3. “There are only two types of companies: those that have
been hacked, and those that will be.” –Robert Mueller
Odds: Security @ 100% / Hacker @ 1
Target, Home Depot, Neiman Marcus, Michaels, Specs, TJ Maxx, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison
6. www.solidcounsel.com
Cost of a Data Breach – US
2013: $188 per record; $5.4 million total average cost paid by organizations
2014: $201 per record; $5.9 million total average cost paid by organizations
2015: $217 per record; $6.5 million total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)
11. Litigation: Business / Real Harm
Standing has not been an issue in cases where the harm is readily
ascertainable: “Target does not challenge Plaintiffs’ allegations with
respect to the elements of causation and damages.” In re Target
Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D.
Minn. 2014) (Financial Institutions Litigation).
12. Litigation: The Good Old Days
Fear from the heightened risk of future identity theft or fraud
from a data breach does not give legal standing to sue by a
party whose data may have been compromised.
“Allegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).
“[A]llegation of future injury may suffice if the threatened injury is
‘certainly impending’ or there is a ‘substantial risk’ that the harm will
occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014).
“Peters has not made the requisite demonstration of injury,
traceability and redressability for her alleged injuries.” Peters v. St.
Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015).
13. Litigation: Sensing Change?
Target’s Proposed Consumer Litigation Settlement (March 19, 2015)
Target pays $10 million into an interest-bearing escrow account.
Consumers are eligible for up to $10,000 if they show proof of losses from the data breach (such claims are prioritized).
Remaining funds will be disbursed later.
14. Litigation: The Tectonic Shift
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th
Cir. 2015).
“The plaintiffs allege that the hackers deliberately targeted Neiman
Marcus in order to obtain their credit-card information. . . . [t]here is
‘no need to speculate as to whether [the Neiman Marcus customers’]
information has been stolen and what information was taken. . . .
there is an ‘objectively reasonable likelihood’ that such an injury
will occur.”
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
15. Litigation: The Trends?
Standing
Theft of data v. negligent loss of data?
Target Fin. / Sony / Ashley Madison – the harm?
Overall Litigation Trend
Incrementalism
Who’s gonna get it?
Who has best opportunity to control?
18. Regulatory Response – SEC
January 2014: SEC indicates companies need
Policies & Procedures for:
1. Prevention, detection, and response to
cyber attacks and data breaches,
2. IT training focused on security, and
3. Third party access to company systems
and vendor third party due diligence.
19. Regulatory Response – SEC
April 2014: Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative
Examined 50 registered broker-dealers and registered investment advisors.
7-page sample cybersecurity document request.
Detailed cybersecurity questions.
Extensive third-party provider questions.
20. Regulatory Response – SEC
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
“Firms must adopt written policies to protect their clients’ private information”
“they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
R.T. Jones was found to have violated this “safeguards rule.”
100,000 records exposed (no reports of harm)
$75,000 penalty
22. Regulatory Response – FTC
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). The FTC’s Order requires the business to follow three steps when contracting with third-party service providers:
1. Investigate before hiring data service
providers.
2. Obligate their data service providers to adhere
to the appropriate level of data security
protections.
3. Verify that the data service providers are
complying with obligations (contracts).
23. Regulatory & Administrative
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir.
Aug. 24, 2015).
The FTC has authority to regulate cybersecurity under
the unfairness prong of § 45(a) of the Federal Trade
Commission Act.
Companies have fair notice that their specific
cybersecurity practices could fall short of that provision.
3 breaches / 619,000 records / $10.6 million in fraud
Rudimentary practices v. 2007 guidebook
Website Privacy Policy misrepresentations
25. Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the importance of
cybersecurity oversight responsibility, do so at their own peril.” SEC
Commissioner Luis A. Aguilar, June 10, 2014.
Derivative litigation: the wave of the future.
Trend of holding responsible those perceived to be in a position of control vis-à-vis those perceived as being the victim.
Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
Derivative claims are premised on the harm to the company that stems from the data breach, a much different standard than the harm / standing issues that plaintiffs face in consumer data breach litigation.
Derivative plaintiffs rely on Caremark claims that are premised on the officers
and directors’ lack of oversight which is a breach of the duty of loyalty and
good faith. Companies cannot insulate the officers and directors for a
breach of this duty.
Caremark standard: (1) “utterly failed” to implement reporting system or
controls; or (2) consciously failed to monitor or oversee system.
26. Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).
Palkon, a Wyndham shareholder, brought a derivative action against
its officers and directors for failing to ensure that Wyndham
implemented adequate security policies and procedures.
Included Caremark Claim: “Defendants failed to ensure that the
Company and its subsidiaries implemented adequate information
security policies and procedures . . . .” (Pl’s Complaint ¶ 4)
The court granted the Motion to Dismiss, finding the board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.
The well-documented history of diligence and compliance showed
the board had discussed cybersecurity risks, company security policies
and proposed security enhancements in 14 quarterly meetings and
had implemented some of those cybersecurity measures.
28. You will be breached. Will you be liable?
It’s not the breach; it’s your diligence
that matters most.
Companies have a duty to be
reasonably informed of and take
reasonable measures to protect
against cybersecurity risks.
31. Shawn Tuma
Partner, Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice,
and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Texas SuperLawyers 2015
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Council, Computer & Technology Section, State Bar of Texas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Information Systems Security Association (ISSA)
Board of Advisors, Optiv Security
Contributor, Norse DarkMatters Security Blog
Editor, Business Cyber Risk Law Blog