The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability.
While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:
(1) Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
(2) Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
(3) Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
(4) Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.
(5) Consider arbitration clauses, but do so cautiously.
(6) Consider opportunities to contractually allocate or disclaim liability. READ MORE
On August 21, 2019, the U.S. Court of Appeals for the Seventh Circuit held in FTC v. Credit Bureau Center, LLC, 2019 WL 3940917 (7th Cir. 2019) that the Federal Trade Commission (“FTC”) lacks authority to obtain monetary relief under Section 13(b) of the FTC Act. The FTC has relied on Section 13(b) to seek money relief in consumer protection enforcement actions, including privacy and cybersecurity matters, and had, prior to the Credit Bureau decision, suggested an intent to do so more frequently in the future. READ MORE
Amidst mounting pressure to pursue cybersecurity more aggressively, the Federal Trade Commission (“FTC”), the federal government’s most active enforcer in the space, has recently imposed increasingly stringent cybersecurity requirements in its consent orders. Given that FTC consent orders typically carry 20-year terms and a potential fine of $42,530 (which the FTC may contend applies to each consumer subject to a breach), it is vital for companies faced with an FTC cybersecurity investigation to take every possible step to narrow the scope of relief requested by the FTC. Several recent FTC cybersecurity settlements illustrate an emerging pattern: a company that litigates may secure a better deal than it would have received in an initial settlement, if not defeat the action entirely. But when considering whether to settle or litigate with the FTC, companies must still balance the various legal, business, and reputational risks at stake.
How the decision to settle or litigate can directly affect the relief imposed is evident in the FTC’s 2019 cybersecurity settlements: Unixiz, ClixSense, LightYear, Equifax, and D-Link. READ MORE
Privacy & Cybersecurity Litigation partner Michelle Visser, counsel David Cohen and associate Nicole Gelsomini authored this blog post for the Washington Legal Foundation on the unsettled state of the law on constitutional standing in privacy and cybersecurity cases in the wake of two recent Supreme Court developments. Constitutional standing challenges are, and will continue to be, an important potential tool for privacy and cybersecurity defendants seeking to dismiss certain class actions brought in federal court. To establish standing, a private plaintiff must show, among other things, that he or she faces an actual or imminent concrete injury from the defendant’s conduct. As explained in the Washington Legal Foundation post, however, the Supreme Court recently passed on two chances to clarify the test that will govern this standing inquiry, leaving defendants to wade through conflicting and ambiguous lower court precedent. The uncertain and nuanced state of this area of law underscores the importance of retaining experienced cybersecurity and privacy defense counsel when faced with this type of suit.
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues. As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE
Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.