
A Business Primer on Big Data and Cybersecurity Litigation

By Saundra McDavid, JD, MBA
Faculty Member, School of Business at American Public University

Recent trends in business intelligence have added yet another area of concern for the business practitioner: cybersecurity liability. It is not only about whether a server will be hacked; it is about the types and amounts of data that are being collected.

The term “big data” should now be recognized as a term of importance by anyone in business. Big data is the result of data collection that goes beyond the names and addresses of a customer list. Applications and websites now collect everything from browsing habits to customer interests to locations. When this information can be combined to distinguish a person’s identity, it becomes personally identifiable information (PII).

Collecting big data can result in big damages. In fact, the damages awarded to date for the big data claims overwhelmingly outweigh all damages from merely being hacked. This is a major area of concern for businesses.

Cybersecurity litigation

A series of unwelcome scenarios can result from the collection of PII, starting when a phone call comes in from the information technology department indicating that the company’s server has been compromised. Class action lawsuits based upon an invasion of privacy and the negligent security practices of the company can follow, and the company can even find itself the target of a criminal investigation for violation of state and federal statutes.

Note some recent cybersecurity cases:

Barnes and Noble announced that 63 of its stores had a security breach and credit card information may have been stolen (In re Barnes & Noble Pin Pad Litigation, 2013). Plaintiffs filed suit based on a number of claims, including untimely and inadequate notification of the security breach, improper disclosure of their PII, loss of privacy, expenses incurred in efforts to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of plaintiffs’ PII, and anxiety and emotional distress. The suit was dismissed for lack of standing, due to the plaintiffs’ inability to show damages that resulted from the activity of the defendant.

Target announced that hackers had stolen customers’ credit card information (Target Brands, Inc., 2013). It now faces class action lawsuits by both consumers and a bank, which is a relatively new tactic in litigation (Schafer, Kas et al v. Target Corporation et al., 2014). The bank is asking for damages due to the expenses incurred reissuing credit cards and paying for credit monitoring.

The use of data collected wrongfully is another concern. Google and two other companies were recently sued due to their practice of using PII such as IP addresses and browsing history to target ads to consumers (In re: Google Inc. Cookie Placement Consumer Privacy Litigation, 2013). The court acknowledged that a particular person’s web browsing history could be sold for up to $52; however, this was not enough to establish damages. The court dismissed the case for lack of standing.

There is also the case of Harris v. comScore. comScore faced consumer complaints that it collected unauthorized data through the use of the software OSSProxy. This software collects data such as file names, passwords, data entered into web browsers, and the content of PDF files. The information is then analyzed and sold by comScore. Plaintiffs sued comScore for violation of federal statutes instead of the usual invasion of privacy claims. Specifically used were the Stored Communication Act (“SCA”), 18 U.S.C. § 2701(a), the Electronic Communication and Privacy Act (“ECPA”), 18 U.S.C. § 2511(1)(a), and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C). The court, in allowing the certification of a class, noted that the lack of known damages was not relevant due to the statutory damages that are allowed under the ECPA and SCA claims. This case has now evolved into the largest class ever certified (with tens of millions of plaintiffs), with a potential damage award amounting to billions of dollars.

Delta Airlines was also a target due to violations of California’s Online Privacy Protection Act (CalOPPA) with its mobile app, Fly Delta. CalOPPA requires developers of apps to conspicuously display a privacy policy within the app itself. (Delta’s policy was on its website, not within the application.) Delta’s app was found deficient and the California attorney general filed suit, asking for up to $2,500 for each copy of the app that had been downloaded (The People of the State of California v. Delta Air Lines Inc., 2012). The case was dismissed because CalOPPA was found to be preempted by the Airline Deregulation Act of 1978.

Insurance coverage

Most insurance companies are now excluding cybersecurity data events from general liability. The industry as a whole is perplexed at how to value the coverage and is waiting for that first big cyber terrorism insurance claim to occur. Unauthorized access to property is also generally not covered in a policy.

From the view of the plaintiff’s attorney

As with any litigation mitigation strategy, it is best to know what plaintiffs’ attorneys look for when determining whether to file suit. As expected, the most litigated area is PII; attorneys look for violations of laws that apply to the use or maintenance of data. Individual cases are not attractive; the big money for plaintiffs’ attorneys is in class action suits. Likewise, state courts are not ideal forums, so these types of cases tend to be filed in federal court.

Attorneys also look for the representations the company has made about managing data: were published security policies violated? If so, there are possible unjust enrichment and breach of contract claims.

Easy cases of negligence are also attractive. Were basic security measures ignored, creating an environment ripe for intrusion? The National Institute of Standards and Technology has provided recommended minimum levels of protection in its Cybersecurity Framework. The business owner should strive to exceed these minimum levels.

Plaintiffs’ attorneys also look for companies that won’t hire big law firms to defend the claim; they want a quick settlement or an easy win in the event of litigation.

From the view of the attorney general

In determining whether to file suit the attorney general considers a lack of security procedures, failure to report the breach to the AG’s office, and failure to give notice to consumers.

Have a plan

Every company needs to have a cybersecurity plan that includes a plan of action in the event of a breach of data. Upon learning of a breach, forensics need to be performed to find out the source. This is a critical step, and the attorney general’s office, the insurance company, and outside forensics experts can all be used to perform this task. Outside counsel that specializes in security breaches should also be called.

Plans need to include disclosure to the attorney general and notification to the affected consumers. Public relations plans, 800 numbers for customers and credit monitoring services are all areas that should be considered in the event of a data breach.

Also important is the timeline for notification requirements. Forty-seven states currently have breach notification laws, and a federal law is in process. The deadlines range from five days to 60 days and vary by industry.

Time spent in preparation before a data breach occurs or before a mobile application is developed can help prevent class-action litigation and loss of good will. Pertinent questions would be:

1) What types of data are being collected and where is it stored?

2) What types of security measures are used to protect that data?

3) Has there been a security review by the insurance company?

4) What type of plan is in place in the event of a data breach?

5) What privacy notice is listed on the company webpage and in any mobile applications developed by the company?

If the company shows exposure in any of these areas, then a broader investigation into its cybersecurity practices is warranted.

About the Author

Saundra McDavid has a JD and MBA from St. Louis University. She is a member of the Missouri bar and practices in the areas of cybersecurity and intellectual property law. She is a faculty member in the School of Business at American Public University.
