Courts are shifting the cybersecurity onus toward companies

In early data breach and cybersecurity litigation, courts took the perspective that cybercriminals were bad-acting third parties and businesses should not be held responsible in negligence for economic losses. That’s changing, however.

“Courts, in general, are looking for ways to turn to companies that are the custodians of the data, versus the individuals who traditionally have borne the uncertain burden of potential future identity theft if their data is stolen,” says Molly Meacham, shareholder at Babst Calland.

Smart Business spoke with Meacham about data breach litigation trends.

What are examples of courts shifting their approaches to data breach litigation?

In Dittman v. UPMC, the Pennsylvania Supreme Court broke new ground, finding that companies have an affirmative duty of care to protect confidential personal data that they have collected. The court viewed the actions of cybercriminals as a foreseeable risk that’s not a shield from liability. The court also did not let UPMC point to the economic loss doctrine, which previously held that if the loss is only financial, it cannot be recovered under a negligence theory.

The Dittman decision drew nationwide attention, because litigants in other states will ask their courts to adopt or reject it.

In addition, courts are looking at data breach damages. Several federal judges rejected data breach class action settlements to demand a larger or simpler recovery for the individuals, including higher caps per plaintiff, larger pools of funds and/or easier hurdles toward getting those funds.

Courts have also pushed back against the threshold issue of whether plaintiffs have to show actual damages to participate in a class action, or whether the risk of future damage is sufficient. For example, Jeep owners are pursuing class claims of diminution of value, following a well-publicized white-hat hacking incident. The manufacturer fixed the vulnerability and no vehicles were maliciously hacked, but the suit has been permitted to proceed on the theory that the cybersecurity risk resulted in damages.

How should companies react?

First, evaluate what personal information the company collects — is it from employees, or does it include consumer information? Then, how does the business use and store the data? Who has access? What security measures are in place? Some businesses collect data through their products, i.e. sensors or the Internet of Things. This is somewhat unsettled law, but if a device can access personal information, how is that data collected, transmitted, stored and protected?

Courts tend to look at how the company fits into the industry standard for the size and type of a business, as well as the type of information. Large companies, with the resources to do more, are expected to meet a higher, more sophisticated standard.

The best way to defend against a lawsuit is to show that the company took reasonable steps to stay abreast of technological developments, and that it is in line with its peer companies with regard to cybersecurity and data privacy.

What are other risks to be aware of?

Targeted social engineering — a skillfully spoofed email, call or letter to someone in corporate or finance — is increasing. Beyond providing education about social engineering techniques, executives should examine their insurance policies to see what is covered and what exclusions may apply. The language may exclude coverage when an employee unintentionally (but voluntarily) assisted a criminal in breaching the company’s defenses.

Businesses also need to think about their contracts’ indemnity provisions, and who bears the risk in a cybersecurity incident or data breach. A company needs to accurately project a vendor’s ability to contribute after a breach or line up insurance to bridge the gap. In a cybersecurity incident where both companies are jointly liable, a court may turn to the larger, financially stable company to make up the shortfall if the smaller company is insolvent.

Bottom line, knowledge is critical. Do executives understand the exposure? Is the business keeping up with industry standards and documenting its risk management to show compliance with its duty of reasonable care? Are executives reading their contracts and insurance policies? The choices businesses make today have long-term impacts, so the sooner a company addresses these issues, the better.

Insights Legal Affairs is brought to you by Babst Calland