Class action plaintiffs have plenty of ammunition when pointing a finger at a company holding consumer data. An attack occurs, typically because of a security vulnerability and/or a novel method, and plaintiffs have a relatively easy avenue to establish causation. For that reason, many companies and banks understandably focus their efforts on strengthening their information security policies and procedures. Proactive banks and other companies wisely engage cybersecurity forensic consultants, procure quality cyber liability insurance, and build out their response plans to help establish that reasonable precautions were taken, which can help counter causation arguments. However, with the rising number of data breaches in recent years exposing millions of consumer data records to potential identity thieves, the supply of consumer information – Social Security numbers, account numbers and other personal information – on the black market has exploded. That makes damages difficult to prove in data breach cases because of the high likelihood that the individual's personal data is already out there somewhere.
It was only a matter of time before creative damages theories would arise in these cases. In a recent decision, a federal district court certified a class in a case based upon a data breach in which a massive amount of personally identifiable information (PII) was stolen over the course of several years. One notable element of this class certification order is that it is founded, at least in part, on a novel theory of damages. This theory is based on the premise that the amounts charged by the company that suffered the data breach would have had to be reduced if consumers in the relevant market had been aware of the company's failure to protect consumer data. In other words, if the market had known this company was subject to the ongoing data breach, it would have had to lower its prices in order to attract customers. Thus, the theory is that the members of the class should be able to recover these theoretical overcharges for payments they made to the defendant company during the ongoing data breach. This theory of damages allows for recovery without any evidence of actual misuse of a consumer's PII as a result of the data breach.
The case in which this theory of damages has been accepted involves the price charged for hotel rooms; however, one can easily imagine how this might apply to other industries, e.g., airline ticket prices. With the high level of security involved in air travel today, a great deal of information most people consider very confidential is required to purchase a ticket on an airplane. If one airline made no promise to protect the PII collected from its customers, it would probably have to charge much less per ticket than a competitor using state-of-the-art data protections. Who would knowingly hand their confidential information over to the dark web? A similar analogy can be made in the banking industry. If it were known that a bank was subject to a data breach or a ransomware attack, arguably, even a complete waiver of fees charged for banking services would not keep customers at the bank while their confidential financial information – and maybe their money – is siphoned off. Could this theory of damages subject a bank that suffers a data breach to a complete disgorgement of fees collected from all of the customers impacted by the breach?
As this theory of damages continues to play out in court, companies can take steps to minimize its viability. Experts in the cybersecurity field often start their presentations with the phrase "It is not if but when a cybersecurity incident will occur." There is certainly some truth to that statement. Threat actors increasingly deploy sophisticated attacks that target weaknesses in both people and systems. Making your bank 100% protected is practically impossible; however, engaging in proactive measures consistent with best practices in the banking industry can go a long way toward establishing that data protection efforts are a significant part of the cost of doing business.
With threat actors using more sophisticated phishing attacks and payment fraud schemes, it is important to provide ongoing cybersecurity awareness training to employees to counter new attacks. Banks should keep thorough records of their training programs, including the time and expense involved, so that those efforts can be documented later.
Access controls, encryption, intrusion detection and vendor diligence should make up a significant part of the time and expense your bank contributes to its information security program. Access can be a difficult issue with employees working remotely and wanting the flexibility to use mobile devices. Each device adds to the attack surface, emphasizing the need for mobile device management, multi-factor authentication, technical measures preventing local storage of customer data and other controls. Encrypted data is usually an exception under data breach notification laws, provided the encryption key was not also compromised. Failing to encrypt data in transit and at rest, or storing the keys alongside the data they protect, makes for an easy argument by class action plaintiffs.
While many banks have an internal information security team or use an information security vendor to monitor for intrusions, sophisticated threat actors develop new attacks every day. Consider engaging a firm that also performs cyber forensic investigations, as such firms will often have recommendations for the latest threat detection technology based on what they see in live incidents.
Both regulators and plaintiffs' attorneys almost always make an issue of the amount of time it takes between the first indication of a security incident and notifications to consumers and regulators. Usually, there is a good reason for some of this delay: it takes time to investigate and determine whether a breach actually occurred and the scope of the incident. Samples of data provided by ransomware attackers and other threat actors are unreliable, resulting in significant time spent to determine what may actually have been exposed. However, there are many parts of this process that can be controlled and expedited by your bank. Have a cyber-forensic firm engaged and on retainer. Make sure you fully understand your insurance coverage and how to quickly invoke it. Engage other vendors, like notice services and call center services, ahead of time to make the notice process faster. Hire a PR firm to help get ahead of messaging. Engage in a data mapping exercise to gain a full understanding of where all of your consumer personal information is stored and who has access to it. Conduct tabletop run-throughs of your cyber incident response plan to ensure that it can be quickly invoked and followed.
Finally, with this new theory of damages gaining steam, it may make sense to address it in your customer contracts. Have your customers acknowledge that while the bank is committed to protecting their personal information, and goes to great expense to do so, no information is 100% secure. Data breaches are inevitable, but with a solid prevention program and good documentation of all of the internal and external costs of your program, you will have a much better defense that the ticket was worth the price of admission.
Stephen J. Cosentino, CIPP, is a partner at Stinson LLP in the firm’s Kansas City office. He may be reached at steve.cosentino@stinson.com.
Perry L. Glantz is a partner at Stinson LLP in the firm’s Denver office. He may be reached at perry.glantz@stinson.com.