In Today’s World, Companies Face Large Exposure from a Wide Variety of Possible Data Breaches

As the world becomes more interconnected, data breaches and cyber-attacks are increasingly becoming an unfortunate reality for many organizations. The stakes are high: a data security breach can disrupt a company’s operations, damage the business’s reputation, cause its stock price to fall, lead to the loss of business, and attract government investigations, agency action, and class action lawsuits. Complicating matters is the fact that a patchwork of state and federal laws can apply to the same data security breach incident.

Many states have enacted data security laws that differ depending on the type of protected data. For example, California has enacted the Confidentiality of Medical Information Act, governing the dissemination of personal medical information from a healthcare provider or contractor, while Massachusetts has enacted a general data privacy statute and accompanying regulation. On the federal level, laws address the privacy of healthcare data (HIPAA and HITECH), financial data (Gramm-Leach-Bliley Act), and credit information (Fair Credit Reporting Act), among others. Many states have also implemented data breach notification laws requiring companies affected by a breach to notify consumers and (in some states) applicable state authorities of the breach. Similarly, the U.S. Department of Health and Human Services (“HHS”) requires that a breach of protected health information (“PHI”) be reported to the affected individuals, the HHS, and even the media, depending on the scope of the breach.

Consequences can be dire for those companies affected by a data breach, who face legal action from consumers, state attorneys general, and federal agencies. One demonstrative example is found in Health Net of Connecticut. In May 2009, Health Net discovered that it had lost a computer hard drive containing the PHI of 500,000 Connecticut residents. Health Net was sued in January 2010 by the Connecticut Attorney General for violations of HIPAA, the Connecticut data breach law and the Connecticut Unfair Trade Practice Act. This suit was settled after Health Net agreed to pay $250,000 in penalties and implement a corrective action plan. However, this was not the end of Health Net’s legal exposure. The Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of this settlement, Health Net agreed to pay $350,000 in penalties and to supply two years of credit monitoring protection to those affected by the data breach. Shortly after, in January 2011, Health Net settled a suit brought by the Vermont Attorney General arising out of the same incident, which had also affected 525 Vermont residents. That litigation alleged violations of HIPAA, Vermont’s Security Breach Notice Act, and Vermont’s Consumer Fraud Act. Under the terms of this settlement, Health Net paid $55,000 in penalties and agreed to submit to a data security audit and to file reports with the State of Vermont for two years.

Litigation extends far beyond the healthcare context. Companies that suffer a serious data breach have been sued under numerous causes of action. Some of the most common allegations are negligence, breach of fiduciary duty and breach of contract. Negligence is usually defined as a failure to use reasonable care, or as doing something a reasonably prudent person or company would not do. Plaintiffs may also claim that federal privacy laws, such as those contained in HIPAA, and state consumer protection laws create fiduciary duties that are breached when data is lost or stolen.

Such suits are increasingly common. Several months ago, three class actions were filed against MAPCO Express, a southern convenience store chain, based on a hacking incident involving the compromise of its customers’ credit and debit card information. And in Johansson-Dohrmann v. CBR Systems, Inc., No. 3:12-cv-01115 (S.D. Cal., filed May 7, 2012), a case that arose from a December 2010 theft involving a CBR employee’s vehicle, in which a laptop and other devices containing CBR’s clients’ names, social security numbers, and credit card information were stolen, CBR reached a settlement that could reach $115 million. CBR was also sued by the Federal Trade Commission for this incident, which charged that CBR failed to use reasonable and appropriate procedures for handling customers’ personal information, making its privacy policy claim deceptive under the FTC Act. CBR settled the FTC action in January 2013 and agreed to establish and maintain a comprehensive information security program, submit to security audits by an independent auditor every other year for the next 20 years, and to avoid misinforming the public regarding its data security.

In today’s world, it is almost a certainty that a company will become a victim of a data breach. All organizations would be prudent to invest in strengthening cybersecurity and preventing data breaches. Fortunately, many of these incidents can be mitigated or prevented by implementing and following appropriate security procedures. Whether a company succeeds or fails in enacting such procedures may have a significant impact on its bottom line.

Kevin G. Walsh and Michael R. McDonald, Directors in the Business & Commercial Litigation Department, contributed to this post.