Business Cybersecurity: Two Recent Court Decisions Highlight the Need to Take Preemptive Action Against Data Breaches
Nowadays, the prudent business owner should be cognizant of cybersecurity and the public relations and legal costs that can arise from a data breach. By holding personal information of customers, employees, or anyone else, the business assumes the legal and public relations obligations to keep that information secure.
Cybersecurity is an ongoing battle against hackers and thieves who target all businesses holding sensitive personal information. Small businesses are perceived to be “easy targets,” less prepared and more vulnerable to a breach. Big businesses are targets because of the large amount of information they hold.
But if a business falls victim to a data breach, the cybersecurity battle can turn into litigation brought by the customers or employees whose personal information was accessed by the hackers or thieves.
Two recent federal court decisions add to the many legal, financial, and practical reasons for businesses to protect against a data breach. These decisions address whether someone whose personal information was accessed by a hacker or thief can maintain a lawsuit against the business that held the information without alleging that the information was used to commit identity theft or otherwise to cause harm to the individual.
In other words, the courts analyzed whether the proverbial “no harm, no foul” defense required dismissal of the claims. In both decisions, the courts ruled that the claims would not be dismissed, thus requiring the businesses to incur further litigation costs in defending the claims beyond the initial pleading stage.
Galaria v. Nationwide Mutual Insurance Company
The first decision, issued in September 2016, was against Nationwide Mutual Insurance Company. Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. 2016). Nationwide maintains sensitive personal information of customers, including names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. Hackers broke into Nationwide’s computer network and stole the personal information of more than a million people.
Two individuals whose information was stolen filed a class action lawsuit against Nationwide for invasion of privacy, negligence, bailment, and violation of the Fair Credit Reporting Act. They sought damages for the “increased risk of fraud” and expenses incurred in mitigating the risk of fraud, such as purchasing credit reports, credit monitoring services, and other mitigation products.
The Sixth Circuit Court of Appeals held that allegations of the “substantial risk of harm” and reasonably incurred mitigation costs were sufficient to avoid dismissal. The court explained that where someone’s information was hacked, it is reasonable for that person to incur costs to reduce the risk of identity theft.
In re Horizon Healthcare Services Inc. Data Breach Litigation
The second decision, issued on January 20, 2017, was against Horizon Healthcare Services, Inc. In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. LEXIS 1019 (3d Cir. 2017). Horizon is a provider of health insurance products and services. It collects and maintains personally identifiable information, including names, dates of birth, Social Security numbers, and protected health information. Thieves stole two laptops containing unencrypted personal information of more than 839,000 Horizon members. Four individuals whose information was on the laptops filed a class action lawsuit against Horizon for violation of the Fair Credit Reporting Act.
The complaint against Horizon did not allege that any of the plaintiffs’ identities were stolen as a result of the data breach. Horizon moved to dismiss the complaint for failure to allege a “cognizable injury.”
The Third Circuit Court of Appeals held that the complaint should not be dismissed because the alleged improper disclosure of personal information in violation of the Fair Credit Reporting Act is a “de facto” injury allowing the plaintiffs to pursue their claim. The court acknowledged that its prior decisions regarding the ability to sue for violations of other federal statutes without an allegation of an actual injury were inconsistent.
But the court explained that statutes protecting data privacy are different. In that context, where the alleged injury from the data breach affects the plaintiff in such a personal and individual way, a focus on economic loss is misplaced, according to the court. Because the unauthorized disclosure of private information has long been seen as injurious, and unauthorized disclosure is actionable under the Fair Credit Reporting Act, the plaintiffs had standing to maintain their claim against Horizon.
The court was careful to clarify that it did not decide whether the plaintiffs’ alleged damages will be sustainable on the merits. But the court’s decision still requires Horizon to incur additional costs in defending the lawsuit past the pleading stage and into discovery and other stages of litigation.
Taking Preemptive Action
The rulings against Nationwide and Horizon highlight the need for businesses to take preemptive cybersecurity measures, from both a legal and a technological standpoint, to protect the sensitive personal information they hold. While the courts do not identify the precise vulnerabilities that allowed the data breaches at Nationwide and Horizon, if the allegations are true we can assume there were vulnerabilities that perhaps could have been eliminated but were not. As a result, Nationwide and Horizon must incur substantial litigation costs in defending suits even without allegations of identity theft or that the stolen information was used to cause damage.
To reduce the chance of a lawsuit arising from a data breach (and of taking the public relations hit that accompanies it), a business holding personally identifiable information must implement reasonable policies and procedures to secure that information and to respond to a data breach in compliance with notification and other applicable laws. Personally identifiable information includes, but is not limited to, Social Security numbers, dates of birth, credit card numbers, and health and other financial information. Businesses also must protect log-in credentials, such as usernames, passwords, and security questions and answers. Guarding this information is both good business practice and required by law.
For More Information
Trenam Law’s cybersecurity team can provide legal advice and other resources to reduce the risk of a data breach, better prepare your business from a legal perspective in the event of a data breach, and respond to and defend any lawsuits or government actions after a data breach.