Data Breach Defenses When Consumer Plaintiffs Come Knocking

By Kristin Casler, featuring John A. Yanchunis of Morgan & Morgan Complex Litigation Group and Ronald Raether of Troutman Sanders LLP.

With the near-daily news of data breaches large and small, it’s only natural for companies to focus on security and prevention. But if it’s true that there are only companies that have been breached and those that don’t yet know they have, then a breach may be unavoidable and it might behoove companies gird for the next step—defending the inevitable litigation.

Prominent plaintiff attorney John A. Yanchunis of Morgan & Morgan’s Complex Litigation Group said he has seen—and participated in—an increasingly large wave of litigation. His office files as many lawsuits as the staff is able to accommodate. That’s pretty scary stuff for companies and their insurers. Increasingly it is also a concern for companies’ third-party vendors, as plaintiffs add them to litigation in a broader search for liability for their damages.

“Companies have to be prepared for the next stage of litigation,” said Ron Raether of Troutman Sanders LLP. “There are going to be cases that go beyond the motion to dismiss stage. Eventually there is going to be a case that is not as clear-cut as Merrill Lynch, where an employee went rogue. We’re going to have to go to a jury.” Raether is a respected specialist and frequent speaker on the topics of insurance coverage and cyber risks. Raether and Yanchunis served on the faculty of the Data Breach & Privacy Litigation Forum earlier this year in San Francisco, produced by HB Litigation Conferences.

Companies can’t be afraid to engage in discovery, Raether said. They need to get their documentation in place and know who their witnesses will be. Stereotypical IT personnel don’t always make the best witnesses, he noted.

“Too many companies are too scared or the law isn’t certain enough on standards for them to be ready to defend,” Raether said.

Naturally, the best defense is prevention. But if, as previously stated, a breach is inevitable, the true first line of litigation defense is demonstrating you tried your very best. Courts usually look for “reasonable” breach-prevention measures. The definition of reasonable, however, is as clear as an old dog’s eyes.

There just aren’t that many court decisions out there, Raether said. He suggested that the constant stream of settlements and early dismissals has prevented the courts from defining what is reasonable.

More and more small and midsize entities are being breached and sued, these experts said, and these entities are at a greater risk of going out of business because of the litigation.  While insurance may afford protection and make lawsuits more feasible for plaintiffs, the key is still to have reasonable security control.

Unfortunately, there may be too much fluidity in technology and security and threats to simply do A, B and C to secure your fate, the speakers said. In litigation, it’s going to be case by case and fact intensive.

That said, Raether advised, “Companies need to understand what regulators are saying. Know what your peers are doing. Ultimately, when the plaintiffs come knocking, you’ll be able to show your process and adherence to it was reasonable.”

In the cases that have made it to court, there has been an interesting tension between reality and harm. One of most disturbing, the speakers said, is a ruling on credit monitoring. Offering credit monitoring has long been among the best practices following a data breach. It’s a gesture of good will and eases consumers’ fears. Yet in Remijas et al. v. The Neiman Marcus Group LLC, the Seventh Circuit U.S. Court of Appeals, reinstating a class action, asked why a company would pay for credit monitoring if it didn’t think there could be long-term damage to its customers. The credit monitoring was an admission of harm in the court’s eyes, Raether said, even though California requires breached companies to offer it.

“We’re between a rock and a hard place,” Raether said. “Based on Neiman Marcus, how do I advise my client?” Raether has asked the regulators but has received no clear-cut guidance.

In fact, the definition of harm is just as elusive as a defined “reasonable” standard of care. Yanchunis said he recently argued in a mediation that damages from false tax returns in 2014 targeting university athletes go beyond the immediate penalties of the returns. “Those athletes are going to have a fraud alert on their file, and for the foreseeable future there will be a 60-to-90-day delay in their refund. So the damage is the time value of money. Judges have not yet grasped how this information can be used to damage consumers down the road.”

Third-party liability actions on the rise 

One rapidly emerging area of data breach litigation is third-party liability. Courts are even asking, “Why aren’t you suing the hacker or the company that certified your system as secure, or the vendor that implements your point-of-sale system?”

These types of third-party suits are not new—they just appear to be growing, the experts said, perhaps because of increased liability, or more settlements or big payouts.

It’s becoming more and more common for organizations to send their data elsewhere for storage, so they don’t have to hold it in their own insecure systems. They also rely on vendor-provided security systems, or use third parties to process data or provide a service. For plaintiffs, it can be a great way to expand liability. It also can be an interesting way to sidestep problematic arbitration clauses. For organizations that relied on promised security, it can help share or shift responsibility for the breach.

“We are going after POS people, and are finding some interesting business-to-business battles,” one attorney said.

“In some cases, a vendor was clearly making mistakes and clearly had poor security. Companies are not going to just sit there and let them get away with it.”

But, you have to have a good contract. If your service provider is poor and your contract doesn’t have any liability provisions, it may be hard to bring a case. So, organizations are concentrating on those terms that afford a better chance for the data owner to go after the service provider in the event of a breach.

What’s a company to do?

As data breach litigation continues to work its way through the courts, it’s critical to cover all of your bases. Be proactive. Don’t be afraid. Stay current on all aspects of data breach prevention, so your measures fit with what regulators want and your peers are doing. You’re more likely to meet whatever definition of “reasonable” is determined to be when you get to court. Pay particular attention to your vendor contracts and obtain some data breach insurance, no matter what size entity you are.

This article is derived in part from a presentation at HB Litigation Conferences’ Data Breach and Privacy Litigation Forum.