cslawreport.com

September 11, 2019
LITIGATION

Lessons From Equifax on How to Mitigate Post-Breach Legal Liability

By Avi Gesser, Patrick Blakemore and Peter Bozzo, Davis Polk

On July 22, 2019, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 state and territorial attorneys general settled their claims against Equifax Inc. related to a massive 2017 breach of Equifax data. That settlement also resolves hundreds of civil consumer class actions brought against Equifax, but it does not address a securities-fraud class action that Equifax’s shareholders brought against the company in the wake of the breach, which could still result in significant recovery for Equifax shareholders.

The Equifax settlement and the progress of the securities-fraud class action are instructive as to how civil and regulatory liability will play out for companies imperiled by large cyber events. Aside from loss of consumer and employee confidence, reputational damage and other losses resulting directly from a successful cyber attack, there are three large buckets of legal liability that companies face: (1) federal and state regulators, (2) classes of consumers and (3) classes of shareholders (for public companies).

See also “Reducing Risk in the Dawn of Equifax and Other Cyber-Related Securities Fraud Class Actions” (Feb. 13, 2019).

Regulatory Liability

The SEC, FTC, CFTC and state attorneys general all have a potential role in imposing civil penalties or other forms of liability in the aftermath of a cyber event.

SEC

The SEC can bring actions against public companies for failing to disclose in their quarterly filings that a material breach has occurred or providing materially misleading statements about a company’s cybersecurity policies. The SEC pursued this course when Yahoo! Inc. failed to disclose a data breach for over two years, resulting in Yahoo!’s agreement to pay a $35‑million civil penalty.

The SEC can also bring actions against certain regulated entities for failure to take reasonable steps to secure customers’ personal information, including actions to enforce the “Safeguards Rule,” 17 C.F.R. § 248.30(a), which requires registered broker-dealers and investment advisers to adopt written policies and procedures for protecting customer data. The SEC extracted a $1‑million penalty from Voya Financial Advisors Inc. after the company suffered a cyber intrusion due to, among other things, Voya’s failure to adopt reasonable written policies that complied with the Safeguards Rule.

See “SEC Risk Alert Highlights Policy Design and Implementation Failures and Roadmaps to Future Enforcement” (Apr. 24, 2019).

FTC

The FTC, CFTC and state attorneys general can also pursue claims against companies that fail to take reasonable steps to protect customer data. For instance, Section 5 of the FTC Act prohibits certain unfair or deceptive commercial acts or practices, and the FTC has used this authority – as it did in Equifax’s case – to impose liability on companies both for failing to adopt adequate security measures and for misrepresenting (or failing to disclose) weaknesses in those security measures.

See CSLR’s three-part series on lessons from the FTC’s 2018 Privacy and Data Security Update: “Enforcement Takeaways” (Apr. 24, 2019); “Financial Privacy, COPPA and International Enforcement” (May 1, 2019); and “Hearings, Reports and 2019 Predictions” (May 8, 2019).

CFTC

Similarly, the Commodity Exchange Act gives the CFTC the ability to bring enforcement actions for fraudulent or manipulative conduct in connection with interstate commodities markets.

State AGs

Relying on breach-notification laws enacted in all 50 states and the District of Columbia, state attorneys general may additionally bring claims against companies that fail to provide sufficient notice of breaches to consumers or directly to the attorney general’s office. Many of those state statutes also require companies to take reasonable measures to protect personal information and allow the state attorney general to bring actions for violations.

See “The Growing Role of State AGs in Privacy Enforcement” (Nov. 28, 2018).

Consumer Class Actions

Following a major data breach, consumers often file class actions against the breached company, typically bringing claims for negligence and violation of state consumer protection laws (as well as, in some cases, claims for unjust enrichment, breach of contract/implied contract, or negligent misrepresentation). Immediately after the Equifax breach was announced, consumers filed complaints against the company alleging that it had willfully, recklessly or negligently failed to maintain adequate technological and cybersecurity safeguards to protect users’ data from unauthorized access. Yahoo!, Target and Home Depot were subject to similar suits after data breaches exposed personal information held by those entities.

Shareholder Class Actions

For public companies, shareholders may bring actions to recover losses in the value of their shares following disclosure of a breach. These actions often depend on attributing the stock price decline to a company’s fraudulent statements touting the quality of its cybersecurity programs – statements that, in the wake of a breach, were arguably revealed to be false or misleading. In addition to the Equifax litigation, Yahoo!, PayPal, Chegg and Marriott have all faced securities fraud class actions following breaches at those companies.

