in different federal circuits apply and interpret the legal standard for showing injury very differently. The leading case is Spokeo Inc. v Robins (November 2015), in which the US Supreme Court held that to establish standing, a plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable decision. In order to meet this injury in fact requirement, a plaintiff must show three things:
that he/she suffered “an invasion of a legally protected interest”
that is “concrete and particularized” and
“actual or imminent, not conjectural or hypothetical.”
The Court also held that even if a plaintiff is suing under a federal statute but has not otherwise suffered harm, he/she must still show injury in fact. The plaintiff sued Spokeo Inc., a consumer reporting agency, under the federal Fair Credit Reporting Act for mis-reporting some of his private information even though he had not yet suffered harm. Because the plaintiff did not show injury, his case was sent back down to the lower courts. Regarding the need to show concrete harm, the Supreme Court noted that "[i]t is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm." The Court left open the possibility of future harm satisfying the injury requirement. The Court explained that both tangible and intangible harms count and that future harms can count, too, so long as there is a material risk of something negative happening in the future.
The lower courts have been interpreting the Article III injury requirement strictly. For example, in the recent case of Whalen v. Michaels Stores (May 2017), the US Court of Appeals for the Second Circuit dismissed a data breach class action against Michaels Stores because it failed to show the requisite injury in fact. The court said that the injury was neither concrete nor particularized because the putative plaintiff was not asked to pay (and did not pay) any fraudulent charges. The court also refused to find the risk of future identity theft sufficiently concrete because the plaintiff had cancelled the exposed credit card and no other information needed for identity fraud was stolen in the breach. Finally, the court held that spending considerable time and expense monitoring financial accounts, without more, does not establish injury in fact.
In re Barnes & Noble Pin Pad Litigation (June 2017) saw a similar situation. Here, the Northern District of Illinois dismissed a class action lawsuit against Barnes & Noble after "skimmers" had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court refused to recognize the following as legally cognizable injuries:
loss of PII value,
time spent with bank and police employees,
usage of personal cell phone minutes,
inability to use payment cards during the replacement period; and
the cost of credit monitoring services.
On July 5, 2017, the U.S. District Court for the Northern District of Illinois threw out a class action lawsuit against toy maker VTech. Plaintiffs alleged that VTech did not protect parents' and children's personal data from a hacker. The court ruled that plaintiffs failed to show how the security breach harmed them. It noted that "[p]laintiffs fail to make the connection between the data breach they allege and the identity theft they fear. Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft".
Yet the law on standing varies throughout the different federal circuits. It is very likely that the US Supreme Court will decide this issue again and attempt to unify judicial opinions on this important legal issue since cyberattacks are rising and businesses need relative certainty in order to face the concomitant rise in class action data breach lawsuits.
So what are some of the key takeaways from these cases that may be useful the next time your company is sued for data breach?
First, plaintiffs are not required to show tangible harm before being allowed to bring suit, because the Supreme Court in Spokeo rejected such a requirement. (The defendant in Spokeo asked the court to adopt what it called a 'real-world injury' test, which was rejected.) Requiring real-world injury would have a chilling effect on bona fide data breach and privacy litigation because all forms of harm resulting from, say, an invasion of online privacy are intangible harms.
Second, if a data breach defendant offered a credit monitoring service, the plaintiff may use that fact to prove actual harm. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015), the Seventh Circuit interpreted an offer of credit monitoring in a credit card breach as a sign that the risk of identity theft was real, not "ephemeral", and therefore qualified as a concrete injury. Equifax also offered credit monitoring services to its customers, which may be used against it in the current litigations. Since the law of each federal circuit differs, be sure to check whether offering credit monitoring services would undercut your company's position in court.
Third, the cases cited above that dismissed class actions did not involve the theft of financial information that would enable identity theft, such as Social Security Numbers and credit card numbers. In contrast, the Equifax breach does. Therefore, the Equifax litigants could show injury in fact by stressing that the extremely sensitive nature of the stolen PII enables actual identity theft. But just because stolen PII could enable identity theft does not mean that the harm ensuing from such identity theft was actually caused by the defendant.
2B) Causation Problem
In addition to showing actual harm, the class action plaintiff must also show causation. Every civil case requires the plaintiff to prove that the defendant's action or inaction caused his/her harm. The requirement to show causation is fundamental to ensuring fair judgments. Data breach and privacy class action suits present unique challenges for proving causation for two reasons.
First, many consumers have had their PII compromised more than once. I have many friends who have had to change their credit cards multiple times every 3-5 years because their credit card numbers keep getting compromised. Multiple compromises underscore the problem of trying to ascertain which entity should be held liable in a given lawsuit (assuming that the plaintiffs have not named every potential hacker as a defendant). The burden is on the plaintiff to prove that the defendant's data breach caused his/her loss. As In re SAIC Corp., 45 F. Supp. 3d 14 (D.D.C. 2014) has shown, plaintiffs cannot show causation merely by alleging that unauthorized charges were made to their credit and debit cards following the defendant's data breach. Unauthorized charges without more do not equal causation. Plaintiffs would need to show, for example, that they received specific letter(s) in the mail from a credit card company thanking them for applying for a loan, which would be acceptable evidence of causation.
