Lessons from Equifax on How to Mitigate Post-Breach Legal Liability

cslawreport.com, September 11, 2019

DATA BREACH LITIGATION

By Avi Gesser, Patrick Blakemore and Peter Bozzo, Davis Polk

On July 22, 2019, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 state and territorial attorneys general settled their claims against Equifax Inc. related to a massive 2017 breach of Equifax data. That settlement also resolves hundreds of civil consumer-fraud class actions brought against Equifax, but it does not address a securities-fraud class action that Equifax’s shareholders brought against the company in the wake of the breach, which could still result in significant recovery for Equifax shareholders.

The Equifax settlement and the progress of the securities-fraud class action are instructive as to how civil and regulatory liability will play out for companies imperiled by large cyber events. Aside from loss of consumer and employee confidence, reputational damage and other losses resulting directly from a successful cyber attack, there are three large buckets of legal liability that companies face: (1) federal and state regulators, (2) classes of consumers and (3) classes of shareholders (for public companies).

See also “Reducing Risk in the Dawn of Equifax and Other Cyber-Related Securities Fraud Class Actions” (Feb. 13, 2019).

Regulatory Liability

The SEC, FTC, CFTC and state attorneys general all have a potential role in imposing civil penalties or other forms of liability in the aftermath of a cyber event.

SEC

The SEC can bring actions against public companies for failing to disclose in their quarterly filings that a material breach has occurred or for providing materially misleading statements about a company’s cybersecurity policies. The SEC pursued this course when Yahoo! Inc. failed to disclose a data breach for over two years, resulting in Yahoo!’s agreement to pay a $35-million civil penalty.

The SEC can also bring actions against certain regulated entities for failure to take reasonable steps to secure customers’ personal information, including actions to enforce the “Safeguards Rule,” 17 C.F.R. § 248.30(a), which requires registered broker-dealers and investment advisers to adopt written policies and procedures for protecting customer data. The SEC extracted a $1-million penalty from Voya Financial Advisors Inc. after the company suffered a cyber intrusion due to, among other things, Voya’s failure to adopt reasonable written policies that complied with the Safeguards Rule.

See “SEC Risk Alert Highlights Policy Design and Implementation Failures and Roadmaps to Future Enforcement” (Apr. 24, 2019).

FTC

The FTC, CFTC and state attorneys general can also pursue claims against companies that fail to take reasonable steps to protect customer data. For instance, Section 5 of the FTC Act prohibits certain unfair or deceptive commercial acts or practices, and the FTC has used this authority – as it did in Equifax’s case – to impose liability on companies both for failing to adopt adequate security measures and for misrepresenting (or failing to disclose) weaknesses in those security measures.

See CSLR’s three-part series on lessons from the FTC’s 2018 Privacy and Data Security Update: “Enforcement Takeaways” (Apr. 24, 2019); “Financial Privacy, COPPA and International Enforcement” (May 1, 2019); and “Hearings, Reports and 2019 Predictions” (May 8, 2019).

CFTC

Similarly, the Commodity Exchange Act gives the CFTC the ability to bring enforcement actions for fraudulent or manipulative conduct in connection with interstate commodities markets.

State AGs

Relying on breach-notification laws enacted in all 50 states and the District of Columbia, state attorneys general may additionally bring claims against companies that fail to provide sufficient notice of breaches to consumers or directly to the attorney general’s office. Many of those state statutes also require companies to take reasonable measures to protect personal information and allow the state attorney general to bring actions for violations.

See “The Growing Role of State AGs in Privacy Enforcement” (Nov. 28, 2018).

Consumer Class Actions

Following a major data breach, consumers often file class actions against the breached company, typically bringing claims for negligence and violation of state consumer protection laws (as well as, in some cases, claims for unjust enrichment, breach of contract/implied contract, or negligent misrepresentation). Immediately after the Equifax breach was announced, consumers filed complaints against the company alleging that it had willfully, recklessly or negligently failed to maintain adequate technological and cybersecurity safeguards to protect users’ data from unauthorized access. Yahoo!, Target and Home Depot were subject to similar suits after data breaches exposed personal information held by those entities.

Shareholder Class Actions

For public companies, shareholders may bring actions to recover losses in the value of their shares following disclosure of a breach. These actions often depend on attributing the stock price decline to a company’s fraudulent statements touting the quality of its cybersecurity programs – statements that, in the wake of a breach, were arguably revealed to be false or misleading. In addition to the Equifax litigation, Yahoo!, PayPal, Chegg and Marriott have all faced securities fraud class actions following breaches at those companies.

Shareholders may also bring derivative cases in the name of the company against the directors for mismanagement in failing to prevent cyber events or to adopt adequate safeguards for mitigating and responding to them. For instance, following the Yahoo! breach, plaintiffs in shareholder derivative suits alleged that the company’s officers and directors had failed to protect users’ data, notify users of the breach and remediate the breaches – even as they sold some of their own Yahoo! shares. Those suits resulted in a $29-million settlement, the first significant recovery in a cyber-related derivative lawsuit following disappointing outcomes for plaintiffs’ attorneys in cyber-related derivative suits brought against Wyndham and Home Depot.

Which of these three buckets of legal liability will end up posing the most serious threat to companies that have experienced a large data breach remains unclear, but all three are coming quickly in the wake of public breach disclosures. Just a week after the Equifax settlement, Capital One announced a breach that affected approximately 106 million credit card applicants – including 140,000 customers whose Social Security numbers were stolen and 80,000 customers whose bank account numbers were compromised. Capital One already faces at least three consumer class action lawsuits arising from the breach and several state regulatory inquiries. Securities class actions will likely follow, considering that Capital One’s stock price dropped significantly on the day the breach was announced, erasing over $1 billion in market capitalization. Indeed, plaintiffs’ law firms are actively recruiting investors in Capital One to serve as lead plaintiffs in future securities lawsuits based on the decline in Capital One’s share price following disclosure of the breach.

Equifax’s Regulatory Settlement

Federal and state regulators are under increasing pressure to impose meaningful penalties on companies that have experienced data breaches and have not implemented adequate data safeguards. The regulatory portion of the Equifax settlement included $275 million in civil penalties imposed by the Consumer Financial Protection Bureau and state/territorial attorneys general, or approximately $1.87 on a per-consumer basis.

See “Learning From the Equifax Settlement” (Jul. 31, 2019).

Equifax’s Consumer Class Action Settlement

To settle the consumer class actions and regulatory claims against it, Equifax agreed to pay $380.5 million (and potentially up to $505.5 million) into a fund that will, among other things, cover credit-monitoring services for affected consumers and compensate them for out-of-pocket expenses “fairly traceable” to the breach. With the personal information of as many as 147 million people affected by the breach, the total amount of the fund – even if fully funded with $505.5 million – corresponds to about $3.44 per consumer. Critics described the settlement figure as “grievously low,” “too little, too late” and insufficient to actually deter misconduct or negligence by companies susceptible to data breaches.

Reasons for Small Settlements

Small settlements in consumer cases are largely due to the high bars for recovery. Plaintiffs typically must prove that they suffered actual harm as a result of the data breach. But it is often difficult to know whether a particular consumer’s data has been accessed or used, and even if that could be established, damages are hard to quantify if credit companies promise to make consumers whole for any losses and provide free credit and identity

In CCPA private suits, it may be difficult for businesses that experience a breach to prove that their security procedures were adequate, and the cases may involve extensive and perhaps embarrassing discovery into a company’s cybersecurity practices. These factors, combined with the threat of significant statutory fines, may create more

©2019 Cybersecurity Law Report. All rights reserved.