The cybersecurity and data privacy industry is definitely a "growth industry." According to Forbes, the global cybersecurity market will be worth $173 billion in 2020, and looking to increase to $270B by 2026. So, it is not at all surprising that cybersecurity and data privacy are top priorities for the C-suite. The concerns are certainly well founded, as the number of cyberattacks are increasing, specifically this year where we see the number of cyberattacks has significantly increased since the start of the pandemic. Cybercriminals, keenly aware that we are now working and shopping from home, have moved in quickly to seize upon this opportunity.
With the increased spending in cybersecurity and data privacy, we often see how creative lawyering and lawsuits are causing new headaches for organizations already troubled by this volatile and unpredictable area of business. These lawsuits can come in several forms and are labeled as follows: (i) consumer lawsuits against companies; (ii) companies suing their vendors and service providers; and (iii) shareholder derivative lawsuits. And these are just the civil lawsuits that can be filed. There are also regulatory actions against organizations that can be brought by state Attorney Generals and other regulatory bodies to think about and defend against.
So, while some lawsuits are spurred from regulations themselves, like the California Consumer Privacy Act of 2018 (CCPA), most lawsuits in this area come about as a result of a data breach. In order to better understand these types of lawsuits, let's first examine these lawsuits through the lens of a third-party vendor causing a data breach. There is, therefore, no better example than Target.
Back in 2013, it had been reported that hackers gained access to Target's payment card system through a third-party HVAC vendor. This one data breach has served both as a cautionary tale of how vendors are one of the biggest threats to an organization and also as a roadmap to litigation that can occur post-breach.
First, we should examine the consumer litigation. The data breach itself resulted in over 100 lawsuits across the country, which were consolidated into one multi-district litigation in the United States District Court for the District of Minnesota. According to the class action lawsuit, the data breach affected between 70-110 million customers who shopped at Target stores between November 27 and December 18, 2013. Target ultimately entered into a settlement with the class action plaintiffs for $10 million.
Next, we should look at lawsuits between companies that resulted from the Target breach. In 2014, Connecticut-based Putnam Bank filed a class action lawsuit against Target alleging, among other things, negligence, negligent omission, or a violation of Minnesota's Plastic Card Security Act which is all related to the 2013 data breach. After losing at pre-trial on a motion to dismiss, and after an additional year of litigation, Target entered into a $39.4 million settlement with the banks, credit unions, and MasterCard, who were all plaintiffs in the lawsuit.
Finally, we reach shareholder derivative suits. In 2014, Target was in court again; this time it was the defendant in a shareholder derivative action. Target's shareholders alleged that Target had breached its fiduciary duties to its shareholders by failing to properly provide for and oversee an information security program in actively attempting to conceal the extent of the breach and by also failing to give customers and the public prompt and accurate information about the breach. Under this fact pattern, and taking into account Minnesota law, it was ultimately determined that it was not in Target's best interest to pursue the litigation against the directors and executives.
Companies should be acutely aware that while these lawsuits are not always ultimately successful, they are for sure costly both financially and to the internal corporate resources and time it takes to mount a defense. In addition, it is important to keep in mind that the Target litigation occurred at a time when this cyber litigation was not as commonplace. Today, we almost take that for granted the plaintiff attorneys use the Target case as a veritable roadmap and are much better equipped to make successful arguments and allegations.
By the same token, attorneys can use laws like the CCPA as a framework to support litigation. What emerges is that no organization can ever be fully prepared for the onslaught of lawsuits. Being proactive is definitely key and something a good attorney would encourage for every client, but unfortunately, for no particular reason, may not be the starting point for every organization experiencing the aftershocks of a breach. There are, however, things your organization can keep in mind to lessen the pain, which includes the following:
1. Assess your systems
Let's remember the old adage: you don't know what you don't know. How can you possibly protect your data if you don't know where it is and consequently what it is doing? Having a data privacy and security assessment performed helps to demonstrate cyber/privacy maturity, as well as provide a framework for improvement. Constant improvement is critical and can reduce liability and exposure because it demonstrates a concrete commitment to security and privacy. Once litigation begins, it is hard to argue that your business is negligent or ignoring privacy and security if it is constantly aware of and improving those practices.
2. Stack the odds in your favor
Let's never forget that the best defense is a good offense. Make sure that your data security and privacy program is fully developed and, more importantly, operationalized. This means having written policies and procedures in place, training on those policies, and having direct accountability. It also means having a fully developed third-party vendor management program. If your cybersecurity/data privacy approach is purely technical or a straight out-of-the-box solution, then you are likely doing it wrong. Every business has a unique blueprint and set of goals and initiatives to grow its profitability. A customized and tailored program where tech and legal are working together needs to be sensitive to these goals and keep them front and center when moving forward. This then leads to the final point.
3. Arm your counsel
Aside from good policies and procedures, make sure your attorney is well-versed, and not just conversant, in how to structure your business contracts to be able to provide maximum protection for your organization. This means counsel needs to have the ability to drill down into the nuances, with the ability to understand the data and its interplay with the technology and the laws that impact them. Most attorneys who practice exclusively in this area keenly understand that it is not a place where you can cut corners. Building a solid foundation, even if it must be done while in the midst of a turbulent breach, can go a long way in mitigating liability in preparation for future litigation.
While we await just what types of lawsuits we will see develop as a result of the current increase in cyberattacks, Target's experience is both a litigation roadmap and a terrifying glimpse into what could be if organizations are not proactively taking steps regarding compliance with cybersecurity standards and data privacy laws. So, assess your systems, stack the odds in your favor, and arm your counsel because in this area of the law, luck favors the prepared (and potentially reduces liability).
Rebecca L. Rakoski, Esquire is the co-founder and managing partner at XPAN Law Group, a boutique international and domestic cybersecurity and data privacy law firm. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions. She advises her clients on a proactive, multi jurisdictional approach to identify and address data privacy and cybersecurity compliance gaps and potential liabilities. If your organization has any questions regarding its liability or regulatory obligations, please feel free to reach out to Ms. Rakoski at firstname.lastname@example.org.