Second, cyberattacks are notoriously difficult to stop completely. One could even go as far as to say that it is quite impossible to prevent a cyberattack even with the best cybersecurity precautions. Information security vulnerabilities will remain whether caused by human or technical imperfections. Equifax will likely argue it did not cause the data breach because it (presumably) had implemented information security industry best practices to prevent a data breach. Such an argument requires Equifax to produce documentation, logs, expert witnesses and other evidence about the strength and robustness of its cybersecurity program. (Given the sensitive nature of these documents, Equifax would be advised to redact them from the public court record with leave of the judge. Never show the public your detailed cyber-defense plans.) By showing that defendant has taken all reasonable precautions against a cyberattack and implemented an effective incident response plan, it will be difficult for plaintiffs to attribute causation of their loss to the defendant.
2C) Speculative Loss
Even assuming causation and liability can be established, the class action plaintiffs will encounter difficulties in proving their damages or loss with reasonable certainty. Intangible harms are by nature hard to quantify. For defense attorneys, casting doubt on the certainty of plaintiff’s damages theory or calculation may mitigate or avoid a damages award, even where the other elements of the cause of action have been satisfied.
Potential defendants should also consider incorporating contractual terms that disclaim liability for data breaches. In Silverpop Systems Inc. v. Leading Market Technologies, Inc. (Jan. 2016), the 11th Circuit Court of Appeals held that a contracting party who allowed a valuable trade secret to be hacked is not liable to pay the owner of that trade secret for any lost value arising from its compromise. The parties in this case had a contractual provision disclaiming any liability for damages deemed too remote. Therefore, potential defendants in class action data breach lawsuits should review the terms of their applicable service agreements to see whether they need to adopt a similar disclaimer clause.
3) The Politics of Data Breach Litigations
Assuming that a corporate defendant has undertaken all reasonable efforts to design, implement and audit a robust cybersecurity policy, it is questionable whether society ought to shift the risk of data breach losses onto that defendant. Sure, they make money from their services by collecting PII, and they provide an essential function in society. But if they have done everything reasonably possible to secure the PII stored in their databanks, then why should they be the ones to bear the full brunt of the loss, which could potentially be bankrupting? Remember the US$450 Billion lawsuit (one of over 30 court actions) facing Equifax. No company in the world would be able to survive the financial burden of a court judgment for even half or a third of that amount for something that third-party hackers did. Today they hack Equifax. Tomorrow, when they hack Goldman Sachs or JP Morgan (profitable banks presumably with sophisticated cyber-controls), class action plaintiffs could conceivably be suing for multi-trillion US dollar damages. The class action logic is that since investment banks make more money than Equifax and present even bigger targets, the damages claimed in class actions ought to be correspondingly increased. Sure, banks are not the most sympathetic of defendants, but justice is blind, and there is something wrong in bankrupting legitimate businesses that made a bona fide effort to protect consumer PII from being compromised in data breaches.
Yet consumers also need to be permitted to seek redress for legitimate harms, even when those harms are novel under the law. Modern courts are hesitant to grant plaintiffs expanded access to sue for intangible harms such as the increased risk of identity theft. This reluctance is similar to the reluctance that early common law judges showed towards tort cases for emotional harm without accompanying physical harm. In early common law, as in the seminal English case of Victorian Railways Commissioners v. Coultas (1888), courts were hesitant to award damages for pure emotional harm because there was no way to verify the authenticity of such claims. Modern psychology was still undeveloped: at the time of that decision, Sigmund Freud was in his early thirties. Also at the time, Bedlam Hospital in London charged spectators a penny to observe the mentally ill patients housed there. Because there was a gross misunderstanding of human psychology, the courts did not understand emotional harms well enough to compensate them under the law. As one legal scholar puts it, the early courts were:
"wary of opening the floodgates to fraudulent, frivolous, and perhaps even marginal lawsuits. Harms of an emotional nature...were viewed as subjective and difficult to categorize or to assign damages. Concerns stemmed from a lack of precedent, a fear of frivolous litigation, and from a difficulty in measuring emotional harm physically and financially."
The same could be said about how modern courts view harms created by emerging technologies. It is axiomatic that the law will lag behind technological changes. We are only now beginning to comprehend the true magnitude of the types of harms being posed to society by cybersecurity attack vectors. Industries are now only beginning to adopt blockchain technology to help securely send and store personal data. This may one day reduce the risks of data breach litigations because consumers and not third party intermediaries would control the fate of their own personal data.
The courts are struggling to balance the need to control the floodgates of litigation against the need to protect plaintiffs from new forms of harm caused by the rise of cyberattacks that are not familiar under law.
One way to achieve such balance is to use legal concepts like "standing", "causation" and "speculative" losses as surrogates for deciding the fundamental question in cases of enormous social import: whether it is fair to make the defendant liable for an emerging and novel harm. If courts do not feel it is just to impose the loss on a defendant, they are able to exonerate it by holding that there was no proper standing, causation or certainty of damages. As judges become more proficient in cybersecurity and its harms, and industries become more accustomed to securing data via blockchain technology, the courts can gradually control the floodgates of class action data breach lawsuits in a measured manner. The wheels of justice need to turn slowly even in the face of the disruptive nature of emerging technologies, so as to cushion the socio-economic effects of novel legal issues.