When a data breach occurs, the guilty party—a fraudster or criminal syndicate— is often nowhere to be found. Who bears the loss from a breach perpetrated by a fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data? Often, the loss initially falls on the financial institution through account or card agreement provisions or deadlines imposed by statutes or regulations. Can a financial institution recover these losses from a business with whom it has no contract? This depends on which law applies.
Which law applies for data breaches?
While statutes require banks and their vendors to protect customers’ Personally Identifiable Information (“PII”), the obligation of other businesses to do so is not as well defined. Regulatory obligations to protect data vary by industry and geography. In the U.S., the Graham Leach Bliley Act (“GLBA”) requires parties classified as “financial institutions” (including check cashing businesses, payday lenders, non-bank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit card reporting agencies) to protect PII. The Federal Trade Commission Act, Fair Credit Reporting Act, the Disposal of Consumer Report Information and Records, Fair and Accurate Credit Transactions Act of 2003, Standards for Safeguarding Customer Information, or the Privacy of Consumer Financial Information govern some industries. The General Data Protection Regulation (GDPR) imposes responsibilities on companies that collect and maintain data belonging to individuals within the EU. The New York Cybersecurity Regulation applies to financial service industries required to operate under a license, registration, charter, permit or accreditation by New York law.
Yet many businesses outside of these industries and geographical areas collect and retain PII. Retail stores, on-line vendors, insurance agencies, life insurance companies, leasing companies, storage facilities, doctor’s offices and restaurants all collect and retain PII. Retail stores in the U.S. may do business in all fifty states or across international borders. While a breach may affect consumers and banks all over the country, the notification requirements depend on the law where the impacted individual is located. There is no federal statute setting a national standard for notification obligations. All fifty U.S. states now have statutes requiring private or governmental entities to notify individuals of security breaches, but they vary from state to state. Many states also have consumer protection statutes imposing obligations on businesses to protect consumer privacy.
Relying on common law for data breach losses
Most regulations do not provide a private cause of action for a breach of a duty. As a result, claimants in data breach cases rely in part on the common law of the states, i.e. that law comprised of judicial decisions. Claimants typically sue a non-contractual party for negligence (the “failure to exercise the standard of care that a reasonably prudent person would have exercised in a similar situation”) in failing to protect the data; breach of duty arising under a “special relationship” between non-contracting parties; or an “implied” contract between parties. The common law varies from state to state, however, creating disparities in the ability to recover. Some states recognize a common law duty to protect confidential data. Others do not. A key question in the ability to recovery, therefore, is which state’s law applies?
That issue arose in Veridian Credit Union v. Eddie Bauer, LLC., where an Iowa-chartered credit union sued a corporate citizen of the state of Washington. Plaintiff alleged that hackers accessed Eddie Bauer’s point of sale (“POS”) systems, stole credit and debit card data and sold it to individuals who made fraudulent transactions on those payment cards. Washington had a statute regarding cyber-intrusion; Iowa did not. The common law was also different between the two states. The judge decided that Washington law should apply, noting that Eddie Bauer was a corporate citizen of Washington and the interests of Washington consumers were affected.
Recovering damages from data breach
The amount and type of damages that can be recovered also varies from state to state. In Independent Community Bankers of America v. Equifax, Inc., the plaintiff banks claimed damages for the administrative costs to cancel and replace customers’ payment cards and the cost of protective measures to reduce risk of identity theft. In addition, the banks sued to recover losses from loan and deposit account fraud, fraudulent activity related to stolen identities and misuse of PII and payment card data covering fraudulent purchases. These are out-of-pocket losses.
A data breach, however, may not result in an immediate financial loss. Can a consumer recover damages for an increased risk of data theft? Plaintiffs make that argument in Beekman v. Lord & Taylor, LLC, where a criminal syndicate that obtained customers’ debit and credit card information from Lord & Taylor threatened to release it for sale on the dark web. The plaintiffs sued for damages based upon an “increased risk” of identity theft and a “deprivation of the value” of their PII. The Delaware court has not ruled on this claim. The Ninth Circuit, in Stevens v. Zappos.com, Inc., found the heightened threat of a loss was sufficient to allow the plaintiffs to file suit, particularly since some consumers had already suffered losses from the breach. For cases based on Article III of the U.S. Constitution, however, federal circuits are split on whether a consumer has standing to bring suit.
Need for consistent ability to recover data breach losses
The ability to recover data breach losses from non-contacting parties depends, therefore, on the jurisdiction where the financial institution or consumer is found; the federal and state statutes and regulations applicable to a particular industry, and the common law of forum state. Until statutory guidance is provided by Congress; or a uniform standard is adopted by the majority of the states; or a consistent body of common law is developed (a process that can take many years), there is likely to be a great deal of inconsistency in the ability to recover losses from data breaches caused by a non-contractual third parties’ failure to protect confidential data. The law in this area likely will lag behind this rapidly changing technology. For now, the ability to recover losses from a data breach will need to be evaluated on a case by case basis.