As the year closes with yet another high-profile lawsuit, 2014 has brought not only a seemingly constant flow of data breaches but also a flow of litigation, from a wide range of plaintiffs, stemming from the loss of personal data.
“We knew it was coming, but it’s now very clear that it’s no longer only consumer class actions that we have to worry about,” said Laurie Kamaiko, partner with Edwards Wildman’s insurance and reinsurance department. “The range of exposures that comes out of a major breach really expanded. We’re seeing a totally different kind of breach.”
This week saw the filing of a class action lawsuit against Sony Pictures by its employees, the majority of whom saw their personally identifiable information, including Social Security numbers, salaries, and emails, stolen by hackers calling themselves “Guardians of Peace.” It represents a new area of litigation relating to data breaches, a field that grew in dramatic and, in some cases, creative ways in 2014.
The cases decided in 2014 may have enormous impact for data breach litigation in the future. Attorneys told Advisen that the body of law in the field is still limited and most decisions, while carrying precedential weight, are still only the view of the ruling court. Each decision means “as much as courts will decide what they think it means,” in the words of one attorney.
“These are all green fields,” stated Richard Bortnick, attorney with Traub Lieberman Straus & Shrewsberry. He highlighted a stakeholders’ lawsuit against the directors and officers of the Wyndham hotel chain — Dennis Palkon v. Stephen P. Holmes et al. and Wyndham Worldwide Corp. — as having the “biggest and broadest-reaching” effect on future courts.
“In some respects, it sets the bar for what directors and officers should be doing,” he said. “It’s a court ratifying Wyndham’s conduct” with regard to cyber breach avoidance and amelioration.
Bortnick added: “You’re going to see defense lawyers raising the Wyndham type of defense as a defense.”
While dependent on the facts of each specific case, derivative actions and shareholder lawsuits should be expected to increase in 2015, as investors and interested parties seek accountability at an executive level, attorneys said. Consumer class actions have become an eventuality following most data breaches, but courts take individual views on their legal standing.
“Courts have not yet landed at a common place with respect to consumer class actions,” said Bortnick. “It’s going to take a number of appellate decisions before things shake themselves out.”
Legal costs comprise a major portion of the costs stemming from data breaches. “When you have a large breach, you’re talking about a whole range of lawsuits. The D&O suits, but even when they’re successfully defended, they’re still very costly,” Kamaiko told Advisen.
The dismissal of the D&O lawsuit against Wyndham represented a “good win for the defense bar,” she noted. However, businesses are beginning to realize the exposures they can face.
“The whole concept of compliance and breach preparedness includes recognizing what risks you’re dealing with,” Kamaiko noted. As an added dimension of the lawsuits that have emerged, organizations are realizing that cyber insurance offers more than simply breach response coverage.
The rush of data breach litigation in 2014 began in early February with an insurance coverage decision relating to Sony Online Entertainment’s 2011 PlayStation breach. A New York judge ruled that since the 2011 hacking was not committed by Sony itself, it did not qualify for coverage under Sony’s commercial general liability policies and insurers would not have to indemnify for losses arising out of the breach. The case is one that has since heightened the need for comprehensive cyber insurance coverage and prompted a specific exclusion for data losses in traditional policies. It’s also one that has inspired a healthy amount of debate on whether the ruling was correct.
“It’s almost laughable,” said Roberta Anderson, attorney with K&L Gates in Pittsburgh. She noted that Sony had liability for the breach, which should have triggered recovery under the policy. Had Sony actually caused the breach, as the ruling suggested was required for coverage, “intentionality” exclusions would come into play.
“It underscores the hurdles that organizations can encounter when trying to get coverage under legacy policies,” she said.
Bortnick highlighted the Federal Trade Commission’s (FTC) case against LabMD, a medical testing company that collected and exposed the personal information of about 10,000 customers, as significant in allowing the FTC to pursue complaints against businesses over data security and privacy issues as unfair and deceptive practices. Wyndham faced a similar complaint to determine whether the FTC has jurisdiction over its data breach case. In the FTC’s view, failing to properly secure data constitutes an unfair and deceptive trade practice.
Anderson called the FTC-Wyndham battle significant.
“Wyndham took the unprecedented step of pushing back and saying that it didn’t act in an unfair and deceptive manner,” she told Advisen.
Anderson also cited the series of class actions arising in 2014 over Target’s 2013 payment card breach, one of which addressed the potential liability of merchants to payment card issuers. This year saw banks and credit unions begin to fight back against data breaches at retailers that piled the costs of reissuing cards, notifying customers, and paying back fraudulent charges on the financial institutions. The US District Court in Minnesota found that payment card issuers could pursue an action against Target, noting, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.”
Several cases that made headlines in 2014 are likely to continue into 2015 and beyond, as cases “rattle around different courts years and years down the road,” Bortnick pointed out.
Anderson had the same view. “It’s been a big year and 2015 is going to be another big year.”