Note: this article was previously posted on Norse’s DarkMatters.
In December 2014, the Court in the Target data breach lawsuits issued a ruling that will impact the future course of data breach litigation (the Order).
In the Order, the Court identified multiple distinct data security duties that Target, as well as other companies, owe their customers and their business associates’ customers. This post discusses those duties.
All of the lawsuits have been consolidated before one federal district court in Minnesota and divided into two categories of cases: (1) the Consumer Cases, brought by the consumer data subjects whose information was compromised; and (2) the Financial Institution Cases, brought by financial institutions to recover the costs they incurred as a result of the breach, such as the cost of issuing new payment cards to Target’s customers.
The Order was limited to certain issues in the Financial Institution Cases but will certainly have an impact on the Consumer Cases, as well as other data breach cases in the future.
How much impact? That remains to be seen, as this body of jurisprudence is continually evolving. However, it is trending towards allowing more and more of these data breach liability claims, and the Court’s rulings in this Order are consistent with that trend.
In the wake of this ruling, we have seen a wide array of commentary, ranging from commentators who grossly overstate its impact to those who treat it as though it had no impact whatsoever. The reality is in the middle.
Takeaway #1: The Court did not find Target liable for anything – at this juncture…
First, it is important to note that this was only a preliminary ruling on what is called a motion to dismiss, not a final ruling on the substantive merits of the case. The Court did not find Target liable and could not have at this early stage of the case.
There are two general components to a lawsuit: the law and the facts. The law is like a framework–the skeleton–that provides the structure for the lawsuit and the legal basis for the claims.
The facts are like everything else–the muscle, tissue, and flesh–that are then applied to the legal framework to give form to the lawsuit.
A motion to dismiss is a procedural device that permits a defendant in a lawsuit to challenge the legal basis for the claims by, essentially, arguing that even if everything the plaintiff says is true, the law does not recognize a cause of action to support the claims on the basis of the facts alleged.
When evaluating a motion to dismiss, the parties do not provide, and the Court does not consider, any evidence. Rather, the Court assumes the facts in the plaintiff’s complaint are true and construes all reasonable inferences from those facts in the light most favorable to the plaintiff.
To survive a motion to dismiss, the plaintiff need only plead enough facts in its complaint to state a claim to relief that is plausible on its face. This is a fairly low hurdle to clear.
The Order concerns Target’s Motion to Dismiss the Financial Institution Cases, and the only thing the Court was deciding was whether the Plaintiffs’ Complaint contained adequate allegations such that, if sufficient evidence is produced later in the case to prove those allegations, they would support the claims alleged.
The Court found that most of the allegations were sufficient. But again, this is not a finding of liability, it is only a finding that the case can proceed to the next level.
Now, to make sure we are clear: while it is premature to say the Court found Target liable, the Court did find that the legal basis for the claims is valid (for the most part) and that, if the evidence produced at trial is consistent with what is alleged, Target could then be found liable under recognized principles of law. As the rest of this post explains, this is not good for Target or for any other company that becomes a victim of a data breach.
Takeaway #2: Companies have a duty to protect certain data from hackers, not disable security devices, and respond when alerted of an attack…
The primary cause of action against Target is general negligence. While the claim in this case is governed by Minnesota law, negligence in Minnesota is like negligence elsewhere. The basic elements of negligence claims are the existence of duty, breach, causation, and damages. The only element at issue at this stage of the proceeding was the existence of a duty.
Target argued that, because the data breach was caused by a third party’s (the hackers) criminal conduct, Target did not have a general duty to protect another (the Plaintiffs) from such harmful conduct unless there was a “special relationship” between Target and the person harmed.
The Plaintiffs argued that Target’s duty was not so limited to only cases of a “special relationship” but instead, “Target’s own conduct, in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm.”
This, according to the Plaintiffs, made Target owe them such a duty. The Court agreed with the Plaintiffs. As the Court ruled,
Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposefully disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s “own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.”
* * *
Plaintiffs have plausibly alleged that Target’s actions and inactions–disabling certain security features and failing to heed the warning signs as the hackers’ attack began–caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered. And Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible.
* * *
Plaintiffs have adequately pled that Target owed them a duty of care, and their negligence claim will not be dismissed on this basis.
The Court identified three distinct duties that Target (and now other companies) have in the data breach context: (1) a duty to safeguard its and its business associates’ customers’ data; (2) a duty to not disable security features that would prevent a data breach; and (3) a duty to heed the warning signs of an attack and respond appropriately.
Companies that do not comply with these duties can expect to be found liable for negligence and required to pay appropriate damages.
Takeaway #3: Regarding their data security capabilities, companies may have certain duties to disclose and not make misleading statements…
In addition to the negligence claim, Plaintiffs sued Target for the tort of negligent omission. The basis of Plaintiffs’ negligent omission claim was the allegation that “Target ‘failed to disclose material weaknesses in its data security systems and procedures’ that it had an obligation to disclose.”
Plaintiffs alleged this obligation to disclose existed because Target knew important information about this issue that the Plaintiffs could not have known. The Court found that Plaintiffs’ allegations supported a claim for negligent omission because “Target held itself out as having secure data systems when Target knew that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack.”
The main point here is that Target is alleged to have had actual knowledge that it had data security vulnerabilities yet held itself out as being otherwise.
Ultimately, what this means is that companies that are aware of particular vulnerabilities in their computer systems may not hold themselves out as having secure data systems–especially after they have taken affirmative steps to disable some of their security features.
Taken together with Takeaway #2, the practical lesson is this: if a company is going to deploy advanced threat detection devices, it must actually use them, and must then recognize and respond to the warnings those devices generate, or else risk being found liable for failing to do so.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.