By Richard J. Bortnick, Wilson Elser
For businesses large and small, compliance with federal, state and foreign privacy laws and regulations has become an essential business obligation. These laws govern a company’s collection, storage, use, sharing and disposal of personally identifiable information (PII), protected health information (PHI) and payment card information (PCI).
A company’s innocent or inadvertent failure to abide by these laws, or its failure to timely and fully disclose how it performs such tasks, can make it a target for regulatory proceedings and civil class actions. These lapses also can be a source of reputational damage to the business. In addition, a significant number of public and private entities simply are unaware of the laws that govern consumers’ and employees’ privacy rights and the associated risks and exposures.
The Risks Are Real
Government regulators and class action plaintiffs’ attorneys are targeting organizations believed to be noncompliant in these areas, as well as those that have suffered data breaches. Additionally, many lenders, customers and potential customers are conducting “audits” of their clients’ and business partners’ electronic environments to identify any vulnerabilities that could lead to a privacy breach. Then there are ransomware and advanced persistent threats (APTs). All of this scrutiny makes it critical for business owners and managers to invest the time and resources needed to comply with these new standards by adopting required plans and policies, performing mandatory employee training, and conducting timely audits and assessments to ensure that their organizations meet today’s mandates governing the security and privacy of data they hold.
So, too, the frequency and severity of ransomware and the U.S. government’s limitations on where payments can be made have put tremendous stress on insurance companies and businesses that rely on internet connectivity to function. If those entities deal with third-party vendors, the magnitude of the risk can multiply exponentially. The same applies to APTs, which are cyber-attacks executed by sophisticated bad actors targeting specific information, usually in a long-term campaign involving multiple steps.
In short, the risks are real, particularly for small and medium-sized firms, which typically do not have the robust cybersecurity protections of larger companies with significant information technology budgets. In 2019, the average cost of a breach was $8.9 million, the cost per breached record was $242 for PII and the cost per record for PHI was $428. Perhaps more importantly, a Deloitte University Press study reveals that 80 percent of consumers indicate they are more likely to do business with companies that have not experienced a privacy event than with a company that has suffered one.
For years, a panoply of regulators has been investigating privacy breaches and prosecuting enforcement actions against companies conducting business in their states. Fines in these proceedings often have exceeded $1 million. At the same time, consumer class actions can allege damages that defy quantification. In California alone, since the adoption of the California Consumer Privacy Act (CCPA) on January 1, 2020, more than 25 regulatory investigations and a rapidly growing number of CCPA class actions have been opened, with consumers seeking damages between $100 and $750 per affected class member, per incident.
The Greater Threat
As dangerous as a regulatory investigation may be, consumer class action litigation presents an even greater risk.
According to the Complaint, “the dark web is replete with stolen Walmart accounts for sale,” including credit and payment card information. The Complaint further avers that Walmart’s online security systems were vulnerable to unauthorized access. The named plaintiff also asserted he had communicated with the alleged hackers and verified that the available personal information belonged to Walmart’s customers, a highly uncommon allegation in privacy litigation. Citing the CCPA, the named plaintiff seeks class-wide damages of at least $100 and up to $750 per affected consumer. For Walmart, a potential class of two million Californians could yield between $200 million and $1.5 billion in damages.
While smaller businesses might not have a corresponding customer base, even a company with 50,000 California residents as consumers could face damages ranging from $5 million to $37.5 million or more.
As one would expect, courts in California evaluate each lawsuit carefully, based on its individual facts. For example, in Rahman, the court found that the plaintiff lacked Article III standing in a case involving the theft of non-sensitive personal information arising from a data breach.
There, Marriott moved to dismiss for lack of subject-matter jurisdiction after confirming that no sensitive information had been compromised. Marriott argued that although the hackers had accessed the plaintiff’s personal information, the data lacked the sensitivity required to sustain a finding of injury in fact. The court agreed.
