United States: Cyber Suit Circus

(November 3, 2022) - David Ross and Sean Russell of Wilson Elser examine how businesses should prepare and respond to a cyberattack.

With each passing week, businesses large and small continue to be victimized by cyberattacks with no end in sight. In the hope of mitigating adverse investigatory findings and fines, they must stand ready to comply with the rigorous requirements to notify regulators and impacted inpiduals and entities. In the "cyber suit circus" that has become part of the legal landscape in the United States, complying with these requirements unfortunately acts as a spotlight inviting class action lawsuits, even if the only known victim that has suffered any financial harm is the business.

Businesses need to respond to a cyberattack quickly and efficiently to prevent follow-on issues or disruptions. Part of that process will include determining who needs to be notified and when, and to do so in a constantly evolving framework of data breach statutes and regulations. After a cyberattack, businesses also need to anticipate the likelihood that plaintiffs' attorneys will race to find a potential plaintiff and run to the courthouse to file a class action lawsuit. In this circus-like environment, several considerations may be helpful to keep in mind.

Is your business a target?

As one U.S. federal court observed several years ago, there are "only two types of companies left in the United States, according to data security experts: 'those that have been hacked and those that don't know they've been hacked.'"¹ Recent years have seen a significant increase in the threat of cyberattacks such as ransomware.² It is not uncommon for a cyberattack to make the news when it affects a large company.³ It is far less common for cyberattacks on small and medium-sized businesses to be brought to the attention of the media or general public — until those businesses provide required notice.

One development is clear: the size of a business does not provide insulation from a cyberattack. Small and medium-sized businesses are at a great risk of falling victim to a cyberattack.⁴ According to:

• The U.S. Small Business Administration, small businesses are targeted by cybercriminals because they have information cybercriminals want and typically lack the cybersecurity that larger businesses have.⁵
• A report from Barracuda Networks, an employee of a small business with less than 100 employees is more than three times more likely to be targeted by social engineering attacks than an employee of a large business is to be targeted by cybercriminals.⁶
• The United States Cybersecurity and Infrastructure Security Agency, a trend in 2021 showing "ransomware threat actors redirecting ransomware efforts away from 'big-game' and toward mid-sized victims to reduce scrutiny."⁷
• A report by Mandiant, a cybersecurity firm, the top industries under attack are business and professional services, financial, retail and hospitality, health care and high tech.⁸

These businesses often are targeted for their highly sensitive information such as payment card information, personal identifiable information and personal health information. If a business handles this type of information, it is at increased risk. A business that recognizes it may become the next victim of a cyberattack and understands the framework for responding to such an attack will benefit greatly in the long run.

Complying with notice requirements

Although data breach notification invites lawsuits, businesses should adhere to notice requirements following a cyberattack or risk being subjected to an adverse government investigation and fines. Such an outcome also would increase the publicity of the cyberattack and expose the business to additional claims.

Required notification depends on the type of business, the information at risk and the state where transactions take place. For instance, HIPAA-covered entities and their business associates must comply with the HIPAA Breach Notification Rule, requiring notification following a breach of unsecured protected health information.⁹ If the breach involves 500 or more inpiduals, the entity must notify the Secretary of Health and Human Services (HHS) and the impacted inpiduals no later than 60 days following the discovery of the breach.¹⁰

Failure to provide required notices could result in heavy fines and increase the probability of an investigation. These breach notifications also require expansive information describing the breach, the types of information involved, the steps affected inpiduals should take to protect themselves; a description of what the entity is doing to investigate, mitigate and prevent future breaches; and the contact information for the business.¹¹

Entities that collect or process personal health records for consumers but are not subject to HIPAA as a covered entity or business associate have to issue notice pursuant to the Federal Trade Commission's (FTC's) Health Breach Notification Rule when there has been unauthorized acquisition of unsecured personal health records. Businesses that fail to comply with the rule could be subject to penalties up to $46,517 per violation per day.¹²

Notice must go to affected inpiduals and the FTC, and, if there are more than 500 residents in a particular state, the entity must issue a media notice.¹³ The notice to inpiduals and the FTC must be within 60 days after discovery of the breach. If the personal health records involve more than 500 inpiduals, the notice to the FTC must be within 10 days after discovery of the breach.

The contents of the notice are similar to the HHS notice such that it must describe the details of the breach, the type of personal health records potentially impacted, steps inpiduals can take to protect themselves, steps the entity took to mitigate the risk and how the entity can be contacted by inpiduals.

In addition to the HHS and FTC requirements, various states have in-depth data breach notice requirements. For example, California requires a business to notify any California resident whose (1) unencrypted personal information was acquired or reasonably believed to have been acquired by an unauthorized person, or (2) encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key is reasonably believed to have been acquired.¹⁴

If the business is required to issue a security breach notification to more than 500 California residents, the entity must notify the California Attorney General with a sample copy of the notification.¹⁵ The notification must be written in plain language and include: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do" and "For More Information."¹⁶

The information businesses are required to provide to federal regulators, state attorneys general and inpiduals in the data breach notification is mandated, but it opens the door for plaintiffs' attorneys to file class action lawsuits against the victimized business. The requirement to inform inpiduals of the steps they should take to protect themselves has been used against businesses to attempt to show damages. In a recent California appellate court decision, the court allowed special contract damages, citing that the defendant's own "notice of data breach encouraged patients to monitor their credit and financial accounts to protect against harm resulting from the breach."¹⁷

The circus-like race to the courthouse

It is not surprising that the number of data breach lawsuits, specifically costly class actions, have drastically increased with the uptick in cyberattacks on businesses and the aggressive push for legal reform requiring data breach notifications.

