This article was originally published in Law360 with permission to reprint.
How much does the question of harm matter in cybersecurity law? The answer is: It depends on who is bringing the claim.
Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action. One such limitation is the requirement of proving actual harm in private actions. As explained further below, the bar for enforcement is lower when federal regulators bring an action against an entity. Businesses must be mindful that the lack of actual harm may not be an avenue to dismiss these claims. Employing best practices is still paramount in helping businesses mitigate the risks that come from private party suits and government enforcement actions.
Proving Actual Harm in Private Party Suits
In private actions in federal court, plaintiffs must overcome the “actual injury” threshold for Article III standing to bring suit. This hurdle is difficult to overcome because often at the time of the breach, the injury to customers is unknown and unpredictable. There likely has not been any evidence of the use of the hacked information, or whether the information hacked (if such evidence exists) can reasonably be traceable to the breach. Corporations defending against such suits have invoked a 2013 U.S. Supreme Court case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), to contest standing.
In Clapper, the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must demonstrate that the harm is “certainly impending.” Id. at 1143. Defendants to data breach cases have successfully used Clapper to defeat standing in motions to dismiss. For example, in Carlsen v. GameStop Inc., a 2015 case in the U.S. District Court for the District of Minnesota, the court (citing Clapper) determined that there was no actual injury arising from the defendant’s alleged use of Facebook to share personally identifiable information in violation of the company’s privacy policy. 112 F. Supp. 3d 855 (D. Minn. 2015). In Austin-Spearman v. AARP, the D.C. district court (citing Clapper) determined there was no actual injury stemming from an alleged company privacy policy violation involving Facebook’s and Adobe’s ability to collect the personally identifiable information of AARP members who brought the suit. 2015 U.S. Dist. LEXIS 98069, Civil Action No. 14-cv-1288 (KBJ) (D.D.C. July 28, 2015).
That said, the Clapper threshold can be overcome in certain circumstances. For example, in Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015), plaintiffs brought a putative class action against the luxury retailer stemming from a 2013 hack, which compromised approximately 350,000 credit cards. The district court determined that the plaintiffs did not have standing because they lacked a showing of harm. The Seventh Circuit reversed and concluded there was standing, noting that “Clapper does not … foreclose any use whatsoever of future injuries to support Article III standing.” Id. at 693. “[I]n our case there is no need to speculate as to whether [the Neiman Marcus customers’ information] has been stolen and what information was taken. … [T]he Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur.” Id. The court also noted that at the time of the pleading, there had been over 9,000 cards that were the subject of the breach that showed fraudulent charges and that these individuals have suffered actual damage in “sorting things out,” the process of cleaning up the charges and obtaining reimbursement. This breach also demonstrated that the class had shown a substantial risk of harm.
Remijas, however, has been read narrowly by other courts. For example, in the Eastern District of New York, the district court in Whalen v. Michael Stores Inc. distinguished Remijas, noting that the Neiman Marcus breach resulted in 9200 fraudulent transfers where the complainant in Whalen only alleged a single fraudulent transfer (which was reimbursed) to herself as the putative class representative and no fraudulent transfers to others. 2015 U.S. Dist. LEXIS 172152, 14-CV-7006 (JS) (ARL) (E.D.N.Y. Dec. 28, 2015). Meeting the actual harm standing requirement in federal court thus remains critical for private litigants bringing suit against companies involved in data breaches. While some courts appear willing to accept a modest showing of harm at the pleadings stage, as in Remijas, courts more likely will continue to toss out cases on motions to dismiss where the threshold is not met.
It is worth keeping in mind that the bar to bringing a claim in state court might not be as high as the Article III standing requirement in federal court. For example, in a recent Massachusetts state court case, Walker v. Boston Med. Ctr. Corp., 2015 Mass. Super. LEXIS 127, No. 2015-1733-BLS 1 (Mass. Super. Ct., Nov. 19, 2015), the court denied Boston Medical Center’s (BMC) motion to dismiss a class action complaint against it stemming from a 2014 data breach affecting patient records. The court noted that “Plaintiffs do not know, at this stage, whether any unauthorized person actually gained access to their medical records. Id. at *2. BMC filed a motion to dismiss, citing both lack of standing and failure to state a claim, arguing that the complaint failed to allege specific injury. The court allowed the claim to proceed, determining that the mere risk of injury was sufficient for standing and for stating a claim. The Walker case demonstrates that state law can be far more flexible in permitting claims to proceed when no actual injury is alleged.
