Data privacy is a hot topic. With popular companies like Target and Uber facing class action lawsuits over data breaches and new hacks occurring every single day, customers and businesses alike are concerned about data privacy – and the lawsuits that come with data breaches.
What is the future of litigation over data? What are the boundaries of data privacy regulation? Are there any limits to the legal liabilities? Liisa Thomas, Robert Newman, and Alessandra Swanson of Winston & Strawn LLP seek to answer these questions and more in their new research paper: A Perilous Patchwork: Data Privacy and Civil Liability in the Era of the Data Breach, which will be released this Tuesday as part of our 16th Annual Legal Reform Summit.
The research paper looks at the patchwork of civil liability that U.S. companies face over data breaches, including investigations by federal regulators, actions by state attorneys general, and lawsuits brought by consumers and private entities.
Research author Liisa Thomas and her Winston & Strawn colleague Kari Rollins answer questions about their research and key findings. Read below to get a feel for the data liability landscape, but attend the Legal Reform Summit on Tuesday, October 27th to get the full picture.
Who can bring a data privacy lawsuit against a company?
Generally, lawsuits are brought by two primary groups: (1) regulators—both state (like attorneys general) and/or federal (like the Securities and Exchange Commission or Federal Trade Commission)—in the form of enforcement actions under applicable state laws or federal regulations; or (2) private citizens—likely in the form of a class action (if a class of similarly situated citizens was impacted by the data breach or privacy violation)—under, for example, state consumer protection laws. However, data privacy lawsuits can also be brought by other companies when a relationship exists between the two parties that involves the access, use, storage, or transmission of protected information.
Does a consumer have to suffer some injury in order to bring a data privacy lawsuit?
Yes, in order for a consumer to have standing to bring a data privacy lawsuit, he or she must be able to demonstrate that he or she has suffered “concrete, particularized, and actual or imminent” injury that is “fairly traceable to the challenged action” and can be “redress[ed] by a favorable ruling.”
What constitutes an actual injury, however, is a matter of hot debate among the courts right now, with plaintiffs attempting to demonstrate as harm their increased future risk of identity theft and/or the costs associated with proactively having to prevent identity theft (i.e. canceling credit cards, obtaining credit monitoring services, etc.).
What causes of action have private litigants brought against companies to redress alleged harms suffered from a data breach?
Although they have experienced little success, plaintiffs have pursued several causes of action in an attempt to find legal relief when their personal information has been compromised by a data breach. These include claims for:
(1) Fraudulent or deceptive conduct brought under relevant state unfair and deceptive trade practices acts.
(2) Negligence (i.e. for breaching an alleged legal duty to exercise reasonable care to protect plaintiffs’ personal information).
(3) Breach of contract (i.e. that the company breached a binding agreement to protect plaintiffs’ personal information).
(4) Fair Credit Reporting Act violations (against companies qualifying as “consumer reporting agencies,” the definition of which has expanded given the large volume of data that is collected and reported about consumers by companies to better understand and market to their customers).
(5) Claims under the Electronic Communications Privacy Act and the Stored Communications Act.
(6) Kitchen-sink claims, such as common law claims for conversion, unjust enrichment, and bailment.
Despite the myriad causes of action plaintiffs have pursued, these claims face significant challenges and have been largely unsuccessful.
What must a company do when it believes customer information has been compromised?
If a company suspects that the protected personal information of its customers or employees may have been compromised as a result of a security incident (whether physical or cyber), that company should take several initial and immediate steps:
(1) Secure the data (i.e. stop the bleeding, remove the malicious code or technology, revoke/change compromised user credentials, etc.).
(2) Convene the incident response team or the key individuals from legal, information technology/security or privacy/compliance, and the relevant business or operational department.
(3) Engage outside assistance, if needed (for example, outside data breach/privacy counsel and/or a third-party forensic investigator).
(4) Initiate a forensic investigation to assist counsel in answering the factual and legal questions necessary to determine the company’s legal obligations relating to the incident.
(5) Decide if involving law enforcement is warranted or prudent, and create a communications strategy. Most importantly, take actions to preserve privilege at all times (i.e. get counsel involved from the very start, ensure the investigation is conducted at the direction of counsel).