Aug 10, 2014

Data breaches: legal limitation

Conducting a thorough investigation to determine the nature and breadth of a breach and responding quickly to the theft of customers' data can minimize legal damages

Not a month goes by that the media isn’t reporting another major data security breach, typically involving customer credit card data. Data breaches are spiking and affecting millions of retail customers. In the most highly publicized case, credit card information for more than 110 million Target customers – which included names, mailing addresses, phone numbers and email addresses – was stolen by hackers. That cyber-theft was followed by attacks on the personal data of 1.1 million Neiman Marcus clients, 2.6 million customers of Michaels Stores, and others.

Once a data breach has occurred, companies can take certain steps to contend with legal damages and try to minimize them. But most experts say boards must anticipate the inevitability of hacking and prepare a strategic plan before it happens.

Before exploring how to limit the legal consequences of an actual incident, companies must first ‘plug the hole’ and figure out the extent of the damage in order to determine their legal exposure, explains Brian Henchey, a partner at Dallas-based law firm Baker Botts. Conducting a forensic analysis reveals whether the data loss includes customers’ financial or health data and what kind of liability the company faces. Determining who’s at fault – the company or a third-party vendor – also plays a role in assessing legal damage, he says.

The reality is that most firms will likely face data security losses at some point. ‘This type of risk is almost omnipresent,’ Henchey points out. ‘You can be the best in the world at cyber-security and still get hacked.’

Preparing in advance for the inevitable intrusion is the most propitious way to operate. ‘Get your house in order,’ Henchey advises. Perform regular risk assessments and security compliance audits. What are the major risks the company faces regarding cyber-security? Are the gaps closed? Are all third-party vendors committed to cyber-security? Is there an organizational plan in place that outlines the specific roles legal, audit, IT and PR play if there is a security breach?

Individual and class-action lawsuits

Companies whose systems have been infiltrated face legal suits from two types of consumer claimants, says Nicholas Deenis, a Malvern, PA-based partner at the law firm Stradley Ronon Stevens & Young. Both individual suits and class-action suits claim the theft of personal data contributed to personal financial losses. Some plaintiffs may say the loss of data led to fraudulent charges on their credit cards. Given that, in most cases, credit card issuers are legally obliged to cover fraudulent claims, it’s often the future potential damage on which claimants base their suits. If these funds are not reimbursed, those claimants have a legitimate claim, Deenis says.

If the person’s identity has been stolen because of the theft of personal information, the filer must stipulate exactly what has been lost and what damage has been suffered. ‘There are many cases that, in fact, have been filed where the court has found no loss or damage and dismissed them,’ Deenis notes, adding that just having a phone number or email address stolen is not sufficient grounds for a suit.

But where fraudulent charges are not reimbursed, a legitimate claim arises. Offering the claimant free identity-theft protection or credit monitoring often isn’t enough to forestall the legal suit. ‘Credit monitoring is not a way to fix a potential loss of personal information,’ Deenis explains.

Attorneys invariably look for opportune targets to sue. ‘It is strategically wise for plaintiffs’ attorneys to target defendants that have the ability to pay a judgment and whose disposition in the case increases the probability that they will settle,’ notes David Thaw, a fellow at the Information Society Project at Yale Law School who is joining the University of Pittsburgh Law School in the fall. Avoiding negative PR will be another reason to settle, he adds.

An additional strategy for minimizing damage to the firm that has been hacked is to ‘shift the blame, or what attorneys call contributory negligence,’ Thaw asserts. What that means is demonstrating that the company took every reasonable step to ensure computer security but a third-party vendor was to blame for the hackers’ ability to infiltrate the system.

Moreover, when lawsuits cite a litany of damages, one line of defense for the company is to say ‘show me the monetary damages,’ Thaw continues. It can be difficult to prove, for example, that identity theft derived from a singular data breach.

On Target

What may be of greater concern to companies are legal suits initiated by banks and credit card issuers, seeking reimbursement for losses they suffered for reissuing cards to affected customers and reimbursing customers for fraudulent charges, Deenis says. Several banks and credit card companies have filed suits against Target seeking substantial damages for their costs.

