Increasingly, it seems that business news headlines are dominated by whatever the latest and biggest corporate data breach is. For instance, Yahoo recently announced that confidential information relating to at least 500 million – and maybe over a billion – of its user accounts was stolen back in 2014, one of the largest data breaches in history. As a result, the company faces the predictable ire of the public, as well as federal and state regulators, and was already the subject of a class action accusing the company of gross negligence one day after it announced the breach.
But for every hack that targets a giant like Yahoo, Sony, or Target, another goes after a small business. According to the 2016 Internet Security Threat Report published by Symantec, small businesses (defined as those having 1 to 250 employees) were the victims of 43% of all data breach attacks in 2015, up from 34% in 2014. In light of this, you might think that there are uniform, concrete laws and regulations governing cyber security liability and that authority to ensure consumer protection in this area would be vested in a single government authority, but the reality is not so simple. Although federal laws exist governing this topic, they are overseen by a variety of agencies with differing but overlapping authority. For example, protection of consumer financial information is regulated by the FTC and SEC under the Gramm-Leach-Bliley Act (GLBA), while healthcare data is protected by the U.S. Department of Health and Human Resources under the Health Insurance Portability and Accountability Act (HIPAA). Likewise, every state except Alabama, New Mexico, and South Dakota has its own set of laws governing data breaches. Alongside this are best-practices guidelines published by government authorities and industry groups alike.
A quick Google search will reveal plenty of useful measures that businesses can take to mitigate the risks of a data breach of sensitive information the business may have on its servers, but no system is perfect, particularly when humans are involved. So what, in the case of data breaches of consumer information, is the potential liability at stake? The post below covers just a few ways in which a business could become liable.
Liability Through FTC Enforcement:
One of the most important pieces of data security regulation is the Federal Trade Commission (FTC) Act, which is a general consumer-protection statute aimed at preventing unfair or deceptive practices rather than one written specifically for data security concerns. Nevertheless, the FTC has used its consumer-protection authority under Section 5 of the FTC Act to enforce the principle that businesses have a duty to take commercially reasonable efforts to protect any personal information they may hold. For example, in 2015 the FTC assessed a $100,000,000 penalty – the largest ever in an FTC enforcement action – on LifeLock after the company violated an earlier order and failed to properly protect its customers’ personal data.
The FTC’s ability to enforce penalties under the FTC Act for inadequate cyber security was affirmed in the Third Circuit case F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Even more recently, the FTC assessed penalties on LabMD Inc., finding that LabMD’s data security practices were unreasonable because it had failed to implement even basic security measures, such as:
- Intrusion detection,
- A password adequacy policy,
- Management of vulnerability,
- Monitoring of file integrity,
- Sufficient monitoring of traffic coming across its firewalls,
- Restriction and monitoring of employee access to personal information, and
- Training on data security for employees.
In the Matter of LabMD Inc., No. 9357 (F.T.C. Jul. 28, 2016).
As of August 1, 2016, liability under the FTC Act is up to $40,000 per offense, which is an increase from the earlier limit of up to $16,000 per offense. The FTC also has the authority to provide restitution to customers, require repayment of prosecution and investigation costs, and obtain injunctions. In addition to using its enforcement authority under the FTC Act, the FTC sometimes brings enforcement actions under the Safeguards Rule of the GLBA and the Fair and Accurate Credit Transactions Act (FACTA) when the data breach is within the financial services industry, and the FTC can bring actions under the Children’s Online Privacy Protection Act (COPPA) when the information collected is from children under the age of 13.
Liability Under SEC Enforcement:
The Securities and Exchange Commission (SEC) also has authority to bring enforcement actions in certain situations. For example, the SEC in June 2016 agreed to a $1,000,000 settlement from Morgan Stanley after the SEC found that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer information. It’s worth noting that the employee who was responsible for the breach in that case was also ordered to pay $600,000 in restitution – a lesson employers would be wise to share with their employees.
Liability Under a Negligence Theory:
Less complex than the regulatory atmosphere for data breach liability is the common law claim of negligence. In negligence, the inquiry is fairly simple:
- Was there a duty to protect the sensitive information?
- Was that duty breached?
- Did the party whose data was exposed suffer harm?
- Was the breach the cause of the harm (and was it foreseeable)?
If the answer to all those questions is yes, then the company will likely be liable for negligence. Negligence is one way in which consumers may seek to recover, without any need to rely on a regulatory enforcement action, from a business that allowed their personal information to fall into the wrong hands. For example, many of the victims of the massive 2013 Target data breach brought their claims under a negligence theory.
In light of the possibility of substantial civil liability and the tightening regulatory atmosphere surrounding data breaches, businesses would be wise to take every practicable precaution when it comes to safeguarding any sensitive information entrusted to them.