News Detail Banner
All News & Events

Article: “We’ve Been Hacked!”—New Developments in Cyber-Security Litigation

Business Litigation Reports

February’s Business Litigation Report advised clients that they could prepare for potential data breaches by conducting readiness audits and preparing cyber incident response plans. (See Traversing the Breach, February 2015.) This warning has now taken on new urgency. The Seventh and Third Circuits recognized civil causes of action by both public and private plaintiffs against companies that sustain cyber security breaches.

Seventh Circuit Holds That Hacked Customers Have Standing
In Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit held that retailers who expose their customers to a data breach can be sued even before such consumers suffer any tangible loss. Neiman learned in mid-December 2013 that a malware attack had compromised customer credit card information, leading to fraudulent charges. The plaintiffs asserted Neiman’s alleged misconduct exposed them to an increased risk of credit card fraud and identity theft in the future. They also asserted that they had lost time and money resolving the fraudulent charges and mitigating the risk of future identity theft and suffered financially because they would not have made purchases at Neiman had they known the risks involved. The district court held that the plaintiffs could not show standing because they alleged only speculative future injuries that could result from the data breach. Any allegations of impending or past harm were, the district court held, not concrete because any future loss was or would be compensated. The district court also rejected the plaintiffs’ contention that they had overpaid for goods, stating that such a holding would open the door to lawsuits against stores that failed to provide adequate physical security to customers based on an over payment theory even when they could show no physical injury.

On appeal, the Seventh Circuit disagreed and held that the complaint alleged sufficient past and future injuries to support standing. The plaintiffs argued on appeal that they suffered past injury in the form of “lost time and money protecting themselves against future identity theft and fraudulent charges.” They contended they need not wait until hackers commit fraud or identity theft to obtain class standing because they are likely to be injured in the future. Neiman responded that the plaintiffs’ claimed injuries were too speculative to provide standing to sue. After all, even though these customers’ information had been compromised, they had not yet suffered any ill-effects from the use of that information, and it was uncertain that they ever would. According to Neiman, whatever costs the plaintiffs incurred trying to avoid fraud were not cognizable injuries. Neiman also argued that it was uncertain that the data breach had caused the plaintiff’s injuries; another major retailer, Target, had suffered a data breach in the same time period.

The Seventh Circuit disagreed with Neiman’s arguments. The court stated, “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Id. The panel also concluded that the defendant had the burden “to prove that their negligent actions were not the ‘but-for’ cause of the plaintiff’s injuries.” Id. at 696 (internal citations omitted).

The court did reject the plaintiffs’ more speculative claims of injury. For example, the court held that the data breaches did not deprive consumers of their private information, as “private information” is not a property right under federal law. The court also rejected the argument that the plaintiffs “overpaid” because Neiman did not adequately expend resources building a secure system. Finally, the court rejected the quasi-unjust enrichment argument that Neiman pocketed more than its fair share by choosing to not build a robust security regime.

Third Circuit Holds That Failure to Secure Data May Be an Unfair and Deceptive Trade Practice
Potential liability from data breaches is not limited to class actions. Recently, the Third Circuit held in FTC v. Wyndham, 799 F.3d 236 (3d Cir. 2015), that the FTC could pursue claims against a hotel chain from whom hackers stole the information of 619,000 guests, leading to over $10 million in fraudulent charges to stolen credit card numbers. The FTC sued Wyndham for engaging in “unfair” and “deceptive” practices under 15 U.S.C. section 45(a), alleging that Wyndham failed to provide appropriate security for its guests’ personal information. Because the hotel failed to follow its own advertised privacy policy, the court concluded that the plaintiffs had properly alleged unfair and deceptive business practices.

Each Wyndham branded hotel had a property management system that processed consumer information including names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham also operated a computer network in Phoenix that connected to all of these property management systems. The FTC claimed that Wyndham failed to offer basic data security—for example by using easy passwords to limit access to the hotels’ property management systems and the Wyndham corporate network, and by failing to adequately deploy firewalls. In spite of this, Wyndham advertised: “We safeguard our Customers’ personally identifiable information by using industry standard practices.”

The Third Circuit decision addressed: (i) whether the FTC has authority to pursue data security breaches as “unfair” practices, and (ii) whether Wyndham had sufficient notice that its conduct fell within that statute. First, the court held that Wyndham’s failure to employ basic protection methods (such as encryption and firewalls) could amount to an unfair practice. This failure unnecessarily exposed consumers to financial injury and deprived them of the benefit of their purchase. Second, a finding of liability under the Federal Trade Commission Act did not violate guarantees of due process and fair notice. The court rejected Wyndham’s claim it was entitled to know with “ascertainable certainty” the Commission’s interpretation of the definition of adequate cybersecurity practices. The court reasoned that it is enough that the hotel chain had fair notice of what the Act requires, and that its conduct could fall within the bounds of the applicable statute, 15 U.S.C. section 45. Further notice was provided through FTC administrative complaints and ensuing consent decrees, which were published on the FTC’s website and noticed in the Federal Register. Wyndham argued that allowing the FTC’s unfairness authority to police their alleged security failures would be an unprecedented expansion of the FTC’s regulatory authority. They argued that this was tantamount to allowing the FTC “to sue supermarkets that are sloppy about sweeping up banana peels,” but the court disagreed. “[W]ere Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [section] 45(a).”

Following the decision, the FTC chairwoman (and former Quinn Emanuel partner) Edith Ramirez released a statement: “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

                                                                            *           *          *

Remijas v. Neiman Marcus and FTC v. Wyndham collectively have strengthened the ability of private and public plaintiffs to bring lawsuits against firms that are victims of hackers. Firms can expect civil litigation if their security measures are inadequate and hackers break into their networks, and should be particularly aware of “unreasonable” security policies. Examples from Wyndham include the use of simple passwords, absence of firewalls, use of unsecured networks, and failure to restrict access to networks and private information. Cyber incident response plans should include measures such as a legal response, notification, public communications, and specific measures to remedy the gap in the firm’s security policies. Firms should keep abreast of the FTC’s enforcement efforts to determine what data security measures are required under 15 U.S.C. section 45. One additional area (not addressed by the Third Circuit) that businesses should take note of is the FTC’s decision to bring a claim against Wyndham for its allegedly misleading privacy policy. The FTC’s actions are a warning that firms who market that they protect customer information must also implement policies that support that claim.