The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability.
While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:
(1) Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
(2) Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
(3) Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
(4) Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.
(5) Consider arbitration clauses, but do so cautiously.
(6) Consider opportunities to contractually allocate or disclaim liability.
- Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
Cybersecurity litigation claims are rarely limited to challenging the reasonableness of the defendant’s security practices. Instead, plaintiffs and regulators regularly assert claims that the company misrepresented the strength of its practices to consumers, allegedly in violation of consumer fraud statutes or common law principles of misrepresentation. If the entity is a public company, investors may also claim to have been deceived in violation of securities statutes.
Plaintiffs typically rely upon a company’s pre-incident statements about the strength of its cybersecurity measures in support of such claims. Although a company can still defend against such claims by pointing to the accuracy of its statements on the merits, statements about the strength of cybersecurity measures can prevent an early dismissal. For example, in In re Equifax, Inc. Securities Litigation, 357 F. Supp. 3d 1189, 1218-23 (N.D. Ga. 2019), plaintiffs alleged that despite Equifax’s public assurances that it had adequate cybersecurity, its system had numerous easily-exploitable vulnerabilities that resulted in a cybersecurity incident. The court held that the allegations that Equifax’s statements were inaccurate were sufficient to prevent dismissal of the plaintiffs’ securities fraud claim. See id. In contrast, saying nothing about the company’s cybersecurity measures may prevent the plaintiffs from successfully pleading a deception-based claim. See In re Brinker Data Incident Litig., No. 3:18-cv-686-J-32MCR, 2020 WL 691848, at *14, 19 (M.D. Fla. Jan. 27, 2020) (plaintiffs’ failure to identify any misrepresentations resulted in dismissal of their consumer fraud claims).
Sometimes companies are legally required to make disclosures about their security practices, but sometimes they are not. In the absence of a legal requirement, companies should carefully evaluate whether the business case for any statements about their cybersecurity measures justifies the resulting litigation risk. In addition, any such statements should always be vetted to make sure they are completely accurate.
- Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
Arguably, a requirement to have “reasonable” cybersecurity is unconstitutionally vague, because it fails to provide businesses with fair notice of what security measures are “reasonable.” See LabMD, Inc. v. F.T.C., 894 F.3d 1221 (11th Cir. 2018) (overturning an FTC order requiring a company to implement a “reasonably designed” security system because the order did not specify what measures would comprise such a system or how reasonableness would be determined). However, both regulators and private plaintiffs continue to assert claims premised on alleged failures to implement “reasonable” security, making it worthwhile for businesses to assess their practices. On this front, companies can—without conceding that doing so is a required component of “reasonable” security—engage in risk assessments that take into account the costs and benefits of potential enhancements to the company’s security posture and seek to comply with emerging cybersecurity standards such as those found in the Center for Internet Security’s Critical Security Controls, Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17), and New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). While the process of conducting such security assessments can itself create litigation risk, companies can mitigate that risk by taking steps that will support a claim that related documents and communications are privileged, as discussed below.
- Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
Establishing and maintaining the applicability of attorney-privilege and work-product protection to cybersecurity-related documents and communications whenever possible is another issue to keep in mind when assessing cybersecurity litigation risk. Recent decisions have acknowledged that documents and communications are protected by the attorney-client privilege when generated to assist counsel in advising the client on cybersecurity (either pre- or post-incident) and that post-incident documents and communications are also protected by the work-product doctrine when created in anticipation of litigation. Critically, both of these protections apply not only to documents and communications generated by and exchanged with counsel but also cybersecurity experts working at the direction of counsel for the purpose of assisting counsel’s representation of the client. For detailed guidance on company actions that can support or undermine a claim of privilege or protection based on these recent cases, see The Sedona Conference, Commentary on Application of Attorney-Client Privilege and Work Product Protection to Documents and Communications Generated in the Cybersecurity Context, 21 SEDONA CONF. J. 1 (forthcoming 2020), available at https://thesedonaconference.org/download-publication?fid=4828, which members of our cybersecurity litigation team co-authored.
- Recognize that your statements about the incident may be relied on by courts to sustain plaintiffs’ claims.
State laws (and in limited situations federal law) require that businesses disclose certain types of incidents to the individuals whose personal information was involved and/or to regulators. Compliance with these statutes is important because an inadequate or untimely notice could potentially result in liability.
A company’s statements about a cybersecurity incident can be used to support class action plaintiffs’ claims, however. Therefore, companies should closely consider whether and how to make statements that are not legally required and should be careful that such statements do not unnecessarily increase the company’s litigation risk.
