As recent events have made abundantly clear, threats to corporate cybersecurity are an issue that companies, their boards and their managers cannot afford to ignore. Cyberattacks and other threats to data security are alarmingly common. In its "2014 Data Breach Investigations Report," Verizon confirmed there were more than 63,000 cybersecurity incidents in 2013, resulting in more than 1,300 confirmed data breaches.[1] The Ponemon Institute, a data security research firm, estimates that cybercrime costs more than $113 billion a year worldwide and that the average cost to a company of a data breach is $3.5 million.[2] More and more business systems are networked, and so long as the Internet continues to play an expanding role in commerce, both the motive and opportunities for cybercrime will expand alongside it.
The highly publicized data theft suffered by Target in November 2013 is just one example of the tremendous costs that a cyberattack can inflict on a company's bottom line, as well as its reputation. More than 110 million customer records were stolen in that attack, including the data from more than 40 million credit and debit cards.[3] And although Target's data breach is remarkable for its size, it is otherwise typical of an increasingly common threat and serves as a useful illustration of the variety of costs that a data breach can inflict on a business and its leaders. Target has spent $87 million on data breach-related expenses through May 2014, and these costs are ongoing.[4] They include internal investigation costs, additional call center staffing, legal and professional fees, and compensation to payment card networks for fraud losses. But these direct costs do not represent the totality of the risks that data breaches pose to companies. This article explores some of the many risks that directors and officers must consider in planning for and responding to a cyberattack.
Companies face serious reputational risk in the wake of a data breach, which could create significant economic loss. For example, after announcing its recent breach, Target experienced a 46 percent drop in net profit during the holiday shopping period. And although consumers have largely returned to Target's stores, some companies may not easily regain their customers' trust. During an SEC roundtable on cybersecurity in March, one panelist opined that a single incident of customer loss due to data intrusion would probably bring down an investment manager or securities broker-dealer because the loss of customer confidence in the financial services industry could be irreparable.[5]
Significant data breaches almost inevitably will be met with litigation, which often becomes a drawn-out and expensive distraction from a company's day-to-day operations. In its year-end report, Target disclosed that more than 80 actions have been filed in courts nationwide. Sony similarly faced almost 60 lawsuits after a 2011 cyberattack on its PlayStation network.[6] Reviewing even a small number of these lawsuits demonstrates the multiplicity of legal claims that a company may face after a data breach. A sampling of the various types of litigation risk is described briefly below.
Direct Consumer Economic Loss
Companies may face litigation seeking to recoup direct economic losses sustained by the customers or individuals whose data is breached. In Target's case, the bulk of the losses from fraudulent use of the stolen payment card information has fallen on the issuers of those cards, and as losses have mounted, a number of banks and card issuers have sued to recoup their costs. One such complaint alleges that it has cost banks more than $172 million just to re-issue stolen payment cards and cites an analysis by the investment bank Jefferies estimating that the total losses from the data theft may total more than $1 billion.[7]
Violation of Data Privacy Laws
Even in data breaches that do not involve banking or credit card information, or where there are no fraud losses, there can still be substantial exposure to litigation by individuals whose personal information was compromised. In Target's case, dozens of lawsuits have been brought on behalf of consumers, seeking damages for negligence and for violations of state data privacy laws.[8] Forty-six states, plus the District of Columbia, have passed data privacy laws requiring entities sustaining a data breach to promptly notify any individual whose personal information was, or was reasonably believed to have been, compromised.
Although the precise details of these statutes vary from state to state, the majority of these notification laws provide for a private right of action. Additionally, many state attorneys general have been aggressive in their efforts to enforce data breach notification laws. In one recent instance, Kaiser Permanente agreed to pay $150,000 and to submit to an injunction to settle a lawsuit brought by the California attorney general after Kaiser allegedly delayed notifying employees of a data breach for more than two months while it conducted a forensic analysis to determine the scope of the breach.[9] The injunction requires Kaiser to provide notification of any future breaches on a rolling basis, to make this notification "as soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser's investigation of the breach is ongoing," and to "continue to notify individuals as soon as they are identified, throughout and until completion of Kaiser's investigation of the breach."[10] This language may indicate that the California AG will interpret the statutory requirement that notification be made "without unreasonable delay" strictly in future cases, and as California has been a leader in this area, other states may follow its lead in construing their own data breach notification statutes.
