Data Breaches Draw Congressional Scrutiny
The data security legal landscape is changing quickly, which can be exciting for lawyers but unpredictable and scary for companies trying to measure and minimize the risks. This article discusses three areas that I recommend all in-house lawyers and corporate executives monitor in 2014.
When a company suffers a data breach, its notification obligations are governed by a patchwork of 46 state laws, federal sector-based laws, international laws and contractual obligations. The law that applies to the breach is the law of the jurisdiction where the individual whose information was compromised resides.
So when an employee loses a laptop containing personally identifiable information for thousands of individuals, chances are all 46 state data breach notification laws are in play, which can be expensive and confusing for a company that does not use experienced counsel. Some similarities between the laws exist, but they often differ on how soon a company must issue notification, who it must notify, and how it must notify.
A federal data breach notification law would go a long way to resolving some of this uncertainty. Until recently, all attempts in Congress to enact such a law failed due to state concerns about preemption and lack of federal resources to enforce such a law. The high-profile nature of the Target data breach appears to be affecting the legislative environment, with Congress now holding hearings to understand how to better protect consumers when data breaches occur, and data breach notification laws being introduced for consideration.
But some unanswered questions remain regarding the proposed federal legislation: How quickly will companies have to notify of a data breach, and will the law give companies time to understand and remedy the breach? What role will regulatory authorities play in enforcing the law? Will the law allow for private causes of action? Will state breach notification laws be preempted?
It will be important to monitor what relief companies obtain from the federal government in the form of a data breach notification law that tries to unify the existing patchwork of state laws.
Private Class Actions
On the litigation front, I'm watching two big issues in 2014: liability arising from data breaches and liability arising from companies' failure to adequately disclose what information they collect about consumers and how they use that information.
Until recently, plaintiffs had not experienced much success with class action lawsuits against companies that have suffered data breaches. Courts usually concluded that the plaintiffs lacked standing and had suffered no real damages or cognizable harm.
Nevertheless, a few recent cases, including two filed in the Southern District of Florida, have resulted in favorable outcomes for the plaintiffs and should give corporate organizations pause.
In one case, two unencrypted laptops were stolen from a company's conference room. The laptops contained personally identifiable information for approximately 1.2 million individuals. The plaintiffs filed a class action lawsuit that the trial court dismissed on the ground that the plaintiffs had not suffered any cognizable injuries. The appellate court disagreed and allowed the lawsuit to proceed, reasoning in part that the plaintiffs had paid premiums to the company, that a portion of those premiums was for administrative services (including securing the customers' information), and that the plaintiffs were therefore entitled to pursue that small portion of their premiums as damages. The case settled for approximately $3 million, demonstrating the importance for any company of having a strong information security plan in place.