Public Notification of Data Breaches: Between a Rock and a Hard Place
Two Parker Poe attorneys write that they believe 2018 will see a growing emphasis on disputes arising from corporations' delays in notifying the public, the affected individuals and regulatory bodies about their breaches.
March 19, 2018 at 11:29 AM
A change in emphasis in disputes over data security breaches is coming. To date, the focus has been on issues and potential damages arising from the breach itself and the subsequent loss of private, personal information. In light of recognized delays from both Equifax and Uber, combined with the confusing array of breach notification responsibilities, we believe 2018 will see a growing emphasis on disputes arising from a corporation's delay in notifying the public, the affected individuals and regulatory bodies about the breach.
A Multitude of Disclosure Obligations
The fact is that determining an appropriate period of time within which a company should disclose a data breach, the theft of personal information or both is far from simple. Nearly every state has its own set of data security laws, but only some address disclosure requirements. Even within this subset, there can be conflicting requirements in different states. For example:
- What qualifies as stolen personal information triggering the disclosure obligation often differs from state to state;
- Some states dictate specific times within which to make disclosures while others are silent; and
- Some state laws discuss the role of law enforcement in making disclosure decisions while others do not.
In short, if you are a company that does business in multiple states and suffers a data breach, you might find it difficult to comply with all applicable state laws.
State laws are truly just the beginning of the assortment of competing interests as a growing list of regulators insert themselves into the mix. On Feb. 21, 2018, the SEC issued a “Statement and Guidance on Public Company Cybersecurity Disclosures,” updating a previous guidance issued in 2011. This new guidance raises the possibility that disclosures should be made earlier than existing state laws require. New York recently implemented its own regulations, requiring all “financial institutions” doing business in New York to report breaches, and attempted breaches, to state regulators within 72 hours. The regulations also require a written response plan to cybertheft that, presumably, will include self-imposed specifics related to public and regulatory notifications. While that may seem like enough confusion, international companies have the soon-to-be-implemented European General Data Protection Regulations. The GDPR, which will come into effect in May, generally requires notification within 72 hours of a breach. And this is just to name a few.
While there remain pleas for a federal law to create a uniform standard, such efforts face significant hurdles. Some argue federal proposals are too strict (including one bill proposing jail time for corporate officers who knew about and failed to properly disclose breaches of data security). Others complain a federal standard will be less imposing than the laws of many states and therefore should not be enacted. While a federal law may seem like a panacea, competing interests may make it more difficult to pass than some may hope.
Delay May Create Claims
The legal risks arising from a delay in disclosing a data security breach are materially different from a claim relying on the breach itself. As a publicly traded company, Equifax's stock traded for weeks based on imperfect public information. Moreover, certain executives sold stock during the intervening period, presumably for prices higher than they would have received, had the breach been disclosed. Delaying notice therefore, at a minimum, exposes the company to lawsuits, both derivative and directly under the federal and state securities laws. In fact, the U.S. Attorney's Office in Atlanta announced on March 14 that the company's chief information officer—one of the individuals who sold his stock in the interim period—was charged with insider trading.
In addition, Uber has been publicly discussed as a prime IPO candidate for years, which includes the yearlong period in which it did not disclose data security lapses. Certainly that information would be relevant to bankers and investors. Did the breach play a role in the timing of the IPO and, if so, were investors made aware? Again, the delay in disclosure opens the door to litigation. These are but a few of the issues raised by the delay in notifying the public and affected parties.
Simply put, the risk of a claim is heightened when a company knows of a breach of its data security but delays disclosing the issue. The SEC, itself a victim of a breach, recognizes this. As noted, the SEC just issued updated guidance. That 2018 guidance specifically notes both the need for “timely” disclosures and the need for publicly traded companies to protect against insider trading. Indeed, the SEC guidance seems to suggest that a publicly traded company may have to make multiple disclosures of a single breach event, updating shareholders as new information is learned.
Will Delay Claims Be More Successful?
Lawsuits seeking to recover damages arising from the actual data breach have, to date, experienced what can best be described as mixed results. There is a federal circuit split on whether individuals whose information is stolen suffered measurable damages such as to have standing to sue the corporation that was breached. Derivative actions have faced an even harder road, with the majority of such cases being dismissed due to the benefits of business judgment rules.
As noted, a claim arising from the delay in disclosing the breach is materially different. Certainly, any individual who traded in the corporation's stock during the delay period may have a claim under state or federal securities laws. Public statements of corporations, both formal and less formal, will be subjected to scrutiny to see if the fact of an undisclosed breach becomes a materially false or misleading omission. Regulatory investigations are almost certain, with Equifax being subject to a congressional hearing while Uber is reportedly being investigated by governments around the globe.
Data security issues, by all accounts, are in the forefront of the mind of general counsel around the country. The risks—reputational, financial and otherwise—of suffering a data breach are enough to keep people awake at night. However, the risks associated with balancing the multiple concerns of when to disclose a significant data breach may be the bigger risk to a corporation's bottom line. 2018 may serve to highlight that concern.
John C. Amabile is a commercial litigator in the Atlanta office of Parker Poe Adams & Bernstein. He has tried dozens of cases to judges, juries and arbitrators, representing clients in a range of industries that include real estate, logistics and technology.
Micheal L. Binns is a patent litigator in the Atlanta office of Parker Poe Adams & Bernstein. His experience includes the litigation, counseling and prosecution of all forms of intellectual property.