Last week, Hilton Worldwide Holdings, Inc. announced that many of its hotels had been the latest target of a security breach involving credit and debit card payments. Just a few days before this announcement, Starwood Hotels and Resorts Worldwide Inc. said that it, too, had discovered malware that had affected credit and debit card information belonging to customers who had dined or shopped at 54 of its hotels. Cyberattacks against America’s most thriving companies seem to be commonplace these days. They’re as recurrent as the common flu. Stuff of everyday life. Even highly sophisticated data security protocols can’t seem to escape the attention of an ambitious hacker. So why, then, shouldn’t privacy and data security professionals just relax a little, and focus on dealing with cyberattacks once they happen rather than spending resources trying to prevent them in the first place? Aren’t we all doomed anyway?
This would be a tempting and perfectly understandable strategy for dealing with data breaches. But it wouldn’t be a smart move. Two significant legal developments caution against taking a lax approach to data security. If you consider them together, they just might cause you to think twice before letting your business rest on its cybersecurity laurels.
This past August, the FTC’s claws got sharper than ever with its all-out defeat of Wyndham Hotels’ attempt to have its lawsuit thrown out of court. In the lawsuit, the FTC invoked its Section 5 powers under the FTC Act to go after Wyndham for the hotel chain’s alleged failure to maintain “reasonable and appropriate” data security, which resulted in theft of consumers’ personal information. Wyndham’s mighty army of polished lawyers couldn’t convince the court that the FTC lacked the authority to bring civil claims for cybersecurity lapses. Nor did it matter that neither the FTC nor Congress has ever enacted a single law or regulation creating a standard of cybersecurity practices that folks in the hospitality industry could reasonably follow. The Court of Appeals for the Third Circuit let the lawsuit stand, and now we’re all on notice that cybersecurity practices, or the lack thereof, can form the basis of an unfair practices claim under the FTC Act and expose companies of all sizes to hefty damages and injunctive relief.
But the FTC isn’t the only one to receive a boost from a favorable legal decision in recent months. Plaintiffs’ lawyers had reason to exchange high fives in July when the Court of Appeals for the Seventh Circuit allowed a class action against retailer Neiman Marcus Group LLC to proceed in federal court. The decision raised many eyebrows because it had become a foregone conclusion before then that class actions for data security deficiencies would get tossed out of court for lack of Article III standing. The reasoning had been that most financial institutions already reimburse consumers for unauthorized charges caused by identity theft. This, plus the free credit monitoring perk required by data breach notification laws in most states, effectively eliminated the reasonable risk of harm requirement, which is essential for Article III standing. The Seventh Circuit in the Neiman Marcus case didn’t see things in such a simplistic way, though. It reasoned that if consumers experience theft of personal data due to substandard security practices, and some actually incur fraudulent charges and lose time restoring their credit standing with the credit bureaus, the requisite “risk of harm” requirement is shown and a claim for damages can proceed.
So here you have it: the threat of a civil action by the FTC and the possibility of massive class actions by plaintiffs’ lawyers. Two good reasons to avoid complacency when it comes to cybersecurity practices.
Now that the case against inertia is on the table, here are three steps you can take right now to be proactive in improving your organization’s handling of sensitive customer or employee data:
Reassure Your Customers: Having established reasonable data protection practices within your organization, give notice to your customers about what those practices are. This is done in a privacy notice posted on your website. The notice doesn’t have to be comprehensive, but it should be sufficiently informative. And it should accurately reflect your organization’s practices. Avoid boilerplate language lifted from the Internet. As the Wyndham case has shown, privacy notices that fail to truthfully reflect actual business practices could be regarded as deceptive. Wyndham had a beautifully written privacy notice on its website, but it did little to follow what it said. And please don’t waste space in your privacy notice on disclaimers, such as disclaiming liability from suit or responsibility for data protection. A notice is not a contract, and even if it were, courts do not view disclaimers of this sort sympathetically.
Have an Incident Response Plan: If your organization collects sensitive customer or employee data, it is likely required by state law to have an incident response plan in place whereby customers and state officials are notified of data breaches. Failure to follow this legal requirement might subject your organization to civil penalties. Plus, delay in learning about a data breach and reporting it might be the difference between a claim that sticks around and one that is thrown out of court, as the Neiman Marcus case has taught us all.
To learn more about how to implement or improve on privacy and cybersecurity practices, please contact Patricia Acosta, PLLC.