Privacy and Security Litigation and Enforcement: Growing Risks for Businesses?
May 2007
by Gary Clayton, Privacy Compliance Group, Inc.
Over the last 2 years, there has been a dramatic increase in the volume of activity
relating to the privacy and security of personally identifiable information (PII).
High profile cases have involved companies such as BJ's Wholesale Club, T.J.
Maxx, DirecTV, ChoicePoint, DSW Inc., Guidance Software Inc., Xanga.com, Nations
Title Agency, Inc., and CardSystems Solutions. In addition to enforcement actions
by the Federal Trade Commission (FTC), private litigation—including class actions—has
increased.
The FTC's aggressive enforcement activity has led to new requirements for
virtually all industries, even those where there is no specific statute or regulation.
Companies now have the obligation to develop, implement, and maintain reasonable
and appropriate security protection for all personal information, including
customers, employees and others.
With all of the headlines, new state and federal laws and regulations, and
the increased enforcement, the first question you may ask is why hasn't there
been more litigation to date? There are a number of factors that have limited
the litigation. These are discussed below.
No Obvious Right of Action
In the United States, most of the new privacy and security legislation has
been passed without providing an obvious
private right of action. Under the Health Insurance Portability and Accountability
Act (HIPAA) and Gramm-Leach-Bliley, for example, there simply is no clear path
for bringing a lawsuit, even if a claim has surfaced. Courts have rejected efforts
to put a HIPAA label on a private claim, even if a "HIPAA violation" appears
to have been alleged. Under Gramm-Leach-Bliley, there is no specific private
(personal) right of action. The Gramm-Leach-Bliley legislation provides a right
of action to state attorneys general, but many states have not been active in
this area of enforcement.
Difficult To Prove Damages
One of the main impediments to litigation has been the difficulty in proving
damages. The case of Smith v. Chase Manhattan Bank,
741 N.Y.S.2d 100 (App. Div. 2002), is a good example. In Smith, a bank promised its customers in their
customer information principles that it would not and did not sell their personal
information to third parties. Instead, the suit alleged, the bank did sell customer
lists to third parties, including a telemarketing firm. It was further alleged
that the bank received a percentage of the products sold as a result of these
telemarketing services. A class of bank customers sued, alleging that the bank
violated its obligations to the plaintiff class.
Despite these serious allegations, the court's decision against the plaintiffs
is startling. The court dismissed the complaint, finding no allegation of actual
damages. Instead, the court said that "the harm" at the heart of this purported
class action was that the members were merely offered products and services,
which they were free to decline. This in itself did not constitute actual harm.
The court also stated:
- The complaint does not allege a single instance where a named plaintiff
or any class member suffered an actual harm due to the receipt of an unwanted
telephone solicitation or a piece of junk mail.
Accordingly, the court found that the complaint was appropriately dismissed
for failure to state a cause of action. This means that the court found that
no claim existed on the facts as they were alleged, not that the allegations
were wrong.
Limited Enforcement Activity
Other than the FTC enforcement actions, there have been relatively few
governmental enforcement actions in the area of privacy and security. As a result,
the litigation that normally follows significant government enforcement actions
has not developed. This may change with new legislative and regulatory requirements;
however, to date there have been few class action suits.
Aggressive FTC Enforcement Activity
The FTC has taken the lead in the United States in bringing enforcement activities.
The FTC's action against BJ's Wholesale has led
to more litigation than virtually all of the other enforcement actions combined.
This case has spawned a new requirement for virtually all industries—even those
where there is no specific statute or regulation—the obligation to develop,
implement and maintain reasonable and appropriate security protection for all
personal information, about customers, employees, or others. To the FTC, the
failure to develop and implement an effective information security program constitutes
an "unfair and deceptive trade practice." Accordingly, every company should be familiar with the
facts in the BJ's Wholesale case and the security
program mandated by the FTC enforcement action, so that the company can design
an effective security program for its business operations.
Over the last decade, the FTC has been an aggressive enforcer of privacy
and security programs. Typically, the FTC has relied on its jurisdiction under
Section 5 of the Federal Trade Commission Act to regulate "unfair or deceptive
trade practices." In its numerous prior enforcement actions, the FTC typically
has relied on measuring a company's promise to provide effective security precautions
(normally in its privacy policy) and has taken enforcement action where a company's
program did not live up to these promises, even where there was no legal requirement
to make such a promise.
