[BreachExchange] Business Cybersecurity: Two Recent Court Decisions Highlight the Need to Take Preemptive Action Against Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 6 19:11:35 EST 2017


http://www.jdsupra.com/legalnews/business-cybersecurity-two-recent-court-31300/

Nowadays, the prudent business owner should be cognizant of cybersecurity
and the public relations and legal costs that can arise from a data breach.
By holding personal information of customers, employees, or anyone else,
the business assumes the legal and public relations obligations to keep
that information secure.

Cybersecurity is an ongoing battle against hackers and thieves who target
all businesses holding sensitive personal information. Small businesses are
perceived to be “easy targets,” less prepared and more vulnerable to a
breach. Big businesses are targets because of the large amount of
information they hold.

But if a business falls victim to a data breach, the cybersecurity battle
could take the form of litigation brought by customers or employees whose
personal information was accessed by the hackers or thieves.

Two recent federal court decisions add to the many legal, financial, and
practical reasons for businesses to protect against a data breach. These
decisions address whether someone whose personal information was accessed
by a hacker or thief can maintain a lawsuit against the business that held
the information without alleging that the information was used to commit
identity theft or otherwise to cause harm to the individual.

In other words, the courts analyzed whether the proverbial “no harm, no
foul” defense required dismissal of the claims. In both decisions, the
courts ruled that the claims would not be dismissed, thus requiring the
businesses to incur further litigation costs in defending the claims beyond
the initial pleading stage.

Galaria v. Nationwide Mutual Insurance Company

The first decision, issued in September 2016, was against Nationwide Mutual
Insurance Company. Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App.
LEXIS 16840 (6th Cir. 2016). Nationwide maintains sensitive personal
information of customers, including names, dates of birth, marital
statuses, genders, occupations, employers, Social Security numbers, and
driver’s license numbers. Hackers broke into Nationwide’s computer network
and stole the personal information of more than a million people.

Two individuals whose information was stolen filed a class action lawsuit
against Nationwide for invasion of privacy, negligence, bailment, and
violation of the Fair Credit Reporting Act. They sought damages for the
“increased risk of fraud” and expenses incurred in mitigating the risk of
fraud, such as purchasing credit reports, credit monitoring services, and
other mitigation products.

The Sixth Circuit Court of Appeals held that allegations of the
“substantial risk of harm” and reasonably incurred mitigation costs were
sufficient to avoid dismissal. The court explained that where someone’s
information was hacked, it is reasonable for that person to incur costs to
reduce the risk of identity theft.

In re Horizon Healthcare Services Inc. Data Breach Litigation

The second decision, issued on January 20, 2017, was against Horizon
Healthcare Services, Inc. In re Horizon Healthcare Servs. Data Breach
Litig., 2017 U.S. LEXIS 1019 (3d Cir. 2017). Horizon is a provider of
health insurance products and services. It collects and maintains
personally identifiable information, including names, dates of birth,
Social Security numbers, and protected health information. Thieves stole
two laptops containing unencrypted personal information of more than
839,000 Horizon members. Four individuals whose information was on the
laptops filed a class action lawsuit against Horizon for violation of the
Fair Credit Reporting Act.

The complaint against Horizon did not allege that any of the plaintiffs’
identities were stolen as a result of the data breach. Horizon moved to
dismiss the complaint for failure to allege a “cognizable injury.”

The Third Circuit Court of Appeals held that the complaint should not be
dismissed because the alleged improper disclosure of personal information
in violation of the Fair Credit Reporting Act is a “de facto” injury
allowing the plaintiffs to pursue their claim. The court acknowledged that
its prior decisions regarding the ability to sue for violations of other
federal statutes without an allegation of an actual injury were
inconsistent.

But the court explained that statutes protecting data privacy are
different. In that context, where the alleged injury from the data breach
affects the plaintiff in such a personal and individual way, a focus on
economic loss is misplaced, according to the court. Because the
unauthorized disclosure of private information has long been seen as
injurious, and unauthorized disclosure is actionable under the Fair Credit
Reporting Act, the plaintiffs had standing to maintain their claim against
Horizon.

The court was careful to clarify that it did not decide whether the
plaintiffs’ alleged damages will be sustainable on the merits. But the
court’s decision still requires Horizon to incur additional costs in
defending the lawsuit past the pleading stage and into discovery and other
stages of litigation.

Taking Preemptive Action

The rulings against Nationwide and Horizon highlight the need for
businesses to take preemptive cybersecurity measures, from both a legal and
a technological standpoint, to protect the sensitive personal information
they hold. While the courts do not identify the precise vulnerabilities
that allowed the data breaches at Nationwide and Horizon, if the
allegations are true we can assume there were vulnerabilities that could
have been eliminated but were not. As a result, Nationwide and Horizon
must incur the substantial costs of defending suits even without
allegations of identity theft or that the stolen information was used to
cause damage.

To reduce the chance of a lawsuit arising from a data breach (and taking
the public relations hit as well), a business holding personally
identifiable information must implement reasonable policies and procedures
to secure such information and respond to a data breach in compliance with
notification and other applicable laws. Personally identifiable information
includes, but is not limited to, Social Security numbers, dates of birth,
credit card numbers, and health and other financial information. Businesses
also must protect log-in credentials, such as usernames, passwords, and
security questions and answers. Guarding this information is both good
business practice and required by law.