Data breaches come in many different forms, sizes, and levels of complexity, but they tend to share certain key facts: A third-party bad actor—whether through a phishing attack, a ransomware attack, exploitation of a zero-day vulnerability, or other means—gains access to a company's information technology systems. Following execution of the company's incident response plan, forensic analysis determines that customer, patient or other personal data was actually or potentially accessed or exfiltrated during the course of the attack, requiring the company to notify relevant regulatory authorities of a data breach and provide notification letters to all persons whose personal information (PI) or protected health information (PHI) was affected.
Plaintiffs' lawyers—typically after discovering media reports of the data breach or scouring notifications posted by state attorneys general or the U.S. Department of Health and Human Services' Office of Civil Rights (the office responsible for enforcing HIPAA)—identify individuals who received a breach notification letter. Once engaged to represent the "aggrieved," those lawyers file a class action lawsuit on their clients' behalf. Plaintiffs' lawyers, no matter the type of information that was potentially exposed or the sophistication of the company's data security measures, routinely argue that the data breach was entirely preventable but for the company's greed and incompetence in failing to employ "reasonable," "appropriate" or other additional security measures. The causes of action typically include, among others, negligence, negligence per se, breach of contract, breach of implied contract, invasion of privacy, violations of state unfair and deceptive practices act statutes, and violations of state privacy statutes, some of which can include statutory damages.
It has become increasingly difficult for defendants to get these suits fully dismissed at the pleading stage. Even so, we have identified several strategies that prospective defendants might consider when investigating a potential data breach and providing breach notifications in order to better position themselves in the event of litigation.
1) Make issuing a litigation hold a standard part of your incident response plan to bolster privilege and work product assertions.
In previous blog posts, we have discussed strategies for maintaining attorney-client privilege and attorney work product protections for forensic reports drafted in the aftermath of a data breach. Under the attorney work product doctrine, a party to litigation generally "may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative."[1] Thus, the key question is whether a forensic report was prepared in anticipation of litigation. Timely distribution of a legal hold notice to relevant employees, IT personnel, and contractors can help companies establish this fact should litigation occur.
Plaintiffs' lawyers have had some success gaining access to forensic reports by arguing that the reports are not attorney work product because the primary purpose for their creation was to determine the cause and scope of the intrusion for business purposes—not the prospect of litigation—and that this sort of investigation is necessary regardless of the possibility of future litigation. The prospect of plaintiffs' discovering these reports is a troubling one for defendant companies because a written forensic report can provide plaintiffs with valuable insights into the key question underlying every data breach class action: Did the company employ reasonable security measures? Although forensic reports do not typically opine on that question directly, they often contain vital relevant details, such as how the attackers moved through the defendant's network, the security measures the defendant had in place (and, by extension, those that it did not), and how the attackers were able to circumvent those measures. If the details of a written forensic report suggest that certain reasonable security measures were not in place or not implemented correctly at the time of the breach, the value of a case may rise significantly and reduce the defendant company's leverage in the settlement negotiations that typically occur at or before the time that plaintiffs seek class certification.
As a reaction to the possible discoverability of forensic reports, companies often take a number of measures to strengthen prospective claims that those reports are attorney-client privileged communications and attorney work product. Those include, among other things: (1) having counsel engage the forensic consultant and documenting that anticipated litigation is the basis for the engagement; (2) ensuring the statement of work differs substantially from any existing statements of work between the company and the forensic consultant and, again, documenting that anticipated litigation is the central reason for the engagement; and (3) better yet, hiring a forensic consultant with whom the company did not have an existing relationship prior to the data breach. Many companies are simply electing not to create any written report at all.
A tool that is frequently not employed, however, is drafting and circulating a litigation hold notice upon discovery of the data breach. This often slips through the cracks and a litigation hold notice is not circulated until after a lawsuit is filed. But doing so early in the process can help strengthen a claim that the forensic consultant was engaged, and the report prepared, in anticipation of litigation and protected by attorney work product privilege—what better evidence is there that the company was anticipating litigation and that the consultant was hired and the forensics report was prepared at counsel's direction as a result of that prospect than issuance of a litigation hold expressly stating that documents should be preserved in anticipation of litigation? A timely litigation hold notice should be a standard part of breach counsel's incident response playbook for a breach that is suspected to be of any significant magnitude or include sensitive data.
