
Privacy and Security Litigation and Enforcement: Growing Risks for Businesses?

May 2007

Over the last 2 years, there has been a dramatic increase in the volume of activity relating to the privacy and security of personally identifiable information (PII).

by Gary Clayton
Privacy Compliance Group, Inc.

High profile cases have involved companies such as BJ's Wholesale Club, T.J. Maxx, DirecTV, ChoicePoint, DSW Inc., Guidance Software Inc., Xanga.com, Nations Title Agency, Inc., and CardSystems Solutions. In addition to enforcement actions by the Federal Trade Commission (FTC), private litigation—including class actions—has increased.

The FTC's aggressive enforcement activity has led to new requirements for virtually all industries, even those where there is no specific statute or regulation. Companies now have the obligation to develop, implement, and maintain reasonable and appropriate security protection for all personal information, including information about customers, employees, and others.

With all of the headlines, new state and federal laws and regulations, and the increased enforcement, the first question you may ask is why hasn't there been more litigation to date? There are a number of factors that have limited the litigation. These are discussed below.

No Obvious Right of Action

In the United States, most of the new privacy and security legislation has been passed without providing an obvious private right of action. Under the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley, for example, there simply is no clear path for bringing a lawsuit, even if a claim has surfaced. Courts have rejected efforts to put a HIPAA label on a private claim, even if a "HIPAA violation" appears to have been alleged. Under Gramm-Leach-Bliley, there is no specific private (personal) right of action. The Gramm-Leach-Bliley legislation provides a right of action to state attorneys general, but many states have not been active in this area of enforcement.

Difficult To Prove Damages

One of the main impediments to litigation has been the difficulty in proving damages. The case of Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002), is a good example. In Smith, a bank promised its customers in their customer information principles that it would not and did not sell their personal information to third parties. Instead, the suit alleged, the bank did sell customer lists to third parties, including a telemarketing firm. Additionally, it is alleged that the bank received a percentage of the products sold as a result of these telemarketing services. A class of bank customers sued, alleging that the bank violated its obligations to the plaintiff class.

Despite these serious allegations, the court's decision against the plaintiffs is startling. The court dismissed the complaint, finding no allegation of actual damages. Instead, the court said that "the harm" at the heart of this purported class action is that the members were merely offered products and services, which they were free to decline. This in itself did not constitute actual harm. The court also stated:

  • The complaint does not allege a single instance where a named plaintiff or any class member suffered an actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.

Accordingly, the court found that the complaint was appropriately dismissed for failure to state a cause of action. This means that the court found that no claim existed on the facts as they were alleged, not that the allegations were wrong.

Limited Enforcement Activity

Other than the FTC enforcement actions, there has been relatively little governmental enforcement activity in the area of privacy and security. As a result, the litigation that normally follows significant government enforcement actions has not developed. This may change with new legislative and regulatory requirements; however, to date there have been few class action suits.

Aggressive FTC Enforcement Activity

The FTC has taken the lead in the United States in bringing enforcement activities. The FTC's action against BJ's Wholesale has led to more litigation than virtually all of the other enforcement actions combined. This case has spawned a new requirement for virtually all industries—even those where there is no specific statute or regulation—the obligation to develop, implement and maintain reasonable and appropriate security protection for all personal information, about customers, employees, or others. To the FTC, the failure to develop and implement an effective information security program constitutes an "unfair and deceptive trade practice." Accordingly, every company should be familiar with the facts in the BJ's Wholesale case and the security program mandated by the FTC enforcement action, so that the company can design an effective security program for its business operations.

Over the last decade, the FTC has been an aggressive enforcer of privacy and security programs. Typically, the FTC has relied on its jurisdiction under Section 5 of the Federal Trade Commission Act to regulate "unfair or deceptive trade practices." In its numerous prior enforcement actions, the FTC typically has relied on measuring a company's promise to provide effective security precautions (normally in its privacy policy) and has taken enforcement action where a company's program did not live up to these promises, even where there was no legal requirement to make such a promise.