Plaintiffs' attorneys race to court shortly after a business suffers a cyberattack to become the first to file what are often seen as cookie-cutter complaints because they merely duplicate earlier filed data breach complaints. They contain nothing new more than a few short paragraphs on an enlisted plaintiff, who often has not suffered any real tangible injury, and material lifted from the required data breach notification.

This rush to file will continue to decrease the time between when a business falls victim to a cyberattack and then victim to a plaintiff's lawsuit. Therefore, it is important for a business to be prepared to face litigation shortly after suffering a cyberattack.

Take proper steps to protect your business

It is imperative for a business that falls victim to a cyberattack to take immediate steps that include:

• "Securing systems and fixing any vulnerabilities related to the breach¹⁸
• Contacting any applicable insurance carrier immediately
• Assembling an incident response team, including legal counsel, to conduct a comprehensive breach response¹⁹
• Engaging legal counsel well versed in data breach class action litigation.

Businesses should understand that responding to a cyberattack is important, but statements made during this process (and potentially the timeline involved in providing notification) will likely be referenced by plaintiffs' counsel in the filing of a rapid complaint. Involving counsel early, and being familiar with the common allegations and plaintiffs' reliance on information provided in the data breach notification process, will enable a response to the cyberattack that minimizes risk to the extent possible and can assist in developing defenses early on for a future class action.

Prepare for potential litigation

There are several key factors to consider when investigating and responding to a cyberattack that will play a crucial role in any potential litigation moving forward.

Determine the number of potentially impacted inpiduals.

An investigation can be costly, especially if it requires data mining. Notifying all customers instead of determining the exact number of potentially impacted inpiduals may be cost-effective, particularly at the outset of responding to a cyberattack. However, it can have expensive consequences if litigation arises from the incident and if the cyberattack impacted a much smaller subset.

Plaintiffs' counsel frequently will assert that the size of a class in a class action is everyone who received notice of the data breach. It is prudent to undertake a careful cost-benefit analysis between notifying a universe of inpiduals or entities and the cost, time and effort to determine, if possible, the actual inpiduals or entities potentially impacted by the cyberattack.

Determine what type of information was potentially compromised.

A business may seek to reduce the short-term cost by listing all information that it collects, rather than what information was potentially impacted by the cyberattack. This too, however, can have significant consequences for reporting to regulators as well as in any future litigation. An over-inclusive list of information will be used against the business in litigation and may result in much more expensive class action litigation. Again, a careful cost-benefit analysis of cost, time and effort is essential.

Be consistent with the timeline of the data breach.

Regulators and state attorneys general require details of the cyberattack. Those details include the date of the breach, the date the business became aware of the breach and when the business notified inpiduals of the breach. It is important to track these dates carefully. Any inconsistency in these dates could trigger or become an issue in a government investigation and be used against the business in litigation.

Given the cyber-circus atmosphere, it is vital for a business to anticipate the regulatory and litigation consequences of a cyberattack. While a business world without the circus-like legal landscape would be ideal, until that time arrives businesses are best served by having a plan ready now.

Footnotes

1. Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 360 (M.D. Pa. 2015) (citation omitted).

2. 2021 Trends Show Increased Globalized Threat of Ransomware, CISA (February 9, 2022), https://bit.ly/3SVNikp

3. Biggest Data Breaches in U.S. History [Updated 2022], Kyle Chin (August 5, 2022), https://bit.ly/3zyFdeK

4. How aligning security and the business creates cyber resilience, Accenture (2021), https://accntu.re/3DLEOH9

5. Strengthen your cybersecurity, U.S. Small Business Association, https://bit.ly/3DScR1B

6. Spear Phishing: Top Threats and Trends (March 2022), https://bit.ly/3fpWGis

7. 2021 Trends Show Increased Globalized Threat of Ransomware, CISA (February 9, 2022), https://bit.ly/3SVNikp

8. M-Trends 2022, Mandiant (2022), https://bit.ly/3NnkxvO

9. 45 CFR §§ 164.400-414.

10. Id.

11. Id.

12. Health Breach Notification Rule: The Basics for Business, FTC (January 2022), https://bit.ly/3Wlrb9X

13. 16 CFR §§ 318.1-6.

14. California Civ. Code s. 1798.82(a).

15. California Civ. Code s. 1798.82(f).

16. California Civ. Code s. 1798.82(d).

17. Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 534 (2022).

18. Data Breach Response: A Guide for Business, FTC (February 2021), https://bit.ly/3FAs0G3

19. Id.

Originally Published by Westlaw Today

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.