Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014
American Bar Association Litigation Section Program, 2014 Spring Meeting, Scottsdale, AZ
© 2014 Crowell & Moring LLP
David Z. Bodenheimer, Crowell & Moring LLP, Washington, DC

Data Breach Litigation in 2014

Data Breach Litigation: Overview of Data Breach Litigation
1. Security Standards
2. Litigation Lifecycle (Financial)
3. Litigation Lifecycle (Healthcare)
4. Litigation with Biggest Buyer
5. Other Litigation Risks

Security Standards: Federal Security
• Security Objectives
  – Integrity, Availability & Confidentiality
• Acceptable Security
  – Not Perfect Security
• Risk-Based Security
  – Commensurate with risk and magnitude of harm
  – Periodic Risk Assessments
• Cost-Effective Security
  – Cost-effectively reduce risk to acceptable level
[FISMA, 44 U.S.C. § 3544]

Illustrative Precedent (Federal Indian Trust Fund)
• Outdated Security Plans (Over 66%)
• Uncertified IT Systems (Over 75%)
• Ineffective Training
• Poor Agency Oversight
• Limited Testing
(20 most serious weaknesses)
Cobell v. Kempthorne, 455 F.3d 301 (D.C. Cir. 2006)

Security Standards: Framework Security
NIST Cyber Framework
• Voluntary
  – Consensus-based Standards
• Risk-Based Security
  – Risk Assessments
• Cost-Effective Security
  – Cost-effective Risk Management
• Senior Management Role
  – Not Just IT Function
  – Risk Considered at C-Suite
NIST Cybersecurity Framework (Feb. 2014)

Security Standards: Reasonable Security
• Courts have applied a standard of commercially reasonable security
• Factors include:
  – Prior breaches & injury
  – Risk-based analysis
  – Difficulty to implement
  – Holistic approach (factors as a whole vs. single type of failure)

Illustrative Precedent
“Because it had the capacity to do all of those things [i.e., adopt security safeguards], yet failed to do so, we cannot conclude that its security system was commercially reasonable. We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered [defendant’s] security system commercially unreasonable.”
Patco Const. Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012)

Data Breach (Financial): The Breach: Ground Zero
[Chart: Biggest Data Breaches (2012), Identity Theft Resource Center]

Data Breach (Financial): Investigation/Clean-Up
• $105.5 Million
  – Professional Fees
  – Investigation
  – B2B Incentive Payments
• $35.7 Million
  – Fraud Losses & Fines
• ($20 Million)
  – Insurance Receipts
• $121.2 Million (total)

SEC 10-K Statement
“To date, we have not experienced a material loss of revenue that we can confirm has been related to this event. However, this event and our related remediation efforts could potentially have a negative impact on future revenues.”
• No Loss Accruals
• Insufficient Data to Estimate Losses

Data Breach (Financial): Stock Impact (2012) / Stock Impact? (2013)
[Charts: stock price, 2012 and 2013]
“In March 2012, it was reported that a security breach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit- and debit-card information of millions of Americans. Subsequent to the reported breach, the company’s stock fell more than 9 percent before trading in its stock was halted.” [GAO, June 2012]

Data Breach (Financial): SEC Disclosure Duty
Division of Corporation Finance, Securities and Exchange Commission
CF Disclosure Guidance: Topic No. 2, Cybersecurity
Date: October 13, 2011
Summary: This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

Disclosure Duties
• Risk of Cyber Incidents
• Prior Security Breaches
• Adequacy of Preventative Measures

Shareholder Actions
“Delaware’s Court of Chancery ruled in the 1996 Caremark case that a director’s good faith duty includes a duty to attempt to ensure that a corporate information and reporting system exists and that failure to do so may render a director liable for losses caused by the illegal conduct of employees. The Delaware Supreme Court clarified this language in the 2006 Stone v. Ritter case – deciding that directors may be liable for the damages resulting from legal violations committed by the employees of a corporation, if directors fail to implement a reporting system or controls or fail to monitor such systems.”
Office of National Counterintelligence Exec. (Oct. 2011)

Data Breach (Financial): B2B Disputes
• Customer Termination
  – “VISA also removed the company from its list of approved processors.” [GAO, June 2012]
• Contract Disputes
  – 33.6% reduction in costs for 2013
  – Due to prior year charges (in part) for two contractual disputes in 2012
• Contract Settlements
  – $105.5 Million due in part to “incentive payments to certain business partners”

