Data Breach Litigation – A Web of Federal and State Laws. Part One

The news has been saturated lately by stories of data breaches. The IRS discovered recently that a breach of citizens’ tax return information covered more than 330,000 taxpayers, three times that originally identified in May of this year. Target’s data breach in 2013 is back in the news because the company just settled claims against it by Visa for a whopping $67 million, and will likely pay the same to MasterCard. Most recently, many people are facing the personal and economic consequences of the Ashley Madison website data breach in July. A salient question for all entities maintaining customers’ personal information is what is the standard for securing that data? And in determining the answer to that question, entities must know the federal and state laws that potentially apply.

Federal Law: FTC Enforcement

There are certain laws that will apply to almost any U.S. entity gathering personal information. The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The Federal Trade Commission (“FTC”) has for over ten years now used its enforcement authority under the “unfairness” prong to bring actions against compromised entities for failure to use “readily available security measures.” The Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. recently rejected a challenge to the FTC’s power to regulate data security issues, a confirmation of authority that will likely only increase its efforts in the data security arena.

So, what does the federal rule require? The standard for unfairness has been criticized as frustratingly vague, and the Wyndham defendants unsuccessfully argued that the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow. In rejecting Wyndham’s argument, the Third Circuit suggested two primary sources for a company’s determination of the reasonableness of its security practices, both available on the FTC’s website:

  • The FTC’s guidebook, Protecting Personal Information: A Guide for Business, which describes a “checklist” of practices that form a “sound data security plan.” While the checklist does not provide certainty that a company is following the law, as the Wyndhamcourt said, “the FTC’s expert views about the characteristics of a ‘sound data security plan’ could certainly have helped Wyndham determine in advance that its conduct might not survive the cost-benefit analysis.” Opinion at 42.
  • Previous FTC complaints and consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity. The court listed allegations from the FTC’s complaint against CardSystems Solutions Inc. in 2006. Other examples include the FTC’s complaint and 2008 settlement agreement with ValueClick, faulting the company for not using encryption and storing information for longer than necessary for the purposes of its gathering; and its complaint and 2008 settlement agreement with the owner of TJ Maxx, who was criticized post-breach for storing and transmitting personal information in clear text, failing to limit wireless access to its networks, failing to require the use of “strong” passwords by network administrators and others, and failure to use available patches and updated anti-virus software to secure data.

In addition to the general FTC unfairness provision, the FTC “Red Flags Rule” requires banks and financial services companies to establish an identity theft prevention program that is “appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.” It also requires action by covered entities that experience a “red flag”, which is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 16 CFR 681.1.

PCI Data Security Standards

More specific requirements govern entities involved in payment card processing, including merchants, processing, acquiring and issuing banks, and service providers, as well as all other entities that store, process or transmit cardholder or authentification data. Those entities are required by the Payment Card Industry Security Standards Council (“PCI SSC”) Data Security Standards (“PCI DSS”) to agree contractually to specific data security requirements.

State Common Law and Statutes

Besides facing liability based on FTC enforcement and contractual agreements with financial institutions, entities who experience a data breach are likely to face litigation brought by affected customers and financial institutions that provided credit or debit cards to those customers. Indeed, class actions now seem inevitable following news of a data breach, and recent opinions have reversed a trend of denying such claims by consumers for lack of standing. For such actions, data breach targets need to be prepared for negligence claims, breach of contract actions based on company privacy policies, and breach of state consumer protection and data security or breach notification statutes. Importantly, companies need to be aware of all the states’ laws which may apply to their data security practices, and may need to tailor their data breach practices to the most stringent of state laws, despite doing the majority of their business elsewhere.


[ Part II continues here]

(original publication in