Target recently agreed to pay $10 million to settle a class-action suit following a massive breach of customer data during the 2013 holiday season.[1] As part of the settlement, Target is required to implement additional security measures by appointing a chief information security officer and establishing a written information security program.[2] This $10 million adds to the $252 million in costs that Target has already accrued as a result of the breach, and the costs continue to mount.[3]
On December 19, 2013, hackers stole over forty million customer credit and debit card accounts from Target when its point-of-sale (POS) terminals were infected with unsophisticated malware.[4] A month later, Target identified that an additional seventy million customer records, including names, phone numbers, and email addresses, had also been stolen.[5] Ultimately, the stolen credit and debit card account numbers were sold on online black markets.[6]
Using a “kill-chain” approach, which argues that continuous network monitoring is more effective than static defense, cybersecurity analysts concluded that there were a number of missed opportunities for Target to prevent this particular attack.[7]
More recently, Sony, having already incurred $170 million in costs after hackers penetrated the PlayStation Network in April 2011 and stole seventy-seven million customer records, was once again the target of a highly publicized attack in December 2014.[8] Through a series of threats and leaks, the hacker group Guardians of Peace (GOP) influenced the cancellation of a Sony movie release, The Interview.[9] Additionally, the circumstances of the attack ignited a firestorm of controversy about attribution, cyber terrorism, and cyber security when North Korea was accused of perpetrating the attack.[10] Sony has stated that the hack has cost the firm only $15 million, despite initial estimates from security experts that it would lose $100 million.[11]
Both examples show that the substantive costs of data breaches are growing and corporate liability is increasing. Recently, the United States District Court for the Southern District of Florida approved one of the first mass data-breach settlements for affected consumers.[12] In that case, AvMed, a health care services company, had unencrypted laptops containing “protected health information” stolen.[13] After the District Court dismissed the class-action suit alleging breach of contract, negligence, and other causes of action for failing to state a claim, the victims appealed the dismissal to the Eleventh Circuit Court of Appeals.[14] The Eleventh Circuit reversed the judgment, holding that identity theft victims had shown sufficient causation when their stolen personal information was used to create new accounts within a ten-to-fourteen month window.[15] Now, a judge has approved a similar settlement in the Target data breach case.[16] This occurred after the United States District Court for the District of Minnesota denied Target’s motion to dismiss on a majority of the claims.[17] This trend may suggest that courts are increasingly willing to rule in favor of consumers affected by data security breaches at the expense of corporations.
The willingness of the courts seems consistent with recent legislative efforts to protect consumers and hold corporations liable for failing to report data breaches. For instance, many states have data-breach statutes that hold individuals and entities liable for failing to notify consumers of a breach in a timely manner.[18] At the federal level, the Personal Protection and Breach Accountability Act of 2014, which would have created severe penalties for companies that failed to report data breaches, was proposed but failed to pass.[19] It also would have required compensation and credit monitoring for victims of data breaches.[20]
With all these changes, it is likely that corporations will commit more resources and attention to protecting sensitive information. However, the balance between the amount of investment corporations are willing to commit to cyber security and the potential costs associated with liability remains a major open question. Adding to the complexity, the role of insurance is still rather obscure. For instance, in Zurich American Insurance Company v. Sony Corporation, the New York court held that commercial general liability policies did not obligate Zurich to defend or indemnify Sony for the 2011 hacks.[21] This contradicts a similar case in California.[22]
To make matters more interesting, recent articles suggest that the deliberately weakened U.S. export-grade encryption of the 1990s is coming back to haunt websites today, because it has left behind potential vulnerabilities that are exploitable.[23]
The interplay between corporations, consumers, insurers, and the government continues to make the allocation of corporate liability in cybersecurity a complicated matter. Consequently, further development in this key area will likely be forthcoming as more data breaches occur.
[1] Peter Cooney & Supriya Kurane, Target Agrees to pay $10 Million to Settle Lawsuit from Data Breach, Reuters (Eric Walsh et al. eds., Mar. 19, 2015) (available at: Reuters).
[2] Id.
[3] Kevin M. McGinty, Target Data Breach Price Tag: $252 Million and Counting, Mintz Levin (Feb. 26, 2015) (Insurance proceeds covered $90 million of the $252 million, for an actual loss of about $162 million in 2013 and 2014.) (available at: National Law Review).
[4] Majority Staff Report for the S. Comm. on Commerce, Science, and Transportation, 113th Cong., A “Kill Chain” Analysis of the 2013 Target Data Breach, 1-2 (March 26, 2014) (available at: S. Commerce).
[5] Id.
[6] Id. at 2.
[7] See id. at 5-11 (discussing the attack timeline and the missed opportunities to identify the threat); see also Doina Chiacu, Target Could Have Prevented Credit Card Hack: Senate Report, Reuters (Mar. 25, 2014) (summarizing the report) (available at: Reuters).
[8] Martyn Williams, Playstation Network Hack will cost Sony $170M, Network World (May 23, 2011) (available at: Network World); Risk Based Security (RBS), A Breakdown and Analysis of the December, 2014 Sony Hack (Dec. 5, 2014) (available at: RBS).
[9] See RBS, supra note 8.
[10] See RBS, supra note 8.
[11] Cecilia Kang, Sony Pictures Hack cost the Movie Studio at least $15 million, The Washington Post (Feb. 4, 2015) (available at: Washington Post); Seth G. Macy, Trend Micro Report: Hack May Have Cost Sony $100 Million, IGN (Feb. 24, 2015) (available at: IGN).
[12] See Jaikumar Vijayan, Court Approves First-of-its-Kind Data Breach Settlement, Computer World (May 17, 2014) (discussing AvMed’s $3 million settlement when several unencrypted laptops containing health information were stolen) (available at: Computer World).
[13] See Resnick v. AvMed, Inc., 693 F.3d 1317, 1322 (11th Cir. 2012).
[14] See Vijayan, supra note 12.
[15] See Resnick, 693 F.3d at 1327-28.
[16] Steve Karanowski & Michelle Chapman, Judge OKs $10 Million Settlement in Target Data Breach, Associated Press (AP) (Mar. 19, 2015) (available at: Associated Press).
[17] In re Target Corp. Data Sec. Breach Litigation, No. 14-2522, 2014 WL 7192478, at *23 (D. Minn. Dec. 18, 2014).
[18] Id. at *9-20; see Va. Code Ann. § 18.2-186.6 (2014) (providing a sample data breach notice law).
[19] Jared Magill, The Crooked Path to Determining Liability in Data Breach Cases, Wired (Mar. 2013) (available at: WIRED).
[20] Id.
[21] Young Ha, N.Y. Court: Zurich not Obligated to Defend Sony Units in Data Breach Litigation, Insurance Journal (Mar. 17, 2014) (available at: Insurance Journal).
[22] See id. (discussing Hartford Casualty Insurance Company v. Corcino & Associates et al.).