Conversely, in a consolidated case involving online and mail order retailer Hanna Andersson and Salesforce.com, a class of consumers alleging violations of the CCPA agreed to settle with the defendants for $400,000, pending court approval. The plaintiffs had argued that the defendants’ alleged failure to implement and maintain reasonable security procedures and practices had caused a data breach. As part of the settlement, the defendants agreed to a plan to improve their data security, including regular risk assessments, implementation of multifactor authentication for all cloud service accounts, hiring additional technical personnel, conducting regular phishing and penetration testing, and establishing a director of cyber security. In other words, the very types of best practices discussed below. Finally, the defendants agreed not to oppose an application for attorneys’ fees and costs of up to $120,000, which is not included in the above settlement amount.
Vigilance and Expert Legal Defense
Simply put, consumer class actions under the CCPA can get ugly. We all have seen the results in other consumer privacy lawsuits around the country; it’s not a pretty picture. And even where a company prevails on a motion to dismiss or obtains a summary judgment in its favor, the legal fees alone can reach well into six figures. This is not inexpensive litigation; no matter the outcome, the cost of defending these actions dwarfs the expense of providing compliance training and implementing best practices.
Employment- and consumer-related risks and exposures also have become increasingly prevalent, particularly under the Americans with Disabilities Act (ADA). A company must be vigilant to ensure that its websites and other e-commerce solutions are compliant, lest it face ADA class actions. Beyond the consumer and employment class actions, public companies that have been hacked face the threat of shareholder litigation. Yahoo! settled a derivative action for $29 million, and other companies have made seven-figure payments to settle with their shareholders.
In sum, class action lawsuits, whether filed on behalf of consumers, employees and/or shareholders, can subsidize a plaintiff counsel’s retirement fund at the expense of the noncompliant company (and possibly its insurers as well).
For more than 15 years, lawyers have counseled business entities on best practices in the field of data privacy, as well as their regulatory obligations. We have trained their employees on compliance strategies designed to lower a company’s risks and exposures arising from its collection, storage, use, disclosure and deletion of PII, PHI and/or PCI, extending such training to its customers, clients, employees, potential employees and business partners. We also frequently engage with regulators to protect our clients’ capital.
FEDERAL, STATE AND INTERNATIONAL REGULATORY SCHEMES
Privacy legislation at the federal level remains largely industry-specific, such as the mandates imposed on health care providers and insurers under the Health Insurance Portability and Accountability Act (HIPAA), financial institutions under the Gramm-Leach-Bliley Act (GLBA), and all regulated entities and individuals under the Federal Trade Commission Act.
To fill in the gaps created by federal law, a myriad of state data security and privacy laws have been enacted, and continue to evolve on an almost monthly basis. These laws typically regulate entities of all sizes, regardless of whether they have one or many employees, so long as they own or are in possession of the PII, PHI and/or PCI of consumers, employees and potential employees.
For example, in 2004, California became the first state to enact privacy legislation designed to protect its residents’ PII. Next came the CCPA, which was followed by the passage of the even-more stringent California Privacy Rights Act (CPRA) by referendum in November 2020.
On March 2, 2021, Virginia became the second state to enact a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The VCDPA draws from the CCPA and the CPRA, although it differs in important respects that should incentivize companies doing business in or marketing to Virginia residents to reassess their collection and use of consumer personal information and modify their compliance policies and procedures accordingly.
Nevada, Vermont, Connecticut and Colorado also have enacted data privacy laws that take guidance from the CCPA and other state and international laws. Other states, such as Florida and Washington, are not far behind.
Following suit, New York has enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which imposes data security obligations on companies that do business in or collect information concerning New York residents. At the same time, the Cybersecurity Regulation of the New York Division of Financial Services (NYDSF) requires New York‒regulated financial services institutions ‒ including agencies and branches of non-U.S. banks licensed in the state of New York ‒ to assess their cybersecurity risk profile and implement a program designed to protect consumers and “ensure the safety and soundness of the institution,” as well as New York’s financial services industry.
In turn, Illinois became one of the first states to focus on biometric and genetic data, enacting the Biometric Information Privacy Act (BIPA) and the Genetic Information Privacy Act (GIPA). The availability of a private right of action under BIPA has led to countless class action lawsuits. New York City also has enacted a new biometrics privacy ordinance that went into effect in July 2021.
