Continuing technological advances allow companies to store increasing amounts of personal data about their customers. Maintaining this information can help both companies and consumers, allowing for more tailored customer service without requiring customers to provide the same information repeatedly.
However, recent high-profile events show that digitized data can be vulnerable to physical or electronic theft, exposing personal information to unauthorized third parties and, ultimately, potential identity theft.
These events have sparked a political and legal debate about whether and in what circumstances a company that maintains data can be held liable in a lawsuit for damages when data theft occurs.
Although a company can face consequences for failing to use reasonable measures to protect its customers’ data, current law is inconsistent and not well settled. Political pressure, however, may lead to legislative changes in the relatively near future that give more leverage to plaintiffs who sue over private-sector data security breaches.
The federal Privacy Act allows individuals to sue the government for failure to adequately protect personal data, but there is no counterpart applicable to the private sector.
Companies can be held liable in a broader context — as opposed to an individual lawsuit — in two ways: through enforcement actions by the Federal Trade Commission and through consumer class actions brought by private parties, with state attorneys general also able to sue under state consumer protection laws.
The FTC and Information Security
The FTC is an independent government agency that protects consumers by policing “unfair methods of competition” and “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act, and it has recently focused on information security.
Initially, the FTC only enforced company “privacy policies,” reasoning that a company’s failure to follow its own published policy was a “deceptive act” punishable by the agency. The FTC brought a number of enforcement actions under this theory and forced the companies involved to settle the charges by agreeing to implement a stricter security program, by paying a small fine, or both.
In the settlements, the companies agreed to implement much stricter security programs and periodically retain an independent security standards auditor.
Since 2004, the FTC has expanded its enforcement activities. The agency now claims that a company’s failure to take reasonable measures to protect customers’ personal information is itself an unfair practice in violation of the FTC Act.
In the past two years, the FTC has brought more than a dozen enforcement actions under this theory, with settlements requiring tighter data security measures and payment of fines, as well as the FTC’s legal expenses.
Consumer Class Actions
Consumers often wish to enforce their rights through private litigation, where they can potentially receive financial awards generally not available through FTC settlements. In the past several years, consumers have flooded the courts with lawsuits — primarily class actions — often following FTC action. Many of these cases are still pending; no data breach class action has yet gone to verdict, so the first such verdict would set a precedent.
Although some cases have settled with payments to plaintiffs, litigation in this area is currently problematic for plaintiffs for two reasons:
- As there are no laws providing consumers with a private right of action specifically for a data security breach, consumers must generally rely on state consumer protection, false advertising, implied contract, and fraud laws to bring suit against private companies. These tools are vague, at best, and rarely provide a framework adequate for dealing with data security breaches.
- Data security breaches often do not cause any identifiable or quantifiable harm to the individuals whose information was compromised. In certain cases, courts have therefore labeled the damages claimed by plaintiffs as “speculative” or “nonexistent” and have dismissed the lawsuits because of this defect. However, certain political and legislative developments indicate that the climate could soon change.
The Future of Data Privacy Class Actions
In the past year, the U.S. has seen a movement toward a new privacy regime — the beginning of a chain reaction that could bring about a standard federal data privacy law.
More frequent and more significant breaches have caused increased media attention on data privacy, on the implications of the breaches, and on the lack of satisfactory means to hold companies liable. This, in turn, has led to more aggressive regulation and enforcement by the government, new and proposed privacy legislation, and more consumer class actions.
The trend is clear: Consumers, government actors and legislators are all pushing for greater liability for those responsible for breaches.
Congress and state legislatures have begun considering new laws relating to data privacy and security. With respect to laws on consumer data security breaches, California has taken a lead role.
In July 2003, California Senate Bill 1386 went into effect, becoming the first state law providing for mandatory notification of affected individuals in the event of a breach. Some 30 states have since enacted similar legislation. Although these laws do not provide for a private cause of action, they could still contribute to increased litigation, because more consumers will learn that their data was exposed.
Congress has considered a number of bills introduced to address consumer data security, although none have passed yet. Notable bills introduced by the 109th Congress include the Personal Data Privacy and Security Act of 2005, the Consumer Privacy Protection Act of 2005, the Financial Privacy Breach Notification Act of 2005, and the Information Protection and Security Act. Most of these would create a federal notification law along the lines of California’s, while only one would create a private right of action for consumers.
In addition to these pending bills, Sen. Hillary Clinton, D-New York, announced on June 16, 2006, her intent to introduce legislation providing for a “Privacy Bill of Rights.” The Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, or the PROTECT Act, would give consumers greater rights over the privacy of their personal information.
Notably, the act would provide for a private right to sue and seek damages, and would entail a tiered system of statutory damages. Therefore, the PROTECT Act could overcome some of the current impediments to class action litigation discussed above.
Increased Regulation Possibility
Even though legislation addressing information security liability is still pending in Congress, consumers have already flooded the courts with class action lawsuits over breaches. Should Congress enact legislation that provides for a private right of action, such lawsuits will become more common.
Companies that deal with consumers’ personal information, including large retailers, should prepare themselves for the prospect of increased regulation and enforcement by the government, as well as increased private enforcement through consumer class actions.
Gregory T. Parks, a partner at Morgan, Lewis & Bockius, specializes in commercial litigation, including data privacy and security issues. He can be contacted at [email protected]. Megan E. Adams, a 2006 summer associate at Morgan Lewis, attends Stanford Law School.
This article generally applies to personally identifying consumer data, such as name and address lists, credit card numbers, purchasing history, etc. Specific laws apply to medical data, educational records, electronic communications, and dealings with financial institutions; those laws are not addressed in this article. The information presented herein is not intended to be, and should not be construed as, legal advice. It is intended only as background information.