2017 Cybersecurity Litigation Year in Review and Forecasts


Cyber-related litigation continues to be volatile, with 2017 witnessing several momentous developments including rulings on standing, the extent of insurance coverage, the fate of the Fourth Amendment’s third-party doctrine in the digital age, and the emerging standard of care for cybersecurity. At the same time, Europe is seeing its own tectonic shifts in how it handles data, including data that is shared with the United States, creating some very serious fault lines that will need to be watched closely in 2018.

Corporate Data Breach Litigation

Standing. Despite a flurry of activity in 2017, what constitutes standing to bring breach class actions remains unsettled. Four main decisions reached the appellate courts, and they came to different conclusions under the U.S. Supreme Court's 2013 decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013). At one end of the spectrum, the Fourth and Eighth Circuits declined to find standing under Clapper's substantial risk test for any plaintiff who had not suffered a tangible harm. Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); In re SuperValu, 870 F.3d 763 (8th Cir. 2017). In SuperValu, a case involving stolen credit card numbers, the Eighth Circuit denied standing to 16 of the 17 plaintiffs, finding standing only for the one plaintiff who had suffered fraudulent charges on his account. At the other end of the spectrum, the Third Circuit found that an alleged violation of the Fair Credit Reporting Act was sufficient to establish standing even without any economic or other tangible harm. In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017). In the middle was the D.C. Circuit, which found that hackers' access to the combination of names, birth dates, email addresses and member numbers creates a substantial risk of medical identity theft, even though Social Security numbers and credit card numbers were not stolen and there was no allegation that the plaintiffs' personal data had been misused. Attias v. Carefirst, Inc., 865 F.3d 620, 622 (D.C. Cir. 2017). The D.C. Circuit decision is currently the subject of a petition for a writ of certiorari at the Supreme Court, giving 2018 the opportunity to bring greater clarity to what constitutes standing in an age of increasing cyberattacks.

Coverage. As the litigation threat continued to grow in 2017, companies increasingly, and rightly, turned to specialized cyber insurance to mitigate their risk. At the same time, 2017 gave a rude awakening to companies that relied on traditional insurance to cover cyber events. Courts in 2017 continued to conclude that commercial general liability policies do not always apply to cyber events. A cyber event may not even trigger the insurer's duty to defend against a breach class action, much less provide coverage for the resulting losses. For example, federal courts in Florida, Pennsylvania, and New York have all agreed that when the insured is not the party accused of publishing the protected information at issue, there can be no personal and advertising injury coverage. From a different angle, district courts are grappling with the scope of coverage under the computer fraud provisions of crime policies when a corporate entity loses money through phishing or other email scams, with the industry urging courts to draw a line between losses that result from human error induced by deceit and losses that result from unauthorized access to a company's computer system.

NAIC Model Law on Insurance Data Security. This past year also saw a host of strong cybersecurity regulation, including the new cybersecurity rules affecting financial services firms in New York (23 NYCRR 500) and securities professionals in Colorado and Vermont (see 4-4 Vt. Code R. §8:8-4), as well as enhanced federal cybersecurity enforcement from the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and even the Food and Drug Administration (FDA). All of these are helping to set a standard of care for cybersecurity that courts will likely pick up in 2018 and beyond. Next year may further accelerate the trend toward regulatory convergence around "reasonable" cybersecurity practices, as 2017 saw adoption of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The Model Law establishes minimum cybersecurity standards largely consistent with New York's regulation.

Like the other key federal and state regulations, the Model Law promotes a proactive, holistic and risk-based cyber strategy and, importantly, requires senior corporate oversight. New York, for example, now requires affirmative sign-off on cybersecurity plans and programs (see 23 NYCRR 500), which could open directors and officers to individual liability in 2018. The NAIC Model Law, however, stops short of many of the more specific and nuanced requirements in the New York regulation, and it diverges from New York and other regulations in other important ways. That divergence highlights another important trend: the emergence of a growing thicket of cybersecurity regulation. Navigating that thicket will prove increasingly challenging in 2018, which further emphasizes the need for sound planning up front.

