By Neil Bloomfield and Lindsey Frye. This will be our first in a series of updates on the status of regulation and enforcement in the context of cybersecurity related issues. Regulation and liability in the context of a cyber attack present complex questions. The easy target is the individual or organization that committed that attack—the criminal hacker. Unfortunately, the easy target is often beyond the jurisdiction of U.S. courts, and even if they are not, they lack the resources to provide a meaningful recovery. Secondary targets, which have become the focus of litigation, legislation, regulation, and enforcement actions are the institutions that have been attacked. Essentially the direct victims of the attack are asked to compensate other victims or pay fines because of they failed to prevent criminal activity.
This complexity continues when attempting to identify the victims. If we are going to treat the companies that are attacked as culpable parties, then the remaining victims are the individuals whose information was held by the hacked company. These individuals; however, often have difficulty demonstrating traditional markings of harm because while hundreds of thousands, if not millions, of records have been stolen, most individuals experience no adverse action and any potential harm, such as false charges on a credit card, are never paid by these victims.
It is with this complex backdrop, that we will be providing updates on the state of legislative and regulatory updates, enforcement actions, and civil litigation dealing with cybersecurity breaches.
Who Will Lead Government Enforcement Remains Unclear
In its first nine months, the Trump administration’s cybersecurity focus has been preventative, not prosecutorial, in nature. The President and certain regulatory agencies have shown awareness of the threat and are taking active steps to bolster the nation’s cyber infrastructure.
In May of 2017, President Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The order directs agency heads to institute uniform standards for managing cybersecurity risk. Firms working with the federal government will also be expected to maintain similar cybersecurity protocols. Trump’s FY2018 budget includes proposals to increase cybersecurity funding at the Department of Homeland Security ($1.5 billion) and the FBI ($41.5 million). And in May, the House of Representatives passed the Strengthening State and Local Cyber Crime Fighting Act of 2017. The bill is designed to enable the National Computer Forensics Institute to assist state and local authorities in investigating cybercrimes.
No federal agency has yet been given clear jurisdiction over cybersecurity events. Prior to the Trump administration, the Federal Trade Commission (FTC) has been the leading enforcement agency for cybersecurity breaches practices. The FTC uses its authority under Section 5 of the FTC Act to exercise jurisdiction over cyberattacks and cyber breaches, asserting “unfair” cybersecurity practice claims against institutions that have been hacked. The FTC’s jurisdiction went largely unquestioned until being challenged by Wyndham Hotels. The Third Circuit upheld the FTC’s authority in 2015, but, an additional challenge to the FTC’s authority brought by LabMD is currently on appeal in the 11th Circuit.
In March 2016, the Consumer Finance Protection Bureau (CFPB) issued its first cyber-related enforcement action, in a move some thought indicated the CFPB’s intent to take the lead in the cyber space. But there have been no enforcement actions since, and considering Trump’s stated intention to overhaul Dodd-Frank, the future of the CFPB is unclear. Trump’s proposed budget significantly limited the CFPB’s 2018 funding; Senate Republicans have long advocated for the firing of the CFPB’s director, Richard Cordray.
The new co-directors of the Securities and Exchange Commission (SEC’s) Division of Enforcement have both publicly referenced the cyber risk facing the markets. On August 7, the SEC issued a risk alert highlighting cybersecurity observations from examinations of 75 firms. The report identified issues in policies and procedures, including lack of enforcement, and insufficient system maintenance.
State authorities are also seeking to fill the void in cybersecurity enforcement. In March of this year, the New York Department of Financial Services (DFS) announced new cybersecurity requirements for financial service companies. The regulations require covered entities to establish and maintain a cybersecurity program, have a written cybersecurity policy, and establish and periodically review an access privilege protocol. August 28, 2017 marked the 180-day transition period by which covered entities were required to be in compliance with the requirements. Also, as of August 28, entities covered by the DFS cybersecurity protocol must provide 72-hour notice to DFS of any cybersecurity event.
Civil Litigation Remains Focused on Standing
The Supreme Court’s May 2016 decision in Spokeo, Inc. v. Robins addressed whether a violation of a statutory right is sufficient to satisfy the standing requirement of “injury in fact.” The Court ruled that a “bare, procedural violation, divorced from any concrete harm” will not grant standing. Data breach actions include claims for violations of state statutes and claims arising under common law. Spokeo does provide some guidance to data breach claims brought under state statutes, but does not solve the larger question of whether the threat of future harm meets the concreteness requirement. To date, the Supreme Court has not squarely addressed the specific issue of standing outside of the statutory violation context.
As a result, a circuit split persists on the question of standing for class action data breach plaintiffs. The First, Third, and Fourth Circuits have found that an increased risk of future identity theft does not satisfy Article III standing requirements. The Sixth, Seventh, and Ninth Circuits have found that this potential future harm does.
Institutions continue to face significant exposure in civil litigation. In June of this year, Anthem agreed to settle litigation over its 2015 hack for $155 million, which will be the largest ever settlement for a data breach if approved by the court. In July, Ruby Corporation, the owners of the Ashley Madison website, agreed to pay $11.2 million to settle two dozen lawsuits as a result of a 2015 incident involving as many as 37 million members’ personal identifying information being exposed online.
Cyberattacks continue to be a topic of significant interest for regulators, prosecutors, and class action attorneys. This interest is only going to increase as breaches become more frequent and larger in scale such as the recently disclosed hack at credit reporting firm Equifax, which announced that data on 143 million U.S. customers was obtained in a breach discovered on July 29. We will continue to bring you updates as government authorities, companies, and courts struggle with these complex issues.