You've been hacked, and now you're being sued: the developing world of cybersecurity litigation.

Author: Hooker, Michael

Hardly a week goes by nowadays without headlines of yet another incident of corporate hacking or cybersecurity theft. Companies that electronically store sensitive information are facing the ever-changing challenge of guarding against unauthorized access to and misuse of such digital data. Critical computer-based assets increasingly have come under siege, and sophisticated hackers seem to be outpacing prophylactic measures designed to thwart their advance. As a result, digital data breaches have become almost commonplace today not only for multinational companies, but also for small and midsize companies. In short, cybersecurity has emerged as more than just an IT challenge--it is now a business and legal imperative.

Perhaps it is no surprise then that the recent scourge of cyber-theft has resulted in a proliferation of lawsuits brought by a variety of plaintiff groups. Shareholders, customers, and employees alike have joined the legal fracas, all claiming that the release of sensitive corporate information or personal data has caused some form of personal or business loss. Despite this groundswell of potential claimants, there is no single set of laws setting forth the legal duty of care or the bases for civil liability in data breach settings. Consequently, aggrieved individuals and their attorneys have been forced to resort to a patchwork of common law and state or federal statutory claims to obtain relief.

Judicial development in the cybersecurity arena is still evolving, as courts wrestle with how the theft of personal information, proprietary business data, or even someone's identity should be properly prosecuted and defended. This article explores emerging trends in the burgeoning field of cybersecurity litigation, including the types of claims typically asserted following digital data breaches, commonly asserted defenses to such claims, and the regulatory efforts to curb such breaches and protect consumers.

Types of Cybersecurity Litigation

Digital data breach litigation obviously does not trace its roots back to the English common law, and creative plaintiffs thus have been forced to shoehorn their claims into existing tort, contractual, and statutory theories of liability--with varying levels of success. The still-developing corpus of cybersecurity decisions provides limited judicial guidance and, as a result, new theories of liability are currently being vetted in state and federal courts across the country.

Most cybersecurity breach litigation today falls into one of four categories: 1) shareholder derivative suits to recover for losses in stock value; 2) securities fraud class actions to recover for the diminution in stock value following a cyber breach; 3) class action lawsuits by the breached company's outside customers or business partners whose sensitive or personal information was compromised during the breach; or 4) enforcement actions by governmental agencies invoking their regulatory authority under relevant state or federal laws. Although a single cyber breach incident might trigger more than one of the foregoing suits, and there is certainly overlap in the types of legal claims likely to be asserted in such actions, each category of suit nevertheless evinces some distinctive characteristics.

Shareholder Derivative Actions

Shareholders of corporations who have experienced a cybersecurity breach oftentimes file a shareholder derivative action. In a derivative action, a shareholder brings suit on behalf of the corporation against third parties, typically "insiders" such as executive officers or board members, asserting these individuals breached their duties of care to the corporation. In the cybersecurity context, the derivative claim typically alleges management failed to take adequate precautions to guard against a cyberattack and possibly compounded the problem by failing to give timely notice of the incident to affected third parties. This claim alternatively may be cast as a breach of loyalty for failing to act.

These breach claims are also sometimes combined with a claim alleging management wasted corporate assets or abused its authority. (1) The recovery in a derivative action goes to the corporation itself, not the initiating shareholder.

A shareholder who wishes to sue on behalf of a corporation typically first must demand the board of directors bring the action. If the board refuses, its decision falls under the purview of what is known as the "business judgment rule." Pursuant to this rule, courts presume board members refused the shareholder demand on an informed basis, in good faith, and with the honest belief that their actions were in the best interests of the corporation. The board also has the option of appointing what is known as a "special litigation committee," whose purpose is to investigate the shareholder's claims and to make a recommendation as to whether the corporation should file suit. (2)

Shareholder derivative suits in response to cybersecurity breaches thus far have yielded mixed results. In October 2014, in Palkon v. Holmes, No. 2:14-CV-01234 SRC, 2014 WL 5341880 at *6 (D.N.J. Oct. 20, 2014), a New Jersey federal district court dismissed a derivative suit that had been filed against Wyndham Worldwide Corporation following a well-publicized cyberattack that allegedly involved the theft of over 619,000 payment card numbers. (3) The court upheld the Wyndham board's decision to reject the shareholder's demand to sue, finding that this rejection had been based on a recommendation by outside counsel and the board's own independent investigation. Although the Wyndham shareholder argued that the board's investigation was predetermined and unreasonable, the court noted that "the business judgment rule's strong presumption" authorizes courts to "uphold even cursory investigations by boards refusing shareholder demands." (4)

Following the well-publicized 2014 cyber-theft of credit and debit card information belonging to more than 40 million Target Corporation customers, Target shareholders filed four separate shareholder derivative actions, all of which were later consolidated into a single federal court proceeding. (5) The suits asserted that Target's board violated its fiduciary duties and wasted corporate assets not only by initially failing to prevent the data breach, but also by later failing to disclose the breach. (6) They also count among the damages "costs incurred from the [c]ompany's internal investigation into the data breach ... [and] for remediation activities." (7) Responding to yet another shareholder demand that was not part of the consolidated case, Target's board later appointed a special litigation committee to investigate the claim and to make a recommendation as to whether the corporation should pursue legal action. The appointment of the committee--again a common defense strategy in shareholder derivative suit cases--resulted in a lengthy "stay" of the litigation, which remains pending as of this writing.

As these high-profile cases illustrate, shareholders pursuing derivative actions in the cybersecurity breach context face many challenges. Not only must the shareholders first make a demand on the corporation to file the suit, which the corporation might reject, but the corporate board's conduct also is protected to a substantial extent from "second-guessing" by the business judgment rule. These obstacles may be particularly difficult to overcome when challenging corporate judgment calls regarding how to respond to cyber-threats involving complex and ever-changing computer systems. Nevertheless, directors do have an affirmative duty to oversee cybersecurity initiatives, and a failure to do so could trigger shareholder derivative liability.

Securities Fraud Class Action Lawsuits

Perhaps the most frequently used form of lawsuit to recover for diminution in stock value following a cyber breach is securities class action litigation. In this type of suit, similarly situated shareholders contend that they relied to their detriment on a company's material misrepresentations. The misrepresentation in the cybersecurity context might result from public statements by the company regarding its cyberattack readiness or the comprehensiveness or impact of an attack that already has occurred. Material misrepresentations sometimes stem from public statements made in press releases or, in the case of public companies, even the corporation's Form 10-K reports. Unlike the shareholder derivative action discussed above, recovery in a securities fraud case inures to the suing shareholders, not the corporation.

In December 2007, Heartland Payment Systems, Inc., a Fortune 1000 bank card payment processor, suffered a data breach impacting 130 million credit and debit card numbers. (8) The plaintiffs alleged that the company finally admitted the full scope of the breach to the public more than a year later in 2009. (9) When Heartland's stock price fell almost 80 percent, shareholders sued, alleging that the company had hidden the attack on its computer network and also had overstated its cybersecurity preparedness. (10) Some of these statements derived from Heartland's Form 10-K filing, which touted Heartland's "emphasis on maintaining a high level of security." In a victory for defendants, the trial court dismissed the lawsuit, holding that Heartland's failure to disclose the prior cyberattack was not a material omission and the mere fact that Heartland's system had been infiltrated did not necessarily mean that its public statements were false. (11)

Damages in a securities fraud class...