Federal regulators are increasingly active in policing businesses' cybersecurity efforts. In 2010, the FTC promulgated the "Red Flags Rule," which requires a wide variety of companies to implement identity theft protection programs to detect and mitigate data breaches,[11] and Federal Trade Commission Chairman Edith Ramirez has been vocal in asking Congress to give the FTC specific rulemaking authority to allow it to better address cybersecurity threats.[12] Even without specific statutory authority related to cybersecurity, the FTC has brought and settled almost 50 cases claiming that companies' data security practices constituted unfair or deceptive trade practices.[13] For example, the FTC recently settled with Snapchat over allegations that the company was making misleading representations about its privacy practices. The consent agreement with Snapchat will require it to operate under the supervision of an independent privacy monitor for 20 years.[14] Although the FTC has stepped into a lead role in cybersecurity enforcement, it is not the only federal regulator that has taken up the issue. The SEC, for example, has promulgated rules advising public companies to make disclosures regarding their data security efforts and has indicated that it is contemplating further cybersecurity rulemaking.[15]
The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act protect the privacy of individuals' personal health information and require patient notification in case of data breach. These rules can be enforced not just against healthcare providers, but in many cases against their vendors, consultants, accountants and contractors—many of whom may not realize the legal risks they face for noncompliance. Civil penalties for willful neglect under the statute can be as high as $1.5 million per violation in cases of repeated or uncorrected violations.[16] Even unknowing, good faith violations can result in fines from $100 to $50,000 per occurrence. In one recent settlement, a health plan paid more than $1.2 million in penalties after it returned several photocopiers to a leasing agent without erasing data contained on the copier hard drives.[17] And in May 2014, two New York hospitals that operated a shared data network jointly agreed to pay a record-setting $4.8 million fine after private health information was accidentally made accessible to Internet search engines.[18]
Potential Tort Liability for Regulatory Non-Compliance
Although the federal healthcare statutes don't directly provide for a private right of action, some states have determined that failure to adhere to HIPAA and HITECH constitutes the common law tort of negligence.[19] These potential tort claims pose a real risk of economic loss. For instance, in February 2014, a federal court in Florida gave final approval to a settlement in a first-of-its-kind class action that will compensate class members whose personal information was compromised, but who did not experience any fraud losses or identity theft, as "reimbursements for data security that they paid for but allegedly did not receive."[20] The settlement required the defendant, AvMed, to pay $3 million into a fund to be used to compensate the class members. Significantly, AvMed initially won a dismissal of the case that the U.S. Court of Appeals for the Eleventh Circuit overturned, finding that the insurance premiums paid by class members included payment for data security that was not received.[21] The inability to prove specific damages has often been an obstacle in claims by individuals whose personal information was compromised, but who suffered no fraud loss. These types of claims may enjoy a renewed vitality as plaintiffs' lawyers take note of the AvMed decision.
Shareholder Litigation Risk
As SEC Commissioner Luis Aguilar recently warned, "boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."[22] Derivative lawsuits against directors are increasingly common after data breaches. In the wake of a large data theft of more than 130 million credit card records, Heartland Payment Systems' directors and officers faced a derivative complaint that alleged the directors misled shareholders about the breach in SEC filings and on investor calls.[23] Similarly, derivative lawsuits have been filed against the directors and officers of Target, alleging that they breached their fiduciary duties in failing to take reasonable steps to maintain customers' personal and financial information. In light of U.S. Senate and media reports claiming that Target had warning signs that its systems had been infiltrated, yet failed to heed them, the defendants in these derivative lawsuits may be facing protracted and expensive litigation.[24]
The trend of shareholder litigation relating to cybersecurity is likely to continue, as the SEC has demonstrated that it views cybersecurity as a material corporate governance concern. In 2011, the agency issued staff guidance encouraging companies to make fuller disclosures of cybersecurity risks,[25] and at a roundtable in March, commissioners made clear that they were contemplating further rulemaking.[26] Commissioner Aguilar has expressed the view that there is a gap between "the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks."[27]
Companies' exposure to legal costs related to data security can be compounded by unforeseen indemnity and insurance complications if corporate leaders are not proactive. Many businesses have been denied insurance coverage for damages and legal defense costs after a data breach, as most general commercial liability policies only cover losses to tangible property. For example, after Sony sustained a massive data theft from its PlayStation network, Sony's insurer filed for—and won—a declaratory judgment holding that it had no duty to defend against the more than 50 related lawsuits, nor any duty to indemnify Sony for its losses, which Sony estimated at more than $171 million before defense costs. The court found that Sony's loss did not involve tangible property and therefore was not covered under the policy's property loss provision, and that Sony had not itself published the information and therefore was not entitled to coverage under its advertising injury policy.[28] The threat of cybersecurity risks and the uncertainty of coverage under traditional insurance policies have created a growing market for new cybersecurity insurance policies for businesses.
Business Partner and Vendor Risk
Companies also need to meticulously examine their relationships with both customers and vendors for ways in which those relationships may be creating cybersecurity exposure. In recent speeches, U.S. Comptroller of the Currency Thomas J. Curry has expressed concerns about vendor and contractor risks in the financial sector, noting that banks increasingly rely on third-party vendors who have access to large amounts of sensitive data and that even well-established banks have encountered problems resulting from underestimating the risk in third-party relationships.[29] As another example, Stanford Hospital agreed to pay roughly $750,000 toward a $4.1 million settlement in a class action brought after patient information ended up on a public website after passing through a series of interconnected vendors and affiliates.[30] The information was provided to a marketing consultant that was engaged by a billing contractor that in turn provided services to Stanford.
Proactive Management Required
Data breaches have become so frequent that only the largest incidents draw much media attention. However, no business with a digital presence is immune to cybersecurity risks. Companies, large and small, need to be proactive and aggressive in confronting these threats. Companies need to take appropriate measures to minimize the risks that their data is compromised. This should include not only physical and cryptographic security measures, but also an accurate and complete assessment of data systems to identify and correct potential security weaknesses.