Sidestepping Actual Harm in Government Enforcement Suits
Federal enforcement agencies and regulators do not need to hurdle the actual harm standing barrier. A recent case before the Third Circuit, which is the latest word on this issue, illustrates the point. In Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the panel articulated two holdings. First, it held that the FTC’s powers to bring administrative actions under its general enforcement powers (specifically 15 U.S.C. §45(a), which allows the FTC to enforce the prohibition against “unfair or deceptive acts or practices in or affecting commerce”) extended to cybersecurity. The “unfair practices” at issue in Wyndham included failing to have adequate security procedures to prevent or mitigate the cyberattacks that led to the lawsuit, failing to maintain adequate unauthorized detection systems, and failing to follow the right procedures in responding to cyberattacks.
Second, the Third Circuit panel held that actual injury was not necessary for the FTC to bring a claim. The court noted that the “FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” Id. at 246. This holding indicates that a hacking event is all that is needed to trigger a claim, if all the other elements are satisfied concerning the inadequacy of the prevention and mitigation procedures, etc. Businesses facing charges leveled by the FTC thus will not be able to assert the same standing defenses that have succeeded in private suits.
While actual injury is not a requirement, a recent FTC administrative case suggests that the Wyndham decision does not give the FTC carte blanche to ignore the likelihood of harm altogether.
In LabMD Inc. v. FTC, Docket No. 9357 (Nov. 13, 2015), the FTC brought an administrative enforcement action in 2013 against LabMD regarding breaches that had occurred several years earlier. The administrative law judge, in an initial decision, dismissed the FTC’s complaint, finding (among other things) that the FTC failed to meet its burden to prove that LabMD’s alleged unreasonable data security practices caused or were likely to cause substantial consumer injury. The ALJ in LabMD found that the absence of evidence of any actual harm was dispositive. He observed that even in Wyndham, there were specific instances where hackers stole personal and financial information leading to $10.6 million in fraudulent charges; but in LabMD, the amount of time between the point at which the security breaches occurred (2008) and the trial (2015), without the presentation of any evidence of actual injury, led the ALJ to the conclusion that “likely” harm was not only speculative, but in fact quite unlikely. The LabMD case may be the exception that proves the rule that enforcement is appropriate in all circumstances except the rare case where there is a record that harm has not and very likely will not take place.
While the facts and holding of Wyndham are confined to the FTC’s powers, it remains to be seen how broadly other government actors, such as the Federal Communications Commission and the U.S. Securities and Exchange Commission, will wield their authority in light of the Wyndham decision. Under the SEC’s “safeguards rule,” for example, the SEC is authorized to bring an enforcement action against registered entities that have violated Regulation S-P (17 CFR § 248.30(a)), which pertains to safeguarding customer records and information. But the contours of that power are as yet untested: As with actions brought by the FTC, actions will more likely settle before we obtain further guidance. This is why Wyndham was such an important case.
Last September, the SEC settled its first such regulatory action with R.T. Jones Capital Equities Management. The SEC alleged that R.T. Jones “fail[ed] to adopt any written policies and procedure to ensure the security and confidentiality of [personally identifiable information] and protect it from anticipated threats or unauthorized sources.” See SEC Press Release 2015-202.
Does the SEC in fact have such power? Extrapolating from Wyndham, it likely does. The SEC’s authority would not be preempted by the existence of other laws or regulations governing the company’s data security practices. Would harm have to be shown? Extrapolating from Wyndham and reading the text of the rule, perhaps it does not. In Wyndham, the court interpreted the language of the FTC Act defining an unfair act or practice as one that “causes or is likely to cause substantial injury” (15 U.S.C. § 45(n)). For its part, the safeguards rule refers to failing to safeguard records and information. Just as an unfair act that is “likely to cause” substantial injury will trigger liability under the FTC, failing to safeguard information under the rule without more will likely be sufficient for the SEC to bring an enforcement action. Companies will not be protected from enforcement actions merely by showing the lack of evidence of actual harm to victims of the breach.
What Does This Mean for Businesses?
The question of harm is a key component to data security litigation. While courts come at the question in different directions depending on who is bringing the suit (and under what authority), the takeaway for businesses remains the same: No harm does not necessarily mean no foul. The best way to minimize exposure, whether from private or public litigants, is to create good policies on security, breach notification and mitigation and stick to them.
