2017 Cybersecurity Litigation Year in Review and Forecasts
By Michael Bahar, Kristine Ellison, James Hyde and Robert Owen
December 21, 2017 at 02:30 PM
Cyber-related litigation continues to be volatile, with 2017 witnessing several momentous developments including rulings on standing, the extent of insurance coverage, the fate of the Fourth Amendment's third-party doctrine in the digital age, and the emerging standard of care for cybersecurity. At the same time, Europe is seeing its own tectonic shifts in how it handles data, including data that is shared with the United States, creating some very serious fault lines that will need to be watched closely in 2018.
Corporate Data Breach Litigation
Standing. Despite a flurry of activity in 2017, what constitutes standing to bring breach class actions remains unsettled. There were four main decisions before the appellate courts, all of which came to different conclusions under the U.S. Supreme Court's 2013 decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013). On one end of the spectrum, the Fourth and Eighth Circuits declined to find standing for any plaintiffs under Clapper's substantial risk test if the plaintiffs had not suffered a tangible harm. Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); In re SuperValu, 870 F.3d 763 (8th Cir. 2017). The Eighth Circuit reached this holding for 16 out of 17 plaintiffs in a case involving stolen credit card numbers, finding standing only for the one plaintiff who suffered fraudulent charges on his account.
On the other end of the spectrum, the Third Circuit found that an alleged violation of the Fair Credit Reporting Act was sufficient to establish standing even without any economic or other tangible harm. In re Horizon Healthcare Servs., Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).
In the middle was the D.C. Circuit, finding that access by hackers to the combination of names, birth dates, email addresses and member numbers creates a substantial risk of medical identity theft even if Social Security numbers and credit card numbers were not stolen and there was no allegation of misuse of the plaintiffs' personal data. Attias v. Carefirst, Inc., 865 F.3d 620, 622 (D.C. Cir. 2017). The D.C. Circuit decision is currently on petition for a writ of certiorari at the Supreme Court, giving 2018 the opportunity to bring greater clarity to what constitutes standing in an age of increasing cyberattacks.
Coverage. As the litigation threat continued to increase in 2017, companies increasingly—and rightfully—turned to specialized cyber insurance to mitigate their risk.
At the same time, however, 2017 gave a rude awakening to those companies that relied on traditional insurance to cover cyber events. Courts in 2017 continued to conclude that commercial general liability policies do not always apply to cyber events. Cyber events may not even implicate the insurer's duty to defend against breach class actions, much less provide coverage for resulting losses.
For example, federal courts in Florida, Pennsylvania, and New York have all agreed that when the insured is not the one accused of publishing the protected information at issue, there can be no personal and advertising liability coverage. From a different perspective, district courts are grappling with the scope of coverage under computer fraud provisions in crime policies when a corporate entity loses money through phishing or other email scams, leaving the industry urging courts to draw a line between losses resulting from human error as a result of deceit versus losses resulting from unauthorized access to a company's computer system.
NAIC Model Law on Insurance Data Security. This past year also witnessed a host of strong cybersecurity regulation, like the new cybersecurity rules and regulations affecting securities professionals in New York (23 NYCRR 500), Colorado and Vermont (see 4-4 Vt. Code R. §8:8-4), as well as enhanced federal cybersecurity enforcement from the likes of the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and even the Food and Drug Administration (FDA)—all of which are helping set a standard of care for cybersecurity that courts will likely pick up in 2018 and beyond.
Next year may further accelerate this trend towards regulatory convergence around “reasonable” cybersecurity practices as 2017 saw adoption of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The Model Law establishes minimum cybersecurity standards largely consistent with New York's regulation. Like the other key federal and state regulations, this Model Law promotes a proactive, holistic and risk-based cyber strategy and, importantly, it requires senior corporate oversight. New York, for example, now requires affirmative sign-off on cybersecurity plans and programs (see 23 NYCRR 500), which could potentially open up directors and officers to individual liability in 2018.
The NAIC Model Law, however, stops short of including many of the more specific and nuanced requirements included in the New York regulation, and it diverges in other important ways from New York, as well as other regulations, highlighting another important trend: emergence of a growing thicket of cybersecurity regulation. Navigating that thicket will prove increasingly challenging in 2018, further emphasizing the need for sound planning up front.
Carpenter v. United States
Congress and the Supreme Court also faced momentous questions in 2017.