Insurance Disputes
• Insurance Coverage
  – $30 Million Policy Limit
  – $1 Million Deductible
• Insurance Recovery
  – $20 million Recovered under Policy
• Insurance Dispute
  – Dispute involving excess liability policy
  – Issue: whether policy’s “privacy” & “technology services” coverage apply
  – State Nat’l Ins. Co. v. Global Payments, No. 1:13-CV-01205 (N.D. Ga. filed Apr. 2013)

Data Breach (Financial): Consumer Action
SEC 10-K Statement
• Class Action
  – Willingham Class Action
• Standard
  – Failure to maintain reasonable & adequate procedures
  – Failure to timely notify of breach
• Causes of Action
  – Negligence
  – Federal Stored Comm. Act
  – Fair Credit Reporting Act
  – Georgia Unfair Trade Practices Act
  – Other common law claims
• Dismissal (Mar. 6, 2013)
BUT: “This event could result in additional lawsuits in the future.”

Data Breach (Financial): FTC Investigation
“In addition, governmental entities have made inquiries and the Federal Trade Commission has initiated an investigation related to the event.”
• FTC Implications
  – Investigations & subpoenas
  – Wyndham-style litigation
  – Consent decrees

Congressional Role
Sen. Casey (Apr. 2, 2012): “Following this breach, I wrote to [you] to express my concern and my staff has reached out to staff at the Federal Trade Commission (FTC) and the Federal Reserve.” [Letter cc’d to FDIC, FTC, NCUA]
CEO Responds (Apr. 4, 2012)
FTC “settled 50 law enforcement actions” relating to data security. Edith Ramirez (FTC Commissioner), Sen. Judiciary Comm., Feb. 4, 2014

Data Breach (Healthcare): The Breach: Ground Zero
[Chart: Biggest Data Breaches (2011), Identity Theft Resource Center]
Key Facts
• 4.9 Million TRICARE Beneficiaries
• Backup Tapes Stolen from Employee’s Car

Data Breach (Healthcare): $4.9 Billion Suit vs. DoD
“The Defense Department has been hit by a $4.9 billion class action lawsuit filed on behalf of four military family members and the 4.9 million Tricare beneficiaries whose personal information was contained on tapes stolen from a car in San Antonio in September.”

Privacy Act Remedies
• Criminal Penalties
  – $5,000 fine for willful violations
• Civil Sanctions
  – Injunctive relief
  – Damages ($1,000 minimum)*
  – Attorney fees
• Administrative Remedies
  – Adverse personnel actions
  – Contract remedies
* “U.S., Veterans Settle VA Data Breach Privacy Act Class Action for $20 Million,” Privacy Law Watch (1/29/09)

Data Breach (Healthcare): Seven Class Actions
SEC 10-K Statement (2012)
• Richardson et al. v. TMA, SAIC, & DoD (DCDC)
• Arrellano et al. v. SAIC (W.D. Tex.)
• Biggerman et al. v. TMA, SAIC, & DoD (DCDC)
• Moskowitz et al. v. TMA, SAIC, & DoD (DCDC)
• Palmer et al. v. TMA, SAIC, & DoD (DCDC)
• Losack et al. v. SAIC (D SD CA)
• Deatrick v. SAIC (D ND CA)
• Adcock v. SAIC (D ND FL) (dismissed)

Data Breach (Healthcare): MDL Class Action
SEC 10-K Statement (2013)
• Class Action
  – In re SAIC Backup Tape Data Theft
• Causes of Action
  – Negligence
  – Breach of express/implied contract
  – Invasion of privacy
  – Texas Deceptive Trade Practices
  – California Acts (multiple)
  – Fair Credit Reporting Act
  – Privacy Act
• Potential Loss/Risk
  – Insurance Coverage
  – $10 Million Loss Recorded
  – Multiple Factors Affect Loss/Risk

Data Breach (Healthcare): HHS OCR Investigation
SEC 10-K Statement (2013)
“The Company has been informed that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is investigating matters related to the incident. OCR is the division of HHS charged with enforcement of [HIPAA]. OCR may, among other things, require a corrective action plan and impose civil monetary penalties against the data owner (Department of Defense) and, in certain situations, against the data owners’ contractors, such as the Company.”

