Data Breach Class Action Lawsuits are Rising; It Is Now Critical to Understand “Reasonable” as a Standard that Separates Defensible Practices from Negligence

The frequency and severity of successful cyberattacks are causing a significant and rapid change in organizational incident reporting and accountability…and an onslaught of class action litigation.

As commonly detailed in class action filings, breached organizations are now being accused of “intentionally, willfully, recklessly, or negligently failing to implement and maintain adequate and reasonable measures”.

The impact of stolen data is no longer in question

Six years ago, the American Bar Association posted an article, “Emerging Legal Issues in Data Breach Class Actions,” exploring the changing nature of class action litigation around data breaches. The authors noted that, up until that time, judgements could easily fall in favor of the breached organizations because plaintiffs failed to prove they had been, or were in imminent danger of being, harmed as a result of the breach.

As stated in the 2013 Clapper vs. Amnesty Int’l USA case before the Supreme Court, “Allegations of possible future injury are not sufficient.”

How times have changed.

Today, that argument has weakened substantially in face of an intensifying barrage of data breaches, the explosive growth in identity theft related to that stolen data, and the dramatic escalation of financial loss for ID theft victims.

According to Governing magazine’s report on the Identity Theft Resource Center’s annual report, U.S. companies recorded 3,205 data breaches in 2023, an all-time record and a stunning 78% increase from 2022, impacting 353 million known victims.

Significantly, cyber-attacks accounted for the vast majority of those breaches.

“In fact,” according to James E. Lee, chief operating officer of the resource center, “there were more data breaches caused by cyberattacks last year, 2,365, than the previous record for all types of compromises in a single year.”

It is no longer possible to ignore the clear connection between cyber-attacks, data breaches, and the threat of imminent harm to victims. The fact that Personally Identifying Information (PII) used in identity theft can be sold for more than $1,000 on the dark web belies the notion that no harm will come from its exposure: once it is in the hands of criminal agents, they clearly see it as useful. Even breached organizations are admitting as much, as evidenced by their common practice of offering credit monitoring and ID theft protection services to those whose private information has been compromised.

Class Action Lawsuits are in a growth stage

In light of the current threat landscape, today’s class action plaintiffs and the attorneys that represent them have become increasingly emboldened by the clear shift in regulations and judgements around data breach cases.

As commonly detailed in class action filings, breached organizations are now being accused of “intentionally, willfully, recklessly, or negligently failing to implement and maintain adequate and reasonable measures” to protect the PII of their constituents. This charge is usually followed by a litany of potential damages, such as:

  • Invasion of privacy
  • Lost or diminished value of PII
  • Lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach
  • Loss of benefit of the bargain (i.e. contractual agreement between the organization and customer)
  • Lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach
  • The continued and certainly increased risk to their PII which remains available for unauthorized third parties to access and abuse.

What’s especially notable in these recent case filings, however, is the repeated use of “reasonable” as a standard that separates defensible practices from negligence.

“Reasonable” means what?

The concept of “reasonable” cybersecurity measures has its roots in the Federal Trade Commission (FTC).

As the primary consumer protection authority, the FTC enforces a number of statutes and rules that impose obligations on businesses to protect consumer data. In these rulings, “reasonableness” serves as a touchstone for determining whether an organization has satisfied its “duty of care” to protect constituents to the best of its ability.

It’s no surprise that current class action suits like those pending against MGM Resorts, AT&T, and many others, include “reasonable” throughout their texts, as the term harkens back to the powerful enforcement authority of the FTC.

Nevertheless, it also leaves the door open for a plausible defense from organizations asserting that they have met that “duty of care” threshold despite falling victim to cyber-attackers.

The fact is, the use of “reasonable” as a legal standard is ambiguous by design, especially when applied to an issue as complex and mutable as cybersecurity. It provides just enough direction for argument, but with enough flexibility to allow for differences in organizational structures and resources as well as re-interpretation over time as threat tactics and defense technologies develop.

Understanding “Reasonableness”: an Attorney’s Perspective

For clarity, it’s helpful to see this through the eyes of legal experts with real-life court experience in matters of data breach law.

Shawn Tuma of Spencer Fane, LLP, is a cybersecurity and data privacy attorney serving as co-chair of his firm’s Cybersecurity & Data Privacy Practice Group. In a recorded interview at SecureWorld Expo in Dallas, Tuma had this to say:

“Reasonableness is defined by your company itself. What is reasonable to one company may not be reasonable to another… You have to develop a plan that implements appropriate policies, procedures, tools, strategies, everything you need to help mitigate the risks that you have identified as being germane to your company. No one can do everything at once and nobody expects that. But when you can show that you’ve done those things and if you’ve made legitimate efforts to combat the risks that your company faces, then even when you do have an incident, it makes you look so much better in the eyes of the regulators, the judges, the attorneys, and whoever else.”

