The Legal Reality of a Cyber Security Breach
October 11, 2015
No company is immune to a data breach. Many have already suffered one (or more), many others don't yet realize they have been breached, and for the rest (a tiny minority)—it may be just a matter of time. This is the world that we all operate within—and what we do and how we manage data security is driven most significantly by the law.
Effectively navigating this area is a complex matter. Despite numerous attempts, there is still no single federal law that regulates data security. Currently, the FTC Act is the federal watchdog when it comes to monitoring data security, and it gives the FTC the authority to review and regulate any activity that affects consumer data. More specifically, the Act applies to personally identifiable information (PII). For example, if your business collects a consumer's name along with their email address or other contact information, your activity falls under the FTC's jurisdiction. Your risk of non-compliance is very real: even unknowingly failing to follow the procedures set out in your own privacy policy can trigger the FTC's involvement.
Data security guidelines set by standard-setting entities, such as the National Institute of Standards and Technology (NIST), may also shape the legal reality you need to observe. Courts are likely to pay close attention to what these and other subject matter experts recommend. So if NIST points to certain relevant best practices for dealing with data security and your company did not implement them, you should be prepared to explain convincingly why those practices are not relevant; this is not likely to be a trivial or inexpensive task.
With all of this in mind, it is important that you obtain from your counsel a proper information security policy (ISP) and an incident response plan (IRP). This ensures that these key business documents were drafted (and are periodically updated) by a lawyer who took into account current statute and case law. For this to happen, your lawyer must be intimately familiar with, and keep constant (daily) tabs on, developments in federal and state courts, administrative bodies such as the FTC, and standards-setting organizations such as NIST.
There are countless cases (judicial and administrative) that need to be considered when drafting the ISP and IRP. The common denominator between the ones listed below is that when companies have effective policies and practices in place, they can really save the day.
Krottner v. Starbucks. When an unencrypted laptop containing PII of thousands of Starbucks employees was stolen, the court agreed that the plaintiff was "immediately in danger of sustaining some direct injury as the result of the challenged conduct."
Clapper v. Amnesty International. The gold standard for disposing of cases for failure to prove sufficient harm. The U.S. Supreme Court held that the plaintiffs' fears of being surveilled by the government were "highly speculative" and based on a highly attenuated chain of possibilities that did not result in a certainly impending injury.
In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig. A thief stole encrypted backup tapes containing personal medical information. The court concluded that the plaintiffs suffered no immediate injury because the thief would have needed to identify the tapes, obtain specialized equipment to read them, break the encryption, etc.
Remijas v. Neiman Marcus. Despite the fact that thousands of Neiman Marcus customers had actual fraudulent charges on their credit cards following a breach, the court was not persuaded that unauthorized credit card charges for which none of the plaintiffs were financially responsible qualified as 'concrete injuries.'
Target MDL No. 14-2522. An example of state law being applied extraterritorially as the judge refused to limit the scope of the Minnesota law to in-state transactions.
Contrast with Resnick v. Avmed. The PII of 1.2 million current and former Avmed members was stored on unencrypted laptops that were stolen. Unlike in other cases, such as Clapper, the court found that use of the PII 10 and 14 months after the laptops were stolen was sufficient to demonstrate that identity theft was fairly traceable to the theft of the laptops containing the PII.
Published in the 2015 Cyber Security Summit Guide.
Eran Kahana is a technology and intellectual property attorney with extensive experience advising clients in domestic and international settings. His practice focuses on cyber security, patent, trademark, and copyright law. Eran serves as general counsel and on the Board of Directors for the Minnesota Chapter of InfraGard, a nonprofit partnership between the FBI and the private sector dedicated to the protection of critical infrastructure, and is a Research Fellow at Stanford Law School, where he writes and lectures on the legal aspects of using artificial intelligence.