Companies also must consider what information they collect, how it is used, and whether they are creating unnecessary risk by over-collecting data or storing stale data beyond its useful life. Companies also need to have a considered and practiced action plan to handle the aftermath of a data breach.
After a data breach, litigation risks, regulatory mandates and reputational concerns may all pull in different directions, with internal stakeholders competing for control. A well-orchestrated response plan that accounts for these competing concerns, as well as the early involvement of technical experts and legal counsel, may provide the best opportunity to minimize the legal and business costs of a data breach.
Originally published in Corporate Accountability Report, 12 CARE 30, 07/25/2014 by The Bureau of National Affairs, Inc.
1. Verizon, 2014 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR.
2. PONEMON INST., 2013 COST OF DATA BREACH STUDY: GLOBAL ANALYSIS (May 2013), available at https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
3. Elizabeth A. Harris and Nicole Perlroth, For Target, the Breach Numbers Grow, N.Y. TIMES, Jan. 11, 2014, at B1.
4. See Target Securities and Exchange Commission Form 10-K dated Mar. 14, 2014 and Form 8-K dated May 21, 2014.
5. U.S. Sec. & Exch. Comm'n, Cybersecurity Roundtable Transcript (Mar. 26, 2014), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
6. E.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012).
7. Trustmark Nat'l Bank v. Target Corp., No. 1:14-cv-02069 (N.D. Ill., filed Mar. 24, 2014).
8. E.g., Mancias v. Target Corp., No. 3:14-cv-00212 (N.D. Cal., filed Jan. 14, 2014).
9. Complaint, People v. Kaiser Found. Health Plan, No. RG14711370 (Super. Ct. Alameda Co., filed Jan. 24, 2014).
11. 16 C.F.R. 681.
12. Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, testimony before the Senate Committee on Commerce, Science, and Transportation (Mar. 26, 2014), available at http://www.ftc.gov/system/files/documents/public_statements/293861/140326datasecurity.pdf.
13. The FTC's authority to regulate data security was upheld by the U.S. District Court for the District of New Jersey, after hotel franchiser Wyndham Worldwide challenged its authority to do so in an action related to a string of three data losses Wyndham sustained inside of two years, which resulted in more than $10 million in fraudulent credit card losses. FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887 (D.N.J., unpublished opinion June 23, 2014).
14. The consent order remains subject to final approval by the Commission as of May 12, 2014. See Fed. Trade Comm'n, Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False, available at http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were.
15. U.S. Sec. & Exch. Comm'n, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm; U.S. Sec. & Exch. Comm'n, Cybersecurity Roundtable Transcript, supra note 5.
16. 42 U.S.C. § 1320d-5.
17. U.S. Dep't of Health & Human Svcs., HHS settles with health plan in photocopier breach case (Aug. 14, 2013), available at http://www.hhs.gov/news/press/2013pres/08/20130814a.html.
18. U.S. Dep't of Health & Human Svcs., Data breach results in $4.8 million HIPAA settlements (May 7, 2014), available at http://www.hhs.gov/news/press/2014pres/05/20140507b.html.
19. E.g., R.K. v. St. Mary's Med. Ctr., Inc., No. 11-0924 (W. Va. Nov. 15, 2012).
20. Curry v. AvMed, Inc., No. 10-cv-24513-JLK (S.D. Fla. Feb. 28, 2014).
21. Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).
22. Speech, Luis A. Aguilar, Commissioner, U.S. Sec. & Exch. Comm'n, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U8VmTnPD-Uk.
23. In re Heartland Payment Sys., Inc. Sec. Litig., No. CIV-09-1043 (D.N.J. Dec. 7, 2009).
24. Elizabeth A. Harris, Target Had Chance to Stop Breach, Senators Say, N.Y. TIMES, Mar. 27, 2014, at B10; Michael Riley et al., Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, BLOOMBERG BUSINESSWEEK (Mar. 13, 2014), available at http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.
25. U.S. Sec. & Exch. Comm'n, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
26. U.S. Sec. & Exch. Comm'n, Cybersecurity Roundtable Transcript (Mar. 26, 2014), http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
27. Speech, Luis A. Aguilar, Commissioner, U.S. Sec. & Exch. Comm'n, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U8VmTnPD-Uk.
28. Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (Sup. Ct. N.Y. Cnty.). On Apr. 9, 2014, Sony appealed the ruling; the appeal remains pending.
29. Thomas J. Curry, U.S. Comptroller of the Currency, Remarks before the CES Government (Apr. 16, 2014), available at http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-59.pdf; Remarks before the New England Council (May 16, 2014), available at http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-73.pdf.
30. Kevin Sack, How Did Data About Patients Land on Web? Don't Even Ask, N.Y. TIMES, Oct. 6, 2011, at A20; Marianne Kolbasuk McGee, Stanford Breach Lawsuit Settled, DATA BREACH TODAY (Mar. 24, 2014), http://www.databreachtoday.com/stanford-breach-lawsuit-settled-a-6670.