Bloomberg Law
June 20, 2019, 8:01 AM UTC

INSIGHT: Minimizing Litigation, Reputational Risk in the Data Breach Age

David Solomon
GLG Law

Perhaps you get the news by phone, or possibly in an email. Your heart sinks. Somehow, you thought it wouldn’t happen to your business. Hadn’t legal, compliance, and IT taken all the necessary steps to protect your data?

Spoiler alert: they hadn’t, and now your company is exposed to substantial and costly litigation risk, not to mention a public relations nightmare.

Over the past few years, litigators—and the public at large—have watched some of the world’s most recognized companies fall victim to breaches of their confidential data. First came the public excoriation, and inevitably, the lawsuits.

A data breach costs a typical business nearly $4 million, not including damage to reputation and goodwill, according to the Ponemon Institute. The question seems to have become not whether your company or institution will be hacked, but when, where, and how destructive the breach will be.

That said, important lessons can be learned from the past that can help minimize both reputational damage and financial cost of breaches and resulting litigation.

Don’t Hesitate

The numbers in the now-infamous Yahoo! breach are staggering. Three billion accounts were implicated across three years, from 2013-2016, and 194 million people were adversely affected in the United States and Israel, resulting in a $117.5 million settlement.

Ubiquitous ride-share behemoth Uber will pay even more—$148 million—for a massive data breach in 2016. The settlement followed a 10-month investigation into a breach that exposed personal data from 57 million Uber accounts, including 600,000 driver’s license numbers.

What we can learn: Get ahead of the situation. Both Yahoo! and Uber were taken to task—in public and in lawsuits against them—for taking too long to let impacted customers know what had occurred. In Uber’s case, Chief Executive Dara Khosrowshahi disclosed the breach more than a year after the company was hacked under the previous CEO. Khosrowshahi said the incident should have been disclosed to regulators at the time it was discovered in 2016.

Marriott is also dealing with the legal and public relations aftermath of a hack that was not quickly disclosed. It exposed 9.1 million encrypted payment card numbers, 385,000 valid card numbers, and 5.25 million unencrypted passport numbers.

If You Know It’s Broke, Fix It

In 2017, Equifax suffered a breach that exposed the personal information of approximately 148 million customers. In its recent SEC filing, the company estimated that it has spent over $1.4 billion recovering from the breach. The institution is also defending suits brought by attorneys general of multiple states on behalf of affected citizens. They allege that Equifax knew that it had substantial flaws in its cybersecurity systems.

Notably, at least one of those attorneys general has stated publicly that Equifax’s major sin was not that the breach occurred, but rather Equifax’s insufficient action to ensure the data it maintained was adequately protected.

A similar but smaller situation occurred recently in the City of Fort Worth, Texas. The city council was briefed on allegations of sweeping problems with IT security but did not make the information public. The former IT manager filed a suit alleging that he was fired in retaliation for reporting to officials that the city’s cybersecurity had been compromised, including that more than $500,000 was stolen from the city and that employees’ medical and personal information was left unprotected.

What we can learn: Don’t put your head in the sand. If your institution is aware of weaknesses in its cybersecurity, failing to take remedial measures will potentially exacerbate the public relations aftermath of a breach, not to mention materially impact the ability to defend a lawsuit successfully.

Unsecured Is Unprotected

Washington State University (WSU) recently settled a class-action lawsuit for $4.7 million, stemming from a 2017 data breach caused by the theft of portable hard drives containing personal and health data. The drives contained the unencrypted data of approximately 1.2 million people, compiled by the WSU Social and Economic Science Research Center. The compromised data included Social Security numbers and personal health data.

What we can learn: Keep data under lock and key. WSU’s storage of sensitive personal information on a removable medium, kept in an unsecured public storage unit that lacked security cameras, was certainly not a best practice and almost unquestionably forced the university into a difficult posture in litigation. No matter how data is maintained, making sure security protocols are in place, including passwords, encryption, and a limited number of individuals with access, will reduce the risk of a breach and improve the institution’s litigation posture.

It Is Not Just Your Customers That Can Be Hurt

In a 2017 data breach at Sonic restaurants, hackers used malware to infiltrate the company’s systems and steal customer cardholder information. Sonic agreed to pay up to $4.3 million, with affected customers receiving between $10 and $40 each. Unique in the aftermath, however, was a claim by American Airlines Federal Credit Union (AAFCU) that Sonic failed to protect its point-of-sale systems or update them with current technology.

The credit union alleged that, as a result of Sonic’s failure, it had to cancel cards, close accounts, block transactions, refund affected customers, and increase fraud monitoring efforts, costing AAFCU money. AAFCU has further asked the federal court in the Western District of Oklahoma to certify the case as a class action, which would allow other financial institutions to seek compensation as well.

What we can learn: Think three-dimensionally. When considering potential litigation exposure that could arise from a breach, institutions should not only think about their direct customers, but downstream entities that could be adversely impacted and have a cause of action.

Any business that keeps customer data electronically—from a Fortune 500 company to a law firm, doctor’s office, or mom and pop retailer—needs to be vigilant to prevent or minimize data breaches and resulting litigation and reputational damage.

That said, there is much to be learned from prior breaches that can help businesses of all sizes reduce their risk of a costly data security breach and resultant litigation.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

David Solomon is global general manager with GLG Law, a platform that connects lawyers with expert witnesses in complex fields. He began his career as a litigator at Anderson Kill & Olick in New York and was previously with Axiom Global and Bloomberg LLP.