In the BJ's Wholesale case, however, the FTC
took enforcement action despite the fact that BJ's Wholesale apparently made
no representations to its customers concerning security protections. Instead,
the FTC alleged that the company's information security practices, taken together,
did not provide "reasonable security for sensitive customer information." Specifically,
the FTC alleged that BJ's Wholesale violated the FTC Act because it:
- Failed to encrypt consumer information when it was transmitted or stored
on computers in BJ's Wholesale stores;
- Created unnecessary risks to the information by storing it for up to 30
days, in violation of bank security rules, even when it no longer needed
the information;
- Stored the information in files that could be accessed using commonly
known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized
wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the
networks or to conduct security investigations.
BJ's Wholesale settled with the FTC without admitting any wrongdoing. The
company's settlement includes not only a requirement to implement a "comprehensive
information security program that is reasonably designed to protect the security,
confidentiality and integrity of personal information collected from or about
consumers," but also requires the company to have an independent third party
assessment of this program, every other year for
the next 20 years, subject to ongoing FTC oversight.
Implications
The FTC has extended the reach of its information security enforcement activities
with each successive enforcement action. Starting with regulated entities, and
moving on to breach of security representations, and now to the general obligation
to maintain an effective security program, the FTC has essentially created a
national, nonstatutory standard requiring all businesses that collect and maintain
personal information to develop and implement an effective information security
program. This means that the program must be appropriate to the "size" and "complexity"
of the company's business activities, and must take into account the "sensitivity"
of the information.
This program must include a risk assessment
that addresses the company's overall collection of personal information and
is not limited to "electronic" information. Following the risk assessment, the
company must make "reasonable" choices about how it is to mitigate the risks
identified in the assessment. Once this initial assessment and plan has been
developed, a company must test, monitor, and regularly reevaluate the program,
to ensure that the program keeps pace with developments both in the information
security field in general, and in the specific operations and environment of
the company.
There have been a number of enforcement actions that have resulted in whopping
fines. The recent Do-Not-Call settlement with DirecTV included a $5.3 million
penalty. The 2005 action against ChoicePoint not only resulted in a huge fine,
but also led to a significant volume of class action and even securities litigation.
The FTC collected a $15 million settlement from ChoicePoint.
What's on the Horizon?
Anyone who is familiar with the "Y2K" crisis should be fully aware of the
hazards of predicting the future when it comes to technology and data risks.
Nevertheless, it is likely that the next 3 years will bring a number of changes,
including:
- Litigation over Identity Theft: The sheer number of incidents involving
lost or stolen data will certainly result in plaintiffs who suffer real
financial and emotional damages. These cases will help establish legal
precedents for privacy damages.
- Litigation Related to Security Breaches: As security breaches continue
to make front-page news, you can count on increased litigation. Companies
that sustain security breaches are almost certain to point the finger at
their vendors, partners and third parties that handle their employee and
customer information. These suits are very likely to define the obligation
to appropriately choose and contract with third parties that handle
personal information.
- Litigation over the Costs of Mitigating Security Breaches: The costs
associated with security breaches can reach the millions of dollars in
actual expenses—not including brand damage. Companies will increasingly
try to recover these costs from vendors or other third parties that are
involved.
- Security Breach Notification Issues: Currently, 36 states and the city
of New York have passed security breach notification laws. The costs
involved in notifying individuals that their data has been lost can
escalate very quickly. A recent Forrester report concluded that the costs
of a data breach could range up to $305 per customer record.
- More Enforcement: A number of state attorneys general have placed privacy
enforcement information on the home page of their Web sites. Additionally,
in the recent annual conventions of the National Association of Attorneys
General (NAAG), a considerable amount of their agendas have focused on
privacy, security, and identity theft. With the significant public and
media interest in enforcement actions, you can count on additional
proceedings to be brought against high profile companies.
- Increased State and Local Government Pressure on Federal Government: The
states have taken the lead in enacting privacy and data protection laws.
The clearest example relates to the security breach notice laws. While
Congress has been unable to pass a single law on this issue, 36 states
have done so. Pressure on Congress will result in new privacy legislation
at the federal level.
Conclusion
It appears that the difficulty in proving damages has left the plaintiffs'
bar unimpressed with the potential "pot of gold" related to privacy litigation.
Absent substantial lucre, the plaintiffs' bar has not brought much litigation
and has generally failed to understand and clearly articulate how the misuse
of personal information can cause damages. As privacy breaches become more frequent,
you can bet that this situation will change, and that litigation and enforcement
actions will eventually establish a body of law allowing an individual to recover
for "damages" to his or her privacy.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.