It seems every week another major data breach occurs only to be quickly followed by a class-action lawsuit. In reviewing any of these suits, one can easily see that the major complaint from the plaintiffs is that the breached company failed to implement "reasonable security." Therefore, it would seem logical that if the breached companies could show they had implemented "reasonable security," then the lawsuits could be avoided or easily defended. Unfortunately, no definition or standard for "reasonable security" exists.
If you suffer a breach, what are the ramifications: potential class-action lawsuit and/or an investigation and fines by a regulatory agency? At this point, most, if not all, companies should assume they cannot prevent a breach and, in fact, should assume a breach is inevitable. While speaking at the RSA conference in San Francisco in 2012, FBI Director Robert Mueller stated, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Despite the inevitable breach, is it possible to avoid lawsuits by disgruntled customers or investigations by regulatory agencies? Maybe. Can you successfully defend against them? Most likely!
The common factor in most data breach class-action lawsuits and investigations by regulatory agencies is the allegation that the breached company failed to implement reasonable security or protections to prevent the breach. It logically follows that if you implement reasonable security and protections, you should be able to confidently defend your security practices and actions.
If you haven’t thought about what constitutes reasonable security lately, or possibly ever, the time to do so is right now. Most of us have become numb to the weekly news reports of another data breach and the report of a class-action suit being filed shortly thereafter. In fact, less than 24 hours after the Anthem breach was publicly acknowledged, a lawsuit was filed. Sadly, these reports are only a small percentage of the actual number of breaches. Realistically, the number is closer to two or more a day. According to the Identity Theft Resource Center (ITRC) Data Breach Reports, once a company is outed as having been breached, the potential for damage to the company’s reputation and the threat of a lawsuit hangs in the air.
These are not the only threats plaguing breached companies. Many companies have also found themselves suddenly being investigated and possibly fined by regulatory agencies such as the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Health and Human Services (HHS) or a State Attorney General.
Since most of the data breach class-action suits and regulatory investigations claim breached companies did not implement reasonable security or protections, it is logical to assume that reasonable security is the antidote to getting sued or fined. This article will look at some of the claims and allegations made in the lawsuits and agency findings as well as the requirements or guidance provided by regulatory agencies and states in order to develop a clear definition and standard for reasonable security. Here is the spoiler alert: there is no clear definition for reasonable security or any standard one could point to that will prevent a breach or allow a breached company to completely avoid all lawsuits or regulatory investigations.
Class-Action Compliance Failures
I researched a sampling of companies such as Target, Home Depot, Anthem, Experian, Trump Hotels, and Wendy’s. The companies in the 13 class-action suits had not implemented basic security or even some form of best practices. According to the allegations, here are some of the areas they failed in security:
• Use of encryption
• Destroy sensitive information
• Use good passwords
• Use a firewall or improperly configured the firewall
• Use or failed to properly update anti-virus
• Implement good vendor security
• Segment networks separating sensitive information from common or public networks
• Implement adequate intrusion detection systems
• Notify customers in a timely manner
• Outdated software/hardware
• Unsecure environment to accept, process, or store credit card information