Data security: Congress and courts step into the breach
In early February 2015, Anthem Blue Cross and Blue Shield (f/n/a WellPoint Inc.), one of the nation’s largest health insurance companies, announced that a cyber-attack, possibly originating from China, exposed substantial personal data of 80 million customers, including Social Security numbers, home and email addresses, telephone numbers, medical identification numbers and income data.
Within a week, reports surfaced that cyber criminals were exploiting the breach to try to trick Anthem’s customers into disclosing even more personal information, including credit card details. A consumer in California has already sued Anthem in a class action (Morris v. Anthem Inc., No. 15-cv-00196, U.S. District Court, C.D. Cal.). This is only the latest in a series of data breaches that led Sen. Richard Blumenthal (D-Conn.) to label 2014 the “Year of the Data Breach.”
President Obama’s first legislative proposal for 2015 is a bill entitled Getting It Right on Data Breach and Notification Legislation in the 114th Congress (Data Breach Bill), which received a hearing on Feb. 5. Currently, data breaches are largely governed by a patchwork of state laws that create compliance complexities for businesses.
Wisconsin, for example, has a data breach notification law, Wis. Stat. Ann. § 134.98. Most state laws require consumer notification, but three states go further and hold business and governmental entities responsible to financial institutions for certain costs those institutions incur from credit card information breaches. Groups like the National Retail Federation, the Direct Marketing Association, and the Information Technologies Industry & Council support national legislation that would preempt these state laws. A key provision of the Data Breach Bill is a requirement that businesses notify customers within 30 days of discovering the breach.
Even before these latest massive breaches, several state attorneys general and the Federal Trade Commission, under their consumer protection authority, prosecuted businesses for lax data-security practices. Private plaintiffs in the form of consumers and financial institutions that issue credit cards have sued retailers like Target under a variety of theories, including negligence for failing to properly secure customer data.
The Bureau of Justice Statistics recently found that direct and indirect financial losses from identity theft totaled $24.7 billion. Currently, the cost of credit card fraud from such data breaches is borne disproportionately by the financial institutions issuing the cards, because they must cover any fraud on customer accounts resulting from the breach and absorb the cost of issuing new cards. Target moved to dismiss a lawsuit brought by financial institutions seeking to recover those costs, but in December 2014 a federal district court in Minnesota permitted the case to proceed.
Consumers face a more difficult challenge when trying to sue businesses for failing to secure their personal information. The majority of courts have dismissed such consumer claims because the consumers have not suffered any “appreciable” injury and therefore lack standing to sue. Surprisingly, most courts don’t consider that having one’s personal information stolen is in itself a sufficient injury.
There is no question that federal legislation and class-action suits are changing the legal landscape.
In the meantime, businesses should consider taking the following steps:
- Continue improving the systems in place to protect customer personal information, including training employees to avoid actions like leaving work computers in unlocked vehicles.
- Be sure that agreements with vendors that possess or have access to customer data contain strong provisions on data protection, including indemnification language in the event of a data breach and an assurance that data security standards are in place.
- Carefully consider and limit where and how customer data is held (e.g., data on employees’ personal devices).
- Conduct substantial due diligence on companies retained for IT outsourcing and facility management that would have access to customer data.
- Implement a data-retention policy that ensures unneeded personal data are deleted on a routine schedule.
Congress, the courts, companies, and consumers all have an important role to play in reducing the risks of data breaches. One can only hope that all parties can come together quickly to address these growing risks.
Gina Carter is a shareholder in the Madison office of Whyte Hirschboeck Dudek S.C., where she leads the Intellectual Property Counseling & Protection Team and is a member of the Technology Law Team. She regularly advises on and litigates data breach and other intellectual property matters. She can be reached at firstname.lastname@example.org.