Has the standard of care for retailers handling consumer data shifted in the last 9 months? As analysts compare the recent Home Depot data breach to the data breach of the credit card processing system at Target last December, the similarities may be more than just interesting: the software and websites used to perpetrate the hacks are so astonishingly parallel that the recently filed complaint (Kelsey O’Brien v. Home Depot Inc.) specifically cites the earlier and widely publicized incident at Target to make its case that Home Depot had been negligent in protecting customer information.
The complaint claims that, after it became known that a program called BlackPOS, described by security firm McAfee Inc. as “an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” was the method used in the Target attack, “many retailers, banks and card companies” responded “by adopting the use of microchips in U.S. credit and debit cards, technology that helps make transactions more secure…” (Complaint, Pg. 6). Home Depot did not adopt this new standard. It was only after suffering its own data breach that it decided to quickly implement chip-enabled checkout terminals at all US stores by the end of 2014 (Complaint, Pg. 6). (A caveat for the technically minded: BlackPOS is memory-scraping malware that reads card data out of a point-of-sale terminal’s RAM. Chip cards do not stop that capture; they make the captured data far less useful for producing counterfeit cards, which is where the security gain lies.)
Plaintiffs will urge that Target’s travails set a new standard of care — what the Complaint calls “reasonable security standards” based on “industry best practices concerning data theft,” showing “negligence in preventing such data theft from occurring…” (Complaint, Pg. 17).
Whether the factual allegations hold up and whether Plaintiffs can adequately allege and prove damages remains to be seen. But the legal underpinnings for liability rest on established principles of negligence: notice of a risk and failure to implement an available fix. See In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014) (duty to employ “reasonable” security measures to protect private data). Indeed, Plaintiffs’ allegations echo the calculus of negligence, or “Hand formula,” established in United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), under which a duty of care is breached whenever the expected loss (the probability of a foreseeable harm multiplied by its magnitude) exceeds the burden, i.e. the cost, of taking precautions against it. As Judge Learned Hand put it: “to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i. e., whether B < PL.”
So while Home Depot thrives on the “do-it-yourself” consumer, companies relying on do-it-yourself security to protect consumer data may wish they had called the experts to deploy the latest technology.