Trial Magazine
Theme Article
Data Breaches Come in All Sizes
Big data breaches grab headlines, but smaller-scale, localized ones occur frequently and have the same impact on consumers. Learn about the features of these breaches and how to handle them.
June 2019
As more and more businesses require customers to submit sensitive personally identifiable information (PII) to provide goods or services—such as Social Security numbers, addresses, phone numbers, and birth dates—people are forced to trust that these companies will safely store their data. Unfortunately, that is not always the case. There were 2,216 confirmed data breaches worldwide in 2017 alone.1 Data breaches affect companies of all sizes, with 58 percent of targets categorized as small businesses across a range of industries, including health care, education, and financial services.2
While data breaches that dominate the news tend to involve massive corporations and tens of millions of victims, a smaller data breach of a local business that affects people in a limited geographic area is more likely to come across the desk of most attorneys. Three types of data breaches frequently occur in local communities: phishing emails to office staff, employees improperly accessing medical records, or hackers deploying ransomware. Although these data breaches may be “small” in scale, the impact on victims and local communities can be devastating. Here are some key steps to take when someone seeks your advice in the aftermath of a data breach.
Categories of Attack
Data breach attacks vary, presenting different risks for victims and requiring different approaches by attorneys. A breach may implicate a single state’s laws or several states’ privacy and breach notification laws. Claims also vary depending on the type of breach, the circumstances of the breach, and the relationship between the affected people and the company that was breached. For example, if the relationship is contractual, investigate the terms of the contract to see whether a breach of contract claim is viable. The experts you consult also will vary depending on the type of breach—a HIPAA expert, a human resources expert, or a forensic expert.
Phishing attacks. A person pretending to be a legitimate contact at an organization, such as the CEO, contacts a target—often payroll staff—via email, phone, or text message. It also may involve spoofing a C-level employee’s email address and requesting specific information (known as spear-phishing due to the specific targeting) and include an infected attachment or link. The person deploying the phishing attack tries to trick targets into providing sensitive personal data. For example, a spear-phishing email purporting to be from the CEO may request that someone in the human resources department transmit employees’ personal information.
Phishing is the most common cause of data breaches, representing 93 percent of all breaches worldwide.3 Because phishing usually results in many people’s information being compromised, these cases generally are brought as class actions.4 Compared to breaches at companies such as Target and Anthem, a smaller phishing case affects hundreds or thousands of people, rather than millions. Far less sophisticated tortfeasors usually commit these breaches. They are also less complex because it is often easier to make the connection between instances of identity theft and the breach. Smaller businesses also may be more likely to settle quickly, as they cannot afford to defend cases the way that national and multinational corporations can.
Improper access of medical records. Medical records contain some of the most private details of patients’ lives, including descriptions of symptoms, diagnoses, and treatment. Pharmacy, doctor, or hospital records may go back for decades, and when health care employees access records without proper authorization under HIPAA, it can do serious harm.5
Medical records breaches include both limited breaches (an unauthorized employee checks once to see whether a particular person has recently sought treatment) and larger breaches (the employee accesses dozens of files multiple times). These cases tend to involve only a few people, or even a solitary victim, since the breaches are internal and may be motivated by personal disputes. Employees may end up sharing the confidential information with third parties, such as the victim’s friends, family, or community;6 or use the victim’s financial information for fraudulent purposes.
These cases often are filed as individual tort actions because the number of victims is low. Claims against an employee who unlawfully discloses medical records include negligence, professional malpractice, invasion of privacy, and public disclosure of private facts.7 A victim also may seek to hold the health care provider liable for the employee’s actions under the doctrine of respondeat superior.8 Finally, the victim may sue the health care provider directly for claims such as negligent training, negligent supervision, negligent retention, and professional malpractice.9
Ransomware attacks. These generally involve external access to a company’s data. A hacker gains access to a business’s systems and locks down some, if not all, of the business’s data, which often includes its customers’ or clients’ PII. The hacker demands a ransom and may threaten to post the data online or delete the data if the ransom is not paid.
In the last few years, thousands of ransomware attacks have occurred, striking everywhere from businesses to local police departments to individuals.10 Ransomware attacks have resulted in litigation between a company and its customers whose data was breached, as well as between the company and its insurer.
In phishing and ransomware cases, a class action is usually more appropriate and cost effective because these typically involve more than 100 victims. In these cases, plaintiffs may allege negligence, breach of contract, unjust enrichment, and state law claims, such as consumer protection act violations.11 For example, in an ongoing ransomware class action, an orthopedics office sued the electronic health records vendor Allscripts, alleging that it failed to properly secure clients’ data even though it was aware of the increasing risk of ransomware attacks.12
Initial Steps
With limited exceptions, most data breach victims learn that their PII has been compromised only when the breached company notifies them and the press. Timely notification is important because the longer a company keeps the breach secret, the higher the risk to the victims who do not know to take steps to protect themselves.
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have passed data breach notification laws.13 Although these laws vary, they all require private or government entities to notify victims of data breaches that have exposed PII within a relatively short period of time.14 Some states set a specific deadline, such as within 45 or 60 days from when the company learns of the breach15; other states merely require notice using vague language such as “in the most expedient time possible and without unreasonable delay.”16 When a victim of a data breach comes to you seeking advice, identify the type of breach and then take certain initial steps to gather information.
Review the breach notification letter. In a phishing or ransomware breach, the victims should receive a standard form letter notifying them of the breach and providing basic information about the scope of the breach, what information was exposed, and potentially how the breach occurred. Clients likely received the letter before contacting a lawyer.
However, the breach letter often does not include all of this basic information. State laws require breached companies to provide some information, such as when the breach occurred,17 what sensitive information was acquired,18 a general description of the breach incident,19 and remedial measures implemented to secure the information and prevent future breaches.20
Request additional information. Information regarding the company’s cybersecurity practices and how the breach occurred is critical to determine negligence. But companies frequently withhold or downplay information about how the breach occurred, and this may make it hard to evaluate the case before filing. Under these circumstances, sending Freedom of Information Act (FOIA) requests to the Office of Civil Rights and all state regulatory agencies to which a breach must be reported can be helpful. These agencies often require companies to provide certain information regarding the circumstances of the breach and the company’s cybersecurity practices. Identifying the type of breach, the information that was exposed, and the company’s conduct before, during, and after the breach is essential.21
Also send a letter to the breached company, putting it on notice that it needs to preserve all documents; tangible items such as computers, hard drives, and even servers; and electronically stored information such as emails, system logs, and forensic images. In data breach cases, evidence such as log files may not be aggregated and therefore may not be maintained for very long in the normal course of business. Data also may be destroyed or lost in a breach investigation.
Early discovery. After concluding the initial investigation and filing your case, craft your discovery requests to learn exactly what measures, if any, a breached company used to try to prevent the attack. When businesses disregard crucial and well-known prevention measures, their negligence is clear.
For example, the IRS has repeatedly warned payroll and human resources professionals about phishing schemes.22 Training employees to recognize phishing attacks has long been an industry standard even for smaller businesses because it reduces the chance that information will be compromised.23 The Federal Trade Commission (FTC) provides a cybersecurity guide for small businesses that explains best practices for preventing phishing attacks.24 Taking measures such as using software that indicates whether an email is from an internal or external source and testing employees with fake phishing emails further reduce the risk of compromised information.
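The article mentions two prevention measures a breached company may or may not have used: software that indicates whether an email came from an internal or external source, and training against executive-impersonation (spear-phishing) emails of the kind described earlier. The following Python snippet is an added illustration of what such an indicator rule looks like when applied to inbound mail headers; it is not code from the article, the IRS, the FTC, or any vendor product. The organization domain (example.com), the executive roster, and the two sample messages are all constructed for the demonstration.

```python
"""Illustrative external-sender and executive-impersonation tagging.

Added example (not from the article or any vendor product). It applies four
defender-side heuristics to an inbound message's headers:
  1. Is the From domain outside the organization's own domains?
  2. Does the display name match a known executive while the address does not?
  3. Is the From domain a near-miss (lookalike) of an internal domain?
  4. Does Reply-To point at a different domain than From?
The organization domain, executive roster, and sample messages are assumptions
constructed for this demonstration.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                   # assumption: the firm's own mail domains
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display name -> real address


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(raw_message: str) -> dict:
    """Return the four indicator flags for a raw RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    external = from_domain not in INTERNAL_DOMAINS
    key = " ".join(name.lower().split())
    impersonation = key in EXECUTIVES and addr.lower() != EXECUTIVES[key]
    lookalike = external and any(
        0 < _edit_distance(from_domain, d) <= 2 for d in INTERNAL_DOMAINS
    )
    reply_mismatch = bool(reply_domain) and reply_domain != from_domain
    return {
        "external": external,
        "impersonation": impersonation,
        "lookalike": lookalike,
        "reply_mismatch": reply_mismatch,
    }


def tagged_subject(raw_message: str) -> str:
    """Subject line as the recipient would see it after the gateway tags it."""
    verdict = classify_sender(raw_message)
    subject = email.message_from_string(raw_message).get("Subject", "")
    if verdict["impersonation"] or verdict["lookalike"]:
        return "[EXTERNAL - POSSIBLE IMPERSONATION] " + subject
    if verdict["external"]:
        return "[EXTERNAL] " + subject
    return subject


# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e.com>\r\n"
    "Reply-To: payroll-update@mail-relay.example.net\r\n"
    "To: payroll@example.com\r\n"
    "Subject: W-2 copies needed today\r\n"
    "\r\n"
    "Please send all employee W-2s as a PDF.\r\n"
)
INTERNAL = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: payroll@example.com\r\n"
    "Subject: Quarterly review\r\n"
    "\r\n"
    "Agenda attached.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(label, classify_sender(raw), "->", tagged_subject(raw))
```

In discovery, the point of asking for this kind of control is not the code itself but whether any comparable indicator was in place: a payroll employee who sees "[EXTERNAL - POSSIBLE IMPERSONATION]" on a request for W-2s has a visible cue that the article's training standard is meant to reinforce.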
Counsel clients on credit monitoring. Advise them on how to protect their personal information, such as monitoring credit and financial accounts, ordering credit reports, freezing credit, and changing passwords. While most breached companies offer victims one or two years of credit monitoring, the quality of the credit monitoring offered varies significantly. Clients need to understand the adequacy of the credit monitoring product to determine whether they should enroll in that product, pay for a different credit monitoring product, or monitor their credit on their own.
One or two years of protection is typically inadequate because thieves may wait to sell the stolen information and buyers may wait to use it. Determine whether the product covers all three credit bureaus. Some companies offer a barebones credit monitoring service in the initial breach letter, but litigation may result in lengthier and more robust credit monitoring services that will better protect victims from identity theft in the long run.
Report fraud or identity theft. If your client has already experienced fraud or identity theft, such as the filing of a fraudulent tax return or unauthorized credit card charges, advise him or her to file an online report with the FTC first.25 Then instruct your client to file a police report in person. Your client should bring a copy of the FTC report, a valid government ID, proof of address, and proof of theft (such as a credit card statement with fraudulent charges) when filing the police report.
Overcoming Standing Challenges
It is common in data breach cases, particularly those filed in federal court, for the defendants to file a motion to dismiss for lack of standing. To defeat this motion in federal court, plaintiffs who have not experienced fraud must show that the threatened injury is “certainly impending” or “there is a ‘substantial risk’ the harm will occur.”26 To make this showing, include in the complaint as much information as possible about the breach. It is especially important to list what information was compromised, such as Social Security numbers, birth dates, and addresses, and to provide any information that indicates that the intent of the tortfeasor is to sell this valuable personal data. Make the argument that your client’s compromised data from the breach is already being sold. In certain cases, such as when the FBI has alerted a company of a breach, the victims may know that their information is for sale on the dark web—feature this prominently in the complaint.
Case Resolution
Data breach cases are likely to settle rather than go to trial, with the most common damages being several years of credit monitoring services, plus reimbursement for class members’ out-of-pocket costs. Some type of injunctive relief, such as improved security practices, is also common.
Phishing attacks. Two recent settlements provide a framework for the resolution of phishing data breach cases. In Sackin v. TransPerfect Global, Inc., a TransPerfect employee disclosed W-2s and payroll information in response to a phishing email, which compromised other employees’ information and exposed them to identity theft.27 Shortly after the breach, TransPerfect offered victims two years of minimal credit monitoring.28 Finding this insufficient, the victims filed a class action, and TransPerfect then filed a motion to dismiss for lack of standing and for failure to state a claim on which relief could be granted.29
Shortly after the motion was largely resolved in the plaintiffs’ favor, the case was settled. TransPerfect agreed to provide to settlement class members an additional three years of credit monitoring with a more extensive plan, to improve data security practices, and to reimburse up to $4,000 for unreimbursed economic costs resulting from the data breach.30
In Brady v. Scotty’s Holdings, an employee responded to a phishing email by sharing the personal information of Scotty’s employees.31 Scotty’s agreed to provide identity theft protection and reimburse employees up to $150 for identity theft services purchased independently, up to $350 if a false or fraudulent tax return was filed, and up to $150 for a false IRS tax transcript request.32 Scotty’s also agreed to undertake preventative actions such as cybersecurity training and new security protocols.33
Medical records access. The resolution of, and damages awarded in, cases involving improper access to medical records vary. In a case involving a Walgreens pharmacist who disclosed personal health information about a customer after a soured romantic relationship, the plaintiff presented evidence that she had experienced severe mental distress and humiliation, as well as a general mistrust of all health care providers, after her personal information was shared with others. The jury awarded $1.8 million, finding Walgreens jointly liable with the employee who disclosed the information.34 A state appellate court affirmed the verdict.35
Ransomware. Although it is difficult to accurately measure the damage caused by ransomware attacks, one cybersecurity company estimated that ransomware attacks cost victims $375 million in ransoms and up to $75 billion in expenses and lost productivity in 2016 alone.36
Understanding the different types of breaches and likely outcomes is essential to bringing the right claims on your clients’ behalves.
Hadley L. Matarazzo is a partner at Faraci Lange in Rochester, N.Y. Lynn A. Toops is an attorney at Cohen & Malad in Indianapolis. They can be reached at hmatarazzo@faraci.com and ltoops@cohenandmalad.com.
Notes
1. Verizon, 2018 Data Breach Investigations Report 4 (11th ed., Apr. 2018), https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf.
2. Id. at 5, 12.
3. Id. at 11. (Pretexting—or including a narrative—is also included in this count of the most common cause of data breaches.)
4. See, e.g., Curry v. Schletter Inc., 2018 WL 1472485 (W.D.N.C. Mar. 26, 2018); Savidge v. Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. Dec. 1, 2017); Sackin v. TransPerfect Global, Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017); Hapka v. Carecentrix, Inc., 2016 WL 7336407 (D. Kan. Dec. 19, 2016); Castillo v. Seagate Tech., LLC, 2016 WL 9280242 (N.D. Cal. Sept. 14, 2016).
5. See 45 C.F.R. §164.508 (2019).
6. See, e.g., Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), on reh’g, 25 N.E.3d 748 (Ind. Ct. App. 2015).
7. Id. at 105.
8. Id.
9. Id.
10. See Kaveh Waddell, The Extortionist in the Fridge, The Atlantic (Jan. 6, 2016), https://www.theatlantic.com/technology/archive/2016/01/the-extortionist-in-the-fridge/422742/.
11. See, e.g., Complaint at 15–21, Surfside Non-Surgical Orthopedics, P.A. v. Allscripts Healthcare Solutions, Inc., No. 1:18-cv-00566 (N.D. Ill. filed Jan. 25, 2018).
12. Id.; Patrick Howell O’Neill, Allscripts Faces Lawsuit After Ransomware Attack Impacts Doctors’ Offices Across U.S., Cyberscoop (Jan. 29, 2018), http://tinyurl.com/y6nlmam9.
13. Nat’l Conference of State Legislatures, Security Breach Notification Laws (Sept. 29, 2018), http://tinyurl.com/nrb9bs7.
14. Id.
15. See, e.g., Ala. Code §8-38-5(b) (2018) (45 days); Del. Code Ann. tit. 6, §12B-102(c) (West 2019) (60 days).
16. Cal. Civ. Code §1798.82(a) (West 2019).
17. See, e.g., Ala. Code §8-38-5(d)(1).
18. Id. at §8-38-5(d)(2).
19. See Cal. Civ. Code §1798.82(d).
20. See, e.g., Ala. Code §8-38-5(d)(3).
21. Adam J. Blank & Zachary J. Phillipps, Make the Most of FOIA, Trial 45 (Mar. 2019).
22. See, e.g., IRS, IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s, IR-2016-34 (Mar. 1, 2016), http://tinyurl.com/gqchs46; see also IRS, IRS, States and Tax Industry Renew Alert About Form W-2 Scam Targeting Payroll, Human Resource Departments, IR-2017-10 (Jan. 25, 2017), http://tinyurl.com/zmf2y2r.
23. See Dinah Wisenberg Brin, Employee Training Critical to Cybersecurity, Soc’y for Human Resource Mgmt. (Aug. 9, 2018), http://tinyurl.com/y24zokxd.
24. Fed. Trade Comm’n, Cybersecurity for Small Business: Phishing, http://tinyurl.com/yyn5yoo3.
25. Reports can be filed with the FTC at https://www.identitytheft.gov.
26. Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410, 414 n.5 (2013)).
27. Sackin, 278 F. Supp. 3d at 744.
28. Order Granting Preliminary Approval of Class Action Settlement and Approving Notice Program at 9, Sackin v. TransPerfect Global, Inc., No. 1:17-cv-01469-LGS (S.D.N.Y. Mar. 13, 2018).
29. Sackin, 278 F. Supp. 3d 739.
30. Order, supra note 28.
31. Exhibit 1, Settlement Agreement and Exhibits at 2, Brady v. Scotty’s Holdings, LLC, No. 1:17-cv-01313 (S.D. Ind. May 6, 2018).
32. Id. at 13–15.
33. Id. at 16.
34. Walgreen, 21 N.E.3d at 106.
35. Id.
36. Adam Chandler, How Ransomware Became a Billion-Dollar Nightmare for Businesses, The Atlantic (Sept. 3, 2016), https://www.theatlantic.com/business/archive/2016/09/ransomware-us/498602/.