In the wake of the recent hack of Sony Pictures Entertainment, the news media has cast Sony in a somewhat sympathetic light as the helpless victim of a cyberterrorist attack, and has gone on to focus the debate on a free speech question: whether Sony was justified in pulling the release of “The Interview.” (See Alexandra Petri, Update: Sony has now pulled ‘The Interview’ from theatres, The Washington Post (Dec. 17, 2014); Amy Nicholson, Pulling The Interview Is the End of Free Speech in Hollywood (Dec. 17, 2014)).
But there is another side to this story. Joshua Kopstein argues in a recent report for Al Jazeera America that we should not cast Sony in a sympathetic light in the wake of its data breach. Instead, Kopstein suggests that Sony is culpable of negligence or worse for allowing the breach to occur in the first place.
Keeping Kopstein’s arguments in mind, it is important to note that, while the media may at times take a sympathetic view of companies that are victims of cyber attacks, law enforcement officials and legislators presently do not. Instead, both lawmakers and law enforcement officials currently respond to news of data breaches with punitive measures, holding such companies legally responsible for the damages wrought by the attacks. In a recent roundtable discussion, for example, the FCC’s Enforcement Bureau Chief, Travis LeBlanc, indicated that the FCC would continue to work in cooperation with state attorneys general and the Federal Trade Commission to go after companies that fail to keep the data security promises they make to the public in their privacy notices and policies. Indeed, the past year has yielded numerous examples of government agencies, including state Attorneys General and the Federal Trade Commission, as well as private litigants, holding companies liable for damages caused by security breaches.
The California Attorney General’s Office
The State of California takes data breaches seriously. Under Section 1798.82(a) of the California Civil Code, a business that suffers a security breach must notify any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The law further requires that a business report a security breach to the California Attorney General’s Office if more than 500 California residents were affected by a single breach.
The California Attorney General actively enforced the state’s breach notification law this past year by filing a complaint against Kaiser Foundation Health Plan, Inc. for failing to report a December 2011 security breach in a timely fashion. The Attorney General alleged that the healthcare provider did not report the breach until March 2012, even though Kaiser had sufficient information between December 2011 and February 2012 to begin notifying affected California residents. In February of this year, the Attorney General secured a $150,000 settlement from Kaiser for violating California’s breach notification law.
The California Attorney General’s action against Kaiser demonstrates that the Office will enforce the notification statute on its own terms: the penalty was imposed for the delay in notifying affected residents, not for the underlying security lapse. Companies should therefore expect to be held accountable both for a breach itself and for how quickly they disclose it.
The Federal Trade Commission
The Federal Trade Commission has taken a very active role in holding companies liable for the data breaches they incur. Over the past several years, the agency has settled over 70 cases in which a company’s failure to reasonably safeguard consumer information was treated as an unfair business practice under Section 5 of the FTC Act, in addition to some 50 other settlements with businesses that failed to provide adequate consumer data protection under other data security laws. The FTC is also currently investigating Target over the security breach the company suffered in December 2013.
Despite the agency’s success in recent years, in March 2014 FTC Chairwoman Edith Ramirez proposed to Congress three areas in which legislation could bolster the FTC’s ability to investigate and prosecute data security violations. The Chairwoman stated that Congress should:
- Consolidate data breach notification laws on the federal level in order to streamline compliance rules and regulations while ensuring consumer protection.
- Grant the FTC authority to seek civil penalties against all data security and breach violators, including non-profit entities, to ensure that every entity that collects and maintains sensitive consumer information falls within the agency’s jurisdiction.
- Grant the FTC rulemaking authority under the Administrative Procedure Act to implement new data security regulations in order for the agency to keep up with technological innovation.
If Congress follows the Chairwoman’s proposals and passes sweeping legislation that consolidates the administration of data security and breach notification laws in the FTC, businesses not previously subject to any data security obligations will find themselves under a potentially more stringent and robust federal regulatory regime.
Private Litigation
This past year has also seen a rapid increase in the number of private lawsuits against companies for failing to prevent data breaches. One reason is that courts are increasingly willing to find that affected consumers have standing to sue companies for failing to take adequate precautions against a security breach.
A recent example is the December 20 decision of a U.S. District Judge rejecting Target’s motion to dismiss a class action lawsuit filed by consumers affected by the company’s December 2013 data breach. Although Target argued that the plaintiff-consumers lacked standing to raise any of their claims because they had suffered no injury, Judge Paul Magnuson rejected that argument, stating:
“But plaintiffs have alleged injury . . . Target ignores much of what is pled, instead contending that because some plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts, plaintiffs have insufficiently alleged injury.”
In finding that the consumer-plaintiffs had alleged injury, Judge Magnuson pointed to the concrete effects of the breach on consumers, including unlawful charges on their debit or credit cards, restricted or blocked access to bank accounts, inability to pay bills, and various card fees.
Judge Magnuson’s finding of standing in the Target litigation stands in direct contrast with how courts have treated standing in data breach lawsuits in recent years, and it may signal an increased tolerance by courts – and increased risk for companies and other stewards of consumer data – of class action lawsuits against companies that have experienced data breaches.
Although Sony claims that it could not have done anything to prevent its recent breach, Kopstein points out that Sony’s demands that journalists stop reporting on the leaked emails suggest a lack of acceptance of responsibility for the breach by Sony’s executives. Companies must instead recognize that, in the current legal environment, they may be held liable at both the state and federal level for failing to prevent such security breaches. Furthermore, companies need to examine their data security measures, the promises they make about those protections, and whether any changes in their business practices or data collection could expose them to greater risk of harm to business or reputation in the event of a breach.
If you have any questions regarding your company’s responsibilities arising from a security breach, or any other question regarding data security compliance, please contact Linda McReynolds at email@example.com.