Article III standing, for instance, requires a showing that the plaintiff has been injured or faces an imminent injury. In In re Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018), the court cited defendant’s suggestion that its customers should change their passwords on any account where they used the same or similar password as one factor supporting its finding that the plaintiffs had adequately alleged an imminent harm. The Seventh Circuit held that statements about the scope of an incident, Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), as well as an offer of credit monitoring, Remijas v. Neiman Marcus Grp. LLC, 794 F.3d 688, 690 (7th Cir. 2015), supported a finding that plaintiffs faced a risk of harm sufficient to establish standing.
Likewise, anything a company says about a cybersecurity incident it has suffered may be cited as relevant to whether the company experienced an unauthorized access or exfiltration of personal information, which is a necessary component of many cybersecurity claims. Not all security incidents result in unauthorized access or exfiltration. And yet, plaintiffs will strain to interpret any acknowledgement of a cyberattack as a concession that such access or exfiltration has occurred. Accordingly, companies should carefully evaluate whether and how to make any statements about a security incident that are not legally required and should be careful not to overstate the facts in such disclosures.
- Consider arbitration clauses, but do so cautiously.
Private cybersecurity litigation is typically brought in the form of a class action, which potentially exposes companies to enormous litigation costs in addition to potential liability to the proposed class. Arbitration offers a potential alternative to avoid this exposure. As the Supreme Court has noted, for example, individual arbitration involves “lower costs, greater efficiency and speed, and the ability to choose expert adjudicators to resolve specialized disputes.” Stolt-Nielsen S.A. v. AnimalFeeds International Corp., 559 U.S. 662, 685 (2010).
Recognizing the strong federal policy of encouraging arbitration under the Federal Arbitration Act, a number of putative cybersecurity class actions have been dismissed or stayed in favor of arbitrations. See, e.g., Gutierrez v. FriendFinder Networks, Inc., No. 18-cv-5918-BLF, 2019 WL 1974900 (N.D. Cal. May 3, 2019); Yu v. Volt Info. Scis., Inc., No. 19-cv-1981-LB, 2019 WL 3503111 (N.D. Cal. Aug. 1, 2019). Accordingly, companies should consider including in their agreements with consumers and employees a mandatory arbitration clause with a class action waiver that is broad enough to include disputes over cybersecurity incidents.
However, at least one recent decision highlights the potential for significant costs associated with individual arbitration claims. In Abernathy v. DoorDash, Inc., No. C 19-7545 WHA, 2020 WL 619785, at *1 (N.D. Cal. Feb. 10, 2020), almost 6,000 DoorDash employees filed individual arbitration claims in the AAA, complaining that they had been improperly classified as contractors, not employees. After DoorDash refused to pay the $12 million in fees it allegedly owed for the arbitrations, the court granted plaintiffs’ motion to compel arbitration (and to require DoorDash to pay the associated fees). See id. at *3.
DoorDash was an employment case, and signing up a substantial number of consumers for a mass arbitration following a cybersecurity incident may be significantly more difficult than signing up employees/contractors. Nevertheless, while companies should closely consider arbitration provisions, the ultimate strategy chosen should take into account the risks associated with mandatory arbitration.
- Consider opportunities to contractually allocate or disclaim liability.
Before a cybersecurity incident occurs, companies should understand the types of losses an incident may cause them to incur, review whether their current insurance portfolio covers such costs, and adjust as appropriate. Specialty cyber insurance policies can provide coverage not only for exposure to litigation and regulatory investigations but also out-of-pocket costs to respond to a cybersecurity incident (including investigation and notification costs), to recreate lost data or deal with ransomware demands, and lost income from a business interruption. While companies are increasingly investing in cyber insurance policies, in some cases those policies have excluded coverage for loss categories that were predictable pre-incident. See, e.g., P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016) (policy exclusion for claims incurred by contractual obligation held to preclude breached merchant from recovering for payment card brand assessments it had committed to pay in its agreement with a payment processor).
Similarly, companies should review contracts with their vendors and service providers to be aware of limitations or disclaimers of liability for cybersecurity issues as well as to identify opportunities to allocate their own liability risk. For example, in Affy Tapple, LLC v. ShopVisible, LLC, No. N18C-07-216 MMJ CCLD, 2019 WL 1324500, at *2-3, 6 (Del. Super. Ct. Mar. 7, 2019), an e-commerce vendor successfully disclaimed all extra-contractual warranties concerning cybersecurity, and the court reserved for later decision whether the vendor successfully limited the remedy for breach of its express warranties to repair and replacement.
 Brinker refused to dismiss the plaintiffs’ implied contract claims, however. See id. at *5.
 The AAA, like many arbitration organizations, requires the company to pay the lion’s share of the fees in consumer and employee arbitrations.