In addition to new FTC regulations and HIPAA-related requirements, civil lawsuits continue to emerge against companies asserting negligence and other causes of action for poor cyber hygiene. Examining the matter from an economic perspective, defending litigation (regardless of an eventual outcome) will undoubtedly be more expensive in time and resources than investing in cyber defenses.
In the past, courts declined to find “standing” (or the right to sue) in response to a company’s failure to employ cybersecurity defenses. Claims for negligence lacked a standard that the Courts could affix to a defendant’s conduct and the unknown effects of cyber incidents made legal recourse extremely difficult.
Those days are over, and blood is in the water. Think about these two recent examples:
In re Ambry Genetic Data Breach Litigation:
Currently pending in California state court, Plaintiffs are the victims of data breach of Ambry, which provides genetic testing that screens and diagnoses medical issues including hereditary cancer, hereditary cardiovascular disease, neurodevelopmental disorders, and epilepsy. In January 2020, Ambry experience a data breach of personal identifying information and confidential medical information, including diagnoses and Social Security numbers.
The origin of the breach was a hacker that fooled an Ambry employee and received access to Ambry files. Plaintiffs alleged that the breach was the result of poor cybersecurity practices and failure to implement reasonable protections. Now, Ambry faces claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, and failure to mitigate the threat following discovery. The court called Ambry’s invasion of the plaintiff’s privacy “highly-offensive.”
While neither HIPAA nor FTC data security and privacy standards allow individuals to file suit against companies for breaching these federal regulations, this case is yet ANOTHER example of the courts allowing “the violation of a statute, ordinance, or regulation to establish part of that cause of action” and form the standard for negligence. Between the federal regulations protecting the data and Ambry’s representations to its customers of “valuing their privacy,” the court is allowing the breach of implied contract action to stand.
Jerry Everhart, et al v. Colonial Pipeline:
Saturated now with information about the May 2021 ransomware attack on Colonial Pipeline, the event spurred anlax-cybersecurity-practices-create-more-lawsuitsother class action in Federal Court in Georgia. Plaintiffs in the case claim that Colonial Pipeline failed to protect the plaintiffs’ personal identifying information and timely notify them of the breach (more than 90 days). Plaintiffs' alleged injuries include lost and diminished value of their PII, efforts and expenses utilized to remediate damage from the breach, and risk of future injuries. These damages are not as well-defined as those in Ambry.
However, like Ambry, the plaintiffs alleged failure to implement basic cybersecurity precautions, including but limited to failure to use multi-factor authentication for accounts, strong spam filters, configured firewalls, and patch operating systems. Each of these concepts should be standard operating procedures for an entity serving critical infrastructure. Colonial filed a Motion to Dismiss these claims on November 1, 2021, and the result will be interesting.
Make no mistake, legal consequences (particularly in the form of class actions) will follow poor cybersecurity practices and internal policies.