Class Action Implications of Cybersecurity Incidents

A major data breach is often followed by class action lawsuits, which can be costly and create risk and uncertainty at a time when the company is still dealing with the fallout from the incident. In this episode, Justin Wolosz, a partner in Choate’s Complex Trial and Appellate Litigation Group, and Adam Bookbinder, a partner in Choate's Government Enforcement & Compliance Group, discuss implications of class action lawsuits following data breaches and how companies can anticipate and minimize risks.

Transcript

Welcome to Choate’s Litigation Updates. A podcast series hosted by our trial attorneys covering current litigation issues in life sciences, financial services, healthcare, consumer products, and private equity.
Justin Wolosz: In today’s podcast we’re going to discuss something that often follows a data breach but gets less attention early on than the immediate technical and operational issues – a class action lawsuit on behalf of the individuals who had their data compromised.

My name is Justin Wolosz and I am a partner in Choate’s Complex Trial and Appellate Litigation Group. I handle a wide variety of civil litigation and one area of focus is consumer class actions. Joining me today is Adam Bookbinder, a partner in our Government Enforcement Group. Before joining Choate, Adam spent 18 years in the U.S. Attorney’s Office in Boston and was the Chief of the Office’s Cybercrime Unit. Adam, can you outline the problem we’re going to talk about today?

Adam Bookbinder: Happy to do that, Justin. So, a data breach is a real crisis for a company that is affected by it, and understandably there is a lot of focus on the immediate responses to the problem, including things like getting the threat actors out of the network and assessing and repairing the damage that they have caused – whether that is technical, PR, customer relations, or other kinds of damage. It is easy in the middle of a crisis like that to overlook the fact that the people whose data has been accessed or stolen may file civil litigation – a civil lawsuit, including a potential class action – and that is starting to happen more and more frequently. These days any major data breach is followed by one or maybe several class action lawsuits, and these can be costly and can create risk and uncertainty at a time when the company is still scrambling to deal with the practical fallout of the incident with regulators, with customer complaints, and other things.

So, before we talk more about this, let me just say a couple of things about class action suits. These are lawsuits filed not on behalf of just one or a couple of people who claim they were adversely affected by a data breach. They are filed on behalf of everyone who was affected. At least that’s their attempt: to represent the entire group of people affected by an incident. And because of that, these are generally not suits that start when one or a couple of people go and find a lawyer who can represent them. Instead, these suits generally are initiated by plaintiffs’ counsel who for a living bring these kinds of lawsuits on behalf of classes and individuals. They find a situation which they think may give rise to this kind of a suit, and then they go out and find plaintiffs who they can represent in bringing the suit. The claims that they include generally include negligence – an allegation that the company should have done a better job in preparing for and preventing this kind of an incident – and oftentimes unfair business practices, where they will allege that the company may have misrepresented the state of its security.

So, Justin, can you talk a little bit now about some of the things that companies can do to begin to manage this kind of litigation even before a suit is filed, and maybe even before there is a data breach at all?

JW: Well, even when a company has not suffered a data intrusion, it can be helpful to think through how certain issues would play out if it did face an intrusion and if class action litigation followed. So, for example, we recommend that clients review the agreements that govern the relationships with customers or others who have provided personal information. This is often the terms and conditions of a client’s website; consider how they will apply in the event of a data intrusion class action lawsuit. One critical question in connection with that review is: is there an arbitration clause? Arbitration can have many advantages. It is often more streamlined and efficient and lower cost, but the law on interpreting arbitration clauses sometimes evolves. So, timely review of an arbitration clause in light of current law can be important. Another related point to consider is: do the terms address class action status or possible class arbitration? The Supreme Court has said that unless there is clear intent to allow class arbitration, an arbitration has to proceed on an individual basis, meaning there would not be a class, as Adam was just discussing, if the clause fits within that principle. It is also worth considering whether there are other provisions that attempt to address data breach liability directly, or whether there are other policies that might affect data intrusion litigation – for example, the company’s privacy policy, or user name and password requirements and what the company says about them.

And finally, you will want to take steps to ensure that the terms and conditions, and really all policies, are enforceable. You know, ensure that any acknowledgment by the customer is sufficient to bind them to the agreement. Make sure that the terms and conditions are hyperlinked on key pages, or all pages, of a website.

Each of the things that I just discussed really needs to be considered together with the applicable law, so that the intent is achieved in a way that is enforceable in the event of data breach litigation.

Adam, can you talk about some of the steps companies can take immediately after a data breach to reduce their class action risks down the road?

AB: Yes, I mean they have to start – somebody has to start – by addressing the immediate issues. They have to take steps to protect the data that they have – particularly customer data – from further exposure. So that might mean a broad password reset, requiring everybody to change their password. It might mean installing and mandating the use of multifactor authentication if that is not already in place, and then taking other kinds of cybersecurity steps to make sure that this incident doesn’t continue and doesn’t happen again. Companies are also going to have to consider whether to notify their customers about what had happened. They may well want to do that, but they often will want to wait until they at least have the basic facts down – they know what has happened. In the initial first days after an incident, those facts are often very unclear. The other thing that companies are going to want to do is satisfy any reporting requirements they have – whether under state law or potentially international obligations to, for example, the EU under the GDPR to report the incident. So, those are things they’ve got to do right away, but they also need to involve their legal team before taking any of these steps.

Justin, do you want to talk a little bit more, based on your experience, about why it’s important to involve, in particular, litigation counsel early in the data breach response?

JW: Absolutely. So, you want experienced counsel working with you to make sure that the regulatory and reporting responses that Adam was just talking about consider the possibility of a class action lawsuit. You have to remember that plaintiffs’ lawyers are watching closely. They will examine every statement and try to gain any advantage they can. You don’t want to be caught helping plaintiffs because of something as simple as an unartful word choice. And then, relatedly, you will want to consider with counsel whether there are early steps you can take to limit damages that customers might face, but also to help satisfy their concerns in the hope of avoiding a lawsuit. You can consider other offers that companies have made, like credit monitoring. But again, you are going to want to consider that with counsel, because some courts have found that an offer of credit monitoring can be an acknowledgment that customers are at risk of identity theft. And you will want to consider how to document any offer together with counsel, so that you maximize the chance that a plaintiff can’t turn your offer, or the disclosure you made with it, into evidence that they’ll attempt to use against you in class action litigation.

Well, that concludes our discussion today. Thanks for joining me in this discussion, Adam, and thanks to all of you for listening.
The information presented in this recording is for educational purposes only. It does not constitute legal advice for a specific situation. If you wish to obtain legal advice, you should retain an attorney and explain the facts of your particular situation.