Shareholders may also bring derivative cases in the name of the company against the directors for mismanagement in failing to prevent cyber events or adopt adequate safeguards for mitigating and responding to them. For instance, following the Yahoo! breach, plaintiffs in shareholder derivative suits alleged that the company’s officers and directors had failed to protect users’ data, notify users of the breach and remediate the breaches – even as they sold some of their own Yahoo! shares. Those suits resulted in a $29‑million settlement, the first significant recovery in a cyber-related derivative lawsuit following disappointing outcomes for plaintiffs’ attorneys in cyber-related derivative suits brought against Wyndham and Home Depot.

Which of these three buckets of legal liability will end up posing the most serious threat to companies that have experienced a large data breach remains unclear, but all three are coming quickly in the wake of public breach disclosures. Just a week after the Equifax settlement, Capital One announced a breach that affected approximately 106 million applicants – including 140,000 customers whose Social Security numbers were stolen and 80,000 customers whose account numbers were compromised. Capital One already faces at least three consumer class action lawsuits arising from the breach and several state regulatory inquiries. Securities class actions will likely follow, considering that Capital One’s stock price dropped significantly on the day the breach was announced, erasing over $1 billion in market capitalization. Indeed, plaintiffs’ law firms are actively recruiting investors in Capital One to serve as lead plaintiffs in future securities lawsuits based on the decline in Capital One’s share price following disclosure of the breach.

Equifax’s Regulatory Settlement

Federal and state regulators are under increasing pressure to impose meaningful penalties on companies that have experienced data breaches and have not implemented adequate data safeguards. The regulatory portion of the Equifax settlement included $275 million in civil penalties imposed by the Consumer Financial Protection Bureau and state/territorial attorneys general, or approximately $1.87 on a per-consumer basis.

See “Learning From the Equifax Settlement” (Jul. 31, 2019).

Equifax’s Consumer Class Action Settlement

To settle the consumer class actions and regulatory claims against it, Equifax agreed to pay $380.5 million (and potentially up to $505.5 million) into a fund that will, among other things, cover credit-monitoring services for affected consumers and compensate them for out-of-pocket expenses “fairly traceable” to the breach. With the personal information of as many as 147 million people affected by the breach, the total amount of the fund – even if fully funded with $505.5 million – corresponds to about $3.44 per consumer. Critics described the settlement figure as “grievously low,” “too little, too late” and insufficient to actually deter misconduct or negligence by companies susceptible to data breaches.

Reasons for Small Settlements

Small settlements in consumer cases are largely due to the high bars for recovery. Plaintiffs typically must prove that they suffered actual harm as a result of the data breach. But it is often difficult to know whether a particular consumer’s data has been accessed or used, and even if that could be established, damages are hard to quantify if credit companies promise to make consumers whole for any losses and provide free credit and identity theft monitoring. Indeed, many large-scale consumer class actions arising from data breaches have been dismissed on the grounds that plaintiffs cannot even establish standing to bring the case because they cannot show that they have suffered any harm. Several courts have found that, where consumers could not point to specific, concrete injuries (such as fraudulent charges) resulting from a data breach, their injuries were hypothetical future harms insufficient to confer standing.

See also “The New Normal: Easier Data Breach Standing Is Here to Stay” (Feb. 6, 2019).

CCPA’s Attempt to Address Deficient Monetary Recoveries

California has attempted to address the deficiencies and incentive structures that result in low recoveries in cyber-related consumer cases through the California Consumer Privacy Act (CCPA) of 2018. The statute permits certain users whose personal information is subject to unauthorized access to recover between $100 and $750 per breach (or actual damages, whichever is higher) if the breach results from a “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” This statute – and comparable laws being proposed in other states – creates the possibility for more potent consumer class actions going forward.

In CCPA private suits, it may be difficult for businesses that experience a breach to prove that their security procedures were adequate, and the cases may involve extensive and perhaps embarrassing discovery into a company’s cybersecurity practices. These factors, combined with the threat of significant statutory fines, may create more serious civil exposure for companies that have experienced large breaches.

See CSLR’s two-part series on CCPA priorities: “Turning Legislation Prep Into a Program Shift” (Jun. 5, 2019); “Tackling Data Subject Rights Requests and Vendors” (Jun. 12, 2019); and its two-part series on preparing for the CCPA: “Securing Buy-In and Setting the Scope” (Feb. 27, 2019); and “Best Practices and Understanding Enforcement” (Mar. 6, 2019).

