Data Breach Lessons from Recent Robinhood Lawsuit

Pietragallo Gordon Alfano Bosick & Raspanti, LLP

Takeaway:

For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.


Robinhood, a stock trading platform, was recently sued in connection with a significant data breach. When a high-profile company like Robinhood suffers a data breach, the glare of scary headlines is only a shadow of the cost to the company. Increasingly, companies face litigation risk and the corresponding damages caused by a breach.

According to a class action lawsuit filed in Federal District Court in the Eastern District of New York, over 7 million individual records were revealed in the Robinhood breach. The lawsuit alleges negligence, breach of contract, breach of fiduciary duty, and other violations of state and federal law.

Plaintiffs point out that this type of breach was reasonably foreseeable, given all the news and information on data breaches in recent years. Plaintiffs claim that Robinhood had a duty to secure their personal information. That duty – plaintiffs allege – stems from users’ relationship with the Robinhood service and is actionable based on the Federal Trade Commission Act (FTC Act), which prohibits unfair practices in or affecting commerce, and New York’s SHIELD statute.

Plaintiffs say that Robinhood failed to implement adequate policy, procedure, and technical safeguards, as recommended by the FTC and SHIELD. If those laws create an affirmative duty and obligation for implementing a reasonable security plan, then Robinhood – and others – can be found liable and assessed damages for failure to do so.

What is a “reasonable security plan”? According to Plaintiffs, a reasonable plan includes:

  • data encryption
  • employee training
  • technological tools to defend systems against invasion

But what’s really recommended under SHIELD and FTC, and is that guidance enough to protect companies?

New York SHIELD Law
New York passed N.Y. Gen. Bus. Law § 899-bb(2), the Stop Hacks and Improve Electronic Data Security Act (SHIELD), to require companies holding private information of New York residents to implement and maintain reasonable security safeguards. Under SHIELD, reasonable safeguards are specified and include:

  • designating a program coordinator
  • vendor risk management
  • assessment
  • monitoring of networks and physical spaces
  • disposal of aged private information

It also stipulates that entities compliant with HIPAA or the Gramm-Leach-Bliley Act are deemed compliant with SHIELD.

FTC guidance
The FTC Act has been used in other cases to establish a duty of care. In the Robinhood case, Plaintiffs allege that Robinhood’s duty is set forth in the FTC’s guidance publication called Protecting Personal Information: A Guide for Business.

The FTC’s Protecting Personal Information guide is a simple, straightforward but robust set of recommendations for businesses that handle personal information. It is organized under five catchy key principles:

  1. Take Stock
  2. Scale Down
  3. Lock It
  4. Pitch It
  5. Plan Ahead

These recommendations cover some of the same practices recommended by SHIELD, but add more specific guidance, including:

  • recommendations to implement the principle of least privilege
  • demilitarized zones and firewalls
  • extensive physical security access controls
  • vulnerability assessments
  • network scanning


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pietragallo Gordon Alfano Bosick & Raspanti, LLP | Attorney Advertising