In short, Mr. Tuma says, “You show you have done the best you can under the circumstances, or pretty close. And that’s where you get to reasonableness. It may not be 100% right, but it was Reasonable.”

Understanding “Reasonableness”: The FTC

In a simplified analysis, the FTC acknowledges the subjective nature of “reasonable” as a standard, but notes it can generally be measured using the following considerations:

1) The nature and size of your business

The larger the company, and the more personal data it retains on behalf of customers or other constituents, the greater its liability becomes should that data be compromised and a lawsuit ensue.

2) The types of information you have

Personal Information (PI) stored by organizations can range from the relatively benign (name only) to the highly sensitive (Social Security numbers, passport information, financial account records, patient IDs, etc.). The more sensitive the information, the greater the risk of damages for the constituents and, therefore, for the organization, should that data be exposed.

3) Risks you are likely to face

With an estimated 68% of organizations reporting cyberattacks in 2023, the risk of someday being on the receiving end of an attempted breach is high. Therefore, courts consider it a basic business imperative to stay apprised of ongoing and emerging threat tactics, such as GenAI-enhanced cyber threats and the organized voice phishing (vishing) criminal campaigns perpetrated against MGM, Twitter, Robinhood, and Cisco.

The more these high-profile cases reach the public eye, the less sympathetic the courts will be to similar organizations caught unprepared. As commonly stated in these filings, “Defendant knew or should have known of the Risk because institutions in possession of PII are particularly susceptible to Cyber Attacks.”

4) The security tools available to you based on your resources

By conservative estimates, organizations are spending an average of 12% of their IT budgets on cybersecurity. Large, data-rich enterprises are particularly prime targets for cyber-crime. But they also likely have a greater depth of financial resources at their disposal relative to smaller operations, and so may be held to a higher standard when their level of commitment to cyber-defense is measured against their level of investment.

Understanding “Reasonableness”: an Expert Witness’ Perspective

Halock® Security Labs, a Chicago-based consultancy specializing in cyber-risk management, information security strategies, and cyber due diligence, helps clients navigate the delicate balance between the likelihood and impact of foreseeable threats and the burden of safeguards. In a podcast for Security Week, Principal Consultant/Partner Chris Cronin discussed what he has seen through his service as an expert witness in court cases, including the kinds of questions litigants are likely to face from overseeing judges. Some examples:

  • Was the threat foreseeable?
  • Did you consider the harm it could cause?
  • What alternative safeguards would have mitigated the risk?
  • Would those alternative safeguards have imposed an undue burden on you?
  • How well would these alternative safeguards have reduced the risk of harm?
  • Would the proposed safeguards have created other undesirable risks?

These questions are designed to reveal the level of attention organizations have given to their “duty of care” to protect the customer PII under their control. How well they are prepared to answer is an indication of how well they might fare if challenged before a court in real time.

Comprehensivity, EDGAR and the Evolving Attack Surface

In its listing of Information Security Practice Principles, Indiana University Center for Applied Cybersecurity puts “Comprehensivity” at the top, urging organizations to “Identify and account for all relevant systems, actors, and risks in the environment.”

Or, more simply put, they need to continually ask themselves, “Am I covering all of my bases?”

As mandated by the Securities and Exchange Commission (SEC) in its recently-published set of cybersecurity disclosure rules, public entities are now required to conduct a broad, introspective, and fully-documented annual audit revealing what measures are being implemented to control access to, and protection of, customer data throughout the entire organization’s IT network structures. And if a breach occurs? They have four days to report full details on the SEC’s EDGAR site. Any attempt to hide from public disclosure will now be met with stiff penalties, not to mention far more damaging lawsuit settlement demands.

Despite the size and complexity of the attack surface for most large enterprises, a well-designed IT risk analysis audit must strive to recognize and examine all of the organization’s assets, both physical and digital, that may be exposed to potential attack. The intention is to uncover, and resolve, possible vulnerabilities that an unauthorized intruder might leverage to gain access to internal systems and data.

Commonly, these risk assessment reviews have focused on assets such as network servers (email, application, Web, etc.), operating systems and software update status, cloud resources, Endpoint Detection and Response (EDR) systems, Internet of Things (IoT) and mobile device management, as well as specific practices and protocols related to authentication, systems access, data encryption, backup systems and password management.

