Michael Waters is a Shareholder at Vedder Price and a member of the firm’s Privacy, CyberSecurity & Media practice group. He counsels clients in all industry sectors on privacy and data security issues. He assists clients in preparing for and responding to data breaches, and represents clients in litigation and regulatory agency investigations related to privacy and technology matters.  Mr. Waters has earned the designation of Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP).

Christopher P. Skroupa: To what extent are you seeing litigation that focuses on the human factor in cyber defense?

Michael Waters: Litigation has been a bit strange on this front. There have been quite a few lawsuits arising out of data breach events, but courts have dismissed the majority of cases due to a lack of damages and standing. Cases that survive a motion to dismiss tend to settle quickly. As a result, litigation rarely gets to the point where human culpability is litigated. That said, companies that have suffered a data breach event often face regulatory investigations, and state and federal regulatory agencies focus heavily on the human factor in their investigations. The agencies understand that some breaches are inevitable, particularly those involving sophisticated cyber intrusions, but they want to make sure organizations are implementing reasonable safeguards to lessen the likelihood of a breach.

Skroupa: What has been mandated in terms of visibility or severity that companies should be aware of?

Waters: Although there is a lack of universal standards in this area, there have been some attempts to clarify how levels of negligence will impact the severity of fines imposed on breached entities.  For example, the HITECH Act, which is an extension of HIPAA, provides a tiered system for imposing civil monetary penalties against breached entities that directly correlates to the level of human culpability.  If the HHS Office for Civil Rights determines that an organization exhibited reasonable diligence in attempting to prevent the breach, then the organization will be subject to the smallest level of fines. Whereas if OCR determines that the organization was guilty of willful neglect in protecting patient information, they are subject to the highest level of fines.

Skroupa: Is this an issue that at some point is going to be litigated in the courts?

Waters: Notwithstanding the fact that data breach class actions are often dismissed, plaintiffs still file cases and have had some recent success.  For example, the Seventh Circuit recently reversed the dismissal of a case arising out of a breach involving Neiman Marcus.  If more cases survive dismissal, parties will eventually litigate the question of negligence.

Skroupa: Are there things that class action litigators are looking at when they consider taking legal action?

Waters: The size of the breach and number of potentially affected individuals is typically the most significant consideration for class action litigators.  This is due not only to the size of the potential payout, but the fact that, at times, it may be difficult for plaintiff’s counsel to know and consider the care an organization took to protect information pre-breach.  In some situations, attorneys will perform pre-filing due diligence.  For example, an action seeking to inspect Home Depot’s books and records was filed prior to the filing of a data breach-related shareholder derivative suit against that company.  However, that type of pre-suit discovery is rare, and in matters involving the largest breaches, class actions are still filed as a matter of course.

Skroupa: How can companies demonstrate that they acted with reasonable diligence to prevent the breach?

Waters: That typically is going to involve a demonstration that the company had appropriate administrative, technical, and physical safeguards in place pre-breach. Companies should consider doing a risk assessment to focus specifically on those safeguards.  If they ever find themselves in front of a regulator or in court, they can say that they made well-reasoned decisions based on an assessment of risks. Organizations should also consider employee training and table top or mock breach exercises to increase the likelihood individuals within the organization will respond appropriately to a breach event.

Skroupa: Are there any standards set from prior precedents, or do you feel that the demonstration of meeting fiduciaries is an evolving standard?

Waters: Negligence or reasonableness standards often arise out of the court system.  However, as these issues are rarely litigated in data breach cases, standards are largely arising out of the actions taken by regulatory enforcement agencies. For example, when enforcement agencies investigate organizations that have suffered a breach, they regularly inquire about the organization’s administrative, technical and physical safeguards.  We counsel clients to anticipate these questions, pre-breach, and get to a point where they would feel comfortable defending their safeguards and responding to the agencies’ questions.

Skroupa: In addition to Home Depot, can you offer us some other examples of high profile cases that resulted in class action litigation that put the company on the defensive?

Waters: There have been a number–Target has faced litigation on a number of fronts, including class actions involving individuals and credit card issuers, as well as shareholder derivative suits.  Wyndham is another example of a company who has had to fight on multiple fronts, including shareholder suits and a high profile FTC investigation.  Sony is another high profile case that recently settled.