Protecting Your Business in the Data Age: Cybersecurity, Data Breach Prevention and Response, Related Litigation

Henry M. Sneath Picadio Sneath Miller & Norton, P.C. Four Gateway Center 444 Liberty Avenue, Suite 1105 Pittsburgh, PA 15222 412-288-4000 [email protected]

Kelly A. Williams Picadio Sneath Miller & Norton, P.C. Four Gateway Center 444 Liberty Avenue, Suite 1105 Pittsburgh, PA 15222 412-288-4000 [email protected]

Robert Wagner Picadio Sneath Miller & Norton, P.C. Four Gateway Center 444 Liberty Avenue, Suite 1105 Pittsburgh, PA 15222 412-288-4000 [email protected]

October 21, 2015

Henry M. Sneath and the attorneys at Picadio Sneath Miller & Norton (PSMN®) have long been involved in matters relating to data breach and prevention, cybersecurity, trade secret and a wide range of intellectual property enforcement and protection issues. The firm has handled data breach and theft matters in lawsuits relating to business break-ups, departing employees, trade secret theft and matters pursuant to the Computer Fraud and Abuse Act. PSMN® lawyers have represented financial services and credit reporting companies in single suit and class action matters relating to consumer data breach, employee data theft and breach of consumer data protection statutes and regulations. We have advised and represented insurers in data breach matters and the still emerging issue of the insurer’s duty to protect, securely store and properly dispose of third party personal, financial and health related data. Attorney Sneath, along with others in the firm, has handled these matters at the counseling, injunction and lawsuit stages of dispute resolution.

I.

Introduction to the Life Cycle of a Data Breach

These materials will address the life cycle of a data breach and many issues that arise from each phase of the cycle. The life cycle of a data breach is usually broken down into stages such as the following: (1) identifying the breach; (2) investigating and remediating the breach; (3) activating an internal response team; (4) contacting law enforcement if applicable; (5) bringing in third parties to assist with the breach (e.g., public relations firms, outside counsel, insurers, vendors); (6) preparing for and engaging in the notification process; (7) responding to inquiries; (8) handling litigation (filing and/or defending) and fines; and (9) resuming business as usual. Each stage of a breach could warrant a separate paper diving deeply into the many intricacies involved. These materials are designed to highlight topics and issues to aid practitioners and companies in surviving a data breach. One overriding principle that carries through each stage of a data breach is clear: be prepared. Companies that are prepared are likely to survive a data breach, learn from the breach and resume business as usual more easily, more efficiently and more cost effectively.

II.

Identifying the Data Breach

The first step in responding to a data breach is often the most problematic for companies: identifying that a breach has occurred. It often takes companies weeks or months to discover data breaches, even though the damage they cause occurs within mere minutes. According to a recent data breach study by Verizon, the “detection deficit” has been increasing over the last decade. On average, companies that reported information for the survey found that more than seventy-five percent of the data breaches that they had experienced compromised their systems in days or less, even though the breaches were discovered in this same timeframe less than twenty-five percent of the time. This is a disturbing trend, particularly when considering that the severity of the damage from the data breach likely will increase the longer that the data breach remains undetected.

How and when a company discovers a data breach depends primarily on whether a company has taken steps to prevent a data breach from occurring in the first place. If a company has security controls in place as part of its cyber security plan, it should be in a better position to identify a breach internally in a timely manner. Gabe Bassett, Internal vs. External Discovery in the DBIR (July 27, 2015), https://securityblog.verizonenterprise.com/?p=7156. Security controls include the comprehensive measures recognized by the National Institute of Standards and Technology, as well as the relatively more straightforward measures recognized by the SANS Institute. Compare Ronald S. Ross, Security and Privacy Controls for Federal Information Systems and Organizations (January 15, 2014), http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915447, with SANS, Critical Security Controls for Effective Cyber Defense, https://www.sans.org/critical-security-controls (“The Controls do not attempt to replace the work of NIST, including the Cybersecurity Framework developed in response to Executive Order 13636. The Controls instead prioritize and focus on a smaller number of actionable controls with high-payoff, aiming for a ‘must do first’ philosophy.”).

It also helps if a company implements controls that are responsive to the threats it faces, whether those threats are internal, external, or both. Unlike an “external” data breach, which involves a person outside of the organization compromising a company’s systems, an “internal” data breach originates within the affected organization. Typically, it involves an employee or other corporate insider who exploits their position of authority to access sensitive data. See Verizon, 2015 Data Breach Investigations Report at 46–48, http://www.verizonenterprise.com/DBIR/2015/. Because many of the most widely reported data breaches have involved outsiders compromising companies’ systems, the threat posed by “internal” data breaches is often overlooked completely or not fully appreciated, even though they can be equally costly. See Malathi Nayak, U.S. FCC Imposes $25 Million Fine on AT&T over Customer Data Breach, Reuters, April 8, 2015, http://www.reuters.com/article/2015/04/08/us-at-t-settlement-dataprotection-idUSKBN0MZ1XX20150408. A company should be mindful of the types of threats it faces because controls intended to prevent an employee from misappropriating trade secrets are not necessarily going to be the same as the controls that a company implements to detect a hacker.

Even when a company has implemented controls, however, diligence is still required. Companies, for example, might not patch vulnerabilities in a timely manner, see Verizon, 2015 Data Breach Investigations Report at 15–17, http://www.verizonenterprise.com/DBIR/2015/, as occurred in the large-scale Home Depot data breach of 2014. Shelly Banjo, Home Depot Hackers Exposed 53 Million Email Addresses, Wall Street Journal, November 6, 2014, http://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282. Or, in other instances, they might overlook or even disregard a data breach when alerted. This is what happened in the well-documented Target data breach, where Target actually had been alerted to the existence of the breach, but timely action was not taken to investigate it further. Michael Riley, et al., Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg Business, March 13, 2014, http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1. Compounding matters, Target also had turned off the feature of its system that would have deleted the malware automatically. Id. Although decisions such as these seem ill-advised in retrospect, the reality is that they are not uncommon, particularly among large-scale enterprises that receive a deluge of security threats and are looking to avoid taking measures that could interfere with their business operations.


For companies that have not implemented controls or have done so without making them part of a comprehensive cyber security plan, the identification process will prove to be even more difficult. See U.S. Department of Justice, Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents, April 2015, http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf. In the absence of controls, it will take longer to discover the breach, and the odds that the breach will be discovered by a person outside of the company become much greater. See generally Verizon, 2014 Data Breach Investigations Report at 3 (“Attackers have got [sic] faster at breaching systems. Defenders are getting faster too—but they’re falling further behind. Many successful breaches are detected by third parties, such as law enforcement agencies, specialist fraud detection organizations, or even customers.”). Likewise, if companies have implemented controls but have not established a protocol to follow when a breach is discovered, the identification process will be problematic.

Despite a number of highly publicized data breaches in recent years, many companies will find themselves reacting defensively when a breach occurs because they are not prepared for the breach. Some of these companies choose to be reactive because they perceive the likelihood of a breach or the resulting cost to be outweighed by the cost of taking preventative measures, see Erik Sherman, The reason companies don’t fix cybersecurity, CBS Moneywatch, March 12, 2015, http://www.cbsnews.com/news/the-reason-companies-dont-fix-cybersecurity/, while others, including many small and midsize businesses, refuse to acknowledge that they could fall victim to a data breach. See Advisen, Cyber Exposures of Small and Midsize Businesses-A Digital Pandemic, October 2014, http://www.thehartford.com/dm/cyber/ui/files/The_Hartford_Cyber_Report_FINAL_10-14.pdf. Regardless of the reason, however, the end result for these companies is the same: in the event of a breach, they will be more constrained in their ability to identify the source of the breach and, as a result, may increase the overall cost of the data breach substantially.

III.

Remediating the Breach, Law Enforcement and Third Party Assistance

After a breach has been identified, the next step is remediation. Because every data breach and every company is different, there is no “blueprint” for remediation. Generally speaking, however, remediation will begin with the obvious step of remedying the breach. Companies that have implemented cyber security plans should attempt to follow their plans unless there is good cause for deviating from them. Doing so not only should allow for an orderly and efficient response by allowing responsibilities to be assigned to the appropriate personnel, but it also should help insulate the company and its principals from liability in the event of subsequent litigation. In the event that a company does not have a cyber security plan, however, then it quickly must endeavor to identify the persons who will be responsible for overseeing the response to the breach and what their responsibilities will be.

Oftentimes, companies will find it necessary to take remedial action that goes beyond the technical measures necessary to fix the breach. Such action might include working with law enforcement, whose involvement could limit the consequences of the breach. In a recent “internal” data breach case, for example, the FBI used a federal search warrant to stop a former PPG employee from sharing “hundreds of millions of dollars” worth of trade secrets with a Chinese company. Associated Press, FBI Alleges Former PPG Employee Gave Trade Secrets to Chinese Firm, Wall Street Journal, May 8, 2015, http://www.wsj.com/articles/fbi-alleges-former-ppg-employee-gave-trade-secrets-to-chinese-firm-1431116752. As this case illustrates, law enforcement’s search and seizure power can be instrumental in mitigating the damage that results from a data breach. In fact, companies should consider developing a relationship with law enforcement in advance of a breach as part of their response plans.

Besides law enforcement, companies also might decide to involve a public relations firm in an effort to minimize the reputational damage resulting from the breach. Considerable literature has been dedicated to the reputational damage that can result from a data breach. See, e.g., Ponemon Institute, Reputation Impact of a Data Breach, November 2011, http://www.experian.com/assets/data-breach/white-papers/reputation-study.pdf. Like every other aspect of a data breach, however, the extent of the reputational damage varies. For instance, in the case of the high-profile Sony data breach, the Ponemon Institute recently found that the damage can be short-lived, especially in the case of larger businesses. Erik Sherman, The reason companies don’t fix cybersecurity, CBS Moneywatch, March 12, 2015, http://www.cbsnews.com/news/the-reason-companies-dont-fix-cybersecurity/. Consequently, as common sense might suggest, not every data breach will have permanent damage on a company’s reputation. Nonetheless, companies’ “data response” teams should be aware of the issue and be prepared to engage a public relations firm if necessary.

No matter what the nature of the remedial measure, however, companies should consult with outside legal counsel before taking any action. Outside counsel is essential to formulating a successful response because of the myriad of legal issues attendant to a breach. These issues include consumer notification and litigation, among numerous others. Additionally, working with outside counsel has the benefit of protecting those aspects of the investigation and response that involve outside counsel from disclosure under both the attorney-client privilege and the work product doctrine. See Leslie C. Thorne and Laurel D. Brewer, How to Preserve Privilege During Data Breach Investigations, A.B.A. Section of Litigation, March 11, 2015, http://apps.americanbar.org/litigation/committees/businesstorts/articles/winter2015-0315-preserving-privilege-during-data-breach-investigations.html. Thus, outside counsel should be an integral part of the remediation process following a breach.

IV.

Notification Requirements and Process

Once a company has determined that a data breach has occurred that affects its customers’ personal information, it must begin to take steps to notify its customers. Currently, 47 states, plus the District of Columbia, Puerto Rico, the US Virgin Islands, and Guam have differing laws requiring companies to provide notice to their customers of the breach (Alabama, New Mexico, and South Dakota currently do not). See, e.g., http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. As might be expected, differences in these laws make a single form notification letter or announcement generally impractical. In addition, failing to comply with these laws can result in substantial fines and criminal inquiries from law enforcement agencies.

What matters for notification purposes is the residency of the person whose information has been taken or viewed, not the residency of the company that was breached or where the breach occurred. For companies that have databases that contain information relating to customers across the nation, this means that they must be prepared to potentially issue different notification letters in order to comply with every state’s laws. Given the multitude of laws, most companies will not be able to navigate the notification requirements without substantial help from outside individuals and companies, such as attorneys and consultants.

The threshold for requiring notification is different in every state. Some states require notification if a system holding a customer’s unencrypted personal information is believed to have been breached, but other states also require that there be a material risk that the breach will harm the customer before notification is required. So, it is possible that a breach will require notification under one state’s laws but not under another’s. In these mixed circumstances, the company will need to decide whether to provide notification to everyone, or only to the customers in some states. The company will also need to decide whether it will notify customers in those jurisdictions that currently have no data breach notification requirements. In general, California and Massachusetts are thought to have the most stringent notification laws, so their laws can be used as a starting point when determining what information must be told to customers. But, again, a company may not be able to create one letter that will work in each state. For example, under Massachusetts’s law, the notice cannot include information about the nature of the breach or the number of individuals affected. In contrast, California’s law requires that the notice contain a general description of the breach, and New York’s law requires that the company describe the categories of information that were breached.

Once a company decides it must provide notice of a data breach to its customers, there is a lot of work that must be done, often in a short period of time. Most states do not specify a fixed time period in which notice must be given, but, instead, require notification without unreasonable delay. However, depending on the type of data that has been breached, there might be a specific time period. For example, with respect to medical information that has been breached, California requires notice to the affected patients and the California Department of Health Services within 15 business days of the discovery of the breach. See Cal. Health & Safety Code § 1280.15(b). Ohio, Vermont, and Wisconsin require notice in the most expedient time possible, but no later than 45 days after discovery of the breach. See Ohio Rev. Code § 1349.19(B)(2); Vt. Stat. Ann. tit. 9, § 2435(b)(1); Wis. Stat. § 134.98(3). Many states do have provisions that extend the time to notify affected customers if law enforcement believes that a delay is appropriate, though. So, this is another reason to reach out to law enforcement agencies as soon as possible.

Almost all states require that the notice include contact information where a recipient of the notification letter can call or visit a website for further information. So, in addition to preparing these notification letters, a company must also create or contract with a call center to handle what could be a substantial number of phone calls from customers. The individuals handling these calls will need to be trained and informed about what happened with the breach and what information and advice they can and should provide, in addition to staying “on message” with the company’s response. The company’s IT group will also likely need to create appropriate web pages on the company’s website with information about the breach. Also, certain companies, such as retailers, should give some thought about how employees in stores should handle questions from customers. One response may be to provide some type of literature with information about the breach and which also directs all inquiries to a central communication center.

Before a company begins to provide notice to its affected customers, it needs to have thought through what its message to its customers will be. Customers will likely view a data breach as a violation of their privacy, but the severity of that violation can vary widely. A breach of data that doesn’t include financial or health-related information may not be as concerning to customers. On the other hand, as the Ashley Madison data breach shows, there can be significant real-life consequences to these breaches that go beyond dollars and cents. A company is going to want to be able to demonstrate that it had taken and continues to take the security and privacy of its customers’ information seriously, despite the fact that its systems were breached. The type of message and response will need to be tailored to the type of breach and the consequences that are likely to flow from it, and a public relations firm can help to tailor this message. In general, the following steps will likely need to be started and completed within a period as short as a couple of weeks in order to comply with the myriad of notification laws:

1. Identify the individuals that must be given notice.

2. Identify where these individuals are located and the statutorily required information that must be provided to them in those jurisdictions.

3. Create a database with the individuals’ last known contact information.

4. Create a call center and train the individuals who will be responding to the calls.

5. Create a webpage with relevant information about the breach for the public and the press.

6. Draft the required notification letters.

7. Physically print the notification letters with the appropriate information.

8. Mail/send the letters.

9. Track which letters are sent, when they were sent, and whether any letters are returned as undelivered.

10. Resend or attempt to resend any returned letters.
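As an added example that is not part of this paper or the authors’ work, the following Python script shows how steps 1, 2, 3, 9 and 10 above can be backed by a small triage tool: it groups the affected individuals by their state of residency (which, as noted above, is what controls rather than the company’s location), looks up what the letter for that state must or must not say, computes the outside deadline from the discovery date, flags records whose address is missing from the export, and tracks which letters went out and which came back undelivered. The STATE_RULES table, the Individual records and the discovery date are constructed for illustration; the table encodes only the state requirements this paper itself mentions (Massachusetts, California, New York, Ohio, Vermont, Wisconsin, and the three states without a statute) and is an assumption about how those rules would be represented, not a survey of all 47 laws.

```python
"""
Breach-notification triage: a constructed example mirroring notification steps
1-3, 9 and 10 (identify individuals, locate them and the rules that apply, build
the contact database, track mailing and returns).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# States named in the paper as having no breach-notification statute (as of 2015).
NO_STATUTE = {"AL", "NM", "SD"}

# Constructed rule table covering only the requirements the paper mentions.
# deadline_days=None means "without unreasonable delay" (no fixed statutory period).
STATE_RULES = {
    "CA": {"deadline_days": None, "describe_breach": "required", "state_count": "allowed"},
    "MA": {"deadline_days": None, "describe_breach": "forbidden", "state_count": "forbidden"},
    "NY": {"deadline_days": None, "describe_breach": "allowed", "state_count": "allowed",
           "list_categories": "required"},
    "OH": {"deadline_days": 45, "describe_breach": "allowed", "state_count": "allowed"},
    "VT": {"deadline_days": 45, "describe_breach": "allowed", "state_count": "allowed"},
    "WI": {"deadline_days": 45, "describe_breach": "allowed", "state_count": "allowed"},
}
DEFAULT_RULE = {"deadline_days": None, "describe_breach": "allowed", "state_count": "allowed"}


@dataclass
class Individual:
    name: str
    state: Optional[str]          # state of residency: this, not the company's, picks the law
    address: Optional[str]        # last known mailing address from the customer export
    data_kind: str = "personal"   # "personal" or "medical"


def add_business_days(start: date, n: int) -> date:
    """Advance by n Monday-to-Friday business days (holidays ignored for simplicity)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadline_for(state: str, discovery: date, data_kind: str = "personal") -> Optional[date]:
    """Outside date for notice, or None where the statute only says 'without unreasonable delay'."""
    if state == "CA" and data_kind == "medical":
        return add_business_days(discovery, 15)   # Cal. Health & Safety Code § 1280.15(b)
    days = STATE_RULES.get(state, DEFAULT_RULE)["deadline_days"]
    return discovery + timedelta(days=days) if days is not None else None


def letter_constraints(state: str) -> Dict[str, str]:
    """What the notice letter for this state must, may, or must not contain."""
    rule = dict(DEFAULT_RULE)
    rule.update(STATE_RULES.get(state, {}))
    rule.pop("deadline_days")
    return rule


def triage(individuals: List[Individual], discovery: date) -> dict:
    """Group mailable records by state and attach deadline, letter rules and statute flag."""
    by_state = defaultdict(list)
    unmailable = []                      # step 3 problem: the export lacks a usable address
    for p in individuals:
        if not p.state or not p.address:
            unmailable.append(p)
            continue
        by_state[p.state.upper()].append(p)
    plan = {}
    for st, people in by_state.items():
        fixed = [d for d in (deadline_for(st, discovery, p.data_kind) for p in people) if d]
        plan[st] = {
            "count": len(people),
            "statute": st not in NO_STATUTE,    # False: notifying here is a business decision
            "deadline": min(fixed) if fixed else None,
            "letter": letter_constraints(st),
        }
    return {"plan": plan, "unmailable": unmailable}


class MailTracker:
    """Steps 9 and 10: when each letter was sent and which came back undelivered."""
    def __init__(self):
        self.sent = {}
        self.returned = set()

    def mark_sent(self, name: str, when: str) -> None:
        self.sent[name] = when
        self.returned.discard(name)      # a re-send clears the returned flag

    def mark_returned(self, name: str) -> None:
        if name not in self.sent:
            raise KeyError(f"no letter recorded for {name}")
        self.returned.add(name)

    def pending_resend(self) -> List[str]:
        return sorted(self.returned)


# Constructed sample export; names and addresses are placeholders.
SAMPLE = [
    Individual("A. Example", "MA", "1 Main St, Boston, MA"),
    Individual("B. Example", "CA", "2 Ocean Ave, San Diego, CA", data_kind="medical"),
    Individual("C. Example", "CA", "3 Hill Rd, Fresno, CA"),
    Individual("D. Example", "OH", "4 River St, Dayton, OH"),
    Individual("E. Example", "NM", "5 Mesa Dr, Santa Fe, NM"),
    Individual("F. Example", "NY", None),            # address missing from the export
]
DISCOVERY = date(2015, 10, 21)   # constructed discovery date (a Wednesday)


def demo() -> dict:
    return triage(SAMPLE, DISCOVERY)


if __name__ == "__main__":
    result = demo()
    for st, info in sorted(result["plan"].items()):
        print(st, info["count"], info["deadline"], info["letter"])
    print("unmailable:", [p.name for p in result["unmailable"]])
```

The per-state plan makes two of the paper’s points concrete: the Massachusetts letter is flagged as forbidden from describing the breach or stating a count, while the California letter must describe it; and the California deadline collapses to the 15-business-day medical rule because one affected Californian’s record is medical, whereas Ohio gets the flat 45 days. The record with no address surfaces immediately as unmailable, which is the database-format problem the text warns about, rather than being discovered when letters come back.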

These steps can be a logistical nightmare, especially if the breach affects hundreds of thousands of customers, whose information may not be current or may contain errors due to being entered incorrectly or through issues with exporting the data. Given all of the requirements for notifying customers, many companies find that working with a notification consultant can streamline this process and help to make sure that the company meets its legal obligations in notifying the affected individuals. One best practice is to work with a notification consultant before any breach has occurred. This allows the company and the consultant to work through many of the issues that are likely to occur in a less stressful environment and without the surrounding chaos of an actual data breach. For example, draft notification letters can be created that comply with the various states’ requirements. Although all the information cannot be included before a breach occurs, much of the boilerplate language can be thoughtfully prepared ahead of time, instead of being drafted in the middle of a crisis. Additionally, the consultant can make sure that it is able to receive the relevant electronic information from the company when a breach occurs, such as the names and addresses of the affected customers. One of the last things a company wants to hear is that its customer database is not in a format where the relevant information for the notification letter can be easily extracted.

In addition to a notification consultant, a company may want to work with a credit monitoring company ahead of time. Companies that have been breached sometimes provide free credit monitoring services for their affected customers for a limited time as a means of mitigating any potential damages caused by the breach. Arranging for this kind of service before a breach occurs allows the company the time to evaluate the various services and obtain quotes for the costs. Attempting to first contact these credit-monitoring services after a breach occurs is another distraction that can be avoided by careful preparations (as well as putting the company in a less-than-ideal bargaining position for those services). Finally, working with a consultant beforehand lets the company develop strategies for how to address the public relations aspect of the breach, such as deciding whether to notify all customers who may have been affected, rather than just the ones that the company is legally obligated to notify, deciding whether to offer credit monitoring services to affected customers, and deciding who should be the public “face” of the company, among other things.

V.

Responding to Inquiries

Depending upon the nature of the company affected and the nature of the breach, companies may need to be prepared to respond to inquiries from customers about the status of their information. For customer relations purposes, companies need to avoid leaving consumers feeling uninformed and helpless, which breeds discomfort and outrage. Additionally, companies may need to respond to media inquiries. The experience of high profile data breaches has yielded valuable information about what companies, particularly larger companies, should do to prepare for an onslaught of inquiries. Experian has gathered this information in its Data Breach Response Guide (2014-2015 Edition), http://www.experian.com/assets/data-breach/brochures/2014-2015-data-breach-response-guide.pdf. In addition, helpful advice for responding to media inquiries can be found in the Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, published in August 2012, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. This information can be summarized as follows:

1. Integrate communications into data breach response planning: having a technical incident response team is not enough. The better prepared companies take the following steps to effectively integrate communications:


a. Develop a communications incident response process and plan that clearly outlines who will be responsible for developing and approving the key messages that will be communicated to the media and internal audiences.

b. Make sure that the communications plan includes drafts of key media materials that will be useful during an incident. While the details vary from breach to breach and will affect the final version of any response, having a starting point in place is beneficial. Draft documents should include:

• Holding statements for media for a variety of breach scenarios;
• Q&A covering likely questions from media, financial stakeholders and customers;
• Letter from company leadership to be shared with customers;
• Key messages document; and
• Customer web portal to post information when available.

c. Conduct a data breach crisis communications simulation to test how effectively a breach would likely be managed.

d. Train key spokespeople on how they would likely respond to questions from the media related to a security incident. Cover both the importance of not revealing sensitive information, such as technical details of countermeasures that could assist other attackers, and the benefits of communicating important information to the public as fully and effectively as possible. The following are examples of questions to ask the communications point person during the exercise:

• Who attacked you? Why?
• When did it happen? How did it happen? Did this happen because you have poor security practices?


• How widespread is this incident? What steps are you taking to determine what happened and to prevent future occurrences?
• What is the impact of this incident? Was any personally identifiable information (PII) exposed? What is the estimated cost of this incident?

e. As mentioned above, identify and vet an outside public relations firm with specific expertise in data breaches to be your partner during an incident.

2. Be lean, yet integrated. Determine who is on the team and keep it small. The team requires a leader with the authority to make decisions about press statements and media strategy. The additional essential team members, in most cases, include the heads of IT, security, legal, communications, business, and perhaps the CEO. This same approach applies to outside advisors—it is best to keep the team small.

3. Be prepared for a fluid situation (i.e., be patient). With major breaches, it may take a month to be able to answer the key questions that customers and the media want to know, such as: How did the breach occur? When did it occur? What was taken? Is the breach over? The best approach when information is not known yet is to tell as much as is known, admit what is unknown, and provide updates.

4. Manage the message. It is important for companies to communicate the right messages at the right time in the lifecycle of a data breach. Key principles include:

a. Focusing initial messages on the steps being taken to investigate the issue and, if possible, framing it as a criminal issue (for example, a lost laptop may involve negligence rather than criminal conduct);

b. Being careful about the information being transmitted via social channels;

c. Setting up appropriate media/social media monitoring and reviewing posts and other information to determine how the company and the breach are being covered;

d. Communicating clearly and effectively with customers; and


e. Where applicable, responding to policymakers, regulators and industry stakeholders.

When drafting and preparing the key communications materials, and in the event of an actual breach, companies should rely on the advice of their communications response team, including their internal and external public relations representatives and legal counsel. Both can help a company maneuver through the challenging issues of creating customer good will in a crisis situation and avoiding any potential admissions that could later present issues for a company. In addition, when preparing to respond to customers, companies should determine what they can do to ease customers’ minds and provide solutions to perceived threats and risks. For example, when credit card information is stolen, companies can remind the consumer that they will not be held liable for any fraudulent purchase made using their card. Offering credit monitoring, as mentioned above, is also helpful and may help avoid litigation (research shows that individuals affected in a breach who receive free credit monitoring are six times less likely to file a lawsuit against the breached company; see Empirical Analysis of Data Breach Litigation, Carnegie Mellon & Temple Universities, 2012). If someone has evidence that their information was in fact fraudulently used, companies may want to consider providing access to case investigators or identity restoration services.

Also, there are strategies that should be considered for minimizing media coverage. One such strategy is to communicate early and deliver on promised updates. If the media has to work hard to get information, this may lead to more focus on the story and negative inferences. Also, if notification letters are sent, they may “go public” via social media. Trying to hide from media inquiries in this instance may result in the company looking deceitful. If a company takes the initiative in responding to inquiries, it has a better chance of controlling the message and of looking forthcoming and honest with its customers.
According to Visa’s “Responding to a Data Breach, Communications Guidelines for Merchants,” the best practices for companies when communicating about a breach include the following:

• Being transparent in actions taken and demonstrating that you are getting the word out.
• Following any normal media routine (if the company has one).
• Avoiding speaking in absolutes.
• Avoiding misleading statements.
• Not attempting to withhold key details.
• Staying focused and concise about the information delivered.
• Taking responsibility for the breach.
• Not playing the victim, as the media will hold the company responsible.
• Expressing regret—apologize unconditionally.
• Putting an executive face on the issue.
• Considering all audiences.
• Explaining the response work that the company is engaged in to remedy the breach and its impact.
• If law enforcement is involved, explaining that the company is cooperating.

Additionally, a company may need to respond to inquiries from law enforcement agents. A company may be a target of an investigation by regulatory agencies and other law enforcement authorities. The company should be aware of regulations and laws in advance of any breach to make sure that they are as compliant as possible and to handle an investigation response in the best possible manner. Of course, having legal counsel involved will also be required. A more detailed discussion of regulatory actions is below. VI.

Litigation and Fines A.

Lawsuits Directed at Hackers—Civil and Criminal Remedies

If a company and/or law enforcement are fortunate enough to identify the hackers who created the data breach, whether insiders or outsiders, there are several statutes that provide civil and/or criminal remedies.

1. Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is a federal criminal statute that regulates hacking and other computer crimes. The category of computers protected under the CFAA is very broad: it covers any computer used in or affecting interstate or foreign commerce. 18 U.S.C. § 1030(e)(2). There are five general types of claims under the CFAA:

a. Improperly obtained information: Intentionally accessing a protected computer without authorization or by exceeding authorized access and obtaining information (18 U.S.C. § 1030(a)(2));

b. Fraudulent scheme: Knowingly and with intent to defraud, accessing a protected computer without authorization or by exceeding authorized access, and by this conduct furthering the intended fraud and obtaining anything of value exceeding $5,000 (18 U.S.C. § 1030(a)(4));

c. Causing damage or loss (in one of three ways): (1) knowingly transmitting code, etc. and intentionally causing damage to a protected computer without authorization; (2) intentionally accessing a protected computer without authorization and recklessly causing damage; or (3) intentionally accessing a protected computer without authorization and causing damage and loss (18 U.S.C. § 1030(a)(5));

d. Trafficking in passwords: Knowingly and with intent to defraud, trafficking in any password or similar information if such trafficking affects interstate or foreign commerce (18 U.S.C. § 1030(a)(6)); and

e. Extortion: With the intent to extort from any person any money or other thing of value, transmitting in interstate or foreign commerce any communication containing any— (1) threat to cause damage to a protected computer; (2) threat to obtain information from a protected computer without authorization or by exceeding authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (3) demand or request for money or something of value in relation to damage to a protected computer.

The criminal penalties for violating the CFAA include a range of imprisonment from up to one year to a maximum of life in prison (when death results from intentional computer damage). Penalties also include fines. In 1994, the CFAA was amended to add civil remedies for any person who suffers damage or loss by a violation of the CFAA. The amendment allows any person to seek compensatory damages and injunctive relief or other equitable relief from the violator of the CFAA. 18 U.S.C. § 1030(g). There is a split among the circuit courts between a narrow interpretation of the term “without authorization” and a broad interpretation of that term. The court in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) and the court in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) take the “narrow view” of the term “without authorization.” Under the narrow view, an employee given access to a work computer is authorized to access that computer regardless of his or her intent to misuse information and any policies that regulate the use of information. Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013). On the other hand, the courts in U.S. v. John, 597 F.3d 263 (5th Cir. 2010); U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int'l Airport Ctrs, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); and Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) take the “broad view,” which finds that if an employee has access to information on a work computer to perform his or her job, the employee may exceed his or her access by misusing the information on the computer, either by severing the agency relationship through disloyal activity, or by violating employer policies and/or confidentiality agreements. Dresser-Rand, 957 F. Supp. 2d at 615. The U.S. Supreme Court has yet to resolve the split.

2. Federal Economic Espionage Act

The Federal Economic Espionage Act, 18 U.S.C. §§ 1831 et seq., provides civil and criminal penalties for the theft of trade secrets. Economic espionage occurs when a person or entity knowingly targets or acquires trade secrets to knowingly benefit a foreign government, foreign instrumentality or foreign agent. The elements of a violation of the act are:

1. the intent to convert a trade secret
2. related to a product or service in interstate or foreign commerce
3. for the economic benefit of anyone but the owner
4. intending or knowing that the offense will injure the owner
5. knowingly:
   a. steals or without authorization takes information;
   b. without authorization copies, downloads, destroys, transmits, or sends information;
   c. receives, buys, or possesses information knowing that it was obtained improperly;
   d. attempts to do (1)–(3); or
   e. conspires to do (1)–(3).

Criminal penalties include a maximum of 15 years in prison/$5 million fine for an individual and a maximum of $10 million or three times the value of the stolen trade secret for organizations. Additionally, in a civil action, the Attorney General may obtain injunctive relief to prevent the offense.

3. Wiretap Act and Electronic Communications Privacy Act

The Wiretap Act, as amended by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2522, prohibits the interception, use or disclosure of wire and electronic communications unless a statutory exception applies. It also authorizes civil actions by private persons. The sanctions available under the statute include actual damages, punitive damages, statutory damages and attorneys’ fees.

4. Stored Communications Act

The Stored Communications Act, 18 U.S.C. §§ 2701-2712, makes it illegal to intentionally access, without or in excess of authorization, a facility through which an electronic communication service is provided, and obtain, alter or prevent authorized access to a wire or electronic communication while it is in electronic storage. The act is designed to protect against potential intrusions on individual privacy. Garcia v. City of Laredo, 702 F.3d 788, 791 (5th Cir. 2012), cert. denied, 133 S. Ct. 2859, 186 L. Ed. 2d 911 (2013). Violators can be convicted criminally, with fines and/or imprisonment. A civil action may be brought by any electronic communications services provider, subscriber, or other person aggrieved by a violation of the law. Civil damages that are available under the act include actual damages, the violator’s profits, punitive damages, costs and attorneys’ fees.

5. The Lanham Act and the Copyright Act

If a data breach results in the infringement of a copyright or a trademark, relief may be available under the Copyright Act or the Lanham Act (trademarks). Companies and their IP counsel should keep the availability of these statutes in mind as they determine the extent of information obtained and improperly used as a result of a data breach. The Lanham Act is found at 15 U.S.C. § 1051 et seq. and the Copyright Act is found at 17 U.S.C. § 101 et seq. Both statutes provide civil remedies, and the Copyright Act provides criminal penalties (17 U.S.C. § 506).

6. State Computer Crime Laws

Keep in mind that states also may have laws targeting computer fraud. California is one state that has enacted such legislation. In California, it is illegal to knowingly access and without permission alter, damage, delete, destroy or otherwise use any data, computer, computer system or computer network to defraud, deceive, extort, or wrongfully control or obtain money, property or data. Cal. Penal Code § 502. Each applicable state’s computer crime laws should be consulted in the event of a breach and identification of the breaching party, assuming that the company intends to take criminal legal action.

7. Common Law Claims

In addition to the many statutory claims a victim of a data breach may have, there are common law causes of action that may fit a data breach situation depending upon the facts of the case. For example, companies and their counsel should consider the feasibility of claims for misappropriation of trade secrets, conversion, unjust enrichment, unfair competition, breach of contract, intentional interference with contract and prospective contract, breach of fiduciary duty, and breach of the duty of loyalty.

B. Litigation Against the Company

While a company that has suffered a data breach may feel like a victim and seek to take criminal and civil action against the “hacker,” anyone whose sensitive information was stolen or published will be seeking to take action against the company suffering the data breach. This section will address the status of the law in this regard. In short, plaintiffs are having a difficult time satisfying standing requirements or otherwise establishing actual harm when they file claims. While that is true, it is not stopping suits from being filed and requiring companies to endure expensive litigation and/or settlements.

1. Federal Law

Currently, there is no federal data breach statute. Attempts are being made in Congress to change this, but to date, there has been no success. A bill titled “The Data Security and Breach Notification Act of 2015” was authored by the Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT). The bill seeks to implement a comprehensive plan to help safeguard sensitive consumer information and shield citizens from the harmful consequences of data breaches. Until there is such a statute, plaintiffs have been creative in using federal law to bring claims against companies that have permitted their data to be compromised. These statutes include the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Stored Communications Act, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

2. State Law

As noted above, most states have data breach notification laws, but fewer states have laws that extend to the actual loss of the data. States that have such laws include Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland and Nevada. The laws require that companies maintain certain safeguards to protect state residents’ personal information from being compromised. See 201 CMR 17.00 et seq.; Cal. Civ. Code § 1798.81.5; Conn. Gen. Stat. § 42-471; R.I. Gen. Laws § 11-49.2-2; Or. Rev. Stat. § 646A.622; Md. Code, Comm. Law § 14-3501; Nev. Rev. Stat. § 603A.210. The Massachusetts statute is the most comprehensive and burdensome of the state data security laws. It requires every person or entity holding, processing or otherwise accessing personal information of Massachusetts residents to develop, implement and maintain a comprehensive written information security program containing administrative, technical and physical safeguards of personal data. Also, the statute requires computer systems and companies to have specific safety requirements such as:

• Secure user authentication protocols/passwords, secure access control measures, monitoring of systems, up-to-date firewalls and virus/malware protection;
• Encryption of all records and files containing personal information that will travel across public networks or will travel wirelessly;
• Encryption of all personal information stored on laptops or portable devices;
• Requirements that third-party service providers receiving personal information provided by a company, by contract, maintain security measures in compliance with the regulations;
• Training for employees on compliance with data security policies; and
• Regular monitoring and review of security measures, at least annually, to ensure that they are preventing unauthorized access to personal information.

Realize that this law applies to companies that are located inside and outside Massachusetts, as long as the company has access to personal information of Massachusetts residents. California has the “Shine the Light Law,” found at Cal. Civil Code §§ 1798.83-1798.84, which requires companies to disclose details of the third parties with whom they have shared customers’ personal information. Also, California enacted a data security law, Cal. Civil Code § 1798.81.5, which requires businesses to implement and maintain reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification, or disclosure. California has also created an Office of Privacy Protection (http://oag.ca.gov/privacy). In addition to the above state statutory claims, plaintiffs may allege claims for data breaches under theories of: (1) state consumer protection or unfair trade practices; (2) negligence; (3) invasion of privacy; (4) breach of implied or express contract; and/or (5) unjust enrichment.

3. The Status of Consumer Data Breach Claims

a. Standing

One of the largest hurdles for plaintiffs seeking to sue companies like Target and Home Depot has been a lack of standing. The challenge is that plaintiffs have been largely unable to show an injury-in-fact, which is an invasion of a legally protected interest that is: (1) concrete and particularized; and (2) actual or imminent, not conjectural or hypothetical. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S. Ct. 2130, 119 L. Ed. 2d 351 (1992). It is often the case in data breach cases that there is little to no evidence of how a person’s PII has been used after it left the defendant’s control. Thus, a plaintiff often cannot plead an actual financial harm or identity theft arising from the loss of data because of this lack of evidence. Additionally, plaintiffs are usually reimbursed for any financial loss that occurred due to stolen credit card information. Plaintiffs have tried to rely on the threat of future harm to satisfy the standing requirement but have been largely unsuccessful. A minority of courts have found a plaintiff to have standing without facts alleging an actual financial loss. E.g., Moyer v. Michaels Stores, Inc., No. 14-561, 2014 U.S. Dist. LEXIS 96588, at *13 (N.D. Ill. July 14, 2014) (“The Seventh Circuit has held that a consumer who faces an elevated risk of identity theft stemming from a data security breach satisfies the injury-in-fact requirement even if she has not suffered a direct financial loss.”), citing Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629 (7th Cir. 2007); Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 861 (N.D. Cal. 2011). Despite surviving the standing challenge, however, some of these cases are dismissed for failing to allege facts sufficient to meet the elements of the claims alleged. E.g., Claridge, 785 F. Supp. 2d at 861. In addition, a majority of courts now follow the U.S. Supreme Court’s opinion in Clapper v. Amnesty International USA, 568 U.S. ___, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013), to find that standing is lacking in data breach litigation, even though Clapper was not a data breach case. In Clapper, plaintiffs alleged that a warrantless surveillance program of the National Security Agency required individuals to incur expenses to protect the confidentiality of their communications. The Supreme Court held that the possibility of unauthorized access to their sensitive information was not sufficiently imminent, and the expenditure of money to prevent surveillance was not sufficiently tied to an imminent threat of harm to support injury-in-fact standing. The Supreme Court also found that the plaintiffs’ so-called “mitigation expenses” (expenses necessary to mitigate the risk of the improper use of their personal information) were essentially a form of manufactured standing, i.e. an injury created by plaintiffs’ own actions. Courts are finding that the approach of the Supreme Court in Clapper is equally appropriate in data breach cases. The majority is finding that neither an increased risk of harm nor the expenditure of money to mitigate that potential future harm is enough to confer Article III standing. In re Sci. Applications Int’l Corp., 45 F. Supp. 3d 14, 26-27 (D.D.C. 2014) (theft of data tapes); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 U.S. Dist. LEXIS 125730, at *6-7 (N.D. Ill. Sept. 3, 2013) (payment card hacking); Polanco v. Omicell, Inc., 988 F. Supp. 2d 451, 466-71 (D.N.J. 2013) (theft of laptop); see also Hammer v. Sam’s East, Inc., No. 12-2618, 2013 U.S. Dist. LEXIS 98707, at *6-8 (D. Kan. July 16, 2013). Despite this majority, at least two courts have rejected a narrow application of Clapper in a data breach case. In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), a class action was filed against Neiman Marcus by its customers for a data breach of their PII. The complaint alleged a number of theories for relief: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy and violation of multiple state data breach laws. The district court dismissed the action for lack of standing, i.e. lack of injury. On appeal, the Seventh Circuit reversed and held that plaintiffs did have standing. The court reasoned that customers should not have to wait until hackers commit identity theft or credit-card fraud to give the class standing because there is an objectively reasonable likelihood that such an injury will occur. “At this stage in the litigation it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information?” Remijas, 794 F.3d at 693. In In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014), a California district court concluded that plaintiffs’ allegations that their PII was collected by Sony and then wrongfully disclosed as a result of the intrusion were sufficient to withstand a standing challenge. In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 960-62 (S.D. Cal. 2014). Even though Sony argued that the plaintiffs’ allegations were insufficient because none of the named plaintiffs alleged that their PII was actually accessed by a third party, the court found that Clapper did not require such allegations. In re Sony, 996 F. Supp. 2d at 961-62. Instead, the court found that plaintiffs plausibly alleged a “credible threat” of impending harm based on the disclosure of their Personal Information following the intrusion and that this was sufficient to establish Article III standing. Id.

b. Alternate Theories of Harm

Due to the lack of success in asserting the injury of mitigation damages, plaintiffs are asserting other creative theories of harm with varied levels of success. These theories include lost time and inconvenience, emotional distress, decreased economic value of PII and denial of the benefit of the bargain. See e.g., Storm v. Paytime, Inc., 14-cv-1138, 2015 U.S. Dist. LEXIS 31286, *20-21 (M.D. Pa. Mar. 13, 2015) (increased time and inconvenience); In re Sci. Applications Int’l Corp., 45 F. Supp. 3d 14, 29 (D.D.C. 2014) (emotional distress); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 U.S. Dist. LEXIS 125730, *13 (N.D. Ill. Sept. 3, 2013) (deprivation of value of PII); In re Adobe Sys. Privacy Litig., 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014) (breach of contract/benefit of the bargain). These claims have had mixed success, but companies facing data breach claims may be seeing more of these types of claims in the future.

c. Class Actions

Data breach cases have certainly spawned many putative class action lawsuits. The appeal of a class action is that the event giving rise to the claims is the same for everyone. However, the few cases to survive the standing challenge and motions to dismiss have been unable to successfully certify the class. To obtain class certification, the named plaintiff in the suit must establish the following:

1. The class is so numerous that joining each individual plaintiff to the lawsuit is not practical (numerosity);
2. There are questions of law or fact common to the class (commonality);
3. Plaintiff’s claims are typical of those of the class (typicality); and
4. Plaintiff will fairly and adequately protect the interests of the class (adequacy of representation).

Wal-Mart Stores, Inc. v. Dukes, 564 U.S. ___, 131 S. Ct. 2541, 2548, 180 L. Ed. 2d 374 (2011). In addition, the proposed class must satisfy at least one of the three requirements listed in Fed. R. Civ. P. 23(b). In data breach suits, it is of course difficult for the plaintiff to show actual injury. Even if he or she can do this, it is difficult or impossible to know how many other individuals suffered the same actual injury. Also, individual variations about whether a specific person’s information was actually accessed and whether he or she suffered injury present significant hurdles in attempting to establish predominance under Fed. R. Civ. P. 23(b)(3). Class action plaintiffs in data breach cases have tried several theories designed to overcome these challenges. These include statutory damages, statistical sampling, benefit of the bargain, price inflation and fraud on the market, and issue certification. Statutory damages can help eliminate issues about the amount of damages but do not solve the problem of having to address other individualized issues in the case. Statistical sampling was attempted in In re Hannaford Bros. Co. Customer Data Sec. Breach Lit., 293 F.R.D. 21, 31-33 (D. Me. 2013), but the plaintiff failed to provide the actual sampling evidence needed. The benefit of the bargain theory is not likely to work as actual damages are required, and there has been little success based on the theory of price inflation and fraud on the market. Rule 23 permits a court to certify a class for the purpose of resolving a discrete legal or factual issue rather than an entire case. Fed. R. Civ. P. 23(c)(4). However, certifying a single issue in a data breach class action may not eliminate the need to eventually examine each individual claim. Thus, issue certification may not be helpful.

d. State Court Actions

Plaintiffs have been increasingly filing lawsuits in state court to avoid the Article III standing issue, which does not apply in state court. However, state courts have also reached the conclusion that the risk of future injury alone is insufficient to support a claim. State courts view this as a lack of evidence of injury. Also, even if plaintiffs bring their cases in state court, they may not be able to keep them there because under the Class Action Fairness Act of 2005, most large data breach cases can be removed to federal court due to diversity and the amount in controversy. One strategy to avoid this would be to sue a defendant in its home state and restrict the class to the citizens of that state. Of course, that limits the class size, but it may be better than the alternative of no class action from the plaintiff’s perspective.

C. Regulatory Actions

1. Department of Health and Human Services (HHS)

The Department of Health and Human Services (HHS) aggressively enforces the data privacy and security laws found in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In January 2013, the HHS issued the final omnibus HIPAA/HITECH rule, which made important changes to the privacy and security requirements under each act. These changes include:

• Extending HIPAA violation liability to “business associates” to whom protected health information is disclosed (e.g. third-party administrators, accounting firms);
• More broadly defining “business associate” to include subcontractors of business associates;
• Lowering the threshold for reporting breaches, which will result in more breaches being reported; and
• Increasing penalties based on the level of negligence, with a maximum penalty of $1.5 million per violation.

There have been many settlements paid as a result of entities violating HIPAA. For instance, on May 7, 2014, the HHS issued a press release that New York and Presbyterian Hospital paid $3.3 million and Columbia University paid $1.5 million and agreed to a substantive corrective action plan, which included undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports. (http://www.hhs.gov/news/press/2014pres/05/20140507b.html).

2. Federal Trade Commission (FTC)

The Federal Trade Commission Act (15 U.S.C. §§ 41-58) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies. The Federal Trade Commission (FTC) is the agency that enforces the Federal Trade Commission Act (FTC Act). In addition, the FTC has authority to enforce the Financial Services Modernization Act (“Gramm-Leach-Bliley Act”), which regulates the collection, use and disclosure of financial information. It applies to financial institutions and other businesses that provide financial services and products. The FTC has brought many enforcement actions against companies failing to comply with posted privacy policies and for the unauthorized disclosure of personal data. The FTC takes the position that it has general authority over unfair and deceptive practices related to data security based on Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45. Wyndham Worldwide Corporation challenged the FTC’s authority to regulate data breaches caused by third parties under Section 5, claiming that the FTC is abusing its enforcement authority and punishing the victim of a crime. The issue arose after hackers successfully accessed Wyndham Worldwide’s computer systems on three different occasions between 2008 and 2009. In total, hackers stole personal and financial information for hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive (the latter issue was not before the Third Circuit). Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514, 2015 U.S. App. LEXIS 14839 (3d Cir. Aug. 24, 2015). The district court found in favor of the FTC and Wyndham appealed. Two issues were certified for review: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing an unfairness claim. The Third Circuit affirmed the district court’s decision that the FTC has the authority to regulate companies’ data security practices under Section 5. The Third Circuit rejected Wyndham’s arguments that Congress’s legislation and the FTC’s prior statements contradicted the FTC’s attempts to assert authority over cybersecurity. The court also held that the FTC need not formally promulgate regulations before bringing an unfairness claim. The court reasoned that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity standards are required under Section 5 of the FTC Act. Instead, the issue was whether Wyndham had fair notice that its conduct could fall within the fair meaning of the statute itself. Finding that fair notice is satisfied as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute (Section 5), and finding that Wyndham did not argue that it lacked fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under Section 5, the court found that Wyndham had fair notice under the statute. The facts of this case were also such that Wyndham should have had notice that its conduct violated the statute. For instance, the FTC did not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, the FTC alleged that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files and did not require some users to change their default or factory-setting passwords at all. Wyndham, 2015 U.S. App. LEXIS 14839, at *46-47 (emphasis in original). This case highlights the need for companies to have certain baseline security controls. Such controls should include requiring strong passwords, establishing reasonable access control measures, using encryption for sensitive stored data and when transmitting sensitive data, and monitoring for unauthorized access to the system. Also, this case shows that it is critical for companies to follow their own privacy policies and honor user privacy preferences.

VII. Resume Business “As Usual”

Resuming business “as usual” after a data breach is a bit misleading—or at least it should be. Hopefully, any company that suffers a data breach will have learned from what occurred and will improve in the areas of data breach prevention and data breach response. Each incident response team should ideally evolve to reflect new threats, improved technology and lessons learned. The NIST Computer Security Incident Handling Guide (http://dx.doi.org/10.6028/NIST.SP.800-61r2) provides a helpful list of questions to be discussed and answered at such “lessons learned” meetings:

• Exactly what happened, and at what times?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze and mitigate future incidents?

It is also helpful to collect data about each incident. This data can be used for planning and as part of the company’s risk assessment process. It can also be used to measure the success of the incident response team. Helpful data includes the number of incidents handled, time spent on each incident, an objective assessment of each incident and a subjective assessment of each incident.

CONCLUSION

We are living in a world changed drastically by technology. Companies that do not acknowledge this reality and prepare for an inevitable data breach, and the various stages of a data breach, may find themselves facing a time-consuming, financially draining experience. Companies that are prepared will likely recover, learn from the experience and move forward.