2) Only offer identity theft protection services to affected individuals if there is a plausible threat that the information potentially exposed could cause identity theft or financial harm.
As part of providing notice to affected persons, companies often offer one or two years of identity theft protection services. These products may offer valuable protections to individuals, including notifications when personal information is found on the dark web, automated fraud alerts, identity restoration services, and up to $1 million in identity theft insurance coverage for out-of-pocket expenses resulting from identity theft. Offering these products can help a company mitigate future damages and claims in instances where PI is potentially exposed that can lead to fraudulent charges or identity theft. Offering identity theft protection services can also be a good public relations move to show customers, employees, the public, and regulators that the company is taking the breach and protection of their PI or PHI seriously. A handful of states require companies to provide identify theft protection services following a breach affecting Social Security numbers or certain other government ID numbers.
The problem, however, is that an offer of identity theft protection services is increasingly being used by plaintiffs' attorneys and the courts as an indication that there is a real threat of future harm to affected persons. In many lawsuits, plaintiffs are unable to identify an actual injury suffered that can plausibly be tied to the data breach, and instead allege that they lost time worrying about and taking preventative measures against possible harm, experienced vague "privacy injuries," and suffered diminution of the value of their PI. They also complain about the risk of future injury (i.e., that they will be the victim of identity theft sometime in the future). Generally, this type of damage or injury theory leaves the lawsuits subject to attack for the failure to allege, in federal cases, injury-in-fact under Article III of the Constitution or the damage elements for the causes of action asserted.
In many cases, plaintiffs seek to overcome these pleading attacks by pointing to the breach notification letters and the offer of identity theft protection services. Plaintiffs argue that the offer of these services shows that the company recognizes a threat of future harm such that, even absent a concrete injury or information that could be used to plausibly commit identity theft,[2] the case should be allowed to proceed.[3] In an effort to avoid this result, companies should carefully consider the decision to offer these services and products in the first instance.
To be sure, providing these sorts of services and products to affected persons can make sense under certain circumstances, including where Social Security Numbers or bank account details are involved. But where this type of information has not been impacted and, for example, only health information was potentially exposed, the offer serves no practical purpose beyond good public relations. Meanwhile, the company may hinder its ability to dispose of a data breach case in the early stages where the plaintiffs otherwise have not pled a plausible injury. This, in turn, could cause the company to incur substantial legal fees in defending the case through class certification and beyond, or cause the company to settle on less favorable terms to avoid those costs and the risk of further litigation. The company should consider whether the public relations boost is truly worth the potential adverse impact in litigating, particularly where opt-in rates for such insurance products are typically below 5%.
3) Choose carefully the language used in the breach notification letter.
Most state law breach notification statutes require companies to send notification letters to affected persons and to provide certain information about the incident, including a description of the data breach, the types of personal data involved, how the company is responding, the steps affected individuals can take to protect themselves, and contact information for the notifying company.[4] While the information presented in those sections needs to be informative and factual, it does not require a company to roll out the red carpet for plaintiffs' lawyers.
Plaintiffs already use the mere fact of the breach notification letter to argue that a threat of future harm exists, claiming that the only reason a cyber-criminal would go to the trouble of committing a data breach would be to misuse the information exfiltrated—and some courts have agreed.[5] This simplistic view ignores that forensic investigations may show that the PI or PHI that was potentially accessed or exfiltrated during the incident was not the primary target or that identify theft was not the primary aim of the attackers. It also is often the case, particularly in ransomware attacks, that attackers exfiltrate data not to use it for identity theft or similar fraud, but rather to extort the victim company into paying a ransom to have the data deleted. Given that plaintiffs will argue that the notification letter is per se evidence of future harm, companies should, to the extent possible, include more information in the letter that might be helpful in defending against future litigation.
