Data Breach? React to the Attack
By Matthew A. Cebrian and Brittany W. Yang
Source: Law Technology News, www.Law.com
In today's digital economy it is virtually impossible for an enterprise to conduct business without collecting, holding, or storing personally identifiable information -- names and addresses, Social Security numbers, credit card numbers, or other account numbers -- of customers, employees, business partners, students, or patients. Moreover, given recent cyberattacks against Sony, LinkedIn Corp., eHarmony Inc., Last.fm, and Wyndham Hotels, such attacks appear to be on the rise. While there is relatively little an attorney can do to thwart the malicious keystrokes of a hacker, she can take steps to ensure her clients are prepared to react to an attack. A number of state and federal regulations mandate that certain steps be taken both before and after a data breach, and failing to comply with these requirements could result in substantial liability, as well as a public relations nightmare. A recent lawsuit filed in the U.S. District Court for the Northern District of California raises questions as to whether mere compliance with California's privacy laws will insulate businesses from liability in the event of a breach.
Effective July 1, 2004, the California Online Privacy Protection Act of 2003 (California Business and Professions Code §22575 et seq.) requires each owner of a commercial website or online service to conspicuously post its privacy policy on its website if it collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its website or online service. As to online services, the policy must be made available by reasonably accessible means for consumers of the online service.
This act applies to any individual or entity, including a corporation, that owns a commercial Web page or online service that collects and records confidential personal information from individuals living in California who visit such Web pages. The act does not, however, apply to ISPs or similar entities that record data at the request of a third party.
Under OPPA, confidential personal information collected online includes first and last names, a street address, an email address, a telephone number, a Social Security number, or various other data that allow the tracking of a user. Personally identifiable information can also include date of birth, height, weight, etc., when this information is recorded and stored online by the operator in combination with one of the above identifiers. An individual user is one who seeks or acquires goods or services, money, or credit for himself, his family, or his household.
OPPA is enforced through California's unfair competition law (California Business and Professions Code §17200 et seq.), which provides for civil fines and injunctive relief and may, in certain instances, allow for the recovery of attorney fees. The upside for those who may face liability stemming from a violation of OPPA, or security breaches generally, is that to a large extent plaintiffs have not succeeded, and courts usually have dismissed the cases because the suing individuals failed to state legally cognizable claims for damages. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). Thus, while a plaintiff may be able to establish a violation of the statute, his ability to recover is somewhat limited by the lack of a cognizable loss.
On Feb. 22, the attorney general of California and a collection of companies in the mobile app business (namely Amazon Inc., Google Inc., Apple Inc., Hewlett-Packard Co., Microsoft Corp., and Research in Motion Ltd.) adopted a Joint Statement of Principles, in which the AG announced its opinion that OPPA requires mobile apps that collect personal data from California consumers to conspicuously post a privacy policy. With the Joint Statement, the signatories announced their efforts to develop principles that would foster innovation in privacy protection, promote transparency in privacy practices, and facilitate compliance with privacy laws in the mobile arena. However, the principles identified are not intended to be legally binding on the companies. They center on applying the OPPA requirements to mobile apps that are not traditionally thought of as websites or "online services." OPPA's application to mobile apps could be a harbinger of liability for developers, but strategic counsel might take the position that voluntary compliance could help to minimize public outrage in the event of a security breach.
California was the first state to adopt a law requiring that consumers be notified in the event of a data security breach. The Data Protection Act, or SB 1386, was enacted in 2002 and became effective July 1, 2003. Not surprisingly, since 2003 at least 46 states have adopted similar laws.
SB 1386 requires businesses to disclose breaches to affected persons "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
Section 1798.81.5(a) provides: "A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure."
Section 1798.82(a) of the act states a "person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
For purposes of this statute, "personal information" is defined as "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account, (4) medical information, or (5) health insurance information." Notably, §1798.84(b) provides for the right to bring a civil action for violating §1798.82.
The act does not define what constitutes "reasonable security measures," instead requiring that such measures be commensurate with the type of data being maintained by the business. While this might suggest the law requires that businesses keep abreast of current encryption practices, the law itself applies only to unencrypted information. Assuming counsel advise their clients to include encryption as part of their risk management strategy, SB 1386 is a lot of bark without any bite. That said, a recent suit filed against LinkedIn suggests that even encryption software will not prevent liability in the event of a breach.
On June 15, a class action was filed against LinkedIn seeking in excess of $5 million following a security breach. According to the suit, on June 6 a list of approximately 6.5 million encrypted passwords retrieved from LinkedIn's database was publicly posted online by hackers. While the passwords were indeed encrypted, the lawsuit alleges the encryption technology used was outdated and not in accordance with conventional data protection methods. As part of LinkedIn's OPPA-mandated privacy policy, LinkedIn represented to its users that it would implement "industry standard protocols and technology" to protect its users' information. According to the lawsuit, LinkedIn's security measures ran afoul of this representation and thus exposed it to liability. The complaint includes causes of action for violations of California Business and Professions Code §17200, breach of contract, negligence, and others.
Given the amount of information that is collected by virtually any commercially viable company in today's economy, and the rising frequency of attacks mounted by hackers, it is imperative that businesses and their counsel take steps to stay abreast of the applicable privacy laws and formulate comprehensive risk management policies to combat this growing threat.