By Connie Lindman, Mike Nitardy and Sam Berten
News last year of the SolarWinds Orion platform hack and resulting data breach rocked the public and private sector. The Russian hacker group Cozy Bear, working for the Russian Foreign Intelligence Service, infiltrated governmental agencies and some of the world’s best-known companies. Approximately a year later, we have yet to learn the complete extent of the damage, and SolarWinds is besieged on multiple fronts.
While the SolarWinds hack is, at least for now, arguably the most significant known data breach, it can serve as a lesson for other companies that may experience less dire incidents. In particular, it illustrates the array of assaults that a company may find itself defending against in both the public and private sector. This article provides a review of some of the investigations and claims a company may face following a data breach. Hopefully, it will also serve as a warning and incentive for businesses to put themselves in the best defensive position.
Public sector actions
When a cyber incident occurs, a business should anticipate investigations and potential actions from a wide array of governmental entities at the state, national and international levels.
State attorneys general, charged with protecting consumers within their states, may bring a variety of statutory and common law claims. For example, in 2018, attorneys general in over 20 states reached a settlement with Uber over claims that Uber failed to take reasonable security measures to protect personal information, and to notify victims of a data breach, after representing that it protected such information. Attorneys general in states with a data privacy statute, such as the California Consumer Privacy Act (CCPA), can bring claims under their state’s statute. Attorneys general have also brought claims under federal law, including enforcement actions under the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA). In its March 2021 annual report, SolarWinds disclosed that it is being investigated by various state attorneys general.
At the federal level, investigations can be launched, and claims lodged, by multiple agencies. The Federal Trade Commission can investigate organizations that may have violated consumers’ privacy rights or misled consumers by failing to maintain security for sensitive information. Such investigations often result in the FTC bringing charges for violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. Notably, the FTC fined Facebook $5 billion for violating consumers’ privacy and required Facebook to restructure its privacy approach through a 20-year settlement order. The FTC may also bring enforcement actions under various statutes, such as the Gramm-Leach-Bliley Act and COPPA.
The Securities and Exchange Commission also has authority to investigate cyber incidents and can impose stiff penalties. In August, the SEC levied a penalty of $1 million against Pearson for misleading customers and investors about a 2018 data breach and for waiting months after it learned of the breach to apply an available security patch. The SEC is currently investigating the SolarWinds cyberattack. In June, the SEC began asking companies that lost data to respond to information requests in exchange for something resembling amnesty, and subject to certain conditions. In addition to asking for information tailored to the SolarWinds incident, the SEC asked companies to disclose “other compromises” to any computer owned or operated by the company “between October 1, 2019, and the present and lasting longer than one day, including hacks, data breaches, or ransomware attacks.” Responses to this request may shed further light on the nature and extent of cyberattacks.
The Department of Justice conducts cyber incident investigations and, as disclosed in the SolarWinds annual report, is currently investigating the SolarWinds attack. In October, the DOJ announced the new Civil Cyber-Fraud Initiative under which the DOJ will fine government contractors and federal grantees if they fail to disclose data breaches. The False Claims Act authorizes the DOJ to impose treble damages and other penalties. As discussed below, in addition to heightened action by the DOJ, the initiative will also likely lead to additional private “whistleblower” enforcement efforts.
Various other federal entities may also seek information or bring charges. For example, the Department of Health and Human Services’ Office of Civil Rights may investigate a breach that involves protected health information. The Federal Bureau of Investigation, Office of the Director of National Intelligence, Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency can investigate, report on and coordinate government-wide response to cyber incidents. Of course, Congress may also hold hearings in connection with its legislative work, as it did for the SolarWinds breach earlier this year. Congress is currently considering the Data Security and Breach Notification Act, which would require companies to report breaches within 30 days and impose up to five years in prison for individuals who “intentionally and willfully” conceal a data breach.
While domestic authorities with an interest in data breach incidents are numerous, they are only a fraction of the potential investigatory, regulatory and enforcement authorities that may take action internationally. Businesses that collect, control or process personal data outside the United States are well-advised to obtain competent counsel in the relevant jurisdictions.
Private sector actions
Potential private sector claims are just as numerous and diverse as those from the public sector. First, and most obviously, companies are frequently subject to claims by the consumers or other owners of the lost data, often brought as class actions. For example, in a recent class action claim against Blackbaud, plaintiffs alleged that the data breach was caused by a deficient security program and asserted claims for various types of negligence and for unjust enrichment. In another case, involving alleged violations of the CCPA by T-Mobile earlier this year, the plaintiffs asserted claims for breach of implied contract and breach of confidence, as well as for negligence and unjust enrichment. To the authors’ knowledge, no consumer class actions have yet been brought against SolarWinds, but SolarWinds warned in its annual report that such claims may yet be brought.
SolarWinds is, however, already facing several class action lawsuits brought by shareholders alleging that the company’s actions relating to the breach caused the company’s stock price to decline. SolarWinds shareholders have also filed a derivative action against the individual members of the SolarWinds Board of Directors, alleging that the directors knew about, and failed to monitor, cybersecurity risks to the company before the incident occurred.
Although not implicated in the SolarWinds incident, data breaches involving credit card numbers frequently result in fines levied by the credit card company against the breached company. For instance, Visa fined Genesco $13.3 million as a result of Genesco’s data breach. Genesco fought the fine, claiming it never violated the applicable Payment Card Industry (PCI) Security Standards, and eventually received a refund of $9 million from Visa in the settlement.
As noted above, the DOJ recently announced a new Civil Cyber-Fraud Initiative. In making the announcement, the DOJ noted that the False Claims Act allows private parties to bring cases on the government’s behalf and to share in the proceeds if their action results in the recovery of government funds. The DOJ “expects that whistleblowers [will] play a significant role in bringing to light knowing failures and misconduct in the cyber arena” and “help spur compliance by contractors and grantees.” As a result, we are likely to see an increase in private whistleblower actions brought by employees and ex-employees of government contractors and federal grantees.
Claims from individuals are not the only concern following a cyber incident. Other businesses that were damaged by the breach may also bring claims. For example, corporate customers may allege that the company breached its contractual obligations and seek damages in addition to terminating the contract. The SolarWinds incident potentially impacted over 18,000 SolarWinds customers, including Microsoft, Cisco Systems and Cox Communications. SolarWinds acknowledged in its annual report that damages claims may yet be asserted by its customers.
As the above discussion makes clear, it is important for businesses to take appropriate technical precautions to avoid a data breach. Additionally, because there is no way to entirely prevent a cyberattack, it is also important to be prepared to react quickly and appropriately if a data breach happens. Privacy policies should be reviewed and updated at least once a year. Companies should prepare a data breach plan to follow in the event of a breach. The FTC’s “Data Breach Response: A Guide for Business” is a good place to start. It can also be immensely beneficial to have an existing relationship with counsel who are experienced in handling data breach incidents.
Mike Nitardy and Connie Lindman are members and Sam Berten is an associate with the law firm of Frost Brown Todd LLC. Opinions expressed are those of the authors.