In particular, the Supreme Court faced the question of the continuing applicability of the Fourth Amendment's third-party doctrine to today's digital age. In late November, in Carpenter v. United States, the justices heard arguments on whether the Fourth Amendment permits the warrantless collection of a criminal defendant's cell site location data. While this case will have wide-ranging significance when decided in 2018, one aspect is particularly worth noting in the cybersecurity and privacy context. Because the Fourth Amendment generally covers U.S. persons, not foreigners, a ruling that is explicitly confined to U.S. persons may exacerbate the difficulties for companies that must navigate the global regulatory thicket.
Schrems II
In what is known as Schrems II, the Irish High Court threw into doubt the model contractual clauses between European companies and US companies that wish to engage in cross-border data flows, citing a lack of trust in how the US will treat EU data. The Data Protection Commissioner (Ireland) v. Facebook Ireland Limited (and Maximillian Schrems) [2017] IEHC 545. The court referred the case to the Court of Justice of the European Union, with a decision expected in 2018.
FISA §702
Similarly, at the time of publication, Congress had not reauthorized the expiring §702 of the Foreign Intelligence Surveillance Act (FISA), which was a focal point of the Schrems II decision. Section 702 allows the government to collect information on non-U.S. persons located abroad. While much of the focus in the U.S. has been on how to treat the inevitable, incidental collection of U.S. person data, in 2018, much of the focus will be on the effect §702 has on the global regulatory and litigation landscape. Indeed, the bulk of the 152-page Schrems II opinion discussed §702 and its application of data privacy protections only for U.S. persons, not foreigners.
Developments in Europe
General Data Protection Regulation. While many in 2017 began to prepare for sweeping new privacy regulations coming out of the EU, 2018 will see that trend accelerate as the General Data Protection Regulation (GDPR) enters into force on May 25, 2018. The GDPR is designed to be “future-proof” against technological developments and hopes to harmonize data privacy laws across the EU—but not necessarily with other jurisdictions—thus setting up the potential for conflicting regulatory requirements for U.S. companies. While requiring greater transparency and accountability from companies, it includes greater privacy protections for individuals. As a matter of law, U.S. companies will have to comply with GDPR if they:
- target offering of goods or services to individuals in the EU (even if for free);
- monitor the behavior of individuals who are in the EU including for purposes such as behavioral advertising;
- provide services to EU clients involving using personal data, for example, by hosting EU personal data on U.S.-based servers; or
- provide centralized IT systems or data storage functions for the enterprise which contain personal data about the employees and customers of any EU subsidiaries.
In addition to the issues Schrems II discussed, the GDPR also will have litigation and regulatory enforcement impacts in the United States and for U.S. companies abroad. For example, failure to comply with the GDPR carries the potential for a fine of 4 percent of global turnover or 20 million euros, whichever is greater. In addition, companies may find themselves having to choose which regulatory regime to comply with, and which to violate, making proactive planning on conflicting regulatory requirements critical.
Government-Funded Insurance for Cyberattacks by Terrorists. In late November, the UK's national terrorism and state-backed reinsurer, Pool Reinsurance Co. Ltd., announced that it will begin providing coverage for physical damage and direct business interruption resulting from an act of terrorism. The UK government makes this move in recognition of the evolving threat from terrorists acting both remotely and directly. The coverage provided will include buildings, contents, and business disrupted during a police investigation into a terrorist attack, but will exclude intangible assets.
The First UK Breach 'Class Action'. 2017 witnessed the first UK breach class action, and it heralded increasing breach litigation for 2018, especially with the advent of the GDPR. On Dec. 1, 2017, the English High Court considered a 6,000-person compensation class action against a company whose former IT auditor stole and uploaded employee payroll data to the internet. Although declining to find the company directly liable to the employees, the court did find that the company was vicariously liable for the auditor's actions. Permission to appeal has been granted to the company. In the meantime, however, the judgment provides clarity to claimant lawyers who will use it as a route-map against other companies.
Conclusion
Ultimately, 2017 was a tremendously significant year for cybersecurity litigation, and the explosion of cybersecurity regulation in 2017 also signifies an even more significant litigation year in 2018, both here and abroad. Anticipating and mitigating what is coming not only helps prevent breaches, but also can help limit the litigation and regulatory enforcement fallout that could—and often does—ensue.
Michael Bahar is a partner, Kristine Ellison is an associate, and James Hyde and Robert Owen are partners, at Eversheds Sutherland.