March 5, 2020
The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability.
While eliminating cybersecurity litigation risk entirely is likely not feasible, recent cases highlight some steps that companies can take to reduce their potential exposure to cybersecurity litigation:
Cybersecurity litigation claims are rarely limited to challenging the reasonableness of the defendant’s security practices. Instead, plaintiffs and regulators regularly assert claims that the company misrepresented the strength of its practices to consumers, allegedly in violation of consumer fraud statutes or common law principles of misrepresentation. If the entity is a public company, investors may also claim to have been deceived in violation of securities statutes.
Plaintiffs typically rely upon a company’s pre-incident statements about the strength of its cybersecurity measures in support of such claims. Although a company can still defend against such claims by pointing to the accuracy of its statements on the merits, statements about the strength of cybersecurity measures can prevent an early dismissal. For example, in In re a Multinational Consumer Credit Reporting Agency Securities Litigation, 357 F. Supp. 3d 1189, 1218-23 (N.D. Ga. 2019), plaintiffs alleged that despite the Multinational Consumer Credit Reporting Agency's public assurances that it had adequate cybersecurity, its system had numerous easily exploitable vulnerabilities that resulted in a cybersecurity incident. The court held that the allegations that the Multinational Consumer Credit Reporting Agency's statements were inaccurate were sufficient to prevent dismissal of the plaintiffs’ securities fraud claim. See id. In contrast, saying nothing about the company’s cybersecurity measures may prevent the plaintiffs from successfully pleading a deception-based claim. See In re Brinker Data Incident Litig., No. 3:18-cv-686-J-32MCR, 2020 WL 691848, at *14, 19 (M.D. Fla. Jan. 27, 2020) (plaintiffs’ failure to identify any misrepresentations resulted in dismissal of their consumer fraud claims).[1]
Sometimes companies are legally required to make disclosures about their security practices, but sometimes they are not. In the absence of a legal requirement, companies should carefully evaluate whether the business case for any statements about their cybersecurity measures justifies the resulting litigation risk. In addition, any such statements should always be vetted to make sure they are completely accurate.
Arguably, a requirement to have “reasonable” cybersecurity is unconstitutionally vague, because it fails to provide businesses with fair notice of what security measures are “reasonable.” See LabMD, Inc. v. F.T.C., 894 F.3d 1221 (11th Cir. 2018) (overturning an FTC order requiring a company to implement a “reasonably designed” security system because the order did not specify what measures would comprise such a system or how reasonableness would be determined). However, both regulators and private plaintiffs continue to assert claims premised on alleged failures to implement “reasonable” security, making it worthwhile for businesses to assess their practices. On this front, companies can—without conceding that doing so is a required component of “reasonable” security—engage in risk assessments that take into account the costs and benefits of potential enhancements to the company’s security posture and seek to comply with emerging cybersecurity standards such as those found in the Center for Internet Security’s Critical Security Controls, Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17), and New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). While the process of conducting such security assessments can itself create litigation risk, companies can mitigate that risk by taking steps that will support a claim that related documents and communications are privileged, as discussed below.
State laws (and in limited situations federal law) require that businesses disclose certain types of incidents to the individuals whose personal information was involved and/or to regulators. Compliance with these statutes is important because an inadequate or untimely notice could potentially result in liability.
However, a company’s statements about a cybersecurity incident can be used to support class action plaintiffs’ claims. Therefore, companies should closely consider whether and how to make statements that are not legally required and should take care that such statements do not unnecessarily increase the company’s litigation risk.
Article III standing, for instance, requires a showing that the plaintiff has been injured or faces an imminent injury. In In re Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018), the court cited defendant’s suggestion that its customers should change their passwords on any account where they used the same or similar password as one factor supporting its finding that the plaintiffs had adequately alleged an imminent harm. The Seventh Circuit held that statements about the scope of an incident, Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), as well as an offer of credit monitoring, Remijas v. Neiman Marcus Grp. LLC, 794 F.3d 688, 690 (7th Cir. 2015), supported a finding that plaintiffs faced a risk of harm sufficient to establish standing.
Likewise, anything a company says about a cybersecurity incident it has suffered may be cited as relevant to whether the company experienced an unauthorized access or exfiltration of personal information, which is a necessary component of many cybersecurity claims. Not all security incidents result in unauthorized access or exfiltration. And yet, plaintiffs will strain to interpret any acknowledgement of a cyberattack as a concession that such access or exfiltration has occurred. Accordingly, companies should carefully evaluate whether and how to make any statements about a security incident that are not legally required and should be careful not to overstate the facts in such disclosures.
Private cybersecurity litigation is typically brought in the form of a class action, which potentially exposes companies to enormous litigation costs in addition to potential liability to the proposed class. Arbitration offers a potential alternative to avoid this exposure. As the Supreme Court has noted, for example, individual arbitration involves “lower costs, greater efficiency and speed, and the ability to choose expert adjudicators to resolve specialized disputes.” Stolt-Nielsen S.A. v. AnimalFeeds International Corp., 559 U.S. 662, 685 (2010).
Recognizing the strong federal policy of encouraging arbitration under the Federal Arbitration Act, a number of putative cybersecurity class actions have been dismissed or stayed in favor of arbitrations. See, e.g., Gutierrez v. FriendFinder Networks, Inc., No. 18-cv-5918-BLF, 2019 WL 1974900 (N.D. Cal. May 3, 2019); Yu v. Volt Info. Scis., Inc., No. 19-cv-1981-LB, 2019 WL 3503111 (N.D. Cal. Aug. 1, 2019). Accordingly, companies should consider including in their agreements with consumers and employees a mandatory arbitration clause with a class action waiver that is broad enough to include disputes over cybersecurity incidents.
However, at least one recent decision highlights the potential for significant costs associated with individual arbitration claims. In Abernathy v. DoorDash, Inc., No. C 19-7545 WHA, 2020 WL 619785, at *1 (N.D. Cal. Feb. 10, 2020), almost 6,000 DoorDash employees filed individual arbitration claims in the AAA, complaining that they had been improperly classified as contractors, not employees. After DoorDash refused to pay the $12 million in fees it allegedly owed for the arbitrations,[2] the court granted plaintiffs’ motion to compel arbitration (and to require DoorDash to pay the associated fees). See id. at *3.
DoorDash was an employment case, and signing up a substantial number of consumers for a mass arbitration following a cybersecurity incident may be significantly more difficult than signing up employees/contractors. Nevertheless, while companies should closely consider arbitration provisions, the ultimate strategy chosen should take into account the risks associated with mandatory arbitration.