At the same time, many businesses are subject to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which applies to every organization that has a web presence and markets products or services in a direct manner to consumers in the EU. Canada, Australia and other foreign jurisdictions have adopted their own privacy regimes, with respect to which you should be knowledgeable and compliant if your company does business in one or more of those countries.
WHAT SHOULD COMPANIES BE CONCERNED ABOUT?
Do your company’s employees know the difference between PII and nonprotected data? Do they know what constitutes PII, PHI and PCI in the jurisdiction(s) where your business operates? While some examples of PII may be obvious, such as social security numbers, far more is involved.
While some organizations differ, there are typically seven stages at which internal policies and regulations apply: creation, processing, storage, use, sharing, archival and destruction. To avoid regulatory fines, consumer and shareholder class actions, and the associated legal fees, employees should know how to collect information appropriately, classify and update it accurately, share it responsibly, and delete it when requested by a consumer pursuant to law or when it is no longer of use.
Data Handling Outside the Office
The security of information kept on mobile devices is often overlooked. Some of the most common threats include loss or theft of mobile devices, use of unsecured public Wi-Fi spots and shoulder surfing (spying on the user of an ATM, computer or other electronic device) in public spaces – all issues that need to be addressed in corporate policies and employee training to ensure that your workforce knows how to avoid these kinds of risks. With more people working remotely, the question of how to protect data outside the office is more important than ever.
Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standards (PCI-DSS) mandate that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI-DSS applies to any organization ‒ regardless of size or number of transactions ‒ that accepts, transmits or stores cardholder data. Different requirements apply to organizations depending on their transaction volume over a 12-month period. At the discretion of their acquirer or service provider, businesses that do not comply with PCI-DSS may be subject to fines, card replacement costs, costly forensic audits and other expenses in the event of a privacy incident.
SO, WHAT DO YOU DO? AND WHAT DO WE DO?
Businesses must recognize that they cannot ignore or take a relaxed approach to their data security and privacy compliance; it is a necessary and critical component of a company’s operations. While the requirements for each business will be different ‒ depending on the relevant industry, location and other factors ‒ there are some general practices attorneys train a business’s employees to follow so that they meet their and your compliance obligations:
When performed properly, such services and tools should mitigate and reduce a company’s risks and potential exposures arising from an adverse privacy incident, including ransomware and phishing. Also, a company’s demonstrated risk and loss reduction could ultimately lead to an insurance premium abatement that over time may result in the services and tools paying for themselves several times over.
A company’s failure to comply with data privacy laws can have disastrous consequences. This is an enterprise-level risk that needs to be managed properly. According to a 2018 study by the National Cyber Security Alliance, 60 percent of small businesses that experienced a cyber-attack went out of business within six months of the event.
It is axiomatic that cyber and other types of insurance policies can be dense and complicated. As a result, it is incumbent on brokers and underwriters to guide their clients and prospective policyholders regarding selection of the products, coverages and deductibles appropriate for their unique, individual needs, risks and exposures. It goes without saying that financial professionals should know the types and scope of the insurance products a company needs and ensure that those needs are fulfilled.
In short, an effective data privacy program will go a long way toward avoiding the substantial perils that could befall a noncompliant entity. A company’s continuing viability could be short-lived without it.
About the author: Richard J. Bortnick, Of Counsel at Wilson Elser, is an industry-renowned problem solver who litigates and counsels U.S. and international insurers and corporations on cyber, privacy and technology risks and exposures; directors & officers liability; insurance coverage; products liability; and commercial litigation matters. In addition, Rick drafts insurance policy forms of varying types, including those covering cyber/ privacy/ technology risks and exposures, and serves as an expert consultant on cyber insurance matters involving the historical existence and scope of cyber insurance products. For nearly 20 of his 36-year legal career, Rick has served as a trusted adviser to public and private entities of all sizes on their privacy, cyber and technology risks, and he has trained hundreds of business executives and others on their commercial and legal responsibilities. Contact Richard J. Bortnick at [email protected]