In the BJ's Wholesale case, however, the FTC took enforcement action despite the fact that BJ's Wholesale apparently made no representations to its customers concerning security protections. Instead, the FTC alleged that the company's information security practices, taken together, did not provide "reasonable security for sensitive customer information." Specifically, the FTC alleged that BJ's Wholesale violated the FTC Act because it:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's Wholesale stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • Stored the information in files that could be accessed using commonly known default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

BJ's Wholesale settled with the FTC without admitting any wrongdoing. The company's settlement includes not only a requirement to implement a "comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers," but also requires the company to have an independent third party assessment of this program, every other year for the next 20 years, subject to ongoing FTC oversight.

Implications

The FTC has extended the reach of its information security enforcement activities with each successive enforcement action. Starting with regulated entities, and moving on to breach of security representations, and now to the general obligation to maintain an effective security program, the FTC has essentially created a national, nonstatutory standard requiring all businesses that collect and maintain personal information to develop and implement an effective information security program. This means that the program must be appropriate to the "size" and "complexity" of the company's business activities, and must take into account the "sensitivity" of the information.

This program must include a risk assessment that addresses the company's overall collection of personal information and is not limited to "electronic" information. Following the risk assessment, the company must make "reasonable" choices about how it is to mitigate the risks identified in the assessment. Once this initial assessment and plan has been developed, a company must test, monitor, and regularly reevaluate the program, to ensure that the program keeps pace with developments both in the information security field in general, and in the specific operations and environment of the company.

There have been a number of enforcement actions that have resulted in whopping fines. The recent Do-Not-Call settlement with DirecTV included a $5.3 million penalty. The 2005 action against ChoicePoint not only resulted in a huge fine, but also led to a significant volume of class action and even securities litigation. The FTC collected a $15 million settlement from ChoicePoint.

What's on the Horizon?

Anyone who is familiar with the "Y2K" crisis should be fully aware of the hazards of predicting the future when it comes to technology and data risks. Nevertheless, it is likely that the next 3 years will bring a number of changes, including:

  1. Litigation over Identity Theft: The sheer number of incidents involving lost or stolen data will certainly result in plaintiffs who suffer real financial and emotional damages. These cases will help establish legal precedents for privacy damages.

  2. Litigation Related to Security Breaches: As security breaches continue to make front-page news, you can count on increased litigation. Companies that sustain security breaches are almost certain to point the finger at their vendors, partners, and third parties that handle their employee and customer information. These suits are very likely to define the obligation to appropriately choose and contract with third parties that handle personal information.

  3. Litigation over the Costs of Mitigating Security Breaches: The costs associated with security breaches can reach the millions of dollars in actual expenses—not including brand damage. Companies will increasingly try to recover these costs from vendors or other third parties that are involved.

  4. Security Breach Notification Issues: Currently, 36 states and the city of New York have passed security breach notification laws. The costs involved in notifying individuals that their data has been lost can escalate very quickly. A recent Forrester report concluded that the costs of a data breach could range up to $305 per customer record.

  5. More Enforcement: A number of state attorneys general have placed privacy enforcement information on the home page of their websites. Additionally, at the recent annual conventions of the National Association of Attorneys General (NAAG), a considerable portion of the agenda has focused on privacy, security, and identity theft. With the significant public and media interest in enforcement actions, you can count on additional proceedings to be brought against high profile companies.

  6. Increased State and Local Government Pressure on Federal Government: The states have taken the lead in enacting privacy and data protection laws. The clearest example relates to the security breach notice laws. While Congress has been unable to pass a single law on this issue, 36 states have done so. Pressure on Congress will result in new privacy legislation at the federal level.

Conclusion

It appears that the difficulty in proving damages has left the plaintiffs' bar unimpressed with the potential "pot of gold" related to privacy litigation. Absent substantial lucre, the plaintiffs' bar has not brought much litigation and has generally failed to understand and clearly articulate how the misuse of personal information can cause damages. As privacy breaches become more frequent, you can bet that this situation will change, and that litigation and enforcement actions will eventually establish a body of law allowing an individual to recover for "damages" to his or her privacy.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.