When Bad Guys Attack: Data Breach and Legal Exposure

Cyber criminals hack businesses for a myriad of reasons: to rob bank accounts by hacking email accounts and intercepting wire transfers; to file fraudulent tax returns using stolen customer or employee personal data; to commit health insurance or Medicare fraud; to steal intellectual property; to destroy  property; and to deny service.  Websites are also hacked as a mechanism to cyber hack other businesses. (See data protection tips here.)

Cyber hackers include your employees, identity thieves, contractors and vendors, business competitors, terrorists, state-sponsored actors and others. The success of your business and its very existence could be placed in jeopardy because of unauthorized business account access, loss of ability to execute transactions, regulatory, reputational and litigation costs, and significant remedial costs.

Focusing on the litigation ramifications, let’s use the following fictional ABC Co. case study to understand the various laws involved.

ABC Co. is a Missouri corporation, is not publicly traded, and is neither a health organization nor a financial institution.

An external cyber hacker illegally gains access to ABC Co.’s server and obtains W-2 forms of 500 current and former Missouri resident employees including personally identifiable information such as social security numbers, addresses, and salary information of ABC Co. employees. The employee data was not encrypted. As a result of the data breach, a false tax return was filed on behalf of one of the employees and the other employees incurred costs for security services. Because of the breach, there is a risk of identity fraud or other fraud.

ABC Co. executives check Missouri statutes and find that under Section 407.1500, personal information has indeed been disclosed. Further, since a false tax return has been filed, notification to those employees affected by the breach is required. However, given that less than 500 employees have been affected, ABC Co. does not have to notify consumer reporting agencies or the Missouri Attorney General. Missouri statute requires that notification must be made without unreasonable delay and consistent with measures necessary to determine sufficient contact information and to determine the scope of the breach and to restore the “reasonable integrity, security and confidentiality of the system.”

ABC Co. notifies all affected employees. In its notice, the company explains what occurred, identifies the type of personal information that was obtained, provides a telephone number for the employee to call and contact information for consumer reporting agencies, advises that the employee is to remain vigilant, and offers a complimentary two-year membership to a service that helps detect misuse of personal information.

Is ABC Co. safe and what is its’ legal exposure?  No, ABC Co. is not safe if it failed to take reasonable steps to prevent wrongful dissemination of personal information.

To determine legal exposure, the following analysis would be performed.

1. Is the business covered by federal statute?

In this example, most federal laws do not come into play. Laws affecting cybersecurity breaches include the Security Exchange Commission for publicly traded companies, brokers, investment advisors,  health care providers (HIPPA Breach Notification Rule), consumer protection (Federal Trade Commission, accounting rules (System and Organization Controls), financial institutions (Graham  Leach Biley Act), and the Stored Communications Act.

The breach could also give rise to a consumer class action suit. Criminal penalties could also be accessed against the perpetrator under the federal wiretap and electronic surveillance laws, the Computer Fraud and Abuse Act and other state surveillance laws.

2. What are the various state laws for states where the past and current employees reside? 

In this example, I assumed that only Missouri residents were affected, which is very unrealistic. You must follow the law where the employee resides. Most state data breach notification laws provide for civil remedies. Additionally, state attorney generals have the power to bring an action in law or equity to address violations of breach notification requirements.

Several states provide for private rights of actions, allowing affected individuals to seek an injunction or recover actually damages, and, in some cases, litigation and attorney fees. For example, California and Rhode Island also protect information such as passwords.

3. What about causes of action for negligence and breach of contract?  

Missouri has not ruled on this, but many courts have. With similar facts, in Savidge v. Pharm-Save, Inc. (W.D. KY, Dec. 1 2017), a federal court in Kentucky refused to dismiss a case that pleaded negligence and contract violations. It held that with respect to negligence, the company had a duty to “safeguard personally identifiable information” that employees provide to their employer for the purposes of proving identity, receiving compensation and tax records.

The plaintiff alleged that Savidge did not establish process and procedures to protect the information from wrongful disclosure and provided insufficient training. The employee plaintiffs suffered because of their purchase of credit monitoring services and identity theft protection services as well as expenses incurred in responding to a fraudulent tax return.

A breach of contract was also adequately pled, according to the court, because the company implicitly promised that it would take adequate measures to protect employees’ personal information and the company breached that obligation through the release of personal information.  See also Castillo v. Seagate Technology, (N.D. Cal. Sept. 14, 2016) where a phisher claiming to be CEO asked a handful of employees to request W-2 information for all employees and Sackin v. TransPerfect Global, Inc.  (S.D. New York , Oct. 4, 2017)  where a phisher claiming to be CEO asked for W-2 forms and payroll information.  In Sackin, the court found that the plaintiff pled a breach of common law duty by claiming that the company did not take “reasonable steps to prevent wrongful dissemination of Plaintiffs’ [personally identifying information] – including erecting a digital firewall, conducting data security training and adopting retention and destruction policies.”

4. Are there international laws at play? 

International laws apply if the company does business in foreign countries or has foreign offices, suppliers or customers and individuals are affected. For example, the General Data Protection Regulation (GDPR), approved by EU Parliament, is effective on May 25, 2018. It applies to all companies processing personal date for subjects resident in the EU, organizations can be fined up to $5 of annual global turnover or E 20 Million (whichever is greater), and breach notification is mandatory where it is likely to result in a risk for the rights and freedoms of individuals and the notification must be done within 72 hours of first becoming aware of the breach.   The Data Subject Rights are significant including right to access information from the controller, the right to be forgotten, data portability and privacy by design.

5. Are ABC Co.  Directors and Executives (CEO and CIO) at risk? 

Missouri has no law on this. Under Delaware law, directors owe fiduciary duties to their shareholders and have important roles in overseeing corporate risk management, which includes cyber security risk. Executive officers such as CEOs and Chief Information Officers can also be sued.

Businesses must analyze breaches under countless state, national, and international laws. Tax returns are due soon. Please take appropriate measures to protect your customers and employees personally identifiable information. As one court said, “Why else would hackers break into a store’s database and steal consumers’ private information?  Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume consumer identities.”

It is not a question of if, but when a business will be hacked.  Be prepared and take reasonable steps to protect personal information.

Posted by Attorney Ruth A. Binger. Binger serves both emerging and mature businesses concentrating in corporate law, intellectual property and technology law, cybersecurity, digital media law, and labor and employment law. Her commitment to the success of small to medium-sized businesses, and her understanding of multi-faceted issues inherent in operations, are what distinguish Binger’s practice.

Upcoming event:

Cyber Awareness Panel Webinar

Danna McKitrick is proud to join Associated Industries of Missouri in sponsoring a panel of cyber experts in a Cyber Awareness Panel Webinar on January 23, 2018, at 2:00 p.m. Ruth Binger, a cybersecurity and business law attorney with Danna McKitrick, will serve as moderator and will present on a company’s legal exposure when hit with a data breach. Other topics to be discussed include how to protect your company data, employee data, and customers’ information from being hacked and what to do if your system is hacked. Binger will join representatives from the U.S. Secret Service, SpearTip, RubinBrown, FleischmanHillard, and Daniel and Henry in this live video panel discussion.

Free and open to everyone!

Register here