However, as cyber-attack tactics continue to evolve, so, too, must the organization’s field of vision around the ever-expanding attack surface. As noted in this CSO Magazine article addressing “reasonable” cyber-defense, “Traditional security programs have focused only on prevention. The problem is that an attacker only needs to find one weakness to get in your network, and as a defender you have to plug every vulnerability to make sure that the bad actors don’t get in. A reasonable security practitioner will take this into consideration.”

To be sure, amorphous threat agents have proven remarkably adept at finding the cracks in organizations’ cybersecurity shields.

One Threat Vector is Often Not “Reasonably” Protected

Over the last 24 months, attacks targeting the voice channel have skyrocketed. These voice-based attacks include those directed at contact centers as well as other service-centric organizations like financial institutions and healthcare providers. Not only are these organizations gatekeepers of highly-lucrative resources and data, but attending to voice callers is an essential part of their operations.

Criminal scammers, voice phishers (vishers) and other impostors skilled at psychological manipulation and social engineering have learned to exploit the traditionally under-protected voice network by targeting its most vulnerable component – the human at the other end of the call.

There has, in fact, been a 1,265% increase in phone-based attacks since 2022. Financial institutions alone are reporting more than 700 cyberattack attempts per week and face an average cost of $5.72 million per incident should a breach occur.

The healthcare industry is seeing a similar surge, as reported through the Department of Health and Human Services Office for Civil Rights data breach portal and related alerts. However, the cost of a breach in the healthcare space is far steeper, averaging nearly $11 million per incident.

Traditional security practices and employee training seem to have limited impact on voice threat deterrence as skilled criminal agents continue to find their way to susceptible human targets. Now, in their current 2024 iteration, these voice-based threat agents have coalesced into highly-organized criminal enterprises leveraging the abundance of personal data found on the Dark Web and easy access to AI tools used to reinforce their deceptions and evade detection.

Clearly, the rapid evolution in voice-based attack tactics now calls for a shift in defense strategies, replacing obsolete practices and tools with those better aligned to meet the challenges of today’s threat environment. While recognizing the complexity of that ask, this set of Foundational Best Practices for Voice Cybersecurity simplifies the task by offering a clear, organized list of recommended steps and assignments coordinated across the three areas most impacted – IT, Risk Management/Cybersecurity, and Contact Center operations. When applied to an organization’s overall cyber-risk auditing process, these recommended practices represent a comprehensive, effective, and highly reasonable approach to closing the security gaps that currently exist in the enterprise voice channel.

How are You Protecting Your Voice Channel?

While a number of these Best Practices address closing the knowledge gap that exists around emerging threats, potential impacts and related legal/regulatory compliance measures, they also call for prioritizing investment in new cyber-defense tools specific to Voice. Fortunately, as voice phishing (vishing) and related social-engineering cyber-threat tactics continue to evolve, so, too, do the systems and technologies available to combat them.

A primary example of technology meeting the moment is Mutare’s Voice Traffic Filter.

The Voice Traffic Filter (VTF) is a modern voice network call control and security software solution that analyzes incoming call data in order to detect and remove calls that are clearly unwanted, while redirecting those deemed suspicious, based on sophisticated call data analysis, to another resource. In so doing, it substantially reduces the opportunity for threat agents to reach, and potentially breach, susceptible employee targets. As part of a comprehensive network security strategy, technology solutions like Voice Traffic Filter can substantially enhance the organization’s overall cyber-defense posture.

As for the “undue burden” threshold, with the ability to automatically remove large numbers of disruptive unwanted calls (which, according to Mutare, account for an average of 9% of all enterprise voice traffic), a software-based solution quickly pays for itself through regained productivity alone. Beyond that, the value of its added protection against the “foreseeable” organizational, reputational, and legal consequences of a cyber-breach perpetrated by a new and increasingly sophisticated breed of voice-based attackers should not be underestimated.

Of course, no organization wants to find itself in the role of defendant should a cyber-breach lead to potential litigation. But with the emergence of evidence-based best practices and readily-available, highly scalable voice network cyber-defense tools and technologies, organizations both large and small can now not only better protect their internal data and systems from criminal intruders, but also further substantiate that they have, indeed, taken every Reasonable measure to do just that.

Disclaimer: The information provided here does not, and is not intended to, constitute legal advice; all information and content for this piece is intended for general informational purposes only.