‘Carpenter v. United States’

Congress and the Supreme Court also confronted momentous questions in 2017. In particular, the Supreme Court took up the question of whether the Fourth Amendment's third-party doctrine continues to apply in today's digital age. In late November, in Carpenter v. United States, the justices heard argument on whether the Fourth Amendment permits the warrantless collection of a criminal defendant's cell site location data. The decision, expected in 2018, will have wide-ranging significance, but one aspect is particularly worth noting in the cybersecurity and privacy context. Because the Fourth Amendment generally protects U.S. persons rather than foreigners, a ruling that is explicitly confined to U.S. persons may exacerbate the difficulties for companies that must navigate the global regulatory thicket.

Schrems II

In what is known as Schrems II, the Irish High Court threw into doubt the standard contractual clauses relied on by European companies and U.S. companies that wish to engage in cross-border data flows, citing a lack of trust in how the U.S. will treat EU data. The Data Protection Commissioner (Ireland) v. Facebook Ireland Limited (and Maximillian Schrems) [2017] IEHC 545. The court referred the case to the Court of Justice of the European Union, with a decision expected in 2018.

FISA §702

Similarly, at the time of publication, Congress had not reauthorized the expiring §702 of the Foreign Intelligence Surveillance Act (FISA), which was a focal point of the Schrems II decision. Section 702 allows the government to collect information on non-U.S. persons located abroad. While much of the focus in the U.S. has been on how to treat the inevitable incidental collection of U.S. person data, in 2018 much of the focus will be on the effect §702 has on the global regulatory and litigation landscape. Indeed, the bulk of the 152-page Schrems II opinion discussed §702 and the fact that it extends data privacy protections only to U.S. persons, not foreigners.

Developments in Europe

General Data Protection Regulation. While many companies began in 2017 to prepare for sweeping new privacy regulation coming out of the EU, 2018 will see that trend accelerate as the General Data Protection Regulation (GDPR) becomes applicable on May 25, 2018. The GDPR is designed to be "future-proof" against technological developments and aims to harmonize data privacy law across the EU, but not necessarily with other jurisdictions, thus setting up the potential for conflicting regulatory requirements for U.S. companies. It requires greater transparency and accountability from companies and provides greater privacy protections for individuals. As a matter of law, U.S. companies will have to comply with the GDPR if they:

  • target offering of goods or services to individuals in the EU (even if for free);

  • monitor the behavior of individuals who are in the EU including for purposes such as behavioral advertising;

  • provide services to EU clients involving using personal data, for example, by hosting EU personal data on U.S.-based servers; or

  • provide centralized IT systems or data storage functions for the enterprise which contain personal data about the employees and customers of any EU subsidiaries.

In addition to the issues Schrems II discussed, the GDPR will also have litigation and regulatory enforcement impacts in the United States and for U.S. companies abroad. For example, failure to comply with the GDPR carries the potential for a fine of up to 4 percent of global annual turnover or 20 million euros, whichever is greater. Companies may also find themselves having to choose which regulatory regime to comply with and which to violate, making proactive planning for conflicting regulatory requirements critical.

Government-Funded Insurance for Cyberattacks by Terrorists. In late November, the UK's government-backed terrorism reinsurer, Pool Reinsurance Co. Ltd., announced that it will begin providing coverage for physical damage and direct business interruption resulting from a cyber-triggered act of terrorism. The UK government is making this move in recognition of the evolving threat from terrorists acting both remotely and directly. The coverage will include buildings, contents, and business disrupted during a police investigation into a terrorist attack, but will exclude intangible assets.

The First UK Breach 'Class Action'. 2017 witnessed the first UK breach class action, and it heralds increasing breach litigation in 2018, especially with the advent of the GDPR. On Dec. 1, 2017, the English High Court ruled on a 6,000-person compensation claim against a company whose former IT auditor stole employee payroll data and uploaded it to the internet. Although it declined to find the company directly liable to the employees, the court did find the company vicariously liable for the auditor's actions. The company has been granted permission to appeal. In the meantime, however, the judgment provides a route map that claimant lawyers will use against other companies.

Conclusion

Ultimately, 2017 was a tremendously significant year for cybersecurity litigation, and the explosion of cybersecurity regulation in 2017 signals an even more significant litigation year in 2018, both at home and abroad. Anticipating and mitigating what is coming not only helps prevent breaches, but also can help limit the litigation and regulatory enforcement fallout that could, and often does, ensue.

Michael Bahar is a partner, Kristine Ellison is an associate, and James Hyde and Robert Owen are partners, at Eversheds Sutherland.
