By necessity, companies collect and maintain large amounts of data about their employees, some of which may be considered personally identifiable information (PII) afforded special protection under data privacy law at the local, state, and federal levels and enforced by government agencies. Companies therefore need to be keenly aware of their obligations under the data privacy laws that govern their collection and use of this information. Further complicating compliance efforts, many companies are adopting cloud-based information management strategies, which may achieve certain efficiencies in cost and data availability but may also increase the risk of liability under data privacy laws. In addition, companies that collect, store, or transfer PII face the very real risk of a data breach, which in turn could lead to negative publicity and/or litigation.

Generally speaking, data privacy laws only give special protections to data defined as PII. Depending on the applicable law, this definition includes information that can be used to uniquely identify a person, such as a Social Security number, name, driver's license number, or bank account number. Some definitions also include other pieces of information that could be used in conjunction with other data to identify someone, such as date of birth, address, or gender. Pennsylvania's Breach of Personal Information Notification Act, for example, defines PII to include an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements:

(i) Social Security number.

(ii) Driver's license number or a state identification card number issued in lieu of a driver's license.

(iii) Financial account number, credit- or debit-card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.[1]

This statute does not apply to the data elements above if they are either encrypted or redacted, or to "publicly available information that is lawfully made available to the general public from Federal, state or local government records."

In addition to Pennsylvania laws, a number of federal data privacy laws also apply to PII collected, used, or transferred by Pennsylvania companies, most notably the Health Insurance Portability and Accountability Act (HIPAA),[2] the Health Information Technology for Economic and Clinical Health Act (HITECH),[3] and the Fair and Accurate Credit Transactions Act (FACTA).[4] These laws, written to protect against identity theft and other privacy-related concerns, apply to certain health-related information and consumer financial data.

Companies that collect, store, or process employee PII also face an increasing risk of class action lawsuits based not only on the company's use of that information, but also on the theft or misuse of PII following a data breach.[5] Class action lawsuits have been facilitated in states such as California and Delaware, whose liberal data breach laws allow private rights of action for security incidents regardless of any likelihood of injury. A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys' fees reaching $1.2 million.[6] In spite of these risks, companies may be able to avoid class certification if the plaintiffs fail to establish standing to bring suit on behalf of a class. A pivotal question for standing is establishing injury-in-fact, and the absence of such injury has successfully prevented certification of many purported data breach class actions.

Data breaches – the theft or loss of secure information – have become an all-too-common event; most companies should anticipate having a data breach. One report identifies the loss of 174 million data records in 855 separate incidents in 2011 alone.[7] Another security study found that 90 percent of the companies and organizations surveyed had at least one data breach.[8] Further, the advent of "big data" and cloud computing can mean enormous losses of data from a single breach, which in turn can mean very large classes of potential plaintiffs.[9] The plaintiffs' bar is watching data breaches very closely: a lawsuit was filed within 24 hours of Zappos.com reporting a data breach. In spite of these daunting statistics, it may be possible for companies to obtain dismissal of class action suits if there has been no injury-in-fact resulting from the data breach.

While there is disagreement among the circuits regarding the need for plaintiffs to demonstrate actual harm in order to have standing in federal court, the Third Circuit Court of Appeals has held that "allegations of hypothetical, future injury" are not sufficient to establish standing.[10] More recently, the United States Supreme Court, in Clapper v. Amnesty International USA, held that in order to establish standing, a plaintiff's injuries must be "concrete, particularized, and actual or imminent," and may not be based only on a "speculative chain of possibilities."[11] While Clapper is not a data breach case, the Court's reinforcement of standing requirements will likely result in a higher bar for data breach plaintiffs seeking to establish federal standing.

The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty. All companies would be prudent to increase their risk mitigation efforts and strengthen administrative, technical, and physical security to prevent data breaches. Since more than a third of breaches are caused by third parties, it is critical to strengthen indemnification provisions with third parties who have access to a company's data, coupled with increased training of employees on the handling of PII. Such measures may also serve to convince a court that plaintiffs have suffered no actual injury-in-fact on which a class action lawsuit can be based. Companies should also evaluate their insurance coverage and confirm that they have a liability policy in place that specifically covers the costs associated with data breaches and related incidents.

Footnotes

[1] 73 P.S. § 2302.

[2] See http://www.hhs.gov/ocr/privacy/.

[3] See http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.

[4] See http://www.ftc.gov/os/statutes/fcrajump.shtm.

[5] See Class Actions Adding to the Cost of Data Breaches, Pepper Hamilton LLP Client Alert (October 2012), available at http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2466.

[6] Sasha Romanosky et al., Empirical Analysis of Data Breach Litigation, Temple University Beasley School of Law, Legal Studies Research Paper No. 2012-29 (2012), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461.

[7] Verizon RISK Team, 2012 Data Breach Investigations Report (2012), available at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.

[8] Ponemon Institute, Perceptions About Network Security (2011), available at http://www.juniper.net/us/en/local/pdf/additional-resources/ponemon-perceptions-network-security.pdf.

[9] The FTC provides valuable guidance on these issues, including the concept of "privacy by design." See FTC Releases Final Report on Consumer Privacy Best Practices, Pepper Hamilton LLP Client Alert, available at http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2375.

[10] Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).

[11] 568 U.S. ___ (Feb. 26, 2013).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.