Data Breach (Healthcare): Shareholder Demand
SEC 10-K Statement (2013)
“The Company has also received three stockholder demand letters related to City Time (one of which is also related to the TRICARE matter described above). An independent committee of the Company’s board of directors reviewed two of the demands and the Company has decided not to pursue the claims outlined in their demand letters. The third demand is under review by the independent committee.”

World’s Biggest Buyer: 800-Pound Information Gorilla
“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007)
“Largest buyer of IT on the planet.” Vivek Kundra (Federal CIO), Sen. Homeland Security Comm. (2011)

Cyber Litigation – FCA Suits
Security Problem: Improper disposal of data
Impact: False Claims Act suit
“PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”

Cyber Disputes – Suspension
Security Problem: Misuse of DoD data (wrong purpose)
Impact: Suspension; Loss of $5B Contract
“But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.”
“L-3 Trips as Lockheed Snatches $5 Billion Contract”
“A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL). L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”

Cyber Litigation vs. Fed. Gov.
Security Problem: Prior security risks
Impact: Protest Litigation
Company’s “nonconformance with system security requirements ‘may have put the Medicare program at risk,’ [and] ‘could have a negative effect on the Offeror’s ability to perform efficiently and protect the confidentiality, integrity, and availability’ [of Medicare data].”
Wisconsin Physicians Service Ins. Corp., GAO B-401068.14 (Jan. 2013)

Cyber Disputes – DOJ & IGs
Security Problem: Failure to install safeguards
Impact: IG investigation; False statement risk; Criminal exposure
“Thompson, Langevin Demand Investigation into Department Cyber Attacks” (Sept. 24, 2007): “criminal investigation”; “fraudulent statement”

Contractor Liability Risks on the Cyber Battlefield: Going on the Offensive: Contractors in Cyber War
International Law
  – Authority to attack?
  – Authentication?
  – Rogue virus?
U.S. Law
  – Electronic surveillance & wiretapping laws
  – Covert operations (Title 10 vs. Title 50)
  – Posse Comitatus (DoD & domestic operations)
$50 Billion Lawsuit
“One lawsuit alone, filed May 12 by a purported national class of Verizon customers, seeks $50 billion in damages.” [“Court Will Decide State Secrets Issues First in NSA Phone Surveillance Class Action Suit,” Privacy Law Watch, June 9, 2006]

IP & Trade Secrets: Gone? Wiped Out? Do the CEO, CFO, & GC Care?

Data Losses & Cyber Breach
2x Library of Congress: 38 terabytes of lost data
“As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Whitehouse, May 10, 2010]
It’s Personal
“As an example, in 2008, [China’s] APT1 compromised the network of a company involved in a wholesale industry. . . . Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel.” [Mandiant Report (Feb. 2013)]

IP Cyber Losses
One Firm’s IP Loss
“For example, a 2011 FBI report noted, ‘company was the victim of an intrusion and lost 10 years’ worth of research and development data – valued at $1 billion – virtually overnight.’” [CRS Report, 2013 Cybersecurity Executive Order (Mar. 2013)]
$1 Trillion IP Losses
“Last year alone, cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” (President Obama, 2009)

Cybered M&A Deals: Infiltrated M&A Deals
• $2.4 Billion Huiyuan Deal. Coca Cola’s deal collapsed after hackers took key files
• $40 Billion BHP Deal. BHP Billiton Ltd’s bid to acquire Potash Corp. collapsed after cyber theft
“Coke Gets Hacked and Doesn’t Tell Anyone,” Bloomberg.com (Nov. 2012)
Counter Intel Report
“Information was pilfered from the corporate networks of a US Fortune 500 manufacturing company during business negotiations in which that company was looking to acquire a Chinese firm. . . . [T]his may have helped the Chinese firm attain a better negotiating and pricing position.” National Counterintelligence Executive Report (Oct. 2011)

Data Breach (IP/Trade Secrets)
Investors Really Care
• 70% of investors – interested in reviewing corporate cyber practices
• 80% of investors – likely would not invest if history of cyber attacks
Zogby Analytics Survey (Mar. 2013)
Litigation Risks
• SEC Investigations
• Shareholder Suits
• Regulatory Violations (DFARS)
• Export Investigations (ITAR)
• B2B Disputes
  – NDA Violations
  – Trade Secret Breaches & IP Losses

Questions?
David Z. Bodenheimer, Crowell & Moring LLP
dbodenheimer@crowell.com
(202) 624-2713