The Next Battleground for Data Breaches…Shareholder Lawsuits?

Companies ill-prepared for data breaches and failing to take reasonable steps to secure data and computer systems face increasing and serious risks to the business. Specifically, companies, officers, and boards must start taking data and computer-systems security seriously or risk shareholder lawsuits.

Shareholder Lawsuits for Data Breaches

In two recent presentations, I mentioned the coming risk of shareholder lawsuits, even in small and closely-held companies, against officers and board members for failing to reasonably secure data assets and computer systems and for failing to provide reasonable disaster recovery, data breach response, and information governance policies. Today, as part of their fiduciary duty to shareholders, boards and officers must be aware of cybersecurity issues and must prepare to properly respond to events—where the assumption is no longer if a security breach will occur but when breaches will occur (and how will it be detected and mitigated). Experts estimate the current probability of a data breach at a company as 22%. [Global cost of data breach goes up by 15 percent, Help Net Security (May 5, 2014) (over two years).]

A recent summary report shows how damaging data breaches can be to shareholders and customers. Data from 2011 (the most recent) shows average data breach costs at $3.5 million per incident or about $145 per record compromised. [Global cost of data breach goes up by 15 percent, Help Net Security (May 5, 2014); or see  Cybersecurity concerns becoming a boardroom issue, Help Net Security (Mar. 6, 2014) (placing the median cost at $59 million.] Proportionally, even smaller businesses can suffer significant costs from a data breach—recent reports indicating that 60% of small businesses close after a data breach incident (while small businesses typically have high closure rates anyway, the report does reasonably illustrate a increase in risk of closure). [George Westerman, Your Business Is Never Too Small For A Cyber Attack, Here’s How To Protect Yourself, Forbes (May 13, 2013).] Data breach costs not only include initial response (which can be steep) but data restoration, systems recovery, future mitigation steps, mandatory reporting requirements (Pennsylvania has a data breach reporting act), systems integrity verification (because a data breach fundamentally raises issues regarding the integrity of any data in the system), financial systems restoration, etc.

Furthermore, cybercriminals increasingly use highly sophisticated attack methods. Recent surveys indicate that cybercriminals might elude detection for an average of 229 days (over seven months)—a number that sadly has not improved much in years despite increasing recognition of threats. [Advanced attackers go undetected for 229 days, Help Net security (Apr.11, 2014).] (See also a recent report regarding an alleged year-long data breach at a technology manufacturer, [ John Leyden, French hard-drive maker LaCie cops to YEAR LONG card data leak, The Register (Apr. 16, 2014).])  Boards and officers will be hard-pressed to demonstrate reasonable actions as part of their fiduciary duty when a breach has been on-going for months (and also adds to the damages as a poor backup program may be undermined by lengthy breaches).

While data breach victim lawsuits have fared poorly in courts (so far), shareholder lawsuits are likely to be more successful simply because the shareholders can demonstrate de facto damages from a breach (in contrast to the supposed “difficulty” according to many courts of proving damages for data breach victims). Furthermore, due to maturing and readily available cybersecurity policies, methods, and best-practices, reasonable data security falls well within a board’s and officer’s duties.

FTC Enforcement for Data Breaches

Shareholder lawsuits might also be indirectly aided by recent FTC actions. At least a first salvo seems to permit the Federal Trade Commission (FTC) to file lawsuits for deceptive practices and unfair practices under 15 U.S.C. § 45(a) in some cases of data breaches. See FTC v. Wyndham, Case 2:13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014) (a 42 page opinion denying Wyndham’s motion to dismiss and impliedly affirming FTC power in some cases to initiate actions under deceptive and unfair practices for data breaches), [ Jaikumar Vijayan, FTC can sue companies hit with data breaches, court says, Network World (Apr. 10, 2014)], [Michael Cooney, FTC goes after Wyndham for data breaches at its hotels, Network World (Jun. 27, 2012)], or [Press Release: FTC, FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers’ Personal Information]. For company officers and board members, this should be a wake-up call. An FTC action could also trigger shareholder lawsuits arising from fines, penalties, loss of goodwill, and company devaluation. (Note: States will likely closely look at this opinion and potentially add state enforcement actions.)

The Take-away: Companies Must Take Cybersecurity and Customer Data Seriously or Risk Shareholder Lawsuits

The message becomes clear: as part of reasonable actions and fiduciary duties, companies must take data security (cybersecurity) seriously (even small and closely held companies) or risk shareholder lawsuits (and possible enforcement actions from regulatory authorities). Taking proper action includes legal advice on the emerging area of cybersecurity—acknowledging the convergence of legal and technical issues (this is not just something for the IT department anymore although they play an important role in the entire process)— and reasonable actions such as implementing widely available cyberscurity best practices, policies, and systems.

 Update

Others are starting to realize the exposure of board members, directors, and officers–see, e.g., Marlisse Silver Sweeney, Directors May Be Personally Vulnerable in Company Data Breaches, Law Technology News (May 12, 2014).

2014-08-19 The Community Health Systems breach of 4.5 million medical records, apparently stretching over three months, resulted in filing of an SEC Form 8-k Item 8.01 Other Events statement revealing the breach.