Equifax’s Securities Fraud Litigation

The securities-fraud suit pending against Equifax presents another avenue for significant liability. In securities class actions (unlike consumer class actions), the plaintiffs are the company’s shareholders, and the measure of damages is the loss in value of the company’s stock resulting from its alleged misrepresentations or omissions. In Equifax’s case, the date when the breach was announced saw Equifax’s stock price close at $142.72. Eight days later, that value had declined to $92.98, a decrease of approximately 36 percent. Three months after the announcement, it had climbed back only to $116.83, reflecting an approximately $3‑billion loss in market capitalization from the date when the breach became public.

Over the past few months, the securities-fraud case against Equifax has moved steadily forward. Plaintiffs filed suit on September 8, 2017, just one day after Equifax announced the breach. The court denied the defendants’ motion to dismiss in relevant part on January 28, 2019, permitting the plaintiffs’ claims against Equifax to proceed. The court held that plaintiffs had sufficiently alleged that Equifax made misleading statements about the quality of its cybersecurity protections and its compliance with data protection laws. Although the federal securities laws pose a heightened bar for pleading scienter, the court concluded that plaintiffs had cleared this bar by pointing to evidence that Equifax knew – based on pre-breach audit reports, investigations and warnings from employees – about the inadequacy of its security systems at the time it made statements touting them. Finally, the court concluded that plaintiffs had adequately alleged loss causation by pointing to a potential causal connection between revelations about Equifax’s cybersecurity failings and the decline in its stock price.

In July 2019, the court denied Equifax’s request to file an interlocutory appeal of the order on the motion to dismiss. Plaintiffs have also filed a motion for class certification, which defendants have opposed – in part on the ground that plaintiffs’ damages methodology will overcompensate the plaintiff class by permitting them to recover for stock declines that resulted from the fact of the breach itself (as opposed to any alleged misrepresentations or omissions about Equifax’s data security). The motion remains pending, and discovery is proceeding in the case.

Mitigating Cybersecurity Risk

The Equifax settlement and the pending class action securities case provide several important data points for companies trying to assess their cyber risks and how best to reduce those risks. Companies should review the settlement, as well as the measures imposed on other companies as part of cybersecurity resolutions, and see (1) how they compare, (2) whether there is significant risk that their cybersecurity will be viewed as inadequate or their statements about their cybersecurity will be viewed as inaccurate and (3) what steps they can take to reduce such risks.

Guidance on Achieving Reasonable Security From Equifax

The Equifax settlement provides insight into what regulators view as reasonable cybersecurity measures. As such, it provides some guidance for companies on how to (1) establish reasonable cybersecurity techniques to reduce the risks of civil and regulatory liability and (2) avoid regulatory and shareholder civil risk arising from public claims that the company’s cybersecurity is “reasonable,” “effective” or reflects “best practices,” if such statements do not match how courts or regulators would view the company’s data protection measures.

The settlement requires Equifax to:

• identify an employee who will be responsible for the company’s information security initiative;
• annually review internal and external security risks and implement any measures necessary to mitigate or eliminate them;
• evaluate and test the efficacy of its security measures;
• adopt (and enforce) written policies or guidelines aimed at implementing an enhanced information security program;
• offer regular training programs on cybersecurity issues, including at least annual training on security awareness for all employees;
• keep the board of directors (or a relevant subcommittee) updated about the company’s information security program; and
• ensure that third parties with access to Equifax data are employing sufficient cybersecurity measures.

Top Ten Data Protection Measures

Ten examples of specific steps companies are taking to implement the kinds of requirements set forth in the Equifax settlement and reduce their cyber risk include the following:

1. mapping where personal information and sensitive data are collected and stored in the company, and knowing what is connected to the network;
2. encrypting sensitive data on the network and on portable devices such as laptops;
3. implementing multi-factor authentication for remote logins to their networks, and discontinuing access through webmail programs;
4. granting employees access only to the parts of the network that they need to do their work;
5. limiting the number of individuals with administrative computer privileges, as well as the length of time privileged access is granted;
6. ensuring prompt adoption of software patches and updates;
7. conducting regular penetration testing and vulnerability assessments;
8. monitoring computer networks for suspicious behavior and unauthorized activity by employees;
9. maintaining an updated incident response plan, and conducting annual tabletop exercises on the plan; and
10. having a data minimization policy that allows for the identification and deletion of old sensitive data that is no longer needed for business, legal or regulatory purposes.

Avi Gesser is a partner in Davis Polk’s litigation department, representing clients in a wide range of cybersecurity issues and counseling companies that have experienced cyber events.

Patrick Blakemore is an associate in Davis Polk’s litigation department.

Peter Bozzo is an associate in Davis Polk’s litigation department.

©2019 Cybersecurity Law Report. All rights reserved.