Learning From Data Breach Cases To Reduce Legal Risk

Print PDF Icon
Authored by Anjali Jenna (AJ) Teigen for Law360

The average cost of a data breach is on the rise.

According to the 2022 ForgeRock Consumer Identity Breach Report, the average cost in 2021 of recovering from a data breach in the U.S. is $9.5 million — an increase of 16% from the previous year.

Lawsuits and regulatory fines are a significant factor contributing to the growing cost. This year, several notable class action settlements have been announced, including T-Mobile for over $350 million, the U.S. Office of Personnel Management for $63 million and the Ambry Genetics Corp. for over $12.25 million.

This article looks at the alleged security failures in recent data breach litigations and proposes steps companies may consider to help reduce the legal risk of a data breach.

Recent Examples

In 2021, T-Mobile suffered a data breach that compromised personally identifiable information, or PII, for more than 54 million current, former or prospective customers.

According to the complaint, John Erin Binns accessed the data through a misconfigured gateway GPRS support node. Binns was then able to gain access to the production servers, which included a cache of stored credentials that allowed him to access more than 100 servers.

Binns was able to use the stolen credentials to break into T-Mobile's internal network. According to the complaint, T-Mobile failed to fully comply with industry-standard cybersecurity practices, including proper firewall configuration, network segmentation, secure credential storage, rate limiting, user-activity monitoring, data-loss prevention, and intrusion detection and prevention.

After learning about the breach, T-Mobile publicly announced the data breach and sent notices via brief text messages. Allegedly, T-Mobile's text messages explicitly told some customers that their Social Security number had not been comprised.

But, by contrast, T-Mobile's messages failed to inform customers whose Social Security number had been compromised of this fact.

As part of settlement of the class action, T-Mobile agreed to pay $350 million to customers and to boost its data security spending by $150 million over the next two years. T-Mobile also reached a $2.5 million multistate settlement with 40 attorneys general.

In 2013 through 2014, a cyberattack on the Office of Personnel Management resulted in data breaches affecting more than 21 million people, which is reported as among the largest thefts of personal data from the U.S. government in history.

The Office of Personnel Management allegedly failed to comply with various Federal Information Security Modernization Act requirements, to adequately patch and update software systems, to establish a centralized management structure for information security, to encrypt data at rest and in transit, and to investigate outbound network traffic that did not conform to the domain name system protocol.

The Office of Personnel Management agreed to pay a $63 million settlement with current, former and prospective government workers affected by the breach.

In January 2020, the systems of Ambry Genetics, a state-of-the-art genetic testing laboratory, were hacked, which exposed PII and protected health information of its patients.

According to the complaint, Ambry Genetics failed to take standard and reasonably available steps to prevent the data breach, including failing to encrypt information and properly train employees, failing to monitor and timely detect the data breach, and failing to provide patients with prompt and accurate notice of the data breach.

Ambry Genetics agreed to settle the class action litigation for $12.25 million plus three years of free credit monitoring and identity theft insurance services to the proposed class.

Settlement participants can also submit a claim for up to $10,000 in reimbursement for out-of-pocket costs traceable to the data security breach and submit a claim for up to 10 hours of documented time dealing with breach issues at $30 per hour.

These key data breach litigations highlight the risks of insufficient security measures and insufficient notice to affected customers in the event of a breach. To help reduce the legal risk, we suggest the following.

Limit the scope of data collection and retention to only what is necessary.

Companies should analyze business practices to determine what PII is collected, the purpose of the collected PII and how long that PII needs to be retained.

The risk and liability of a data breach can be limited by restricting collected PII to only what is necessary and discarding that data once it is no longer necessary. Document the collected data to ensure it is periodically reevaluated and discarded at the appropriate time.

Implement reasonable industry-standard security measures.

Reasonable, basic security measures generally stem from industry standards and practices, regulations and guidance, and federal and state laws.

As some examples, recent data breach litigations highlight the following as reasonable, expected security measures:

  • Encrypting sensitive data;
  • Implementing multifactor authentication;
  • Patching and updating software systems;
  • Securing cached information and login credentials;
  • Monitoring the network for threats; and
  • Responding to security incidents.

Implement a comprehensive security program and team with oversight and input from company leadership.

Companies should build a security team that is responsible for setting security policies and procedures, documenting and managing the collected data, assessing the risk of a data breach, applying security controls, training employees on data security awareness and policies, monitoring for potential data breaches, and auditing the effectiveness of the security program.

The security team should have support from leadership and typically includes an interdisciplinary team of stakeholders across a business, including the information technology department that is well-versed in computer technology and data security, legal to monitor and ensure compliance with data protection laws and mitigate legal risk, and a lead privacy or data protection authority — e.g., a chief data protection officer.

The team should develop and be prepared to follow a strategy to address a suspected data breach or security incident, including fixing vulnerabilities that may have caused a breach, preventing additional data loss, fixing vulnerabilities the breach may have caused and notifying appropriate parties.

The team should ensure the response strategy is up-to-date with state and federal laws.

Be accurate in public disclosures and notices.

All 50 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving PII.

The notice generally should include how the breach happened, what information was taken, how the thieves have used the information, if known, what actions the business has taken to remedy the situation, what actions the business is taking to protect individuals — e.g., offering free credit monitoring services — and how to reach the relevant contacts in the business.

Failing to accurately report the breach — for example, failing to accurately identify what data was compromised — to customers could result in liability for the company as well as personal liability for senior employees and executives responsible for responding to the data breach.

Conclusion

Taking these preventative measures to secure PII, maintain compliance with data protection guidelines and laws, and develop a plan to address and respond to a suspected breach can help businesses to reduce the likelihood of potential civil liability.

This article was originally published in Law360's Expert Analysis section on December 7, 2022. Read more at: https://www.law360.com/articles/1555322. 

Jump to Page

By using this site, you agree to our updated Privacy Policy and our Terms of Use.