For example, when the Jim Thorpe Neighborhood Bank filed a class-action suit against Target in a Minnesota state court in January 2014, it claimed ‘customer account data flooded the black market and continues to this day.’ The security breach occurred due to ‘Target’s failure to heed warning signs and take appropriate steps to secure its systems.’ Therefore, the Jim Thorpe Bank needed to ‘close and open new cardholder accounts, reissue credit and debit cards, monitor customer transactions, and/or pay unauthorized charges to cardholder accounts.’

Slow response

After a breach has occurred, it can be difficult to mitigate the legal repercussions, says Michael Overly, a Los Angeles-based partner with Foley & Lardner who specializes in security issues. Indeed, Overly says many firms are taking steps that exacerbate the situation rather than minimize any potential damages. For example, too many companies don’t carry out a thorough investigation to nail down exactly what the ‘nature and breadth of the breach is,’ he explains.

The most common mistake many companies make in data security cases is responding slowly to the theft of customers’ personal data. ‘The longer you delay, the harder it is to reconstruct what happened,’ Overly warns.

Often it’s not a single breach that takes place, but a series of invasions of personal material over a sustained period, as with Target. After the initial breach at Target, the problems escalated. Had the issue been addressed fully early on, the data loss could have been curtailed. Too often denial is a firm’s initial response, which delays addressing the problem and containing it.

Companies have tried to minimize consumer wrath by offering discount coupons for a limited time, free identity-theft prevention and credit monitoring, as Target did, notes Peter Henning, co-author of the book Securities Crimes and a law professor at Wayne State University. But all these gestures may not reduce the risk of legal exposure, he adds.

Philip Smith, senior vice president of government solutions at Chicago-based information security and compliance company Trustwave, says most often firms are sued for negligence: security weaknesses enable hackers to steal information, and merchants are ultimately responsible for protecting credit card data.

A stitch in time

Responding quickly to allay customer concerns can also alleviate some of the negative PR. For example, when Overly represented a healthcare provider, it confirmed that patient data had been accessed without authorization. But it hadn’t yet determined the full extent of the damage and whether that data had been lifted from the servers and was used for any nefarious purposes.

Senior management had to choose whether to alert customers affected by the breach or wait until a full investigation had been conducted. It decided that early notification would be most beneficial for its clients and notified them of the breach via email and mail. Overly says responding quickly to a client’s stolen material limits not only potential financial damages, but also legal and reputational problems.

Many firms are reluctant to notify customers before doing extensive due diligence, however. Henning says Target and Neiman Marcus were slow to respond and slow to inform customers, and those delays exacerbated an already difficult situation and triggered pretty negative PR. ‘They treated it like an internal problem,’ he says.

A matter of governance

Moreover, shareholders have a right to know of any major issue that affects the material performance of a company. ‘The damage to your business reputation and your ability to operate can be so significant,’ Henning says, ‘that it goes beyond the question: Is it material?’

Legally, Deenis notes that companies have until the next quarter’s earnings report to notify shareholders about data breaches and losses. For example, Target’s data breach occurred in December 2013, but it waited to explain the business impact until its 10-K was due in March 2014.

A Target spokesperson told Bloomberg News that ‘Target will fully comply with the SEC’s rules in that report, including an update to the material risks related to cyber-security and cyber-incidents, as well as a discussion of the financial impact of the data breach, to the extent known.’ Nonetheless, the delay caused US Senator John Rockefeller to question why the company ‘has not yet reported the massive data breach [it] recently suffered to the SEC’.

Directors can take a proactive role and try to convince their companies to take security breaches more seriously, try to prevent them, and set up policies that contribute to minimizing any legal damage. Boards can request detailed reports on what security measures are being taken to prevent cyber-crime. In industries such as healthcare and financial services, boards are mandating that policies be created to limit damage, Overly suggests. For example, when any data is shared with a third party, client data must be protected in order for the agreement to be signed.

The most effective way to manage any losses is ‘to be as proactive as possible,’ Overly points out. The more transparent companies are in disclosing what has occurred and the potential effect on customers, the better. When firms withhold information about data breaches, customers think they’re hiding something and feel uneasy.

‘It’s all in the communication,’ Overly explains. ‘That’s why companies are hiring consultants to do forensic examination and PR staff to make sure communication is handled properly.’

Gary Stern

Gary Stern is an author of financial books and writes for Fortune.com, CNNMoney and Investor’s Business Daily, among others.