By Adam Ira
There is no shortage of headlines reporting on major data security breaches across the United States. It is no surprise that the wheels of justice have turned slowly in defining the scope and extent of liability for data security breaches. However, the law is catching up to the feverish pace of the information age. Accordingly, if your company has not done so already, it may be worth considering (1) preparing an emergency plan of action for a data breach; (2) training employees on cybersecurity best practices; and (3) procuring a cyber-liability insurance policy.
A pending case in the Southern District of Indiana may test the limits of cyber liability in Indiana. A class action was brought against Scotty’s Brewhouse (see 1:17-cv-1313-TWP-MJD), in which the plaintiffs argue that the alleged breach by Scotty’s of their personally identifiable information, or PII, caused them undue financial hardship by delaying receipt of their tax returns while the IRS investigated fraud, among other damages listed. The complaint alleges that Scotty’s should have been aware of increased so-called “spoofing” fraud because, among other things, the FBI had issued a public service announcement regarding amplified “spoofing” attempts. According to the complaint, spoofing fraud has been increasing recently, and the basis of the plaintiffs’ claims is that Scotty’s allegedly failed to adequately train its employees in cybersecurity protocols. The plaintiffs’ suit could prove to be a thermometer for how state common law develops in the data breach age.
That said, it is possible that Indiana’s Economic Loss Doctrine could effectively bar liability for a data breach. In short, the doctrine bars liability under a theory of negligence for a loss that is purely economic in nature (i.e., no actual damage to person or property). It is difficult to conceptualize the mere loss of one’s PII as a distinct and palpable injury, and it could be argued that the mere loss of one’s identity does not constitute an “injury” for purposes of tort liability. In contrast, a person could be injured when he or she must pay for credit monitoring after learning that a malicious third party possesses his or her PII.
The most commonly “breached” information is personally identifiable information such as Social Security numbers, birth dates or driver’s license numbers. An invasion of privacy claim could have more traction where the loss extends beyond mere PII (e.g., the photographs circulated after the iCloud breach). However, is one’s PII truly “property” that can be injured? Certainly, it would be trespassory for an individual to physically steal W-2s from a mailbox. If so, it is logical to conclude that it is likewise a trespass for hackers to bypass cybersecurity measures to obtain the same information from an electronic database. One theory is that an entity holding PII in a database may hold a bailment over the “electronic property” and could potentially be liable for its loss to, and misuse by, a third party.
Looking into the crystal ball, it is possible that data breach claims may follow the path of asbestos and black lung claims. One way to equitably compensate victims of data security breaches would be to establish a fund similar to the Black Lung Disability Trust Fund, or to follow the model that emerged from the quagmire of asbestos litigation. This could provide certainty of recovery to those with legitimate claims and finality of liability for those involved in the loss of PII. Currently, however, there is far less certainty as to the risk a data loss presents to a company’s bottom line. The Scotty’s data breach litigation may well shed light on these uncertainties.
That said, in the wake of the recent WannaCry cyberattack that spread rapidly worldwide, it is worthwhile to examine the current risks facing your business and re-evaluate your company’s plan of action. The WannaCry ransomware cryptoworm used what is believed to be a software program of National Security Agency origin to rapidly deploy a program that encrypted the data of infected computers that were not current with Windows updates. The WannaCry cryptoworm spread essentially “through the air” on wireless networks, much as influenza would spread on a crowded bus.
If your business is without a plan of action, precious customer data may be lost while your staff watches helplessly. Who will unplug the servers? Who will obtain Bitcoin to pay a ransom? Ransomware is typically time sensitive, and the ransom demanded increases with time, so if your staff spends that time figuring out what Bitcoin is and how to obtain it, it may cost your company more. If your company has not already done so, explore implementing a plan of action.
• Identify who to call in the event of a data breach to manage mitigation, communication with clients and forensics/experts.
• Consider not only reactive measures to a breach, but proactive measures that can help prevent or mitigate the damage, which could include staying abreast of recent trends in social engineering schemes (phishing, spoofing, etc.).
• Utilize the FBI as a resource for education on proactive measures. The Bureau is often willing to send agents to work with companies that may be targets for hackers on developing proactive measures to prevent a breach.
Another important measure may be for your company to obtain a cyber-liability insurance policy. While such a policy would be the last line of defense for your company’s bottom line, cyber-liability policies are still relatively new, and the scope and breadth of coverage can vary significantly from carrier to carrier. Generally, however, a cyber-liability policy can provide coverage that existing policies cannot in the event of a data breach: notification expenses, defense against regulatory enforcement, credit monitoring, business interruption, data loss, fraudulent transfers and extortion (terms, conditions and coverages vary from policy to policy and from state to state according to each state’s requirements). On the bright side, cyber policies are becoming more cost effective as the pool of insureds rapidly expands in response to more frequent and sophisticated cyberattacks.
• Adam Ira is an attorney at Kightlinger & Gray’s Indianapolis office. A founding member of the firm’s Data Security Practice Group, he also represents clients in a broad spectrum of state and federal litigation and general liability defense for retail and hospitality industries. The opinions expressed are those of the author.