For example, while the notification letter must present factual information about the incident, that information need not only include negative findings that cast the company in a bad light. It can also include, to the extent applicable, a statement that the company did not find clear evidence that there was a breach or that investigative findings suggest that the information is not in the public domain or has not been misused or distributed by the attackers. This latter disclosure might be applicable in ransomware events, where the ransom was likely the sole reason behind the attack, rather than the attenuated chain of events set forth in most class action complaints that suggest that criminals piece together information on individuals bit-by-bit to create comprehensive dossiers over time. Criminals are likely to choose the most expedient path and therefore look for complete packets of information they can use and monetize quickly. By indicating that there is no evidence that the information is in the public domain or has been otherwise disclosed or misused, a company can weaken plaintiffs' arguments that there is a risk of future harm.[6]
Companies can also make better use of disclosures about how they are responding to the breach. While companies often do not want to disclose the payment of a ransom, doing so might be helpful in seeking early dismissal of data breach class actions. Of course, there are many reasons that companies may choose not to pay a ransom, and companies ultimately should balance potential benefits (including in prospective litigation) against the legal and reputational risks. But where a company does pay a ransom, disclosure of that fact may be helpful in litigation.
As set forth above, plaintiffs always argue that the only aim of a data breach is to steal and monetize PI and PHI. This simply is not true; in ransomware incidents, the attackers' primary motivation is to extort the company into paying a ransom for decryption of data the company needs access to or deletion of exfiltrated data. While companies certainly should not place their unwavering faith in the word of criminals, there is at least some reason to suspect that these attackers do what they say—if they were found not to be decrypting or deleting data despite receiving a ransom payment, companies likely would stop paying ransoms entirely. Absent factual allegations of actual misuse, ransomware cases where the ransom has been paid ought to result in courts more closely scrutinizing conclusory claims of damage or injury.
Similarly, companies can make better use of required disclosures about how individuals can protect themselves. Too often, these disclosures simply encourage affected persons to do things like remain vigilant against incidents of identity theft and fraud, to review their account statements, explanation of benefits, and credit reports for suspicious activity and to detect errors over the next 12 to 24 months. But if, for example, there was no financial account information or Social Security Number information potentially exposed in the data breach, providing such a disclosure can be weaponized by plaintiffs' lawyers to argue that a company has conceded a risk of future harm. It can be reiterated in the notification letter that—while persons should always monitor their accounts and credit scores—the type of information that is most useful for identity theft or other fraud appears not to have been involved. Or, if sensitive information like Social Security numbers was involved, the company may want to reiterate that the company has no information suggesting that the PI or PHI is in the public domain or that an unauthorized party has otherwise misused or distributed the data.
In short, many companies can do more upon discovery of a data breach to arm themselves to defend against the increasingly common class action litigation that follows. By putting in place a litigation hold promptly, only providing identity theft protection services where required or where the risks to personal data call for such services, and making better use of breach notification letters, companies can better position themselves to defend against data breach litigation—particularly where there is no evidence of injury or damage.
[1] Federal Rule of Civil Procedure 26(b)(3).
[2] TransUnion, LLC v. Ramirez, 141 S. Ct. 2190, 2207 (2021) ("[I]n a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm – at least unless the exposure to the risk of future harm itself causes a separate concrete harm."); Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 416 (2013) (holding that plaintiffs "cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.").
[3] Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015) (in credit card breach matter noting that "Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded."); cf. Brett v. Brooks Bros. Grp., Inc., 2018 WL 8806668, at *8 (C.D. Cal. Sep. 6, 2018) ("Plaintiffs' names, credit and debit card numbers (along with card expiration dates and verification codes)...simply do not rise to the level of sensitivity of the information in Krottner or Zappos or similar cases.").
[4] See, e.g., Cal. Civ. Code § 1798.82(d)(1)(D).
[5] See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) ("Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.").
[6] This being said, it is important for companies to be cautious when drafting these notification letters and not overpromise or provide unwarranted assurances. Authorities have fined companies for stating in public disclosures, for example, that there was no evidence that data was compromised despite evidence that it was being sold on the dark web or for referring to a confirmed breach as a "potential exposure." Companies must strike a balance in their notification letters that addresses potential mitigating factors without potentially misleading recipients.
[View source.]
